How to handle settings.js (with users and hashed password) in version control?

Node-RED has many files for settings and configuration. I have added all config files and settings.js to a GitHub repo used for setup, config, installation and version control of Node-RED. Then I use an install script to automatically set up a Pi 5 with Docker, clone the GitHub repo, make an image and run a container so everything is ready on a new machine. This includes settings.js as well as all other config files. But I'm not used to handling users there and hashed passwords. I guess it's not recommended? What is the recommended way to deal with this? At least it's better than storing the password itself :joy:

Perhaps the hashed passwords could go in an env file? :thinking:

As long as your GitHub repo is private, it probably isn't too much of a problem as at least the passwords are 1-way hashed.

A lot depends on whether you are offering a supported commercial service to customers though because your responsibilities and accountability may be much higher in that case.

Where the value of the service is sufficiently high or the numbers of users creep up to higher numbers, you should consider using a proper identity management service and potentially consider moving authentication to a separate service via a proxy.

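The env-file idea raised in the question, sketched as an added example (not code from this thread or from the Node-RED project): settings.js builds its `adminAuth` block from environment variables, so the committed file carries no hash, and it throws while loading if the hash is missing or malformed. `NR_ADMIN_USER`, `NR_ADMIN_HASH` and `adminAuthFromEnv` are assumed names, and the sample hash is constructed.

```javascript
// Added example: keep the bcrypt hash out of the committed settings.js.
// NR_ADMIN_USER / NR_ADMIN_HASH are assumed variable names, not Node-RED's own.

// Shape of a bcrypt hash: $2a$/$2b$/$2y$, two-digit cost, then 53 characters
// (22 of salt + 31 of digest) from the bcrypt base64 alphabet.
const BCRYPT_RE = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/;

function adminAuthFromEnv(env) {
    const username = env.NR_ADMIN_USER;
    const hash = env.NR_ADMIN_HASH;
    if (!username || !hash) {
        // Fail closed: omitting adminAuth would leave the editor unauthenticated.
        throw new Error("NR_ADMIN_USER and NR_ADMIN_HASH must both be set");
    }
    const match = BCRYPT_RE.exec(hash);
    if (!match) {
        // Catches a plaintext password pasted by mistake, and a hash whose
        // "$" segments were expanded by a shell or by env-file interpolation.
        throw new Error("NR_ADMIN_HASH is not a well-formed bcrypt hash");
    }
    const cost = Number(match[1]);
    if (cost < 4 || cost > 31) {
        throw new Error("NR_ADMIN_HASH has an invalid bcrypt cost: " + cost);
    }
    // Same structure Node-RED expects under adminAuth in settings.js.
    return {
        type: "credentials",
        users: [{ username: username, password: hash, permissions: "*" }],
    };
}

// Constructed sample environment (the hash is shape-valid filler, not a real one).
const SAMPLE_ENV = {
    NR_ADMIN_USER: "admin",
    NR_ADMIN_HASH: "$2b$08$" + "A".repeat(53),
};

function demo() {
    return adminAuthFromEnv(SAMPLE_ENV);
}

// In settings.js this would be used as:
//   module.exports = { adminAuth: adminAuthFromEnv(process.env), /* ... */ };
```

The env file that supplies the two variables stays out of the repository (for example via `.gitignore`) and is provisioned on each machine separately by the install script.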