github makeplane/plane v1.3.1

2 hours ago

✨ Improvements

  • Scrollbar in keyboard shortcuts modal
  • Skip role & use-case steps for self-hosted instances

🐛 Bug Fixes

  • Prevent ORM field injection via analytics segment parameter
    Security fix (GHSA-93x3-ghh7-72j3). Centralizes analytics field allowlists into VALID_ANALYTICS_FIELDS / VALID_YAXIS and adds defense-in-depth validation in build_graph_plot() and extract_axis() so no caller can pass arbitrary field references to Django F() expressions. Also adds missing segment validation to SavedAnalyticEndpoint.
  • Enforce workspace membership on V2 asset endpoints
    Security fix (GHSA-qw87-v5w3-6vxx). Adds @allow_permission to all WorkspaceFileAssetEndpoint methods and scopes DuplicateAssetEndpoint's source asset lookup to workspaces where the caller is an active member.
  • Sanitize filenames in upload paths to prevent path traversal
    Security fix (GHSA-v57h-5999-w7xp). Server-side filename sanitization across all file upload endpoints; defense-in-depth against S3 key pollution. Handles Windows-style paths and leading-dot/whitespace edge cases.
  • Replace IS_SELF_MANAGED toggle with WEBHOOK_ALLOWED_IPS allowlist
    Webhook SSRF protection: blocks all private/internal IPs by default; only specific networks listed in WEBHOOK_ALLOWED_IPS (comma-separated IPs/CIDRs) are permitted. Re-validates URL at send time to prevent DNS rebinding, sanitizes error messages, and guards mixed IPv4/IPv6 allowlists.
  • Strip whitespace and handle null values in instance configuration
    Sanitizes patched instance config values: trims leading/trailing whitespace and converts null to "" instead of the literal string "None".
  • Update border for project timezone — [WEB-6785]
  • Update Twitter icon and links to X
  • Optimize sub-issue query performance
    Adds optimized annotations and subqueries to the sub-issue listing path.
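
As an added illustration of the server-side filename sanitization described in the path-traversal fix above (example code written for these notes, not Plane's implementation; the rules, the `file` fallback and the `build_asset_key` helper are assumptions), the sanitizer keeps only the last path component for both `/` and `\` separators, strips leading dots and whitespace, and composes the storage key from server-generated IDs so the user-controlled part can never escape its prefix:

```python
import re
import unicodedata

# Constructed example of defense-in-depth filename sanitization for upload
# paths / S3 keys. Not Plane's code; policy below is an assumption.

_SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")
_MAX_LEN = 255


def sanitize_filename(raw, fallback: str = "file") -> str:
    """Return a safe basename for use inside an upload/object-store key.

    - Keeps only the last path component, splitting on both '/' and '\\',
      so Windows-style paths ("..\\..\\x", "C:\\tmp\\x") cannot smuggle
      directory components into the key.
    - Strips leading dots/whitespace so the result is never "..", a hidden
      dotfile, or padded with spaces; trailing dots/spaces are dropped too,
      mirroring what Windows does when it creates files.
    - Replaces every other unsafe character with '_' and caps the length,
      preserving a short extension when truncating.
    - Falls back to a constant name when nothing usable remains.
    """
    if raw is None:
        return fallback
    name = unicodedata.normalize("NFKC", str(raw))
    # NUL terminates C strings and confuses path handling: drop it outright.
    name = name.replace("\x00", "")
    # Both separator styles -> keep only the final component.
    name = re.split(r"[\\/]+", name)[-1]
    name = name.lstrip(". \t\r\n")
    name = name.rstrip(". \t\r\n")
    name = _SAFE_CHARS.sub("_", name)
    # Collapse dot runs left over from inputs like "a..b.txt".
    name = re.sub(r"\.{2,}", ".", name)
    if not name:
        return fallback
    if len(name) > _MAX_LEN:
        stem, dot, ext = name.rpartition(".")
        if dot and len(ext) < 16:
            name = stem[: _MAX_LEN - len(ext) - 1] + "." + ext
        else:
            name = name[:_MAX_LEN]
    return name


def build_asset_key(workspace_id: str, asset_id: str, raw_name: str) -> str:
    """Compose the object key from server-generated IDs plus the sanitized
    name; only the sanitized segment is ever derived from user input."""
    return f"{workspace_id}/{asset_id}-{sanitize_filename(raw_name)}"


if __name__ == "__main__":
    # Constructed sample inputs covering the edge cases named above.
    for sample in ["../../etc/passwd", "..\\..\\win.ini", "  .hidden.env",
                   "..", "notes.txt. ", "a..b.txt", "report final.pdf"]:
        print(repr(sample), "->", sanitize_filename(sample))
```

The key property is that every branch ends in either a non-empty, separator-free basename or the constant fallback; an upload endpoint can therefore treat the return value as opaque and never re-inspect it.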
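
As an added example of the WEBHOOK_ALLOWED_IPS pattern described in the webhook SSRF fix above (example code for these notes, not Plane's implementation; the function names, the policy details, the injected resolver and the constructed DNS table are assumptions), this shows the comma-separated allowlist parsed into networks, a default-deny check that never compares across IP versions, and a URL validation step meant to be run again immediately before each delivery so a hostname whose answer changes between save time and send time is re-checked:

```python
import ipaddress
from urllib.parse import urlparse

# Constructed example of a webhook destination policy: private/internal
# addresses are denied by default, and only networks listed in the
# WEBHOOK_ALLOWED_IPS setting are admitted. Not Plane's code.


def parse_allowlist(raw):
    """Parse 'ip, ip/cidr, ...' into network objects.

    Bare IPs become /32 or /128 networks; blank entries are skipped and a
    malformed entry raises so a typo cannot silently widen or disable policy.
    """
    nets = []
    for item in (raw or "").split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_ip_permitted(ip, allowlist):
    """Default-deny for anything that is not a public unicast address,
    unless an allowlist entry of the same IP version covers it."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:10.0.0.5) is judged as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net in allowlist:
        # Mixed v4/v6 allowlists: only compare like with like.
        if net.version == ip.version and ip in net:
            return True
    # is_global is False for private, loopback, link-local, CGNAT and
    # documentation ranges; multicast is excluded separately.
    return ip.is_global and not ip.is_multicast


def validate_webhook_target(url, allowlist, resolve):
    """Resolve the URL's host now and check every returned address.

    Intended to run when the webhook is saved and again right before each
    send, so a rebinding hostname is re-evaluated against the same policy.
    `resolve(host)` returns the list of address strings for a hostname.
    Returns the vetted addresses so the caller can pin the connection.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("webhook URL must be http(s) with a host")
    host = parsed.hostname
    try:
        candidates = [ipaddress.ip_address(host)]   # literal IP in the URL
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise ValueError("webhook host did not resolve")
    for ip in candidates:
        if not is_ip_permitted(ip, allowlist):
            # Generic message: never echo the resolved address back to the
            # caller, which would turn error text into an internal probe.
            raise ValueError("webhook destination is not permitted")
    return candidates


def is_webhook_target_permitted(url, allowlist, resolve):
    """Boolean wrapper over validate_webhook_target for callers and tests."""
    try:
        validate_webhook_target(url, allowlist, resolve)
        return True
    except ValueError:
        return False


# Constructed DNS table standing in for a real resolver. 1.2.3.4 is simply
# an ordinary public address; the second host answers with one public and
# one private address, which the policy must reject as a whole.
_FAKE_DNS = {
    "hooks.example.com": ["1.2.3.4"],
    "flipflop.example.net": ["1.2.3.4", "10.0.0.5"],
    "v6.example.org": ["2001:db8::1"],
}


def fake_resolve(host):
    return _FAKE_DNS.get(host, [])


if __name__ == "__main__":
    policy = parse_allowlist("10.20.0.0/16, 2001:db8::/32")
    for target in ["https://hooks.example.com/x", "https://flipflop.example.net/x",
                   "http://[::ffff:10.0.0.5]/", "http://169.254.169.254/"]:
        print(target, "->", is_webhook_target_permitted(target, policy, fake_resolve))
```

Returning the vetted addresses matters: the HTTP client should connect to one of them rather than resolving the hostname a second time, otherwise the check and the connection can still see different answers.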

🔧 Refactor & Chore

  • Remove Intercom integration and chat support components
    Intercom is no longer used. Removes all related frontend components, hooks, custom events, API config, types, and i18n keys.
  • Add project context to relations API
  • Suppress CodeQL file coverage deprecation warning
    Explicitly opts into the new default behavior where CodeQL skips computing file coverage on PRs for improved analysis performance.
  • Update CODEOWNERS for apps and deployments
  • Add Claude Code skills for PR descriptions and release notes

📦 Dependencies

  • Bump axios 1.15.0 → 1.15.2, uuid 13.0.0 → 14.0.0; add pnpm overrides pinning postcss >=8.5.10 and follow-redirects >=1.16.0
  • Bump Django 4.2.29 → 4.2.30, cryptography 46.0.6 → 46.0.7, axios 1.13.5 → 1.15.0, lodash 4.17.23 → 4.18.1
  • Bump vite 7.3.1 → 7.3.2
  • Bump pytest 9.0.2 → 9.0.3
  • Bump lxml 6.0.0 → 6.1.0
