fix selected item sorting

PluginMenuItem and PluginMenuButton classes used mutable class-level
defaults for `permissions` and `buttons` attributes, causing permission
leakage between instances when these attributes were modified without
explicit parameters.

Changed to initialize these attributes as fresh lists per instance in
__init__ when not explicitly provided, following standard Python pattern
for avoiding mutable default arguments.

.github/ISSUE_TEMPLATE/06-deprecation.yaml

@@ -1,20 +1,26 @@
 ---
-name: 🗑️ Deprecation
+name: ⚠️ Deprecation
 type: Deprecation
-description: The removal of an existing feature or resource
+description: Designation of a feature or behavior that will be removed in a future release
 labels: ["netbox", "type: deprecation"]
 body:
   - type: textarea
     attributes:
-      label: Proposed Changes
+      label: Deprecated Functionality
       description: >
-        Describe in detail the proposed changes. What is being removed?
+        Describe the feature(s) and/or behavior that is being flagged for deprecation.
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Scheduled removal
+      description: In what future release will the deprecated functionality be removed?
     validations:
       required: true
   - type: textarea
     attributes:
       label: Justification
-      description: Please provide justification for the proposed change(s).
+      description: Please provide justification for the deprecation.
     validations:
       required: true
   - type: textarea

.github/ISSUE_TEMPLATE/07-feature_removal.yaml

@@ -0,0 +1,20 @@
+---
+name: 🗑️ Feature Removal
+type: Removal
+description: The removal of a deprecated feature or resource
+labels: ["netbox", "type: removal"]
+body:
+  - type: input
+    attributes:
+      label: Deprecation Issue
+      description: Specify the issue in which this deprecation was announced.
+      placeholder: "#1234"
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Summary of Changes
+      description: >
+        List all changes necessary to remove the deprecated feature or resource.
+    validations:
+      required: true

.github/workflows/update-translation-strings.yml

@@ -34,7 +34,7 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
-        python-version: 3.11
+        python-version: 3.12
 
     - name: Install system dependencies
       run: sudo apt install -y gettext

.gitignore

@@ -9,7 +9,8 @@ yarn-error.log*
 /netbox/netbox/configuration.py
 /netbox/netbox/ldap_config.py
 /netbox/local/*
-/netbox/media
+/netbox/media/*
+!/netbox/media/.gitkeep
 /netbox/reports/*
 !/netbox/reports/__init__.py
 /netbox/scripts/*

docs/features/change-logging.md

@@ -10,9 +10,11 @@ Change records are exposed in the API via the read-only endpoint `/api/extras/ob
 
 ## User Messages
 
-!!! info "This feature was introduced in NetBox v4.4."
+When creating, modifying, or deleting an object in NetBox, a user has the option of recording an arbitrary message (up to 200 characters) that will appear in the change record. This can be helpful to capture additional context, such as the reason for a change or a reference to an external ticket.
 
-When creating, modifying, or deleting an object in NetBox, a user has the option of recording an arbitrary message that will appear in the change record. This can be helpful to capture additional context, such as the reason for the change.
+When editing an object via the web UI, the "Changelog message" field appears at the bottom of the form. This field is optional. The changelog message field is available in object create forms, object edit forms, delete confirmation dialogs, and bulk operations.
+
+For information on including changelog messages when making changes via the REST API, see [Changelog Messages](../integrations/rest-api.md#changelog-messages).
 
 ## Correlating Changes by Request
 

docs/integrations/rest-api.md

@@ -610,9 +610,7 @@ http://netbox/api/dcim/sites/ \
 
 ## Changelog Messages
 
-!!! info "This feature was introduced in NetBox v4.4."
-
-Most objects in NetBox support [change logging](../features/change-logging.md), which generates a detailed record each time an object is created, modified, or deleted. Beginning in NetBox v4.4, users can attach a message to the change record as well. This is accomplished via the REST API by including a `changelog_message` field in the object representation.
+Most objects in NetBox support [change logging](../features/change-logging.md), which generates a detailed record each time an object is created, modified, or deleted. Additionally, users can attach a message to the change record as well. This is accomplished via the REST API by including a `changelog_message` field in the object representation.
 
