Sync foss-main with upstream Plane v1.3.1#36
Merged
Conversation
…8644) * fix: idor issues in project assets and issue attachements * fix: comments
Bumps the pip group with 1 update in the /apps/api/requirements directory: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 44.0.1 to 46.0.5 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@44.0.1...46.0.5) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.5 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* refactor: description input component * fix: add missing prop to rich text editor
…makeplane#8692) Bumps [python-json-logger](https://github.com/nhairs/python-json-logger) from 3.3.0 to 4.0.0. - [Release notes](https://github.com/nhairs/python-json-logger/releases) - [Changelog](https://github.com/nhairs/python-json-logger/blob/main/docs/changelog.md) - [Commits](nhairs/python-json-logger@v3.3.0...v4.0.0) --- updated-dependencies: - dependency-name: python-json-logger dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…8693) Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.0 to 9.0.2. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@7.4.0...9.0.2) --- updated-dependencies: - dependency-name: pytest dependency-version: 9.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: instance not ready ui revamp * chore: code refactoring * chore: code refactoring
* [WEB-6610] Fix work item drag handle hover gap Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c Co-authored-by: Amp <amp@ampcode.com> * fix: use p-0! pl-6! for correct drag handle hover area Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c Co-authored-by: Amp <amp@ampcode.com> * fix: update containerClassName to -ml-6 border-none p-0! pl-6! Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c Co-authored-by: Amp <amp@ampcode.com> --------- Co-authored-by: Amp <amp@ampcode.com>
makeplane#8741) Bumps the actions group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4` | `6` | | [makeplane/actions](https://github.com/makeplane/actions) | `1.0.0` | `1.4.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4` | `7` | | [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.1.0` | `2.5.0` | | [actions/setup-node](https://github.com/actions/setup-node) | `4` | `6` | | [actions/setup-go](https://github.com/actions/setup-go) | `5` | `6` | | [docker/login-action](https://github.com/docker/login-action) | `3` | `4` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3` | `4` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `6.9.0` | `7.0.0` | | [tailscale/github-action](https://github.com/tailscale/github-action) | `2` | `4` | | [actions/cache](https://github.com/actions/cache) | `4` | `5` | Updates `actions/checkout` from 4 to 6 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v6) Updates `makeplane/actions` from 1.0.0 to 1.4.0 - [Release notes](https://github.com/makeplane/actions/releases) - [Commits](makeplane/actions@v1.0.0...v1.4.0) Updates `actions/upload-artifact` from 4 to 7 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4...v7) Updates `softprops/action-gh-release` from 2.1.0 to 2.5.0 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@v2.1.0...v2.5.0) Updates `actions/setup-node` from 4 to 6 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v4...v6) Updates `actions/setup-go` from 5 to 6 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v5...v6) Updates `docker/login-action` from 3 to 4 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@v3...v4) Updates `docker/setup-buildx-action` from 3 to 4 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@v3...v4) Updates `docker/build-push-action` from 6.9.0 to 7.0.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@v6.9.0...v7.0.0) Updates `tailscale/github-action` from 2 to 4 - [Release notes](https://github.com/tailscale/github-action/releases) - [Commits](tailscale/github-action@v2...v4) Updates `actions/cache` from 4 to 5 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: makeplane/actions dependency-version: 1.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: softprops/action-gh-release dependency-version: 2.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/build-push-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: tailscale/github-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/cache dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…-core) (makeplane#8751) * fix: remove unused imports and variables (part 1) Resolve oxlint no-unused-vars warnings in packages/*, apps/admin, apps/space, apps/live, and apps/web (non-core). * fix: resolve CI check failures * fix: resolve check:types failures * fix: resolve check:types and check:format failures - Use destructuring alias for activeCycleResolvedPath - Format propel tab-navigation file * fix: format propel button helper with oxfmt Reorder Tailwind classes to match oxfmt canonical ordering.
…s) (makeplane#8752) * fix: remove unused imports and variables (part 2) Resolve oxlint no-unused-vars warnings in apps/web/core/ (excluding components/issues/). * fix: resolve CI check failures * fix: resolve check:types failures
Resolve oxlint no-unused-vars warnings in apps/web/core/components/issues/.
