mirror of
https://github.com/makeplane/plane.git
synced 2026-07-09 20:10:06 +02:00
* fix: remove hardcoded SECRET_KEY from community deployment manifests (GHSA-cmwv-pjmw-8483) Replace the publicly-known default SECRET_KEY and LIVE_SERVER_SECRET_KEY values in AIO and CLI community deployment manifests with a safe placeholder. - deployments/aio: variables.env now ships with placeholder values; start.sh auto-generates a random key on first boot (or on upgrade from the old insecure default) and persists it in plane.env across restarts - deployments/cli: variables.env ships with placeholder; docker-compose.yml fallbacks that referenced the publicly-known default are removed - apps/api/plane/settings/common.py: SECRET_KEY resolution now uses `or` so an empty env var falls back to get_random_secret_key() (not ""); adds a startup warning if the known insecure default or placeholder is detected Closes WEB-7805 Co-authored-by: Plane AI <noreply@plane.so> * fix: use logger.critical instead of print for insecure SECRET_KEY warning Address code review feedback — replace module-level print() with _logger.critical() and move _logger definition before the SECRET_KEY block to avoid duplicate assignment. Also removes the now-unused `import sys`. Co-authored-by: Plane AI <noreply@plane.so> --------- Co-authored-by: Plane AI <noreply@plane.so>