 For example, the following API request will create a new site and record a message in the resulting changelog entry:
 
@@ -628,7 +626,7 @@ http://netbox/api/dcim/sites/ \
 }'
 ```
 
-This approach works when creating, modifying, or deleting objects, either individually or in bulk.
+This approach works when creating, modifying, or deleting objects, either individually or in bulk. For more information about change logging, see [Change Logging](../features/change-logging.md).
 
 ## Uploading Files
 

docs/models/dcim/moduletype.md

@@ -16,33 +16,9 @@ Note that device bays and module bays may _not_ be added to modules.
 
 ## Automatic Component Renaming
 
-When adding component templates to a module type, placeholders can be used to dynamically incorporate the module bay's `position` field into component names. Two placeholders are available:
+When adding component templates to a module type, the string `{module}` can be used to reference the `position` field of the module bay into which an instance of the module type is being installed.
 
-### `{module}` Placeholder
-
-The `{module}` placeholder references the position of the parent module bay:
-
-* **Single use**: Expands to the immediate parent's position only
-* **Multiple uses**: Each `{module}` token is replaced level-by-level (the number of tokens must match the nesting depth)
-
-For example, a module type with interface templates named `Gi{module}/0/[1-48]`, when installed in a module bay with position "3", will create interfaces named `Gi3/0/[1-48]`.
-
-### `{module_path}` Placeholder
-
-The `{module_path}` placeholder expands to the full path from the root device to the current module, with positions joined by `/`. This is useful for modules that can be installed at any nesting depth without modification.
-
-For example, consider an SFP module type with an interface template named `eth{module_path}`:
-
-* Installed directly in slot 2: creates interface `eth2`
-* Installed in slot 1's nested bay 1: creates interface `eth1/1`
-* Installed in slot 1's nested bay 2's sub-bay 3: creates interface `eth1/2/3`
-
-!!! note
-    `{module_path}` can only be used once per template attribute, and cannot be mixed with `{module}` in the same attribute.
-
-### Position Field Resolution
-
-The `{module}` placeholder can also be used in the `position` field of [module bay templates](./modulebaytemplate.md) defined on a module type. This allows nested module bays to build hierarchical position values. For example, a module bay template with `position="{module}/1"`, when its parent module is installed in a bay with position "2", will have its position resolved to "2/1".
+For example, you can create a module type with interface templates named `Gi{module}/0/[1-48]`. When a new module of this type is "installed" to a module bay with a position of "3", NetBox will automatically name these interfaces `Gi3/0/[1-48]`.
 
 Automatic renaming is supported for all modular component types (those listed above).
 

netbox/dcim/constants.py

@@ -79,8 +79,6 @@ NONCONNECTABLE_IFACE_TYPES = VIRTUAL_IFACE_TYPES + WIRELESS_IFACE_TYPES
 #
 
 MODULE_TOKEN = '{module}'
-MODULE_PATH_TOKEN = '{module_path}'
-MODULE_TOKEN_SEPARATOR = '/'
 
 MODULAR_COMPONENT_TEMPLATE_MODELS = Q(
     app_label='dcim',

netbox/dcim/forms/common.py

@@ -3,7 +3,6 @@ from django.utils.translation import gettext_lazy as _
 
 from dcim.choices import *
 from dcim.constants import *
-from dcim.utils import resolve_module_placeholders
 from utilities.forms import get_field_value
 
 __all__ = (
@@ -120,47 +119,25 @@ class ModuleCommonForm(forms.Form):
             # Get the templates for the module type.
             for template in getattr(module_type, templates).all():
                 resolved_name = template.name
-                has_module_token = MODULE_TOKEN in template.name
-                has_module_path_token = MODULE_PATH_TOKEN in template.name
-
                 # Installing modules with placeholders require that the bay has a position value