…HSA-93x3-ghh7-72j3) (makeplane#8864) * fix: prevent ORM field injection via segment parameter in analytics (GHSA-93x3-ghh7-72j3) Centralize analytics field allowlists into VALID_ANALYTICS_FIELDS and VALID_YAXIS constants in analytics_plot.py. Add defense-in-depth validation in build_graph_plot() and extract_axis() so no caller can pass arbitrary field references to Django F() expressions. Add missing segment validation to SavedAnalyticEndpoint. Also fixes ExportAnalytics using "estimate_point" instead of "estimate_point__value". * fix: address PR review - remove unused imports and validate stored query params Remove unused VALID_ANALYTICS_FIELDS and VALID_YAXIS imports from analytic_plot_export.py. Add x_axis/y_axis allowlist validation in SavedAnalyticEndpoint for stored query_dict values to prevent 500 errors from malformed saved analytics.
makeplane#8744) When patching instance configuration values, the raw values from request.data were used directly without sanitization. This adds: - Whitespace stripping via str().strip() to prevent leading/trailing spaces from being stored - Explicit None handling so that null values become empty strings instead of the literal string "None"
* fix: update border for project timezone * feat: added scrollbar in keyboard shortcuts modal * fix: remove unnecessary changes * fix: remove redundant overflow
…lane#8875) Intercom is no longer used. This removes all related frontend components, hooks, custom events, API config, types, and i18n keys.
…eplane#8880) * chore: update dependencies (Django, cryptography, axios, lodash) - Django 4.2.29 → 4.2.30 - cryptography 46.0.6 → 46.0.7 - axios 1.13.5 → 1.15.0 - lodash 4.17.23 → 4.18.0 * chore: update lodash from 4.18.0 to 4.18.1
Bumps the pip group with 1 update in the /apps/api/requirements directory: [pytest](https://github.com/pytest-dev/pytest). Updates `pytest` from 9.0.2 to 9.0.3 - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@9.0.2...9.0.3) --- updated-dependencies: - dependency-name: pytest dependency-version: 9.0.3 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
WorkspaceFileAssetEndpoint had no authorization checks beyond authentication, allowing any logged-in user to create, read, patch, and delete assets in any workspace by slug. DuplicateAssetEndpoint only authorized the destination workspace, letting users copy assets from workspaces they don't belong to. Add @allow_permission decorators to all WorkspaceFileAssetEndpoint methods and scope DuplicateAssetEndpoint's source asset lookup to workspaces where the caller is an active member. Ref: GHSA-qw87-v5w3-6vxx
…plane#8884) * fix: replace IS_SELF_MANAGED toggle with explicit WEBHOOK_ALLOWED_IPS allowlist Instead of blanket-allowing all private IPs on self-managed deployments, webhook URL validation now blocks all private/internal IPs by default and only permits specific networks listed in the WEBHOOK_ALLOWED_IPS env variable (comma-separated IPs/CIDRs). * fix: address PR review comments for webhook SSRF protection - Sanitize error messages to avoid leaking internal details to clients - Guard against TypeError with mixed IPv4/IPv6 allowlist networks - Re-validate webhook URL at send time to prevent DNS-rebinding - Add unit tests for mixed-version IP network allowlists
…e#8860) * add context for project in relations API * modify issue relation serializer
…keplane#8879) * fix: sanitize filenames in upload paths to prevent path traversal (GHSA-v57h-5999-w7xp) Add server-side filename sanitization across all file upload endpoints to prevent path traversal sequences (../) in user-supplied filenames from being incorporated into S3 object keys. While S3 keys are flat strings and not vulnerable to filesystem traversal, this adds defense-in-depth and prevents S3 key pollution. Changes: - Add sanitize_filename() utility in path_validator.py - Sanitize filenames in get_upload_path() for FileAsset and IssueAttachment models - Sanitize name parameter in all upload view endpoints * fix: address PR review feedback on filename sanitization - Remove unused `import re` - Normalize backslashes to forward slashes before os.path.basename() so Windows-style paths (e.g. ..\..\..\evil.txt) are handled on POSIX - Strip whitespace before removing leading dots so " .env" is caught - Return None instead of "unnamed" for empty input so existing `if not name` validation guards remain effective - Add `or "unnamed"` fallback at call sites that lack a name guard * fix: use random hex name as fallback in get_upload_path instead of "unnamed" * fix: resolve ruff E501 line too long in DuplicateAssetEndpoint
