binarybeach/bb-plane-fork
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
6978 commits 2 branches 0 tags 138 MiB
Commit graph

6978 commits

This branch
This branch
All branches
Author SHA1 Message Date
sriram veeraghanta
cf696d200d
release: v1.3.0 #8835 2026-04-06 20:00:08 +05:30
sriram veeraghanta
bb128e3e16
chore: upgrade turbo from v2.8.12 to v2.9.4 (#8859) 2026-04-06 16:04:57 +05:30
sriram veeraghanta
63fac3b8c4
fix: validate redirects in favicon fetching to prevent SSRF (#8858) 
* fix: validate redirects in favicon fetching to prevent SSRF

The previous SSRF fix (GHSA-jcc6-f9v6-f7jw) only validated redirects for
the main page URL but not for the favicon fetch path. An attacker could
craft an HTML page with a favicon link that redirects to a private IP,
bypassing the IP validation and leaking internal network data as base64.

Extract a reusable `safe_get()` function that validates every redirect hop
against private/internal IPs and use it for both page and favicon fetches.

Resolves: GHSA-9fr2-pprw-pp9j

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address PR review feedback for SSRF favicon fix

- Fix off-by-one in redirect limit: only raise RuntimeError when the
  response is still a redirect after MAX_REDIRECTS hops, not when the
  final response is a successful 200
- Return final URL from safe_get() so favicon href resolution uses the
  correct origin after redirects instead of the original URL
- Add unit tests for validate_url_ip and safe_get covering private IP
  blocking, redirect-following, and redirect limit enforcement

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-06 16:04:43 +05:30
sriram veeraghanta
587fe76032
fix: prevent privilege escalation in project member role updates (GHSA-494h-3rcq-5g3c) (#8833) 
Restrict role modification in ProjectMemberViewSet.partial_update to
Admins only and enforce that requesters cannot modify or assign roles
equal to or higher than their own. Previously, Guests could demote
Admins by exploiting a missing lower-bound check on role changes.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-06 15:54:01 +05:30
Anmol Singh Bhatia
a18d90da86
[WEB-6813] fix: module not associated when accepting intake work items (#8839) 
* fix: intake module association on accept

* chore: code refactoring
 2026-03-31 23:39:34 +05:30
Akshat Jain
febf98ea54
[INFRA-351] fix: correct directory and command for space program in supervisor.conf #8838 2026-03-31 18:53:51 +05:30
sriramveeraghanta
5747dc6fd8 chore: Intake snooze modal width 2026-03-31 18:26:41 +05:30
Akshat Jain
d83944cc8d
[INFRA-346] chore: remove artifacts.plane.so references from community deployments (#8836) 2026-03-31 17:56:32 +05:30
sriramveeraghanta
799b9cbfc5 chore: adding traget commit sha for the github release 2026-03-31 17:54:47 +05:30
sriram veeraghanta
a01b51fca5
fix: scope IssueBulkUpdateDateEndpoint query to workspace and project (#8834) 
The bulk update date endpoint fetched issues by ID without filtering
by workspace or project, allowing any authenticated project member to
modify start_date and target_date of issues in any workspace/project
across the entire instance (IDOR - CWE-639).

Scoped the query to include workspace__slug and project_id filters,
consistent with other issue endpoints in the codebase.

Ref: GHSA-4q54-h4x9-m329
 2026-03-31 17:43:35 +05:30
sriramveeraghanta
00a51f5e6a chore: version bump 2026-03-31 17:09:35 +05:30
sriram veeraghanta
b73d6344ad
chore(deps): replace dotenvx with dotenv and update overrides (#8832) 
* chore(deps): replace dotenvx with dotenv and update dependency overrides

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: sort devDependencies in package.json files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-31 16:55:17 +05:30
sriram veeraghanta
f0ec84661d
chore(deps): update dependency overrides (#8831) 
Update brace-expansion override from 2.0.2 to 5.0.5 and add picomatch,
yaml@1, and yaml@2 overrides to pin transitive dependency versions.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-31 16:32:31 +05:30
Anmol Singh Bhatia
d8ed19f204
[WEB-6794] fix: align profile cover update with correct unsplash and upload handling (#8830) 
* fix: profile cover update

* chore: code refactoring

* chore: code refactoring
 2026-03-31 15:54:12 +05:30
Saurabh Kumar
9fa707b260
[SILO-1026] feat: add estimates external API endpoints (#8664) 
* add project summary endpoint

* update response structure

* add estimates external API endpoints with migrations

* fix invalid project and workspace error
 2026-03-30 15:30:02 +05:30
Saurabh Kumar
d7c80885fd
[SILO-1087] feat: add IssueRelations external API (#8763) 
* add IssueRelations external API

* update serializer methods and filter by slug
 2026-03-30 15:29:16 +05:30
dependabot[bot]
9851fe0b8f
chore(deps): bump cryptography (#8819) 
Bumps the pip group with 1 update in the /apps/api/requirements directory: [cryptography](https://github.com/pyca/cryptography).