-                if has_module_token or has_module_path_token:
+                if MODULE_TOKEN in template.name:
                     if not module_bay.position:
                         raise forms.ValidationError(
                             _("Cannot install module with placeholder values in a module bay with no position defined.")
                         )
 
-                    # Cannot mix {module} and {module_path} in the same attribute
-                    if has_module_token and has_module_path_token:
+                    if len(module_bays) != template.name.count(MODULE_TOKEN):
                         raise forms.ValidationError(
-                            _("Cannot mix {module} and {module_path} placeholders in the same template attribute.")
+                            _(
+                                "Cannot install module with placeholder values in a module bay tree {level} in tree "
+                                "but {tokens} placeholders given."
+                            ).format(
+                                level=len(module_bays), tokens=template.name.count(MODULE_TOKEN)
+                            )
                         )
 
-                    # Validate {module_path} - can only appear once
-                    if has_module_path_token:
-                        path_token_count = template.name.count(MODULE_PATH_TOKEN)
-                        if path_token_count > 1:
-                            raise forms.ValidationError(
-                                _("The {module_path} placeholder can only be used once per template.")
-                            )
-
-                    # Validate {module} - multi-token must match depth exactly
-                    if has_module_token:
-                        token_count = template.name.count(MODULE_TOKEN)
-                        # Multiple {module} tokens must match the tree depth exactly
-                        if token_count > 1 and token_count != len(module_bays):
-                            raise forms.ValidationError(
-                                _(
-                                    "Cannot install module with placeholder values in a module bay tree {level} deep "
-                                    "but {tokens} placeholders given."
-                                ).format(
-                                    level=len(module_bays), tokens=token_count
-                                )
-                            )
-
-                    # Use centralized helper for placeholder substitution
-                    positions = [mb.position for mb in module_bays]
-                    resolved_name = resolve_module_placeholders(resolved_name, positions)
+                    for module_bay in module_bays:
+                        resolved_name = resolved_name.replace(MODULE_TOKEN, module_bay.position, 1)
 
                 existing_item = installed_components.get(resolved_name)
 

netbox/dcim/forms/model_forms.py

@@ -733,9 +733,10 @@ class ModuleForm(ModuleCommonForm, PrimaryModelForm):
     )
     module_bay = DynamicModelChoiceField(
         label=_('Module bay'),
-        queryset=ModuleBay.objects.all(),
+        queryset=ModuleBay.objects.order_by('name'),
         query_params={
-            'device_id': '$device'
+            'device_id': '$device',
+            'ordering': 'name',
         },
         context={
             'disabled': 'installed_module',

netbox/dcim/graphql/filter_mixins.py

@@ -38,6 +38,15 @@ class ScopedFilterMixin:
 
 @dataclass
 class ComponentModelFilterMixin:
+    _site: Annotated['SiteFilter', strawberry.lazy('dcim.graphql.filters')] | None = (
+        strawberry_django.filter_field(name='site')
+    )
+    _location: Annotated['LocationFilter', strawberry.lazy('dcim.graphql.filters')] | None = (
+        strawberry_django.filter_field(name='location')
+    )
+    _rack: Annotated['RackFilter', strawberry.lazy('dcim.graphql.filters')] | None = (
