security(apps): bump twenty-sdk to 2.10.1 for the 3 remaining pre-2.0 apps (tmp, undici) (#21374)

## Summary

Completes the follow-up flagged in #21344, which deliberately deferred
the **three apps pinning a pre-2.0 `twenty-sdk`** (a major jump that
needed per-app validation). These were the last `twenty-apps/*`
lockfiles still carrying the `tmp` + `undici` Dependabot clusters:

| App | SDK before | SDK after |
|---|---|---|
| `examples/hello-world` | `0.9.0` | `2.10.1` |
| `internal/call-recording` | `0.6.3-alpha` | `2.10.1` |
| `internal/self-hosting` | `1.22.0-canary.6` | `2.10.1` |

Bumping to `twenty-sdk@2.10.1` drops the two vulnerable transitive deps
these apps still inherited (via `inquirer ^10 → external-editor`, and
`@genql/cli`):

| Vuln dep | Advisory | Source |
|---|---|---|
| `tmp@0.0.33` | [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) / CVE-2026-44705 (path traversal) | `inquirer ^10 → external-editor` |
| `undici@5.29.0` | [GHSA-vrm6-8vpv-qv8q](https://github.com/advisories/GHSA-vrm6-8vpv-qv8q) / CVE-2026-1526 (websocket OOM) | `@genql/cli` |

## Changes

- Bump `twenty-sdk` (and `twenty-client-sdk` where pinned) to `2.10.1`
in all 3 apps + regenerate each lockfile.
- `hello-world` and `self-hosting` migrate transparently (typecheck
clean).
- `internal/call-recording` needed source changes for the 2.x API:
- `twenty-sdk/clients` → `twenty-client-sdk/core` +
`twenty-client-sdk/metadata` (5 files); added `twenty-client-sdk`
dependency.
- `defineRole` `permissionFlags` → `permissionFlagUniversalIdentifiers`
(`SystemPermissionFlag`) — real runtime fix (old key is silently ignored
in 2.x).

## Verification

Per-app after regen: **`tmp@0.0.33` = 0**, **`undici@5` = 0** in every
lockfile; `oxlint` passes with **0 errors**. Root `yarn.lock` untouched;
all other undici in the repo is already ≥ patched (`6.26.0` / `7.24.8`).
Charles Bochet
2026-06-09 17:24:09 +02:00
committed by GitHub
parent 123db9e3be
commit e51efef7c8
12 changed files with 1542 additions and 7521 deletions


@@ -16,8 +16,8 @@
"test:watch": "vitest"
},
"dependencies": {
"twenty-client-sdk": "0.9.0",
"twenty-sdk": "0.9.0"
"twenty-client-sdk": "2.10.1",
"twenty-sdk": "2.10.1"
},
"devDependencies": {
"@types/node": "^24.7.2",


@@ -18,7 +18,8 @@
"@emotion/styled": "^11.11.0",
"react-loading-skeleton": "^3.5.0",
"react-markdown": "^10.1.0",
"twenty-sdk": "0.6.3-alpha"
"twenty-client-sdk": "2.10.1",
"twenty-sdk": "2.10.1"
},
"devDependencies": {
"@types/node": "^24.7.2",


@@ -5,7 +5,7 @@ import {
} from 'src/constants/seed-call-recordings-universal-identifiers';
import { MOCK_CALL_RECORDINGS } from 'src/data/mock-call-recordings';
import { defineFrontComponent } from 'twenty-sdk/define';
import { CoreApiClient } from 'twenty-sdk/clients';
import { CoreApiClient } from 'twenty-client-sdk/core';
type SeedStatus = 'seeding' | 'done' | 'error';


@@ -7,7 +7,7 @@ import {
} from 'src/constants/summarize-person-recordings-universal-identifiers';
import { defineFrontComponent } from 'twenty-sdk/define';
import { useRecordId } from 'twenty-sdk/front-component';
import { CoreApiClient } from 'twenty-sdk/clients';
import { CoreApiClient } from 'twenty-client-sdk/core';
import { isDefined } from 'twenty-shared/utils';
const SUMMARIZATION_SYSTEM_PROMPT = [


@@ -1,6 +1,6 @@
import { useEffect, useState } from 'react';
import { useRecordId } from 'twenty-sdk/front-component';
import { CoreApiClient } from 'twenty-sdk/clients';
import { CoreApiClient } from 'twenty-client-sdk/core';
import { isDefined } from 'twenty-shared/utils';
type CallRecording = {
@@ -74,13 +74,13 @@ export const useCallRecording = () => {
name: callRecording?.name ?? '',
createdAt: callRecording?.createdAt ?? '',
endedAt: callRecording?.endedAt ?? null,
recordingFile: callRecording?.recordingFile?.map((file) => ({
recordingFile: callRecording?.recordingFile?.map((file: CallRecording['recordingFile'][number]) => ({
fileId: file.fileId,
label: file.label,
url: file.url ?? null,
extension: file.extension ?? null,
})) ?? [],
transcriptFile: callRecording?.transcriptFile?.map((file) => ({
transcriptFile: callRecording?.transcriptFile?.map((file: CallRecording['transcriptFile'][number]) => ({
fileId: file.fileId,
label: file.label,
url: file.url ?? null,
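Review bot: The explicit `(file: CallRecording['recordingFile'][number])` and `(file: CallRecording['transcriptFile'][number])` annotations on the two `.map` callbacks suggest the 2.x client result no longer carries an inferred element type, so the file shape is now asserted at each callback rather than checked against the response. If `callRecording` did become loosely typed, I would type it once where the query result is assigned (outside this hunk) so a schema drift shows up in one place instead of being masked per field. `url` is still passed through as-is with `file.url ?? null`, so the consumer should keep treating it as API data rather than a trusted location. The body of useCallRecording starts and ends outside the hunk.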


@@ -8,7 +8,8 @@ import {
} from 'src/utils/match-participants';
import { summarizeTranscript } from 'src/utils/summarize-transcript';
import { defineLogicFunction } from 'twenty-sdk/define';
import { CoreApiClient, MetadataApiClient } from 'twenty-sdk/clients';
import { CoreApiClient } from 'twenty-client-sdk/core';
import { MetadataApiClient } from 'twenty-client-sdk/metadata';
import { z } from 'zod';
interface LocalTranscriptWord {


@@ -1,5 +1,4 @@
import { defineRole } from 'twenty-sdk/define';
import { PermissionFlagType } from 'twenty-shared/constants';
import { defineRole, SystemPermissionFlag } from 'twenty-sdk/define';
export const DEFAULT_ROLE_UNIVERSAL_IDENTIFIER =
'f9cfb3ce-cb1e-4f55-af85-be45f6059054';
@@ -12,5 +11,8 @@ export default defineRole({
canUpdateAllObjectRecords: true,
canSoftDeleteAllObjectRecords: true,
canDestroyAllObjectRecords: false,
permissionFlags: [PermissionFlagType.UPLOAD_FILE, PermissionFlagType.AI],
permissionFlagUniversalIdentifiers: [
SystemPermissionFlag.UPLOAD_FILE,
SystemPermissionFlag.AI,
],
});
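Review bot: The new `permissionFlagUniversalIdentifiers` key needs a comment, because the description states that the old `permissionFlags` key is silently ignored in 2.x, which means a stale or misspelled key drops the grants without any error. I would add `// 2.x reads permissionFlagUniversalIdentifiers; the pre-2.0 permissionFlags key is ignored without error` above the array. With this change the role effectively gains UPLOAD_FILE and AI next to `canUpdateAllObjectRecords: true` and `canSoftDeleteAllObjectRecords: true`, so it is worth confirming the resulting effective role is the intended one and, if the SDK allows it, asserting the flags in a test. The defineRole call opens above the second hunk.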


@@ -1,4 +1,4 @@
import { CoreApiClient } from 'twenty-sdk/clients';
import { CoreApiClient } from 'twenty-client-sdk/core';
export interface Participant {
id: string;


@@ -16,8 +16,8 @@
"test:watch": "vitest"
},
"dependencies": {
"twenty-client-sdk": "1.22.0-canary.6",
"twenty-sdk": "1.22.0-canary.6"
"twenty-client-sdk": "2.10.1",
"twenty-sdk": "2.10.1"
},
"devDependencies": {
"@types/node": "^24.7.2",