Updates `cryptography` from 46.0.5 to 46.0.6
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.5...46.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.6
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-30 12:28:39 +05:30
Anmol Singh Bhatia
5e237938ff
[WEB-6783] fix: crash when deleting work item from peek view in workspace spreadsheet (#8821) 
* fix: guard against undefined issue in SpreadsheetIssueRow

* fix: add defensive guard for isIssueNew in list block-root
 2026-03-30 12:20:39 +05:30
b-saikrishnakanth
f0468a9173
[WEB-6763] fix: date range dropdown clipped in sub-issues list #8809 2026-03-27 16:01:24 +05:30
b-saikrishnakanth
c53968a7f8
[WEB-6762] fix: missing profile icons for recent activities on "Your Work" Page #8812 2026-03-27 16:00:51 +05:30
Aaron
97b4abd693
fix: tsdown watch (#8813) 
closes #8791
 2026-03-27 15:59:55 +05:30
dependabot[bot]
130ba5ee6c
chore(deps): bump requests (#8804) 
Bumps the pip group with 1 update in the /apps/api/requirements directory: [requests](https://github.com/psf/requests).


Updates `requests` from 2.32.4 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.32.4...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-27 00:11:02 +05:30
M. Palanikannan
113bba46ea
fix: migrate page navigation pane tabs from headless ui to propel (#8805) 2026-03-26 20:43:03 +05:30
b-saikrishnakanth
ce401c723e
[WEB-6734] fix: circular progress indicator stroke color#8802 2026-03-26 18:13:57 +05:30
b-saikrishnakanth
5396d438a3
Open [WEB-6739] fix: color inside of active projects of analytics overview tab #8803 2026-03-26 18:13:30 +05:30
Anmol Singh Bhatia
942d2b98ef
[WEB-6702] feat: redesign intake action buttons and use design tokens (#8801) 
* feat: intake action buttons redesign

* chore: code refactoring
 2026-03-26 18:12:24 +05:30
ouchan
d94a269451
fix: add model_activity.delay() to API issue update/create paths for webhook dispatch (#8792) 
Fixes #6746

API-driven issue updates (PUT update, PUT create-via-upsert, PATCH) were
missing `model_activity.delay()` calls, so webhooks were never dispatched
for changes made through the API. The web UI paths already include these
calls (e.g. in `post()` at L475), but the `put()` and `partial_update()`
methods only called `issue_activity.delay()`.

This adds `model_activity.delay()` immediately after each existing
`issue_activity.delay()` in these three code paths, using the same
signature as the existing call in `post()`.

Tested on Plane CE v1.2.1 self-hosted: API PATCH triggers
`webhook_send_task` in the Celery worker, confirming webhook delivery.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-25 13:31:16 +05:30
sriramveeraghanta
54b80e91eb fix: broken lockfile 2026-03-25 13:23:36 +05:30
sriramveeraghanta
6e033f9fdb sync: master branch changes to preview 2026-03-25 13:21:43 +05:30
sriram veeraghanta
f3c7c057b4
chore: remove service token endpoint which is unused (#8797) 2026-03-25 13:13:58 +05:30
sriram veeraghanta
d91b5a274b fix: removed unused files 2026-03-25 02:04:20 +05:30
darkingtail
5a7d1ebd65 fix: remove unused imports and variables (part 3) (#8753) 
Resolve oxlint no-unused-vars warnings in
apps/web/core/components/issues/.
 2026-03-25 02:04:20 +05:30
darkingtail
04d4490293 fix: remove unused imports and variables (part 2 — web/core non-issues) (#8752) 
* fix: remove unused imports and variables (part 2)

Resolve oxlint no-unused-vars warnings in apps/web/core/
(excluding components/issues/).

* fix: resolve CI check failures

* fix: resolve check:types failures
 2026-03-25 02:04:20 +05:30
darkingtail
d9695afcdc fix: remove unused imports and variables (part 1 — packages & non-web-core) (#8751) 
* fix: remove unused imports and variables (part 1)

Resolve oxlint no-unused-vars warnings in packages/*, apps/admin,
apps/space, apps/live, and apps/web (non-core).

* fix: resolve CI check failures

* fix: resolve check:types failures

* fix: resolve check:types and check:format failures

- Use destructuring alias for activeCycleResolvedPath
- Format propel tab-navigation file

* fix: format propel button helper with oxfmt

Reorder Tailwind classes to match oxfmt canonical ordering.
 2026-03-25 02:04:20 +05:30
sriram veeraghanta
c3c7c72aff fix: package updates 2026-03-25 00:22:25 +05:30
Bavisetti Narayan
9d3b5d9da7
fix: added workspace member check in allow permission for creator #8778 2026-03-24 00:44:50 +05:30
sriram veeraghanta
1faf06c755 chore: remove chat support component 2026-03-18 00:13:13 +05:30
dependabot[bot]
72b6453f6f
chore(deps): bump the actions group across 1 directory with 11 updates (#8741) 
Bumps the actions group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `6` |
| [makeplane/actions](https://github.com/makeplane/actions) | `1.0.0` | `1.4.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4` | `7` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.1.0` | `2.5.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | `4` | `6` |
| [actions/setup-go](https://github.com/actions/setup-go) | `5` | `6` |
| [docker/login-action](https://github.com/docker/login-action) | `3` | `4` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3` | `4` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6.9.0` | `7.0.0` |
| [tailscale/github-action](https://github.com/tailscale/github-action) | `2` | `4` |
| [actions/cache](https://github.com/actions/cache) | `4` | `5` |



Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)

Updates `makeplane/actions` from 1.0.0 to 1.4.0
- [Release notes](https://github.com/makeplane/actions/releases)
- [Commits](https://github.com/makeplane/actions/compare/v1.0.0...v1.4.0)

Updates `actions/upload-artifact` from 4 to 7
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7)

Updates `softprops/action-gh-release` from 2.1.0 to 2.5.0
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/v2.1.0...v2.5.0)

Updates `actions/setup-node` from 4 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v6)

Updates `actions/setup-go` from 5 to 6
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v5...v6)

Updates `docker/login-action` from 3 to 4
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3...v4)

Updates `docker/setup-buildx-action` from 3 to 4
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4)

Updates `docker/build-push-action` from 6.9.0 to 7.0.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.9.0...v7.0.0)

Updates `tailscale/github-action` from 2 to 4
- [Release notes](https://github.com/tailscale/github-action/releases)
- [Commits](https://github.com/tailscale/github-action/compare/v2...v4)

Updates `actions/cache` from 4 to 5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: makeplane/actions
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: softprops/action-gh-release
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/build-push-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: tailscale/github-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-18 00:09:47 +05:30
Vipin Chaudhary
428cb478b1
[WEB-6610] Fix work item drag handle hover gap (#8759) 
* [WEB-6610] Fix work item drag handle hover gap

Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c
Co-authored-by: Amp <amp@ampcode.com>

* fix: use p-0! pl-6! for correct drag handle hover area

Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c
Co-authored-by: Amp <amp@ampcode.com>

* fix: update containerClassName to -ml-6 border-none p-0! pl-6!

Amp-Thread-ID: https://ampcode.com/threads/T-019ce703-e30e-769b-9436-a7f5506e8a6c
Co-authored-by: Amp <amp@ampcode.com>

---------

Co-authored-by: Amp <amp@ampcode.com>
 2026-03-18 00:07:52 +05:30
sriram veeraghanta
e972989522 chore(deps): upgrade the undici and flatted versions 2026-03-18 00:05:21 +05:30
Anmol Singh Bhatia
588dc2927e
[WEB-6599] feat: instance not ready ui revamp (#8755) 
* feat: instance not ready ui revamp

* chore: code refactoring

* chore: code refactoring
 2026-03-16 14:29:33 +05:30
dependabot[bot]
6627282bc5
chore(deps): bump pytest from 7.4.0 to 9.0.2 in /apps/api (#8693) 
Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.0 to 9.0.2.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pytest-dev/pytest/compare/7.4.0...9.0.2)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-07 19:24:21 +05:30
dependabot[bot]
d7c12f9730
chore(deps): bump python-json-logger from 3.3.0 to 4.0.0 in /apps/api (#8692) 
Bumps [python-json-logger](https://github.com/nhairs/python-json-logger) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/nhairs/python-json-logger/releases)
- [Changelog](https://github.com/nhairs/python-json-logger/blob/main/docs/changelog.md)
- [Commits](https://github.com/nhairs/python-json-logger/compare/v3.3.0...v4.0.0)

---
updated-dependencies:
- dependency-name: python-json-logger
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-07 19:22:30 +05:30
Aaryan Khandelwal
2e429e5198
[WIKI-874] refactor: description input component (#8544) 
* refactor: description input component

* fix: add missing prop to rich text editor
 2026-03-05 19:37:36 +05:30
Anmol Singh Bhatia
c3a9f99789
[WEB-6420] chore: self-host social icons in project invitation email (#8718) 
* chore: add self-hosted social icon assets for email templates

* chore: pass current_site to project invitation email context

* chore: replace mailinblue CDN icons with self-hosted static assets
 2026-03-05 18:17:42 +05:30
sriram veeraghanta
7902805635
release: v1.2.3 #8717 2026-03-05 18:15:16 +05:30
sriram veeraghanta
7b1f5a47f5 [SECUR-116] fix: ssrf webhook url for ip address #8716 2026-03-05 17:28:32 +05:30
sriram veeraghanta
71b0d30afb
[SECUR-116] fix: ssrf webhook url for ip address #8716 2026-03-05 17:26:06 +05:30
sriramveeraghanta
9a7696acac chore: version upgrade 2026-03-05 17:25:22 +05:30
Aaryan Khandelwal
cc7982ca14
[WEB-5911] fix: error outline button text color #8531 2026-03-05 16:48:56 +05:30