+        strawberry_django.filter_field(name='rack')
+    )
     device: Annotated['DeviceFilter', strawberry.lazy('dcim.graphql.filters')] | None = strawberry_django.filter_field()
     device_id: ID | None = strawberry_django.filter_field()
     name: FilterLookup[str] | None = strawberry_django.filter_field()

netbox/dcim/models/device_component_templates.py

@@ -8,7 +8,6 @@ from mptt.models import MPTTModel, TreeForeignKey
 from dcim.choices import *
 from dcim.constants import *
 from dcim.models.base import PortMappingBase
-from dcim.utils import resolve_module_placeholders
 from dcim.models.mixins import InterfaceValidationMixin
 from netbox.models import ChangeLoggedModel
 from utilities.fields import ColorField, NaturalOrderingField
@@ -171,17 +170,27 @@ class ModularComponentTemplateModel(ComponentTemplateModel):
         return modules
 
     def resolve_name(self, module):
-        """Resolve {module} and {module_path} placeholders in component name."""
+        if MODULE_TOKEN not in self.name:
+            return self.name
+
         if module:
-            positions = [m.module_bay.position for m in self._get_module_tree(module)]
-            return resolve_module_placeholders(self.name, positions)
+            modules = self._get_module_tree(module)
+            name = self.name
+            for module in modules:
+                name = name.replace(MODULE_TOKEN, module.module_bay.position, 1)
+            return name
         return self.name
 
     def resolve_label(self, module):
-        """Resolve {module} and {module_path} placeholders in component label."""
+        if MODULE_TOKEN not in self.label:
+            return self.label
+
         if module:
-            positions = [m.module_bay.position for m in self._get_module_tree(module)]
-            return resolve_module_placeholders(self.label, positions)
+            modules = self._get_module_tree(module)
+            label = self.label
+            for module in modules:
+                label = label.replace(MODULE_TOKEN, module.module_bay.position, 1)
+            return label
         return self.label
 
 
@@ -712,26 +721,11 @@ class ModuleBayTemplate(ModularComponentTemplateModel):
         verbose_name = _('module bay template')
         verbose_name_plural = _('module bay templates')
 
-    def resolve_position(self, module):
-        """
-        Resolve {module} and {module_path} placeholders in position field.
-
-        This allows positions like "{module}/1" to resolve to "A/1" when
-        the parent module is installed in bay "A".
-
-        Fixes Issue #20467.
-        """
-        if module:
-            positions = [m.module_bay.position for m in self._get_module_tree(module)]
-            return resolve_module_placeholders(self.position, positions)
-        return self.position
-
     def instantiate(self, **kwargs):
-        module = kwargs.get('module')
         return self.component_model(
-            name=self.resolve_name(module),
-            label=self.resolve_label(module),
-            position=self.resolve_position(module),
+            name=self.resolve_name(kwargs.get('module')),
+            label=self.resolve_label(kwargs.get('module')),
+            position=self.position,
             **kwargs
         )
     instantiate.do_not_call_in_templates = True

netbox/dcim/models/modules.py

@@ -259,11 +259,13 @@ class Module(TrackingModelMixin, PrimaryModel, ConfigContextModel):
         module_bays = []
         modules = []
         while module:
-            if module.pk in modules or module.module_bay.pk in module_bays:
+            module_module_bay = getattr(module, "module_bay", None)
+            if module.pk in modules or (module_module_bay and module_module_bay.pk in module_bays):
                 raise ValidationError(_("A module bay cannot belong to a module installed within it."))
             modules.append(module.pk)
