This release includes 3 breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
Summary
AI summaryAuthentication is now enabled by default, requiring setup on first boot.
Full changelog
⚠️ Breaking Changes
Authentication is now always on by default
In v5, authentication was opt-in — if WEB_USERNAME and WEB_PASSWORD were not set, the app was open to anyone. In v6, authentication is enabled by default.
- If you were running without those environment variables, you will be redirected to a setup page on first boot to create your account.
- If you prefer to run without authentication, set
AUTH_DISABLED=true.
WEB_USERNAME / WEB_PASSWORD are now bootstrap-only
In v5, these environment variables were checked on every login and API request. In v6, they are only used to automatically create the initial user on first startup — after that, credentials are stored in config/auth.yaml as a bcrypt hash.
Important: Changing these environment variables after the first boot will have no effect on your credentials. To rotate your password, use the UI or edit
config/auth.yamldirectly.
Credentials are now persisted in config/auth.yaml
A new file, config/auth.yaml, stores your hashed credentials. Your /config volume must be mounted and writable (owner 1000:1000) — without it, the app will be unable to save your account and will redirect to setup on every restart.
If you were already mounting /config for settings persistence, no additional changes are needed.
What's Changed
- Bump actions/setup-node from 6.2.0 to 6.3.0 by @dependabot[bot] in https://github.com/Brandawg93/PeaNUT/pull/398
- Bump pnpm/action-setup from 4 to 5 by @dependabot[bot] in https://github.com/Brandawg93/PeaNUT/pull/402
- Bump helm/kind-action from 1.13.0 to 1.14.0 by @dependabot[bot] in https://github.com/Brandawg93/PeaNUT/pull/396
- Bump next from 16.1.6 to 16.1.7 by @dependabot[bot] in https://github.com/Brandawg93/PeaNUT/pull/401
- Create user on setup by @Brandawg93 in https://github.com/Brandawg93/PeaNUT/pull/381
- Package updates by @Brandawg93 in https://github.com/Brandawg93/PeaNUT/pull/406
- Make config directory permission errors actionable by @Brandawg93 in https://github.com/Brandawg93/PeaNUT/pull/415
- Add TCP connection pooling for NUT server client by @Brandawg93 in https://github.com/Brandawg93/PeaNUT/pull/405
- Package updates by @Brandawg93 in https://github.com/Brandawg93/PeaNUT/pull/416
- Bump pnpm/action-setup from 5 to 6 by @dependabot[bot] in https://github.com/Brandawg93/PeaNUT/pull/410
- Bump actions/setup-node from 6.3.0 to 6.4.0 by @dependabot[bot] in https://github.com/Brandawg93/PeaNUT/pull/412
- Parallelize CI build workflow by @Brandawg93 in https://github.com/Brandawg93/PeaNUT/pull/417
- Bump azure/setup-helm from 4 to 5 by @dependabot[bot] in https://github.com/Brandawg93/PeaNUT/pull/407
- Fix WS terminal auth behind SSL-terminating proxies by @Brandawg93 in https://github.com/Brandawg93/PeaNUT/pull/419
- Upgrade recharts to v3 by @Brandawg93 in https://github.com/Brandawg93/PeaNUT/pull/420
Full Changelog: https://github.com/Brandawg93/PeaNUT/compare/v5.22.0...v6.0.0
Breaking Changes
- Authentication is enabled by default; unauthenticated deployments must set AUTH_DISABLED=true to disable it.
- `WEB_USERNAME` and `WEB_PASSWORD` are now bootstrap-only and have no effect after first startup.
- Credentials are persisted in config/auth.yaml; the /config volume must be mounted and writable (owner 1000:1000).
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Beta — feedback welcome: [email protected]