…ne#8916) * chore(ci): suppress CodeQL file coverage deprecation warning Explicitly opt into the new default behavior where CodeQL skips computing file coverage information on pull requests for improved analysis performance. * Update .github/workflows/codeql.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* chore: update CODEOWNERS for apps and deployments Assign owners per app/area so reviews are routed to the right maintainers. * chore: update the codeowners
…akeplane#8920) * chore: add Claude Code skills for PR descriptions and release notes * chore(skills): update release-notes branches to canary->master and example version to v1.3.0 * chore(skills): address PR review comments - pr-description: infer base branch from PR metadata, fix Improvement wording, reference template's screenshot placeholder verbatim - release-notes: add `text` language to unlabeled fenced code block
Bumps the pip group with 1 update in the /apps/api/requirements directory: [lxml](https://github.com/lxml/lxml). Updates `lxml` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](lxml/lxml@lxml-6.0.0...lxml-6.1.0) --- updated-dependencies: - dependency-name: lxml dependency-version: 6.1.0 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…makeplane#9078) * fix: add WEBHOOK_ALLOWED_HOSTS allowlist for internal webhook targets The IP-based allowlist alone isn't practical for containerised deployments where service IPs are dynamic. Adds a hostname-based bypass for trusted internal services (e.g. Silo via docker-compose / k8s service DNS) and makes the previously hardcoded ["plane.so"] domain blocklist configurable via WEBHOOK_DISALLOWED_DOMAINS. - validate_url accepts allowed_hosts (exact, case-insensitive match; skips DNS lookup for trusted names) - WebhookSerializer wires both settings through and lets allowlisted hosts bypass the disallowed-domain check - Exposes WEBHOOK_ALLOWED_HOSTS in aio/cli deployment env files * fix: default WEBHOOK_DISALLOWED_DOMAINS to empty for self-hosted * fix: pass WEBHOOK_ALLOWED_HOSTS to send-time webhook re-validation
Add $PNPM_HOME/bin to PATH so corepack-installed pnpm binaries are resolvable during Docker builds.
# Conflicts: # .codespellrc # .github/workflows/codespell.yml # apps/admin/Dockerfile.admin # apps/live/Dockerfile.live # apps/space/Dockerfile.space # apps/web/Dockerfile.web
This reverts commit 6357bb2.
6 tasks
UsamaSadiq
approved these changes
May 20, 2026
aznszn
approved these changes
May 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
19 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
v1.3.1intofoss-main— first sync sincev1.2.3.Conflict resolution (6 files)
Two modify/delete — accepted upstream's deletion:
.codespellrc,.github/workflows/codespell.yml— upstream removed codespell as unused; Pressingly's only edits were to keep it triggered onfoss-main, moot once the files are gone.Four Dockerfiles — took both halves:
apps/admin/Dockerfile.admin,apps/space/Dockerfile.space,apps/live/Dockerfile.live,apps/web/Dockerfile.web— kept Pressingly'scorepack prepare pnpm@10.30.2 --activatepin (PR fix: pin pnpm@10.30.2 in admin, live, space Dockerfiles #28) and took upstream'sturbobump from 2.8.12 → 2.9.4.Pressingly customizations verified post-merge
apps/api/plane/authentication/middleware/proxy_auth.py— 6 references toX-Auth-Requestintact.apps/api/plane/authentication/views/{app,space}/signout.py— present.apps/api/plane/settings/common.py— proxy_auth settings intact.git describe --tags --match "v*.*.*"→v1.3.1-75-g8764a63e78(75 = 74 Pressingly + 1 merge commit).Test plan
make dev.build.plane.apirebuilds cleanlypm.foss.local.devreachable through mPass SSO/god-mode/*and/auth/get-csrf-tokenstill bypass ForwardAuthplane-web/space/admin/liveimages rebuild + render