-            module_bays.append(module.module_bay.pk)
-            module = module.module_bay.module if module.module_bay else None
+            if module_module_bay:
+                module_bays.append(module_module_bay.pk)
+            module = module_module_bay.module if module_module_bay else None
 
     def save(self, *args, **kwargs):
         is_new = self.pk is None

netbox/dcim/utils.py

@@ -4,54 +4,6 @@ from django.apps import apps
 from django.contrib.contenttypes.models import ContentType
 from django.db import router, transaction
 
-from dcim.constants import MODULE_PATH_TOKEN, MODULE_TOKEN, MODULE_TOKEN_SEPARATOR
-
-
-def resolve_module_placeholders(text, positions):
-    """
-    Substitute {module} and {module_path} placeholders in text with position values.
-
-    Args:
-        text: String potentially containing {module} or {module_path} placeholders
-        positions: List of position strings from the module tree (root to leaf)
-
-    Returns:
-        Text with placeholders replaced according to these rules:
-
-        {module_path}: Always expands to full path (positions joined by MODULE_TOKEN_SEPARATOR).
-                       Can only appear once in the text.
-
-        {module}: If used once, expands to the PARENT module bay position only (last in positions).
-                  If used multiple times, each token is replaced level-by-level.
-
-    This design (Option 2 per sigprof's feedback) allows two approaches:
-    1. Use {module_path} for automatic full-path expansion (hardcodes '/' separator)
-    2. Use {module} in position fields to build custom paths with user-controlled separators
-    """
-    if not text:
-        return text
-
-    result = text
-
-    # Handle {module_path} - always expands to full path
-    if MODULE_PATH_TOKEN in result:
-        full_path = MODULE_TOKEN_SEPARATOR.join(positions) if positions else ''
-        result = result.replace(MODULE_PATH_TOKEN, full_path)
-
-    # Handle {module} - parent-only for single token, level-by-level for multiple
-    if MODULE_TOKEN in result:
-        token_count = result.count(MODULE_TOKEN)
-        if token_count == 1 and positions:
-            # Single {module}: substitute with parent (immediate) bay position only
-            parent_position = positions[-1] if positions else ''
-            result = result.replace(MODULE_TOKEN, parent_position, 1)
-        else:
-            # Multiple {module}: substitute level-by-level (existing behavior)
-            for pos in positions:
-                result = result.replace(MODULE_TOKEN, pos, 1)
-
-    return result
-
 
 def compile_path_node(ct_id, object_id):
     return f'{ct_id}:{object_id}'

netbox/netbox/navigation/menu.py

@@ -232,7 +232,7 @@ VPN_MENU = Menu(
             label=_('L2VPNs'),
             items=(
                 get_model_item('vpn', 'l2vpn', _('L2VPNs')),
-                get_model_item('vpn', 'l2vpntermination', _('Terminations')),
+                get_model_item('vpn', 'l2vpntermination', _('L2VPN Terminations')),
             ),
         ),
         MenuGroup(

netbox/netbox/plugins/navigation.py

@@ -37,8 +37,6 @@ class PluginMenuItem:
     Alternatively, a pre-generated url can be set on the object which will be rendered literally.
     Buttons are each specified as a list of PluginMenuButton instances.
     """
-    permissions = []
-    buttons = []
     _url = None
 
     def __init__(
@@ -54,10 +52,14 @@ class PluginMenuItem:
             if type(permissions) not in (list, tuple):
                 raise TypeError(_("Permissions must be passed as a tuple or list."))
             self.permissions = permissions
+        else:
+            self.permissions = []
         if buttons is not None:
             if type(buttons) not in (list, tuple):
                 raise TypeError(_("Buttons must be passed as a tuple or list."))
             self.buttons = buttons
+        else:
+            self.buttons = []
 
     @property
     def url(self):
@@ -74,7 +76,6 @@ class PluginMenuButton:
     ButtonColorChoices.
     """
     color = ButtonColorChoices.DEFAULT
-    permissions = []
     _url = None
 
     def __init__(self, link, title, icon_class, color=None, permissions=None):
@@ -87,6 +88,8 @@ class PluginMenuButton:
             if type(permissions) not in (list, tuple):
                 raise TypeError(_("Permissions must be passed as a tuple or list."))
             self.permissions = permissions
+        else:
+            self.permissions = []
         if color is not None:
             if color not in ButtonColorChoices.values():
                 raise ValueError(_("Button color must be a choice within ButtonColorChoices."))

netbox/netbox/tests/test_plugins.py

@@ -11,7 +11,7 @@ from netbox.tests.dummy_plugin import config as dummy_config
 from netbox.tests.dummy_plugin.data_backends import DummyBackend
 from netbox.tests.dummy_plugin.jobs import DummySystemJob
 from netbox.tests.dummy_plugin.webhook_callbacks import set_context
-from netbox.plugins.navigation import PluginMenu
+from netbox.plugins.navigation import PluginMenu, PluginMenuItem, PluginMenuButton
 from netbox.plugins.utils import get_plugin_config
 from netbox.graphql.schema import Query
 from netbox.registry import registry
@@ -227,3 +227,46 @@ class PluginTest(TestCase):
         Test the registration of webhook callbacks.
         """
         self.assertIn(set_context, registry['webhook_callbacks'])
+
+
+class PluginNavigationTest(TestCase):
+
+    def test_plugin_menu_item_independent_permissions(self):
+        item1 = PluginMenuItem(link='test1', link_text='Test 1')
+        item1.permissions.append('leaked_permission')
+
+        item2 = PluginMenuItem(link='test2', link_text='Test 2')
+
+        self.assertIsNot(item1.permissions, item2.permissions)
+        self.assertEqual(item1.permissions, ['leaked_permission'])
+        self.assertEqual(item2.permissions, [])
+
+    def test_plugin_menu_item_independent_buttons(self):
+        item1 = PluginMenuItem(link='test1', link_text='Test 1')
+        button = PluginMenuButton(link='button1', title='Button 1', icon_class='mdi-test')
+        item1.buttons.append(button)
+
+        item2 = PluginMenuItem(link='test2', link_text='Test 2')
+
+        self.assertIsNot(item1.buttons, item2.buttons)
+        self.assertEqual(len(item1.buttons), 1)
+        self.assertEqual(item1.buttons[0], button)
+        self.assertEqual(item2.buttons, [])
+
+    def test_plugin_menu_button_independent_permissions(self):
+        button1 = PluginMenuButton(link='button1', title='Button 1', icon_class='mdi-test')
+        button1.permissions.append('leaked_permission')
+
+        button2 = PluginMenuButton(link='button2', title='Button 2', icon_class='mdi-test')
+
+        self.assertIsNot(button1.permissions, button2.permissions)
+        self.assertEqual(button1.permissions, ['leaked_permission'])
+        self.assertEqual(button2.permissions, [])
+
+    def test_explicit_permissions_remain_independent(self):
+        item1 = PluginMenuItem(link='test1', link_text='Test 1', permissions=['explicit_permission'])
+        item2 = PluginMenuItem(link='test2', link_text='Test 2', permissions=['different_permission'])
+
+        self.assertIsNot(item1.permissions, item2.permissions)
+        self.assertEqual(item1.permissions, ['explicit_permission'])
+        self.assertEqual(item2.permissions, ['different_permission'])

netbox/project-static/dist/graphiql/plugin-explorer-style.css

@@ -1 +1 @@
-.docExplorerWrap{height:unset!important;min-width:unset!important;width:unset!important}.docExplorerWrap svg{display:unset}.doc-explorer-title{font-size:var(--font-size-h2);font-weight:var(--font-weight-medium)}.doc-explorer-rhs{display:none}.graphiql-explorer-root{font-family:var(--font-family-mono)!important;font-size:var(--font-size-body)!important;padding:0!important}.graphiql-explorer-root>div>div{border-color:hsla(var(--color-neutral),var(--alpha-background-heavy))!important;padding-top:var(--px-16)}.graphiql-explorer-root input{background:unset}.graphiql-explorer-root select{background:hsl(var(--color-base))!important;border:1px solid hsla(var(--color-neutral),var(--alpha-secondary));border-radius:var(--border-radius-4);color:hsl(var(--color-neutral))!important;margin:0 var(--px-8);padding:var(--px-4) var(--px-6)}.graphiql-operation-title-bar .toolbar-button{line-height:0;margin-left:var(--px-8);color:hsla(var(--color-neutral),var(--alpha-secondary, .6));font-size:var(--font-size-h3);vertical-align:middle}.graphiql-explorer-graphql-arguments input{line-height:0}.graphiql-explorer-actions{border-color:hsla(var(--color-neutral),var(--alpha-background-heavy))!important}
+.docExplorerWrap{height:unset!important;min-width:unset!important;width:unset!important}.docExplorerWrap svg{display:unset}.doc-explorer-title{font-size:var(--font-size-h2);font-weight:var(--font-weight-medium)}.doc-explorer-rhs{display:none}.graphiql-explorer-root{font-family:var(--font-family-mono)!important;font-size:var(--font-size-body)!important;padding:0!important}.graphiql-explorer-root>div>div{padding-top:var(--px-16);border-color:hsla(var(--color-neutral),var(--alpha-background-heavy))!important}.graphiql-explorer-root>div{overflow:auto!important}.graphiql-explorer-root input{background:unset}.graphiql-explorer-root select{border:1px solid hsla(var(--color-neutral),var(--alpha-secondary));border-radius:var(--border-radius-4);margin:0 var(--px-8);padding:var(--px-4)var(--px-6);background:hsl(var(--color-base))!important;color:hsl(var(--color-neutral))!important}.toolbar-button{all:unset;cursor:pointer;margin-left:var(--px-6);color:hsl(var(--color-primary));line-height:0!important;font-size:var(--font-size-h3)!important}.graphiql-explorer-slug .toolbar-button,.graphiql-explorer-graphql-arguments .toolbar-button{font-size:inherit!important}.graphiql-explorer-graphql-arguments input{min-width:2rem;line-height:0}.graphiql-explorer-actions{border-color:hsla(var(--color-neutral),var(--alpha-background-heavy))!important}

netbox/project-static/netbox-graphiql/package.json

@@ -6,7 +6,7 @@
   "license": "Apache-2.0",
   "private": true,
   "dependencies": {
-    "@graphiql/plugin-explorer": "3.2.6",
+    "@graphiql/plugin-explorer": "4.0.6",
     "graphiql": "4.1.2",
     "graphql": "16.12.0",
     "js-cookie": "3.0.5",

netbox/project-static/src/select/classes/dynamicTomSelect.ts

@@ -75,10 +75,16 @@ export class DynamicTomSelect extends TomSelect {
   load(value: string) {
     const self = this;
 
+    // Save current selection before clearing
+    const currentValue = self.getValue();
+
     // Automatically clear any cached options. (Only options included
     // in the API response should be present.)
     self.clearOptions();
 
+    // Clear user_options to prevent the pre-selected option from being treated specially
+    (self as any).user_options = {};
+
     // Populate the null option (if any) if not searching
     if (self.nullOption && !value) {
       self.addOption(self.nullOption);
@@ -98,16 +104,29 @@ export class DynamicTomSelect extends TomSelect {
       .then(response => response.json())
       .then(apiData => {
         const results: Dict[] = apiData.results;
-        const options: Dict[] = [];
-        for (const result of results) {
+
+        // Add options and manually set $order to ensure correct sorting
+        results.forEach((result, index) => {
           const option = self.getOptionFromData(result);
-          options.push(option);
+          self.addOption(option);
+          // Set $order after addOption() to override any special handling of pre-selected items
+          const key = option[self.settings.valueField as string] as string;
+          if (self.options[key]) {
+            (self.options[key] as any).$order = index;
+          }
+        });
+
+        self.loading--;
+        if (self.loading === 0) {
+          self.wrapper.classList.remove(self.settings.loadingClass as string);
         }
-        return options;
-      })
-      // Pass the options to the callback function
-      .then(options => {
-        self.loadCallback(options, []);
+
+        // Restore the current selection
+        if (currentValue && !self.items.includes(currentValue as string)) {
+          self.items.push(currentValue as string);
+        }
+
+        self.refreshOptions(false);
       })
       .catch(() => {
         self.loadCallback([], []);

netbox/project-static/src/select/dynamic.ts

@@ -49,6 +49,9 @@ export function initDynamicSelects(): void {
       labelField: LABEL_FIELD,
       maxOptions: MAX_OPTIONS,
 
+      // Preserve API response order
+      sortField: '$order',
+
       // Disable local search (search is performed on the backend)
       searchField: [],
 

netbox/project-static/yarn.lock

@@ -294,10 +294,10 @@
     react-compiler-runtime "19.1.0-rc.1"
     zustand "^5"
 
-"@graphiql/plugin-explorer@3.2.6":
-  version "3.2.6"
-  resolved "https://registry.npmjs.org/@graphiql/plugin-explorer/-/plugin-explorer-3.2.6.tgz"
-  integrity sha512-MXzG/zVNzZfes4Em253bHyAbD/lwwAZkPKvxCAQkjz0i3dtcv4uF3D8iqJ7214iu3SCphbORYZZUC93fik1yew==
+"@graphiql/plugin-explorer@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@graphiql/plugin-explorer/-/plugin-explorer-4.0.6.tgz#bec1207dc27334914590ab31f46c2e944bbf4ebf"
+  integrity sha512-TppIi92YPER3v70nlF01KTQrq9AiYqkZicSd1hpU7aqGmbqw/pLwBNLUEcfENBoJtw574Qxjswb01+GaYK0Tzw==
   dependencies:
     graphiql-explorer "^0.9.0"
 

netbox/users/forms/model_forms.py

@@ -123,7 +123,7 @@ class UserTokenForm(forms.ModelForm):
     token = forms.CharField(
         label=_('Token'),
         help_text=_(
-            'Tokens must be at least 40 characters in length. <strong>Be sure to record your key</strong> prior to '
+            'Tokens must be at least 40 characters in length. <strong>Be sure to record your token</strong> prior to '
             'submitting this form, as it will no longer be accessible once the token has been created.'
         ),
         widget=forms.TextInput(

netbox/users/models/tokens.py

@@ -69,7 +69,7 @@ class Token(models.Model):
     write_enabled = models.BooleanField(
         verbose_name=_('write enabled'),
         default=True,
-        help_text=_('Permit create/update/delete operations using this key')
+        help_text=_('Permit create/update/delete operations using this token')
     )
     # For legacy v1 tokens, this field stores the plaintext 40-char token value. Not used for v2.
     plaintext = models.CharField(
@@ -213,6 +213,9 @@ class Token(models.Model):
     def clean(self):
         super().clean()
 
+        if self.version == TokenVersionChoices.V2 and not settings.API_TOKEN_PEPPERS:
+            raise ValidationError(_("Unable to save v2 tokens: API_TOKEN_PEPPERS is not defined."))
+
         if self._state.adding:
             if self.pepper_id is not None and self.pepper_id not in settings.API_TOKEN_PEPPERS:
                 raise ValidationError(_(

netbox/users/tests/test_models.py

@@ -1,9 +1,10 @@
 from datetime import timedelta
 
 from django.core.exceptions import ValidationError
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from django.utils import timezone
 
+from users.choices import TokenVersionChoices
 from users.models import User, Token
 from utilities.testing import create_test_user
 
@@ -94,6 +95,15 @@ class TokenTest(TestCase):
         token.refresh_from_db()
         self.assertEqual(token.description, 'New Description')
 
+    @override_settings(API_TOKEN_PEPPERS={})
+    def test_v2_without_peppers_configured(self):
+        """
+        Attempting to save a v2 token without API_TOKEN_PEPPERS defined should raise a ValidationError.
+        """
+        token = Token(version=TokenVersionChoices.V2)
+        with self.assertRaises(ValidationError):
+            token.clean()
+
 
 class UserConfigTest(TestCase):