mirror of https://github.com/twentyhq/twenty.git
synced 2026-06-11 17:37:18 -04:00
split/01-data-model
630 Commits
**232ca8eec2** security: clear happy-dom High alerts by upgrading wyw-in-js 0.7 → 1.1 (#21394)

## What

Clears the 2 High `happy-dom` alerts (GHSA-w4gp-fjgq-3q4g, GHSA-6q6h-j7hj-3r64) via a parent bump — **no resolution**.

`happy-dom@15.11.7` came from **`@wyw-in-js/transform@0.7.0`** (Linaria's CSS transform), pinned by a root resolution + a local `.yarn` patch and requested by `@wyw-in-js/vite@^0.7.0` in twenty-front + twenty-ui-deprecated.

- `@wyw-in-js/vite` `^0.7.0` → `^1.1.0` (twenty-front, twenty-ui-deprecated)
- `@wyw-in-js/babel-preset` `^0.6.0` → `^1.1.0` (twenty-ui-deprecated)
- **drop the `@wyw-in-js/transform` 0.7.0 resolutions + the `.yarn` patch** — the patch added a `visited` cycle-guard to `TransformCacheCollection.invalidateIfChanged`, which is **already upstream** in transform 1.1.0, so it's obsolete.

`@wyw-in-js/transform` now resolves to **1.1.0** (→ happy-dom 20.10.2) and 0.8.1 (website, unchanged, → happy-dom 20.8.9). The vulnerable 0.7.0/15.11.7 are gone.

## Required config change

wyw-in-js 1.x resolves modules in its CSS pre-build via vite's `resolve.alias` instead of `vite-tsconfig-paths`. So twenty-front's `@/` and `~/` tsconfig path aliases are mirrored into `vite.config` `resolve.alias` — otherwise the CSS evaluator throws `Cannot find module '@/...'` for aliased imports used inside `styled` definitions.

## Verification

- happy-dom now **20.8.9 + 20.10.2** (both patched); no 15.x left
- `nx build twenty-front` — CSS extraction works (**1018 files transformed**) + `typecheck`
- `nx build twenty-ui`, `twenty-ui-deprecated` (Linaria CSS extraction)
- website's Linaria transform runs fine (local build only stops on a missing `TWENTY_PARTNERS_API_URL` env var, unrelated)
- `yarn install --immutable` clean
**fc764115ef** security: clear all High next alerts by upgrading react-email 5 → 6 (#21377)

## What

Clears **all 9 High `next` Dependabot alerts** (incl. GHSA-26hh-7cqf-hhc6) in twenty-emails — via a parent bump, no resolutions.

All 9 traced to a stale **`next@16.0.10`** pulled by `@react-email/preview-server` 5.x. The latest preview-server 5.x still ships a vulnerable next (16.1.7 < 16.2.6), so bumping it alone wouldn't help. **react-email 6.x** is a rewrite that no longer depends on next or on a separate preview-server.

- bump `react-email` `5.1.0` → `6.5.0`
- remove the obsolete `@react-email/preview-server` devDependency
- add `@react-email/ui` `6.5.0` devDependency

### Why `@react-email/ui` (the CI fix)

react-email 6's `email dev` preview server loads its UI from `@react-email/ui`, and **prompts to install it interactively** if missing — which hangs the `emails-test` CI job (no TTY), so the server never starts and the `/preview/test.email` smoke check fails. Pinning `@react-email/ui` makes `email dev` start non-interactively.

### Net effect on `next`

The vulnerable `16.0.10` is gone. `@react-email/ui@6.5.0` pulls **`next@16.2.6`** — the **patched** version (≥ every current next advisory fix), so all 9 alerts clear and **no vulnerable next remains**.

## Notes

- `react-email` and `@react-email/ui` pinned to exact `6.5.0` (matching the prior react-email pin) because the `6.6.0` line was published today and is still registry-quarantined.
- react-email is a dev-only preview tool; CI builds emails via `vite` + typecheck.

## Verification

- No `next < 16.2.6` in `yarn.lock`
- `nx build` + `nx typecheck` twenty-emails
- `email dev -d src/emails -p 4001` starts non-interactively and serves `/preview/test.email` → HTTP 200 (reproduces the emails-test check, now passing)
- `yarn install --immutable` clean
**217e1f5ab3** security: clear immutable High alert via @graphql-codegen typescript plugins v4 (#21380)

## What

Clears the High `immutable` alert (GHSA-wf6x-7x77-mvgw) via a parent bump — **no resolution**.

`immutable@3.7.6` was pulled by `@ardatan/relay-compiler@12.0.0` (→ `immutable ~3.7.6`), reached through `@graphql-tools/relay-operation-optimizer` inside the `@graphql-codegen` visitor plugins. The fix lives in `relay-operation-optimizer@7.1.4` → `relay-compiler@13.0.1` → `immutable@^5.1.5` — but the old codegen typescript plugins (v3) pinned a 6.x optimizer stuck on relay-compiler 12.

**Fix chain:**

- `@graphql-codegen/typescript` `^3.0.4` → `^4.1.6`
- `@graphql-codegen/typescript-operations` `^3.0.4` → `^4.6.1`
- refresh `@graphql-tools/relay-operation-optimizer` (within its existing `^7.0.0` range) → 7.1.4 → `relay-compiler@13.0.1` → `immutable@5.1.6`

## Heads-up: this is effectively a codegen v4 plugin upgrade

The codegen typescript plugins v4 change the generated **scalar shape** (`Scalars['X']` → `Scalars['X']['input'|'output']`), so the committed `generated*/graphql.ts` are regenerated (~7.8k lines). The diff is **purely type-level** — no runtime/enum/document changes — and was regenerated against the current schema (verified: **no schema-content drift**).

## Verification

- `immutable@3.7.6` gone (now 5.1.6); `relay-compiler@13.0.1`
- `nx typecheck twenty-front` passes against the regenerated types (0 errors)
- `yarn install --immutable` clean
- Generated files regenerated against a clean origin/main schema (no drift markers)
**ca63904ac5** fix(security): bump @scalar/api-reference-react to clear unhead XSS (#21382)

Resolves [Dependabot Alert 630](https://github.com/twentyhq/twenty/security/dependabot/630).

unhead@1.11.20 was pulled in transitively via @scalar/api-reference-react@0.4.42 (@unhead/vue@^1.11.11). The useHeadSafe XSS bypass (GHSA, alert https://github.com/twentyhq/twenty/issues/630) is only patched on the unhead 2.x line; the 1.x branch was never fixed and 1.11.20 is the latest 1.x release, so the existing semver range could not reach a patched version.

Rather than a resolutions override, bump the direct dependency to a Scalar release that depends on @unhead/vue@^2.x, which resolves unhead to 2.1.15.

- Upgrade @scalar/api-reference-react ^0.4.36 -> ^0.9.42 (0.9.43+ blocked by the 3-day npmMinimalAgeGate; the caret adopts them once aged).
- Migrate RestPlayground configuration to the new Scalar API:
  - spec.content -> top-level content
  - authentication.http.bearer -> authentication.securitySchemes.bearerAuth (with preferredSecurityScheme), matching the server's OpenAPI scheme name.
- Drop the ?inline query on the style.css import. It was added in https://github.com/twentyhq/twenty/pull/12099 to stop the old Scalar's global CSS reset from leaking; the new CSS scopes every reset to :where(.scalar-app), so importing it normally restores styling without re-introducing that leak.

Proof: <img width="215" height="48" alt="image" src="https://github.com/user-attachments/assets/3a738fae-63bd-4e88-82c3-5dbe72d993ec" />

Co-authored-by: Félix Malfait <felix.malfait@gmail.com>
**d2f30e0513** security: clear fast-uri + fast-xml-parser High alerts (lockfile only) (#21379)

## What

Two more High alerts cleared, **no resolutions** — only `yarn.lock`.

| Package | From → To | How | Advisory |
|---|---|---|---|
| fast-uri | 3.0.1 → 3.1.2 | in-range refresh (consumers already allow it) | GHSA-v39h-62p7-jpjc, GHSA-q3j6-qgpj-74h6 |
| fast-xml-parser | 5.4.1 → 5.7.3 | `yarn dedupe @aws-sdk/core @aws-sdk/xml-builder` (collapses a stale aws-sdk xml-builder skew) | GHSA-8gc5-j5rx-235r |

For `fast-xml-parser`, the vulnerable 5.4.1 came from a stale `@aws-sdk/xml-builder@3.972.9`; the newer `3.972.24` (→ 5.7.3) was already in the tree, so deduping the aws-sdk packages removes the old one.

## Verification

- No `fast-uri@3.0.x` / `fast-xml-parser@5.4.x` left in the lockfile
- `yarn install --immutable` clean
- `nx typecheck twenty-server` passes (aws-sdk consumer)
**0d8d463a44** security: clear all High minimatch Dependabot alerts via parent bumps (#21373)

## What

Clears **all 14 High `minimatch` ReDoS alerts** (GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74, GHSA-3ppc-4f35-3m26) in the root tree — **by bumping the actual parent dev tools, with no `resolutions`/overrides**. Each parent that pinned a vulnerable minimatch is upgraded so the patched version resolves naturally.

| Vulnerable minimatch | Pinned by | Fix |
|---|---|---|
| 10.0.3 | `@microsoft/api-extractor` 7.55.1 | → 7.58.7 (in-range refresh) → minimatch 10.2.3 |
| 3.1.2 | `@stoplight/spectral-core` 1.20.0 | → 1.23.0 (in-range refresh) → minimatch ^3.1.4 |
| 3.0.8 | `vite-plugin-dts` 3.8.1 → api-extractor 7.43.0 | bump to `^4.5.4` (already used elsewhere here) → minimatch 10.2.3 |
| 4.2.3 | `graphql-config` 4.5.0 via `@graphql-codegen/cli` ^3.3.1 | bump cli to `^5.0.7` → graphql-config 5.1.6 → minimatch ^10 |
| 9.0.3 | `zapier-platform-cli` ^15.4.1 | bump to `^19.0.0` |
| 7.4.6 | `verdaccio` 6.5.2 → `@verdaccio/core` 8.0.0-next | refresh to 6.7.2 → core 8.1.1 → minimatch 7.4.9 |

All six are **build/test tooling** — the ReDoS exposure is build-time, never shipped to users.

## Verification

- ✅ Every resolved `minimatch` in `yarn.lock` is now ≥ its patched floor (3.1.5 / 7.4.9 / 9.0.9 / 10.2.3+). No `resolutions` added.
- ✅ `nx build`: twenty-shared, twenty-ui, twenty-ui-deprecated, twenty-emails (validates vite-plugin-dts v4)
- ✅ twenty-zapier: typecheck + build + `zapier validate` (35/35 checks pass; cli 19 + core 15.5.1)
- ✅ twenty-front: typecheck; `graphql:generate` with codegen cli 5 produces **byte-identical** output (no generated-file changes in this PR)
- ✅ `yarn install --immutable` clean

## Notes

- The large `yarn.lock` diff is expected: major bumps to codegen (3→5), zapier-cli (15→19), and vite-plugin-dts (3→4) cascade through dev-tree transitives (net −1244 lines after dedup).
- `zapier-platform-core` (runtime) intentionally left at 15.5.1 — only the CLI (dev tool) carried the vulnerable minimatch; `zapier validate` flags only a non-blocking "consider upgrading core" suggestion.
- codegen plugins (`typescript`/`typescript-operations`) left at v3: they run fine under cli 5 and produce identical output, so the minimal change is just the cli bump.
**bd084afc11** security: force shell-quote >= 1.8.4 (GHSA-w7jw-789q-3m8p, critical) (#21372)

## What

`shell-quote <= 1.8.3` is affected by [GHSA-w7jw-789q-3m8p](https://github.com/advisories/GHSA-w7jw-789q-3m8p) / CVE-2026-9277 (**critical**): `quote()` backslash-escapes `.op` characters with `/(.)/g`, which doesn't match line terminators (`\n`, `\r`, U+2028/2029). A line terminator in an object token's `.op` value passes through unescaped, and POSIX shells treat a literal `\n` as a command separator — enabling shell command injection in callers that pass attacker-influenced object tokens to `quote()`. First patched in **1.8.4**.

This is Dependabot alert #1434 on the root `yarn.lock`.

## How

The root lockfile resolved two vulnerable versions:

- `1.8.1` — via the `^1.6.1` / `^1.7.3` / `^1.8.1` ranges
- `1.8.3` — **hard-pinned** by `concurrently@9.2.1` (used in `twenty-companion`)

`yarn up -R shell-quote` only re-resolves the ranged dependents; the exact `1.8.3` pin from `concurrently` stays. So I added a `shell-quote: "^1.8.4"` entry to root `resolutions`, matching the existing `tmp` / `chokidar` / `tar` security overrides. Every consumer now resolves to the patched `1.8.4`.

## Scope

- `package.json`: +1 resolution line.
- `yarn.lock`: two vulnerable entries collapse to a single `shell-quote@1.8.4`.
- `1.8.4` is a semver-compatible patch over `1.8.3`; latest `concurrently` (10.x) already depends on `1.8.4`.
- Verified no `shell-quote <= 1.8.3` remains in any lockfile across the repo.
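The lockfile check that the shell-quote commit above relies on (and that the earlier happy-dom, next and minimatch commits also state as "no version below X left in `yarn.lock`") can be automated. The following is an added example, not code from the twenty repository: a dependency-free Node.js script that parses Yarn Berry `yarn.lock` entries, flags every resolved version below a patched floor, and reports which lockfile entry requests it, so an exact pin (which needs a root `resolutions` entry) can be told apart from ranged consumers that `yarn up -R` would fix. The lockfile excerpt, the `concurrently@9.2.1` pin and the `FLOORS` map are constructed for the example.

```javascript
// Added example (not from the twenty repository): audit Yarn Berry lockfile
// entries against patched-version floors. No external dependencies.

// Constructed lockfile excerpt in Yarn Berry syntax (sample input, not the
// repo's real yarn.lock). It mirrors the situation the commit describes: one
// ranged descriptor group resolved at 1.8.1 and one exact pin at 1.8.3 that
// is held by concurrently.
const SAMPLE_LOCK = `
__metadata:
  version: 8
  cacheKey: 10c0

"concurrently@npm:9.2.1":
  version: 9.2.1
  resolution: "concurrently@npm:9.2.1"
  dependencies:
    shell-quote: "npm:1.8.3"
    "@types/node": "npm:^20.0.0"

"shell-quote@npm:1.8.3":
  version: 1.8.3
  resolution: "shell-quote@npm:1.8.3"

"shell-quote@npm:^1.6.1, shell-quote@npm:^1.7.3, shell-quote@npm:^1.8.1":
  version: 1.8.1
  resolution: "shell-quote@npm:1.8.1"

"tar@npm:^7.5.16":
  version: 7.5.16
  resolution: "tar@npm:7.5.16"
`;

// Patched floors to enforce (constructed for the example; in practice they
// come from the advisory being remediated).
const FLOORS = { 'shell-quote': '1.8.4', tar: '7.5.7' };

// Package name from a Berry descriptor such as "@scope/pkg@npm:^1.2.3".
function packageName(descriptor) {
  const at = descriptor.lastIndexOf('@');
  return at > 0 ? descriptor.slice(0, at) : descriptor;
}

// Parse top-level lockfile entries: an unindented key line carries the
// comma-separated descriptors; indented lines carry version and dependencies.
function parseLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (!raw.trim()) continue;
    if (!raw.startsWith(' ')) {
      const key = raw.replace(/:\s*$/, '').replace(/^"|"$/g, '');
      current = { descriptors: key.split(',').map((d) => d.trim()), version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
      continue;
    }
    const line = raw.trim();
    if (line.startsWith('version:')) current.version = line.slice('version:'.length).trim();
    else if (line === 'dependencies:') inDeps = true;
    else if (inDeps && raw.startsWith('    ')) {
      const m = line.match(/^"?([^":]+)"?:\s*"?npm:([^"]+)"?$/);
      if (m) current.dependencies[m[1]] = m[2];
    } else inDeps = false; // any other 2-space field ends the dependencies map
  }
  return entries;
}

// Minimal semver ordering: numeric major.minor.patch, and a pre-release tag
// sorts below its release (enough for lockfile floors).
function compareVersions(a, b) {
  const split = (v) => {
    const [core, pre] = v.split('-');
    return { nums: core.split('.').map(Number), pre: pre ?? null };
  };
  const x = split(a), y = split(b);
  for (let i = 0; i < 3; i++) {
    const d = (x.nums[i] ?? 0) - (y.nums[i] ?? 0);
    if (d !== 0) return Math.sign(d);
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// For every floored package, report resolved versions below the floor, the
// entries that request that exact descriptor, and the remediation that fits.
function auditLock(text, floors) {
  const entries = parseLock(text);
  const findings = [];
  for (const e of entries) {
    const name = packageName(e.descriptors[0]);
    const floor = floors[name];
    if (!floor || !e.version || compareVersions(e.version, floor) >= 0) continue;
    const requestedBy = entries
      .filter((p) => p.dependencies[name] && e.descriptors.includes(`${name}@npm:${p.dependencies[name]}`))
      .map((p) => ({ parent: `${packageName(p.descriptors[0])}@${p.version}`, range: p.dependencies[name] }));
    const exactPinned = requestedBy.some((r) => /^\d/.test(r.range));
    findings.push({
      name, version: e.version, requestedBy, exactPinned,
      fix: exactPinned ? 'root resolutions entry (a parent hard-pins it)' : 'yarn up -R within existing ranges',
    });
  }
  return findings;
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK, FLOORS), null, 2));
```

Run against a real lockfile, replace `SAMPLE_LOCK` with `fs.readFileSync('yarn.lock', 'utf8')`; an empty result for the floors in question is the "no vulnerable version remains" condition the commit messages assert.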
**834541da6d** security: bump path-to-regexp and defu to patched versions (lockfile refresh) (#21369)

## What

Clears two **High** Dependabot alerts (https://github.com/twentyhq/twenty/security/dependabot) from the root tree **without resolutions/overrides** — by refreshing the lockfile so the existing semver ranges pick up the already-patched releases.

| Package | From → To | Requested by | Advisory |
|---|---|---|---|
| path-to-regexp | 8.3.0 → 8.4.2 | `router` (`^8.0.0`) | GHSA-j3q9-mxjg-w52f |
| defu | 6.1.4 → 6.1.7 | `radix-vue` (`^6.1.4`) | GHSA-737v-mqg7-c878 |

Only `yarn.lock` changes — no `package.json` edits, no `resolutions`.

## Why only these two

I traced every vulnerable transitive back to its parent. Only `defu` and `path-to-regexp` were stuck purely on a stale lockfile (their parents' ranges already allow the patched version). The remaining root High alerts can **not** be fixed by a parent update:

- **next** — latest `@react-email/preview-server` (5.2.10) still ships `next@16.1.7`, itself vulnerable
- **immutable** — `@ardatan/relay-compiler@12.0.0` is terminal and pins `~3.7.6`
- **minimatch / lodash / ws** — exact-pinned deep in dev tooling (api-extractor, spectral, NestJS, graphql-tools) with no fixed upstream release

Those will be handled separately.

## Verification

- `nx typecheck` passes for twenty-server and twenty-front
**4305a7dc84** fix(twenty-client-sdk): make genql codegen formatter prettier-3 compatible (fixes app-sync server crash) (#21354)

## Problem

Syncing a `twenty-sdk` app against a server (`twenty dev`) **crashes the server process**. The metadata migration completes, then the server-side `GqlTypeGenerator` regenerates typed clients via the vendored genql codegen in `twenty-client-sdk`, which throws and exits node:

```
ConfigError: Couldn't find plugin for AST format "estree".
Plugins must be explicitly added to the standalone bundle.
at .../packages/twenty-client-sdk/dist/generate.cjs
Node.js v24.5.0 ← process exits
```

The CLI sees `ECONNRESET`; the app row still persists because the crash happens after the metadata commit. Any app sync takes the server down.

## Root cause

The genql codegen formatter [`prettify.ts`](https://github.com/twentyhq/twenty/blob/main/packages/twenty-client-sdk/src/generate/genql/helpers/prettify.ts) was vendored (in #21339) targeting **prettier 2.8**: a synchronous `format()` and `prettier/parser-typescript`, which in 2.8 bundles the estree printer. `package.json` pins `prettier ^2.8.8`, but the monorepo actually resolves/bundles **prettier 3.8.3** (`^2.8.8` is silently unsatisfied — no 2.8.x is nested for this package, and the subpath imports are bundled from the hoisted 3.8.3). Under prettier 3 the estree printer must be added explicitly (`prettier/plugins/estree`) and `format()` is async — so the codegen throws.

`prettier/parser-typescript` / `parser-graphql` don't even exist in prettier 3 (only `prettier/plugins/*`), so the declared `^2.8.8` was already inconsistent with what runs.

## Fix

- `prettify`: switch to the prettier-3 entrypoints `prettier/plugins/{graphql,typescript,estree}`, `await` the async `format()`, and fall back to the unformatted (still valid) code on any failure so cosmetic formatting can never crash codegen again.
- `RenderContext.toCode` + `clientTasks`: propagate the now-async `prettify` (await the four `toCode` call sites).
- Bump the declared `prettier` dependency `^2.8.8 → ^3.8.3` to match what is actually used (only consumer; minimal lockfile diff).

## Verification (local, source server on :3000)

- `twenty dev --once` now completes: `Registering application → Syncing manifest → Generating API client → ✓ Synced` with the **server staying up**.
- The app integration test passes (full re-sync of 6 metadata objects + `MetadataApiClient`/`CoreApiClient` CRUD through the generated genql runtime).
- `nx build twenty-client-sdk` (incl. `tsgo` typecheck) passes.

Release note: this is a v2.11 blocker — without it, installing/syncing any app crashes the server.
**1e309369bc** chore(deps): upgrade tar to v7, evict vulnerable tar@6.2.1 (CVE-2026-24842) (#21341)

## Summary

Removes all transitive **`tar@6.2.1`** from the dependency tree, resolving [Dependabot alert #400](https://github.com/twentyhq/twenty/security/dependabot/400) ([GHSA-34x7-hfp2-rc4v](https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v) / CVE-2026-24842 — node-tar hardlink path traversal, high/8.2).

The alert had been dismissed as `no_bandwidth`, but `tar@6.2.1` was still in the lockfile. I confirmed **6.2.1 is genuinely exploitable** by running the advisory's PoC (the hardlink escaped the extraction dir to a parent-directory file); `7.5.16` blocks it. There is **no patched 6.x release** — the fix only exists in `7.5.7+`.

## Approach

Upgrade the build tooling that pulled tar v6 to the majors that depend on tar v7, rather than forcing tar onto v6-era consumers:

| Package | Change | Mechanism |
|---|---|---|
| `node-gyp` | 10.2.0 / 7.1.2 / 9.4.1 → **12.4.0** | resolution |
| `cacache` | 18 → **20.0.4** | resolution |
| `make-fetch-happen` | → **15.0.6** | resolution |
| `mintlify` (twenty-docs) | `latest` → **^4.2.594** (`@mintlify/previewing` → tar 7.5.15) | direct dep bump |
| `@electron/rebuild`, `@electron/node-gyp`, `pacote` → `tar` | → **^7.5.16** | scoped resolution |

The last row covers the two subtrees with **no upstream tar-v7 release**: `@electron/rebuild` (+ electron's `node-gyp` fork) in `twenty-companion`, and `pacote@11/15` via `zapier-platform-cli` in `twenty-zapier`.

All `tar` now resolves to **7.5.13 / 7.5.15 / 7.5.16**; `node_modules` verified free of tar v6.

## Validation done

- `yarn install` completes cleanly (constraints pass, only pre-existing `enableScripts: false` + peer-dep warnings).
- Installed `node_modules` contains zero tar v6.

## Validation still needed before merge ⚠️

- The scoped overrides force tar v7 onto packages written for the v6 API. Resolution is consistent, but **runtime not exercised** (`enableScripts: false` skips native builds at install). Please validate:
  - `twenty-companion` electron `make` / native rebuild
  - `twenty-zapier` build/push
  - If either breaks, drop the scoped overrides and accept those two **dev/build-only** clusters as residual — they extract only trusted archives at build time, so the CVE (which needs attacker-controlled input) isn't reachable there.
- `mintlify` is pinned (not `latest`) because `.yarnrc.yml`'s `npmMinimalAgeGate: 3d` quarantines the true latest. Pinning is arguably healthier, but it's a deliberate behavior change.

## Note

twenty-server's own runtime tarball extraction (`extract-tarball-securely.util.ts`) was already on patched tar **and** rejects all hardlink/symlink entries — so this PR addresses the remaining build-tooling exposure, not a live runtime hole.

Large `yarn.lock` churn is expected: the node-gyp/cacache major bumps refresh npm-internals tree-wide.
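The note in the tar commit above points out that twenty-server's own extractor rejects every hardlink and symlink entry, which is what keeps a hardlink path-traversal bug in the tar library from being reachable at runtime. As an added example (not the project's `extract-tarball-securely.util.ts`, whose code is not on this page), here is a minimal Node.js tar-header reader with an entry policy that applies the same defence: reject hardlinks (typeflag `1`), symlinks (typeflag `2`), absolute names and any `..` path component before anything is written to disk. The sample archive is built in memory and is constructed for the example; the `checkEntry` policy is the part one would plug into a real extractor's entry filter (node-tar's extract `filter` option, for instance).

```javascript
// Added example (not code from the twenty repository): a tar entry policy
// that refuses hardlinks, symlinks and path traversal before extraction.

// Build one 512-byte ustar header. Only the fields the reader below uses are
// filled; real archives also carry mode/uid/mtime/checksum.
function ustarHeader(name, typeflag, linkname = '', size = 0) {
  const h = Buffer.alloc(512);
  h.write(name, 0, 100, 'utf8');
  h.write(size.toString(8).padStart(11, '0') + '\0', 124, 12, 'utf8'); // octal size
  h.write(typeflag, 156, 1, 'utf8');
  h.write(linkname, 157, 100, 'utf8');
  h.write('ustar\0', 257, 6, 'utf8');
  return h;
}

// Constructed sample archive: one legitimate regular file followed by three
// entries the policy must reject (hardlink, symlink, traversal name).
const fileData = Buffer.alloc(512); // 2 bytes of content padded to one block
fileData.write('{}', 0, 'utf8');
const SAMPLE_TAR = Buffer.concat([
  ustarHeader('app/config.json', '0', '', 2), fileData,
  ustarHeader('app/link', '1', 'app/config.json'),
  ustarHeader('app/sym', '2', 'outside/target'),
  ustarHeader('../escape.txt', '0'),
  Buffer.alloc(1024), // two zero blocks: end of archive
]);

// Read entry metadata (name, typeflag, linkname, size) from a tar buffer.
function listTarEntries(buf) {
  const entries = [];
  let off = 0;
  const field = (o, len) => buf.toString('utf8', off + o, off + o + len).split('\0')[0];
  while (off + 512 <= buf.length) {
    const name = field(0, 100);
    if (name === '') break; // zero block: end of archive
    const prefix = field(345, 155); // ustar splits long names into prefix + name
    const size = parseInt(field(124, 12).trim() || '0', 8);
    const type = field(156, 1) || '0'; // NUL typeflag means regular file in old tar
    entries.push({ name: prefix ? `${prefix}/${name}` : name, type, linkname: field(157, 100), size });
    off += 512 + Math.ceil(size / 512) * 512; // file data is padded to 512-byte blocks
  }
  return entries;
}

// The policy: no link entries of either kind, and no name that can leave the
// extraction directory. Everything else is a plain file or directory.
const REJECTED_TYPES = { 1: 'hardlink', 2: 'symlink' };

function checkEntry(entry) {
  if (REJECTED_TYPES[entry.type]) return { ok: false, reason: REJECTED_TYPES[entry.type] };
  const parts = entry.name.split('/');
  if (entry.name.startsWith('/') || parts.includes('..')) {
    return { ok: false, reason: 'path escapes extraction directory' };
  }
  return { ok: true };
}

// Apply the policy to every entry; an extractor would write only `accepted`.
function auditTar(buf) {
  const accepted = [];
  const rejected = [];
  for (const entry of listTarEntries(buf)) {
    const verdict = checkEntry(entry);
    if (verdict.ok) accepted.push(entry.name);
    else rejected.push({ name: entry.name, reason: verdict.reason });
  }
  return { accepted, rejected };
}

console.log(auditTar(SAMPLE_TAR));
```

Rejecting every link entry is deliberately coarser than validating link targets: it removes the whole class of link-based escapes (including a link created earlier in the same archive and written through later) rather than relying on the tar library's own checks, which is the stance the commit's note describes.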
**37b986aa4b** security: vendor @genql/cli codegen to drop undici/native-fetch (#21339)

## What

Vendors a narrowed copy of [`@genql/cli@3.0.5`](https://github.com/remorses/genql) (MIT) into `packages/twenty-client-sdk/src/generate/genql/` and repoints the two client generators at it, then removes `@genql/cli` from `twenty-client-sdk`, `twenty-sdk` and `create-twenty-app`.

## Why

`@genql/cli` was used **only** to generate the typed GraphQL client from an SDL string. It is unmaintained and pulls in vulnerable/abandoned transitives — `undici@5` (**30 Dependabot alerts**), `native-fetch`, `listr`, `yargs`, etc. None of these were ever executed by Twenty: the sole consumer of `undici`/`native-fetch` is `@genql/cli`'s live-endpoint schema-introspection path, and Twenty always passes a schema string, never an endpoint. Removing the package eliminates the dependency at the source — for Twenty and for scaffolded end-user apps.

## What changed vs upstream

The vendored copy (`genql/README.md` + `genql/LICENSE`) keeps the `render/` and `runtime/` trees verbatim and narrows the orchestration:

- **Dropped the endpoint/introspection path** (`schema/fetchSchema.ts`) — the only `undici`/`native-fetch`/`qs` consumer.
- **Dropped `listr`** — generation tasks run as plain sequential `async` functions (file contents unchanged).
- **Replaced `fs-extra`/`mkdirp`/`rimraf`** with `node:fs`.
- **Runtime templates are imported as `?raw`** and bundled, instead of read from `node_modules` at generation time.
- **Kept `prettier@^2.8` and `@graphql-tools/*`** so the generated output is byte-for-byte identical.

## Verification

- **Byte-identical output**: regenerating the metadata client from its committed schema produces a recursive-diff-clean result vs the previous `@genql/cli` output (including the copied `runtime/` folder). The core client generates and esbuild-bundles cleanly.
- The public `twenty-client-sdk/generate` barrel API is unchanged (twenty-server / twenty-sdk consumers unaffected).
- `undici@^5`, `native-fetch`, `@genql/cli`, `listr`, `yargs@^15` and `subscriptions-transport-ws@0.9` are gone from `yarn.lock` (net −364 lines).
- `twenty-client-sdk` and `twenty-sdk` typecheck, lint and build; `twenty-client-sdk` tests pass (9/9).

## Notes

- The vendored folder is excluded from `oxlint`/`oxfmt` (it is third-party code, with `@ts-nocheck` on the verbatim renderers, mirroring the generated output).
- Stacks conceptually on #21334 (drops `@genql/runtime`); the two are independent and only overlap trivially in `yarn.lock`. `@genql/runtime` is intentionally left for that PR.
**a0fb157899** fix(sdk): bump inquirer ^10 -> ^14 to drop external-editor/tmp from apps (#21340)

The **central fix** for the `tmp` Dependabot alerts in `packages/twenty-apps/*` — so apps don't each need a per-app `resolutions` entry.

### Root cause

Every app depends on `twenty-sdk`, whose inquirer chain pulls the vulnerable `tmp`:

```
twenty-sdk → inquirer ^10 → @inquirer/prompts 7.x → @inquirer/editor 4.x → external-editor → tmp@0.0.33
```

`@inquirer/editor 5.x` dropped `external-editor` (and thus old `tmp`), and it's only reached via `@inquirer/prompts 8.x`, which requires **inquirer ≥ 13.4.3**. So `^12` isn't enough — bump to **`^14`** (latest):

```
inquirer 14 → @inquirer/prompts 8.5.2 → @inquirer/editor 5.2.2 (no external-editor)
```

### Verified

- The SDK uses the classic `inquirer.prompt([...])` API (uninstall / add / remote commands) — **typechecks cleanly under inquirer 14**.
- After the bump, the SDK's subtree resolves `@inquirer/editor@5.2.2` (the lingering `external-editor` in this repo's lockfile is from *other* consumers — `nx`/`zapier` — handled separately).

### Propagation

Fixes it **once** for every app using the SDK, with no per-app `package.json` additions. Existing `twenty-apps/*` clear their `tmp` alert once a new `twenty-sdk` is published and they bump to it; newly-scaffolded apps are clean immediately. (The root-workspace `tmp` from `nx`/`zapier` is handled by twenty#21338.)
**822beb6a86** chore: force tmp >= 0.2.7 for root dev tooling (nx/zapier) (#21338)

Resolves the **root** `tmp` Dependabot alert (`tmp < 0.2.6`, #1308).

In the root workspace, `tmp` is a transitive dep of `nx` (`~0.2.1`) and `zapier-platform-cli` (exact `0.2.1`) — dev/CLI tooling that **exact-pins old tmp with no fixed parent to upgrade to** (verified: even latest `zapier-platform-cli@15.19.0` still pins `0.2.1`). So it's pinned to the patched **0.2.7** via a root `resolutions` entry — the correct tool for un-dedupe-able transitive pins. Not in the prod image.

### Why the `twenty-apps/*` alerts are not fixed here

Those come from a different source — `twenty-sdk → inquirer ^10 → @inquirer/editor 4.x → external-editor → tmp@0.0.33`. Rather than add a `resolutions` block to every app's `package.json` (which doesn't scale — every newly-scaffolded app would need it), they'll be fixed **centrally** by bumping `inquirer` in `twenty-sdk` (`^10 → ^12`, which reaches `@inquirer/editor 5.x` that dropped external-editor). Separate PR — apps inherit the fix on the next SDK release with no manual additions.
**356cec5f24** security: drop unused @genql/runtime dependency (#21334)

## What

Removes the `@genql/runtime` dependency from `twenty-client-sdk` and `twenty-sdk`. It was declared but **never imported** in source.

## Why

The genql codegen (`@genql/cli` `generate()`) inlines a **fully self-contained runtime** into every generated client — see the committed `twenty-client-sdk/src/metadata/generated/runtime/` (all relative imports) and the generated `index.ts` which imports from `./runtime`, not `@genql/runtime`. So the `@genql/runtime` package was dead weight in the dep graph.

Dropping it prunes its abandoned, vulnerable transitive deps **at the source**:

- `ws@^6` (old)
- `subscriptions-transport-ws@0.9.x`
- `isomorphic-unfetch`
- `zen-observable-ts`
- `graphql-query-batcher`
- `lodash`

None are used by Twenty — the generated client makes plain `fetch` GraphQL requests and has no `ws`-based subscriptions.

## Verification

- `@genql/runtime` is gone from `node_modules` and `yarn.lock` (103 lockfile lines removed); the remaining `subscriptions-transport-ws@0.11.0` is a different, maintained version pulled by an unrelated package.
- `twenty-client-sdk` and `twenty-sdk` typecheck.
- `twenty-client-sdk` unit tests pass (9/9).
- With `@genql/runtime` physically removed from `node_modules`, `generate()` still emits a complete, self-contained client (`index.ts` imports `./runtime`).

## Scope

`@genql/cli` (the codegen, which pulls `undici`) is intentionally **not** touched here — it is still required for client generation and will be addressed separately.
**434f5cbcd2** chore(server): bump @nestjs to 11.1.24 + serve-static 5.0.5 to clear CVEs (#21333)

Bumps `@nestjs` packages to clear the scanner findings they pin on the prod image. All within-major bumps, past the repo's `npmMinimalAgeGate: 3d`.

## Changes

| Package | From → To | Clears |
|---|---|---|
| `@nestjs/common` | 11.1.16 → **11.1.24** | `file-type@21.3.0` → 21.3.4 |
| `@nestjs/core` | ^11.1.18 → **^11.1.24** | (path-to-regexp 8.4.2) |
| `@nestjs/platform-express` | 11.1.16 → **11.1.24** | `path-to-regexp@8.3.0` → 8.4.2 |
| `@nestjs/serve-static` | 5.0.4 → **5.0.5** | `path-to-regexp@8.3.0` → 8.4.2 |
| `@nestjs/testing` | 11.1.16 → **11.1.24** | — |

Verified in the regenerated lockfile: **`file-type@21.3.0` and `path-to-regexp@8.3.0` are gone**. `twenty-server:typecheck` passes locally.

## Not in scope

- **`lodash@4.17.21`** and **`ws@8.16.0`** are pinned by **`@nestjs/graphql@12.1.1`** (and lodash also by `@nestjs/config@3.3.0`). Bumping graphql 12→13 would clear them, but it's blocked by a **316-line custom patch** implementing Twenty's multi-schema scoping (`resolverSchemaScope`, `computeReachableTypes`) welded to 12.1.1's compiled internals — a dedicated effort, not a routine bump. (Twenty uses the Yoga driver, so it's *not* an Apollo migration.)
- `@nestjs/config` 3→4 alone wouldn't clear `lodash` (graphql still pins it), so deferred with the graphql work.
- `path-to-regexp@0.1.12` is express 4.x's own — separate from @nestjs.
**c596a5e342** Rename twenty-ui to twenty-ui-deprecated and twenty-new-ui to twenty-ui to prepare package release (#21315)

## Description

Promotes the next-gen UI library (formerly `twenty-new-ui`) to the name **`twenty-ui`** (v0.1.0, publishable) and renames the old package to **`twenty-ui-deprecated`**. Rewrites ~1,730 `twenty-ui` imports → `twenty-ui-deprecated`, updates all configs/CI/Docker/deps, and migrates twenty-front's `Toggle` to the new package (first consumer) as a drop-in.

## Next steps

- Wire the `ui/v*` publish dispatch (`cd-deploy-tag.yaml` + `.yarnrc.yml`), then tag `ui/v0.1.0` to publish.
- Continue migrating components from `twenty-ui-deprecated` → `twenty-ui`.
**a91e737e69** fix(docker): bump Node 24.16.0 (OpenSSL fix), strip unused cruft, dedupe node-forge (#21322)

Hardens the `prod-twenty` server image. Built `--target twenty-server` and walked it to verify each change.

- **Node 24.15.0 → 24.16.0** (all stages + `.nvmrc`): 24.15.0 links OpenSSL **3.5.5** (CVE-2026-31798), 24.16.0 links **3.5.6** — the proper fix (deleting headers only hid it; the binary still linked the vuln lib).
- **Remove the bundled npm CLI** (`ip-address`): app uses yarn via corepack, never npm; npm still bundles `ip-address@10.1.0` and its latest 10.2.0 is itself unfixed — no upgrade path.
- **Remove vendored `example/` apps** (`passport-microsoft/example` ships a `package-lock.json` for an old Express demo, never installed/run; not in our lockfile).
- **node-forge → 1.4.0** (Critical CVE-2026-33606) via `yarn dedupe` — lockfile-only, no phantom dep, no root resolution.

Verified on the built image: node 24.16.0 / openssl 3.5.6, npm CLI + example dirs absent, node-forge@1.4.0 only.

**Not included (need CI/QA):** real deps pinned inside `@nestjs/*`/`express` (`lodash@4.17.21`, `file-type`, `path-to-regexp`, `ws`, `qs`) need parent bumps or scoped resolutions; standalone `undici@5.29.0` (5→7), `apollo-server-core@3` (EOL), `typeorm`, etc. (`axios` already patched.)
**13e8e26d1c** security: bump uuid 9 → 11 (server, shared, front) (#21326)

Clears the `uuid` "missing buffer bounds check in v3/v5/v6" advisory — patched in **11.1.1**. Bumps `twenty-server`, `twenty-shared`, `twenty-front` from 9 → `^11.1.1`.

### Why 11 and not 13

uuid **11.1.x still ships a CommonJS build**, so jest loads it with **no config changes**. uuid went **ESM-only at v12+**, which would otherwise force `transformIgnorePatterns` workarounds across the jest projects (and broke server/integration/storybook CI on the earlier 13 attempt). 11.1.1 is the actual patched version, so this is the minimal fix.

### Changes

- `uuid` → `^11.1.1` in the three workspaces (lockfile regenerated under hardened mode)
- one test (`useCreateManyRecords.test.tsx`): pin the mocked `v4` to its string-returning overload — uuid's types declare a `Uint8Array` overload that `jest.mocked` resolves to (present in v11 too, unrelated to ESM).

All usages are named imports, so no source migration. typecheck passes (server/shared/front); affected specs pass. **No jest config changes.**
**b7fefe29b7** security: bump serialize-javascript 6 → 7 (RCE) (#21325)

Fixes the **high-severity** `serialize-javascript` RCE advisory (RegExp.flags / Date.prototype.toISOString, patched in **7.0.5**).

- Bumps the direct dep in `twenty-website` `^6.0.2 → ^7.0.5`.
- Only consumer is `src/lib/seo/JsonLd.tsx` (default-export API, unchanged in v7 — the major only drops old Node support).
- `twenty-website` typecheck passes; lockfile regenerated under hardened mode (`--immutable --check-cache` clean).
**f19d8ff7e9** security: bump electron 36 → 39 in twenty-companion (#21327)

Clears the Electron advisory batch (use-after-free, IPC scoping, origin handling, ASAR integrity, …) — patched in **39.8.5+**, resolves to **39.8.10**.

- `twenty-companion` is the standalone desktop companion app (electron-forge; @electron-forge 7.8 supports Electron 39). Main-process code only uses basic `require('electron')` APIs, stable across 36→39.
- Lockfile + manifest only; gate-safe; hardened install clean.

⚠️ **Verification caveat:** there's no CI job that builds/tests twenty-companion, so this isn't exercised by CI, and I couldn't verify runtime locally (electron-forge packaging downloads the ~100MB Electron binary / needs a display, and the repo's `enableScripts: false` skips the binary). **Recommend a manual smoke test** (`yarn make`/`start` in twenty-companion) before relying on the bump.
**7bff4403fc** fix: dedupe root yarn.lock to satisfy hardened immutable install (unblocks danger-js) (#21320)

The root lockfile carries redundant standalone descriptors (`ws@8.21.0`, `postcss@8.5.15`, `nanoid@3.3.12`) left over from the transitive-dep security bump (#21310). Under `enableHardenedMode` + `yarn install --immutable --check-cache` (how CI runs it), these trip `YN0028` — which is currently **failing the danger-js check on every new PR**.

A mutable install merges them into their existing descriptor groups: **2 insertions, 37 deletions, no version changes, no security downgrades**. `yarn install --immutable --check-cache` passes again afterward. This unblocks danger-js across all open PRs.
|
|
27b1d1578c |
security: bump vulnerable transitive dependencies (postcss, fast-xml-parser, react-router, brace-expansion, …) (#21310)
## What
Companion to the direct-dependency security PR (#21309). Bumps **transitive** vulnerable packages via `yarn up -R` (re-resolve to newest within existing ranges). **Lockfile-only — no root `package.json` / resolutions changes.**
### Cleared
| Package | Fix |
|---|---|
| `brace-expansion` | numeric-range / zero-step DoS |
| `follow-redirects` | auth header leak to cross-domain |
| `diff` | ReDoS in parse/applyPatch |
| `@protobufjs/utf8` | overlong UTF-8 decoding |
| `lodash` | — |
## Out of scope
Vulnerable copies that are **exact-pinned by third-party parents**, so they can only be fixed once those parents ship patched versions — they're not direct deps of any workspace, can't be added per-package, and a sibling dependency can't override a parent's exact pin (only a root resolution could, which we're intentionally not adding):
- `postcss` ← `next`, `styled-components`
- `fast-xml-parser` ← `@aws-sdk/xml-builder`
- `undici`, `ws`, `tmp`, `picomatch`, `webpack-dev-server`, `ip-address`, `unhead`, `yeoman-environment`, `@tootallnate/once`, `ajv`, `react-router` (need breaking major bumps or coordinated multi-package updates; mostly dev/build tooling, not shipped runtime)
> Split from the direct-deps PR (#21309) per the agreed split-by-group plan.
|
||
|
|
d2e7dc0e74 |
security: bump vulnerable direct dependencies (axios, next, vitest, qs, dompurify, …) (#21309)
## What
Within-major version bumps of **direct** dependencies to clear a large batch of Dependabot alerts that are breaching (or near) their SLA. No major-version changes — all stay within the current major, so risk is low.
| Package | From → To | Clears |
|---|---|---|
| `axios` | ^1.13.5 → ^1.16.0 | ReDoS, Proxy-Auth leak, proto-pollution gadgets, NO_PROXY bypass, resource DoS (56 alerts) |
| `next` | 16.1.7 → ^16.2.6 | DoS, middleware/proxy bypass, SSRF, cache poisoning, XSS (32 alerts) |
| `vitest` | 4.0.18 → ^4.1.0 | **CRITICAL** — UI server arbitrary file read/exec (#1421) |
| `qs` | ^6.11.2 → ^6.15.2 | `qs.stringify` DoS |
| `dompurify` | 3.3.3 → ^3.4.0 | proto-pollution XSS + FORBID_TAGS / SAFE_FOR_TEMPLATES bypasses |
| `@nestjs/core` | 11.1.16 → ^11.1.18 | improper output neutralization / injection |
| `nodemailer` | 8.0.4 → 8.0.10 | SMTP command injection via CRLF (bumped via root `resolutions`) |
| `path-to-regexp` | ^8.2.0 → ^8.4.0 | ReDoS via multiple wildcards |
| `file-type` | ^21.3.1 → ^21.3.2 | ZIP decompression-bomb DoS |
| `@opentelemetry/exporter-prometheus` | ^0.211.0 → ^0.217.0 | exporter process crash via malformed HTTP request (#1183/#1184) |
## Notes
- Added a `next` root **resolution** so the dev-only `@react-email/preview-server` copy (hard-pinned at `16.0.10`) is also pulled up to the patched `16.2.x` line — otherwise that copy keeps the Next.js alerts open.
- `@opentelemetry/exporter-prometheus` 0.217 pulled `@opentelemetry/sdk-metrics` to 2.7.1 (compatible); `@opentelemetry/api` stays pinned at 1.9.1.
- **Transitive-only** vulnerable packages (undici, tmp, ws, brace-expansion, …) are handled in a **separate PR** per the split-by-group plan.
- Breaking major bumps (electron, uuid, serialize-javascript) and migrations (Apollo Server 3→4, simplemde) are intentionally **out of scope** here.
|
||
|
|
afec1f1332 |
chore(deps): bump @babel/plugin-transform-modules-systemjs to 7.29.7 (CVE-2026-44728) (#21306)
## What
Bumps the transitive dev dependency `@babel/plugin-transform-modules-systemjs` from `7.25.9` → `7.29.7` (lockfile-only).
## Why
Resolves Dependabot alert **#1182** — **GHSA-fv7c-fp4j-7gwp** / **CVE-2026-44728** (high severity):
> `@babel/plugin-transform-modules-systemjs` generates arbitrary code when compiling malicious input.
- Vulnerable range: `>= 7.12.0, <= 7.29.3`
- First patched: `7.29.4`
## How
It's pulled in transitively via `@babel/preset-env` with the range `^7.25.9`, which `7.29.7` satisfies — so **only `yarn.lock` changes**, no `package.json` edits needed. The diff is confined to the `@babel/*` subtree (13 helper packages updated alongside it).
## Notes
- Scope is `development` only.
- The alert is currently marked *dismissed* on the security tab; opening this anyway to actually remove the vulnerable version from the lockfile.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
|
||
|
|
6f9b59b224 |
Scaffold twenty-new-ui (#21236)
Scaffolds `twenty-new-ui`, the next-gen replacement for `twenty-ui`, on **SCSS** Modules + **Base UI** (no Linaria).
- **Tooling**: Vite lib build, subpaths mirror twenty-ui, typed SCSS Modules, Storybook + axe a11y, size-limit, Nx targets.
- **Theme**: single token source → nx generateTheme emits the CSS vars + accessor; parity test asserts token-for-token match with twenty-ui.
Migrated a first `Toggle` component with its stories to allow @charlesBochet to wire the new pixel-diff system.
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
|
||
|
|
d3a1781a59 |
Use serialize-javascript for JSON-LD serialization on twenty-website (#21223)
Our scanner flags the `dangerouslySetInnerHTML` in `JsonLd.tsx` as a potential XSS sink. Since JSON-LD must be emitted as raw `<script type="application/ld+json">` text (rendering it as a React child HTML-entity-escapes it and corrupts the JSON, and the site is statically generated so it must be in the SSG HTML for crawlers), `dangerouslySetInnerHTML` is the correct, Next.js-documented approach (the real fix is sanitizing the payload). This PR swaps our hand-rolled `JSON.stringify().replace(/</g, ...)` for [`serialize-javascript`](https://www.npmjs.com/package/serialize-javascript) in `isJSON` mode, the maintained library [Next.js explicitly recommends](https://nextjs.org/docs/app/guides/json-ld) for this, so the script-unsafe characters are escaped by a vetted serializer rather than custom code. |
||
|
|
f4da7767f8 |
chore: remove Chromatic dependencies and configuration (#21221)
## Summary
- Remove `chromatic` and `@chromatic-com/storybook` devDependencies from
twenty-front
- Remove global `chromatic` Nx target from nx.json and twenty-front
project.json override
- Remove commented Chromatic Storybook addon from twenty-front
- Remove `CHROMATIC_PROJECT_TOKEN` from .env.example
- Update README to remove Chromatic sponsor reference (image was already
missing)
- Update stale Chromatic comment in toSpliced.ts
## Context
Visual regression testing has moved from Chromatic SaaS to self-hosted
Argos at `argos.twenty-internal.com`. These are dead references that are
no longer used by any CI workflow.
**Note:** Story `parameters.chromatic: { disableSnapshot: true }`
entries are intentionally kept — the Argos plugin reads them as a
fallback.
## Test plan
- Verify `yarn install` succeeds after dependency removal
- Verify no workflow references `chromatic` or `nx chromatic`
|
||
|
|
437eed0862 |
fix(messaging): fix reply-quotation stripping that emptied email bodies (#21118)
Some synced messages were stored with empty bodies, others with the entire reply thread re-quoted: planer was stripping entirely quoted forwards down to nothing and not trimming inline reply history at all. Switched plaintext quote stripping to `email-reply-parser`, falling back to the full text when it strips everything so forwards don't end up blank. Kept planer for the HTML path, and normalized body whitespace.
---------
Co-authored-by: prastoin <paul@twenty.com>
|
||
|
|
3d49642d12 |
[AUDIT] Run knip over twenty-server (#21159)
# Introduction
Run [knip](https://knip.dev/) over twenty-server
Used config:
```json
{
  "$schema": "https://unpkg.com/knip@5/schema.json",
  "workspaces": {
    "packages/twenty-server": {
      "entry": [
        "src/main.ts",
        "src/command/command.ts",
        "src/queue-worker/queue-worker.ts",
        "src/database/scripts/setup-db.ts",
        "src/database/scripts/truncate-db.ts",
        "src/database/clickHouse/migrations/run-migrations.ts",
        "src/database/clickHouse/seeds/run-seeds.ts",
        "src/instrument.ts",
        "lingui.config.ts",
        "test/integration/graphql/codegen/index.ts",
        "test/integration/utils/setup-test.ts",
        "test/integration/utils/teardown-test.ts",
        "scripts/**/*.ts",
        "**/*.spec.ts",
        "**/*.integration-spec.ts"
      ],
      "project": ["src/**/*.ts", "test/**/*.ts", "scripts/**/*.ts"],
      "ignore": [
        "src/database/typeorm/**/migrations/**",
        "src/database/typeorm/**/*.entity.ts",
        "**/*.workspace-entity.ts",
        "**/logic-function-resource/constants/seed-project/**"
      ],
      "ignoreDependencies": ["@types/psl", "@types/aws-lambda"],
      "ignoreBinaries": ["nest", "lingui", "typeorm"]
    }
  }
}
```
|
||
|
|
f0be78e629 |
chore(deps-dev): bump prettier from 3.4.2 to 3.8.3 (#21205)
Bumps [prettier](https://github.com/prettier/prettier) from 3.4.2 to 3.8.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/prettier/prettier/releases">prettier's releases</a>.</em></p> <blockquote> <h2>3.8.3</h2> <ul> <li>SCSS: Prevent trailing comma in <code>if()</code> function (<a href="https://redirect.github.com/prettier/prettier/pull/18471">prettier/prettier#18471</a> by <a href="https://github.com/kovsu"><code>@kovsu</code></a>)</li> </ul> <p>🔗 <a href="https://github.com/prettier/prettier/blob/3.8.3/CHANGELOG.md#383">Changelog</a></p> <h2>3.8.2</h2> <ul> <li>Support Angular v21.2</li> </ul> <p>🔗 <a href="https://github.com/prettier/prettier/blob/main/CHANGELOG.md#382">Changelog</a></p> <h2>3.8.1</h2> <ul> <li>Include available <code>printers</code> in plugin type declarations (<a href="https://redirect.github.com/prettier/prettier/pull/18706">#18706</a> by <a href="https://github.com/porada"><code>@porada</code></a>)</li> </ul> <p>🔗 <a href="https://github.com/prettier/prettier/blob/main/CHANGELOG.md#381">Changelog</a></p> <h2>3.8.0</h2> <ul> <li>Support Angular v21.1</li> </ul> <p><a href="https://github.com/prettier/prettier/compare/3.7.4...3.8.0">diff</a></p> <p>🔗 <a href="https://prettier.io/blog/2026/01/14/3.8.0">Release note "Prettier 3.8: Support for Angular v21.1"</a></p> <h2>3.7.4</h2> <h2>What's Changed</h2> <ul> <li>Fix comment in union type gets duplicated by <a href="https://github.com/fisker"><code>@fisker</code></a> in <a href="https://redirect.github.com/prettier/prettier/pull/18393">prettier/prettier#18393</a></li> <li>Fix unstable comment print in union type by <a href="https://github.com/fisker"><code>@fisker</code></a> in <a href="https://redirect.github.com/prettier/prettier/pull/18395">prettier/prettier#18395</a></li> <li>Avoid quote around LWC interpolations by <a href="https://github.com/kovsu"><code>@kovsu</code></a> in <a 
href="https://redirect.github.com/prettier/prettier/pull/18383">prettier/prettier#18383</a></li> </ul> <p>🔗 <a href="https://github.com/prettier/prettier/blob/main/CHANGELOG.md#374">Changelog</a></p> <h2>3.7.3</h2> <h2>What's Changed</h2> <ul> <li>Fix <code>prettier.getFileInfo()</code> change that breaks VSCode extension by <a href="https://github.com/fisker"><code>@fisker</code></a> in <a href="https://redirect.github.com/prettier/prettier/pull/18375">prettier/prettier#18375</a></li> </ul> <p>🔗 <a href="https://github.com/prettier/prettier/blob/main/CHANGELOG.md#373">Changelog</a></p> <h2>3.7.2</h2> <h2>What's Changed</h2> <ul> <li>Fix string print when switching quotes by <a href="https://github.com/fisker"><code>@fisker</code></a> in <a href="https://redirect.github.com/prettier/prettier/pull/18351">prettier/prettier#18351</a></li> <li>Preserve quote for embedded HTML attribute values by <a href="https://github.com/kovsu"><code>@kovsu</code></a> in <a href="https://redirect.github.com/prettier/prettier/pull/18352">prettier/prettier#18352</a></li> <li>Fix comment in empty type literal by <a href="https://github.com/fisker"><code>@fisker</code></a> in <a href="https://redirect.github.com/prettier/prettier/pull/18364">prettier/prettier#18364</a></li> </ul> <p>🔗 <a href="https://github.com/prettier/prettier/blob/main/CHANGELOG.md#372">Changelog</a></p> <h2>3.7.1</h2> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/prettier/prettier/blob/main/CHANGELOG.md">prettier's changelog</a>.</em></p> <blockquote> <h1>3.8.3</h1> <p><a href="https://github.com/prettier/prettier/compare/3.8.2...3.8.3">diff</a></p> <h4>SCSS: Prevent trailing comma in <code>if()</code> function (<a href="https://redirect.github.com/prettier/prettier/pull/18471">#18471</a> by <a href="https://github.com/kovsu"><code>@kovsu</code></a>)</h4> <!-- raw HTML omitted --> <pre lang="scss"><code>// Input $value: if(sass(false): 1; else: -1); <p>// Prettier 3.8.2 $value: if( sass(false): 1; else: -1, );</p> <p>// Prettier 3.8.3 $value: if(sass(false): 1; else: -1); </code></pre></p> <h1>3.8.2</h1> <p><a href="https://github.com/prettier/prettier/compare/3.8.1...3.8.2">diff</a></p> <h4>Angular: Support Angular v21.2 (<a href="https://redirect.github.com/prettier/prettier/pull/18722">#18722</a>, <a href="https://redirect.github.com/prettier/prettier/pull/19034">#19034</a> by <a href="https://github.com/fisker"><code>@fisker</code></a>)</h4> <p>Exhaustive typechecking with <code>@default never;</code></p> <!-- raw HTML omitted --> <pre lang="html"><code><!-- Input --> @switch (foo) { @case (1) {} @default never; } <p><!-- Prettier 3.8.1 --> SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&<a href="https://redirect.github.com/prettier/prettier/issues/64">#64</a>;" HTML entity instead. (3:3)</p> <p><!-- Prettier 3.8.2 --> <a href="https://github.com/switch"><code>@switch</code></a> (foo) { <a href="https://github.com/case"><code>@case</code></a> (1) {} <a href="https://github.com/default"><code>@default</code></a> never; } </code></pre></p> <p><code>arrow function</code> and <code>instanceof</code> expressions.</p> <!-- raw HTML omitted --> <pre lang="html"><code></tr></table> </code></pre> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
fe5337b7d0 |
chore(deps-dev): bump @types/passport-microsoft from 2.1.0 to 2.1.1 (#21204)
Bumps [@types/passport-microsoft](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/passport-microsoft) from 2.1.0 to 2.1.1. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/passport-microsoft">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
f50e471385 |
chore(deps): bump @mantine/hooks from 8.3.15 to 8.3.18 (#21203)
Bumps [@mantine/hooks](https://github.com/mantinedev/mantine/tree/HEAD/packages/@mantine/hooks) from 8.3.15 to 8.3.18. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/mantinedev/mantine/releases">@mantine/hooks's releases</a>.</em></p> <blockquote> <h2>8.3.18</h2> <p>This is the last 8.x release. You are welcome to test 9.0 alpha version and provide feedback before its release on March 31 – <a href="https://alpha.mantine.dev/changelog/9-0-0/">https://alpha.mantine.dev/changelog/9-0-0/</a></p> <ul> <li><code>[@mantine/core]</code> PasswordInput: Fix styles api props not resolving correctly in theme (<a href="https://github.com/mantinedev/mantine/tree/HEAD/packages/@mantine/hooks/issues/8716">#8716</a>)</li> </ul> <h2>8.3.17</h2> <h2>Changes</h2> <ul> <li><code>[@mantine/core]</code> Stepper: Fix Google Translate compatibility issues (<a href="https://github.com/mantinedev/mantine/tree/HEAD/packages/@mantine/hooks/issues/8744">#8744</a>)</li> <li><code>[@mantine/hooks]</code> use-list-state: Add memoization to all handlers (<a href="https://github.com/mantinedev/mantine/tree/HEAD/packages/@mantine/hooks/issues/8739">#8739</a>)</li> </ul> <h2>8.3.16</h2> <h2>What's Changed</h2> <ul> <li><code>[@mantine/modals]</code> Fix <code>onClose</code> being called multiple times (<a href="https://github.com/mantinedev/mantine/tree/HEAD/packages/@mantine/hooks/issues/8727">#8727</a>)</li> <li><code>[@mantine/core]</code> Tooltip: Fix component not throwing error when used with string (<a href="https://github.com/mantinedev/mantine/tree/HEAD/packages/@mantine/hooks/issues/8694">#8694</a>)</li> <li><code>[@mantine/core]</code> NumberInput: Fix incorrect decimal separator parsing in <code>onPaste</code></li> <li><code>[@mantine/core]</code> AppShell: Fix <code>layout="alt"</code> not working with <code>mode="static"</code></li> <li><code>[@mantine/spotlight]</code> Fix actions list being rendered when nothing found message was not set (<a 
href="https://github.com/mantinedev/mantine/tree/HEAD/packages/@mantine/hooks/issues/8592">#8592</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/mantinedev/mantine/compare/8.3.15...8.3.16">https://github.com/mantinedev/mantine/compare/8.3.15...8.3.16</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
e6614299c6 |
feat(ci): integrate Argos visual regression via vitest screenshots (#21210)
## Summary
- Adds `@argos-ci/storybook` vitest plugin to `twenty-ui` for automatic
screenshot capture during vitest storybook tests
- Uploads captured screenshots (PNG, ~5MB) as a CI artifact instead of
passing the full storybook build
- Updates the visual regression dispatch workflow to pass
`mode=argos-screenshots` to ci-privileged, which then uploads
screenshots to Argos via CLI
This replaces the 10-minute Storybook screenshot capture with a ~30s
vitest browser-mode approach. The heavy screenshot work happens on free
public runners, while ci-privileged only handles the Argos API upload
(keeping secrets private).
## Architecture
```
twenty (public, free runners) ci-privileged (private)
───────────────────────────── ────────────────────────
1. Build storybook-static 4. Download screenshots artifact
2. Vitest captures screenshots 5. `argos upload` → Argos API
3. Upload screenshots artifact 6. Poll for results
7. Post PR comment
```
## Test plan
- [x] Verified locally: vitest captures 225 screenshots in ~28s
- [x] Verified `@argos-ci/cli upload` successfully creates Argos build
from captured screenshots
- [x] Argos diffs computed and results visible via API
- [ ] CI runs end-to-end on a PR
|
||
|
|
ccffc4a1ea |
Fix axios related dependabot alerts generated against root yarn.lock (#21187)
Fixes the following Dependabot alerts: https://github.com/twentyhq/twenty/security/dependabot?q=is%3Aopen+package%3Aaxios+manifest%3Ayarn.lock+has%3Apatch Upgraded the referenced version in root yarn.lock. Creating a separate PR for the nested ones to keep the updates isolated (e.g. /seed-dependencies/yarn.lock). |
||
|
|
8c3a93871e |
fix: update yarn.lock after removing dotenv and zod from twenty-sdk (#21174)
## Summary
- Commit
|
||
|
|
1642be86f5 |
Bonapara/twenty codex plugin (#20857)
@martmull v2.0 ;) --------- Co-authored-by: martmull <martmull@hotmail.fr> Co-authored-by: bosiraphael <raphael.bosi@gmail.com> |
||
|
|
7e034f711f |
feat(website): surface partner Categories (partnerScope) in marketplace, drop deploymentExpertise facet (#21127)
## What
Rebinds the marketplace's expertise facet from `deploymentExpertise` (Cloud / Self-host) to **`partnerScope`** — the five partner Categories: Advisory & Discovery · Solutioning · Custom Development · Hosting & Infrastructure · Training & Adoption. Moves the card chip, the profile facts row, the dropdown filter, the `?categories=` URL param, and the API-boundary normalization onto `partnerScope`. The standalone Cloud/Self-host facet is **dropped** (hosting is now the `HOSTING` category), per the harmonization decision.
## Depends on
- The app exposing `partnerScope` — companion app PR #21126.
- The new `partnerScope` options + data migration — signup app PR #21040.
## Tests
TDD red→green on: `filter-partners`, both API normalizers, `filter-url-helpers`, `PartnerCard`, `use-filter-state`. 53/53 pass; typecheck + lint + format clean.
## Merge order (we'll decide)
Independent diff. Suggested last of the four, after the signup PRs (#21039 / #21040) and the app PR (#21126). Run `lingui:extract` once after #21039 merges so the `.po` files don't conflict twice. Deploy the app + migrate before the website ships.
|
||
|
|
6ad6fcce0f |
Bump playwright (#21113)
Playwright installation is infinitely looping in the CI; seems like a global outage. |
||
|
|
6d550611d2 |
chore(deps): bump typescript from 5.9.2 to 5.9.3 (#20991)
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.2 to 5.9.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/microsoft/TypeScript/releases">typescript's releases</a>.</em></p> <blockquote> <h2>TypeScript 5.9.3</h2> <p>Note: this tag was recreated to point at the correct commit. The npm package contained the correct content.</p> <p>For release notes, check out the <a href="https://devblogs.microsoft.com/typescript/announcing-typescript-5-9/">release announcement</a></p> <ul> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.0%22+is%3Aclosed+">fixed issues query for Typescript 5.9.0 (Beta)</a>.</li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.1%22+is%3Aclosed+">fixed issues query for Typescript 5.9.1 (RC)</a>.</li> <li><em>No specific changes for TypeScript 5.9.2 (Stable)</em></li> <li><a href="https://github.com/Microsoft/TypeScript/issues?utf8=%E2%9C%93&q=milestone%3A%22TypeScript+5.9.3%22+is%3Aclosed+">fixed issues query for Typescript 5.9.3 (Stable)</a>.</li> </ul> <p>Downloads are available on:</p> <ul> <li><a href="https://www.npmjs.com/package/typescript">npm</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
64e0b76d00 |
chore(deps): bump js-cookie from 3.0.5 to 3.0.7 (#20992)
Bumps [js-cookie](https://github.com/js-cookie/js-cookie) from 3.0.5 to 3.0.7. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/js-cookie/js-cookie/releases">js-cookie's releases</a>.</em></p> <blockquote> <h2>v3.0.7</h2> <ul> <li>Prevent cookie attribute injection: CVE-2026-46625 (eb3c40e)</li> <li>Add <code>Partitioned</code> attribute to readme (b994768)</li> <li>Publish to npm registry via trusted publisher exclusively (4dc71be)</li> <li>Ensure consistent behaviour for <code>get('name')</code> + <code>get()</code> (1953d30)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6566a918af |
chore(deps): bump @apollo/client from 4.1.6 to 4.2.0 (#20993)
Bumps [@apollo/client](https://github.com/apollographql/apollo-client) from 4.1.6 to 4.2.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/apollographql/apollo-client/releases">@apollo/client's releases</a>.</em></p> <blockquote> <h2><code>@apollo/client</code><a href="https://github.com/4"><code>@4</code></a>.2.0</h2> <h3>Minor Changes</h3> <ul> <li> <p><a href="https://redirect.github.com/apollographql/apollo-client/pull/13132">#13132</a> <a href=" |
||
|
|
c8b9dace72 |
Fix focus in front components inputs (#20961)
Fixes https://github.com/twentyhq/twenty/issues/20714 Fixes keyboard hotkey conflicts when typing inside `<input>` / `<textarea>` elements rendered by Front Components. Editable fields rendered through the component renderer now properly push/pop a focus item onto Twenty's focus stack, disabling global keyboard hotkeys while the user is typing. ## Before https://github.com/user-attachments/assets/2003c2cb-2698-480f-aedf-bb2f30396572 ## After https://github.com/user-attachments/assets/2c7c6cb0-ecd7-4557-a77b-4d1f264345f0 |
||
|
|
dde6df7a26 |
refactor(website): replace axios with native fetch (#20967)
## Summary
Follow-up to #20966 (Stripe fetch client). axios's default Node http adapter on workerd has the same TLS hang the Stripe SDK had — it just doesn't surface today because all three call sites are wrapped in `unstable_cache(revalidate: 3600)` and the cache is populated at build time, so misses are rare and the failure mode is a silent `null` to the layout.
This swaps the three remaining axios calls in `twenty-website` for native `fetch` and removes axios from `packages/twenty-website/package.json`. The package is still used by other workspaces, so yarn.lock keeps the other resolution.
Touched call sites:
- `src/lib/releases/fetch-latest-release-tag.ts` (GitHub releases — runs at build time, cosmetic)
- `src/lib/community/fetch-github-star-count.ts` (GitHub star count in menu)
- `src/lib/community/fetch-discord-member-count.ts` (Discord member count in menu)
## Test plan
- [ ] After merge + deploy: confirm GitHub star + Discord member counts render in the site menu (non-zero, formatted)
- [ ] Confirm `/releases` shows the latest tag-gated visible release notes
- [ ] No `axios` in worker bundle (`grep axios .open-next/worker.js` should be empty)
|
||
|
|
e72d10f550 |
chore(security): bump esbuild to ^0.28.0 to clear CVE-2025-68121 (CVSS 10.0) (#20902)
## Summary
Follow-up to #20876. That PR bumped `esbuild` to `^0.27.3` to address the Go-stdlib CVEs the self-hoster reported, but only one of the two Go CVEs is actually fixed at that level. This PR closes the remaining gap.
### Why 0.27.3 wasn't enough
`esbuild` ships a Go-built binary inside the `@esbuild/<platform>` packages. The vulnerability lives in the bundled Go toolchain, not in any JavaScript. Verified by reading the Go `buildinfo` section from `node_modules/@esbuild/<platform>/bin/esbuild`:
- `esbuild@0.27.7` → built with **Go 1.23.8**
- `esbuild@0.28.0` → built with **Go 1.26.1**
CVE-2024-24790 (IPv6 zone parsing) is fixed in Go 1.21.11 / 1.22.4, so 0.27.x covers it. **CVE-2025-68121** (crypto/tls cert validation bypass via TLS session resumption, **CVSS 10.0 / Critical** per [NVD](https://nvd.nist.gov/vuln/detail/cve-2025-68121)) is fixed only in Go 1.24.13, 1.25.7, and 1.26.0-rc.3+. Go 1.23.x is past Go's support window and will not receive this fix. So `esbuild@0.27.x` still ships a Go binary that Trivy correctly flags as vulnerable.
### Reachable risk in Twenty
Low. `esbuild` does not use `crypto/tls` at runtime — it reads files, parses, transforms, and writes. The vulnerable code path is dead code inside the binary, present but never executed. The scan finding is what we are clearing, not an exploitation risk.
### Fix
Bump `twenty-client-sdk`'s `esbuild` from `^0.27.3` to `^0.28.0` (resolves to 0.28.0, built with Go 1.26.1).
### Verification
Ran `yarn workspaces focus --production twenty twenty-server twenty-emails twenty-shared twenty-client-sdk` (the same install the Dockerfile uses) and confirmed:
- `node_modules/esbuild/` resolves to `esbuild@0.28.0` (single copy)
- The bundled `node_modules/@esbuild/<platform>/bin/esbuild` binary reports `go1.26.1` in its `buildinfo`
## Test plan
- [x] `nx typecheck twenty-server` passes
- [x] `nx build twenty-client-sdk` passes (esbuild's `build()` API is stable across 0.27 → 0.28)
- [x] Production focus install shows Go 1.26.1 in the shipped binary
- [ ] CI green
- [ ] Re-run Trivy against the resulting image; confirm CVE-2025-68121 no longer appears
|
||
|
|
be39702fd2 |
chore(security): bump protobufjs and esbuild to clear CVEs (#20876)
## Summary
A self-hoster reported that Trivy blocks the `twentycrm/twenty:v2.7.x` image on three fixed-critical CVEs. The reachable risk is low (none of the vulnerable code paths are exposed to attacker-controlled input in our deployment), but the findings are real and easy to clear by bumping the affected dependencies in their owning workspaces.
### CVE-2026-41242 — `protobufjs` < 7.5.5
Pulled transitively into the production image via `@opentelemetry/sdk-node`, `@opentelemetry/auto-instrumentations-node`, and `@grpc/grpc-js` → `@grpc/proto-loader`. Lockfile was on 7.5.3; this matches dismissed dependabot alert #1009 (Critical 9.4).
**Fix:** add `protobufjs: ^7.5.5` as a direct dep of `twenty-server` (the workspace that exercises it via the OpenTelemetry gRPC exporters) and run `yarn dedupe protobufjs` to collapse the residual transitive 7.5.3 copy. Resolves to 7.6.0.
### CVE-2024-24790 and CVE-2025-68121 — Go stdlib in bundled binaries
Present in the Go-built `bin/esbuild` shipped by `@esbuild/<platform>` packages. Two paths put esbuild into the production image:
1. `twenty-client-sdk` declares `esbuild` as a runtime dep (used by its `./generate` entry point).
2. `twenty-server` had `@lingui/vite-plugin` in `dependencies`, which pulls `@lingui/cli` as a runtime sub-dep, which bundles `esbuild@0.21.5` nested under `node_modules/@lingui/cli/node_modules/esbuild/`.
**Fix:**
- Bump `twenty-client-sdk`'s `esbuild` from `^0.25.0` to `^0.27.3` (resolves to 0.27.7, built with patched Go).
- Move `@lingui/vite-plugin` from `dependencies` to `devDependencies` in `twenty-server`. The plugin is not imported by any source file — it was misclassified.
### Verification
Ran `yarn workspaces focus --production twenty twenty-server twenty-emails twenty-shared twenty-client-sdk` (the same command the Dockerfile uses) and inventoried the resulting `node_modules`. After all three changes:
- `node_modules/esbuild/` → **0.27.7 only** (Go-patched)
- `node_modules/protobufjs/` → **7.6.0 only** (CVE-patched)
No nested copies of either package remain in the production install.
### Follow-up worth tracking separately
`esbuild` should arguably not be in `twenty-client-sdk`'s `dependencies` at all — only the `./generate` entry point uses it, and the server never imports that entry. Moving it to optional `peerDependencies` would stop shipping a Go binary into the production image entirely. Out of scope for this PR.
## Test plan
- [x] `yarn install` succeeds; `protobufjs` and `esbuild` each resolve to a single version in production focus
- [x] `nx build twenty-client-sdk` passes
- [x] `nx typecheck twenty-server` passes
- [x] `nx build twenty-server` passes
- [x] Production focus install confirmed clean (`node_modules/esbuild` and `node_modules/protobufjs` both single-version, both patched)
- [ ] CI green
- [ ] Re-run Trivy against the resulting image; confirm the three CVEs no longer appear
|
||
|
|
323e66433e |
lint: migrate prettier to oxfmt (#20783)
Most changes are `implements` being unwrapped; this is not an oxfmt regression. Prettier 3.7 (we're on 3.1) changed this behaviour: Prettier blog [post](https://prettier.io/blog/2025/11/27/3.7.0#change-18094). This unifies our linting tooling.
---------
Co-authored-by: github-actions <github-actions@twenty.com>
Co-authored-by: Charles Bochet <charles@twenty.com>
|
||
|
|
a6a08439f7 |
chore(deps): bump @xmldom/xmldom to 0.8.13 (security) (#20798)
## Summary

- Re-resolves the transitive `@xmldom/xmldom` dependency to `0.8.13` to fix four high-severity Dependabot alerts.
- yarn.lock-only change: all four upstream consumers (`@node-saml/node-saml`, `plist`, `xml-crypto`, `xml-encryption`) accept `^0.8.x`, so the previous `0.8.10` / `0.8.11` entries collapse onto a single `0.8.13` resolution. No `package.json` change needed.

## Alerts fixed

- XML node injection through unvalidated comment serialization (high)
- XML node injection through unvalidated processing instruction serialization (high)
- XML injection through unvalidated DocumentType serialization (high)
- Uncontrolled recursion in XML serialization leads to DoS (high)

All four advisories are patched in `0.8.13`, the latest release in the `0.8.x` line. |
||
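Added example, not code from the twenty repository or from either of the two security commits above: a small POSIX shell audit that performs the checks those commits describe, namely the post-install inventory of every installed copy of `esbuild` and `protobufjs` (including copies nested under another package's `node_modules`, which is where the stale `esbuild@0.21.5` was hiding) and the "single resolution at or above the patched version" check for `@xmldom/xmldom` in `yarn.lock`. The fixture tree and trimmed lockfile that `make_fixture` writes are constructed to mirror the "before" state the first commit describes; the function names, the `version_ge` comparison and the `check_min` verdict format are this example's own.

```shell
#!/bin/sh
# Constructed audit helpers (not from the twenty repo). Package names and versions
# below are example values only.

# version_ge A B: exit 0 when dotted version A >= B (prerelease suffix ignored).
version_ge() {
  lhs=${1%%-*}; rhs=${2%%-*}
  while [ -n "$lhs" ] || [ -n "$rhs" ]; do
    l=${lhs%%.*}; r=${rhs%%.*}
    if [ "$lhs" = "$l" ]; then lhs=''; else lhs=${lhs#*.}; fi   # drop consumed component
    if [ "$rhs" = "$r" ]; then rhs=''; else rhs=${rhs#*.}; fi
    if [ "${l:-0}" -gt "${r:-0}" ]; then return 0
    elif [ "${l:-0}" -lt "${r:-0}" ]; then return 1; fi
  done
  return 0
}

# tree_versions ROOT PKG: print "version path" for every installed copy of PKG
# below ROOT (the project dir, not node_modules), nested copies included.
tree_versions() {
  find "$1" -path "*/node_modules/$2/package.json" 2>/dev/null | sort |
  while IFS= read -r pj; do
    v=$(sed -n 's/.*"version" *: *"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
    printf '%s %s\n' "${v:-unknown}" "${pj%/package.json}"
  done
}

# lock_versions LOCKFILE PKG: distinct resolved versions of PKG in a yarn lockfile
# (berry "version: x" and classic 'version "x"' entry styles both handled).
lock_versions() {
  awk -v pkg="$2" '
    /^[^ \t#]/ { inpkg = (index($0, "\"" pkg "@") == 1 || index($0, pkg "@") == 1) }
    inpkg && /^[ \t]+version[: ]/ { gsub(/"/, "", $2); print $2 }
  ' "$1" | sort -u
}

# check_min MIN: read "version [path]" lines on stdin, print a verdict per line and
# exit 1 if any copy is older than MIN or has no parseable version.
check_min() {
  rc=0; seen=0
  while read -r v rest; do
    seen=1
    case $v in [0-9]*) ;; *) printf 'STALE %s %s\n' "$v" "$rest"; rc=1; continue;; esac
    if version_ge "$v" "$1"; then printf 'ok    %s %s\n' "$v" "$rest"
    else printf 'STALE %s %s\n' "$v" "$rest"; rc=1; fi
  done
  [ "$seen" -eq 1 ] || echo "none  (no copies of the package found)"
  return $rc
}

# make_fixture DIR: constructed production-focus tree with a top-level esbuild 0.27.7,
# a stale nested esbuild 0.21.5 under @lingui/cli, protobufjs 7.6.0, and a trimmed
# berry-style yarn.lock. Example data only, not copied from the real repo.
make_fixture() {
  for spec in esbuild=0.27.7 @lingui/cli/node_modules/esbuild=0.21.5 protobufjs=7.6.0; do
    p=${spec%=*}
    mkdir -p "$1/node_modules/$p"
    printf '{\n  "name": "%s",\n  "version": "%s"\n}\n' "${p##*/}" "${spec#*=}" \
      > "$1/node_modules/$p/package.json"
  done
  cat > "$1/yarn.lock" <<'EOF'
"@esbuild/linux-x64@npm:0.27.7":
  version: 0.27.7

"@xmldom/xmldom@npm:^0.8.10, @xmldom/xmldom@npm:^0.8.8":
  version: 0.8.13

"esbuild@npm:^0.21.3":
  version: 0.21.5

"esbuild@npm:^0.27.3":
  version: 0.27.7
EOF
}

# Demo against the constructed fixture; on a real checkout run the same three
# pipelines from the repo root after the production focus install.
tmp=$(mktemp -d) && make_fixture "$tmp"
echo "== esbuild copies under node_modules (min 0.27.3)"
tree_versions "$tmp" esbuild | check_min 0.27.3 || echo "-> a stale nested copy is still shipped"
echo "== protobufjs copies (min 7.5.5)"
tree_versions "$tmp" protobufjs | check_min 7.5.5 || echo "-> stale protobufjs present"
echo "== @xmldom/xmldom resolutions in yarn.lock (min 0.8.13)"
lock_versions "$tmp/yarn.lock" @xmldom/xmldom | check_min 0.8.13 || echo "-> unpatched resolution in lockfile"
rm -rf "$tmp"
```

`tree_versions` is the post-install check (it finds the `@lingui/cli/node_modules/esbuild` copy that a top-level `ls node_modules/esbuild` misses); `lock_versions` is the pre-install check for a lockfile-only bump like the xmldom one, where the goal is exactly one resolved version. Checking the `esbuild` wrapper package is enough to know which Go-built binary ships, since it pins its `@esbuild/<platform>` packages to its own exact version. This is a quick sanity check on what is installed, not a replacement for re-running Trivy on the built image.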
|
|
b792f7654b |
chore(deps): bump tinyglobby from 0.2.15 to 0.2.16 (#20788)
Bumps [tinyglobby](https://github.com/SuperchupuDev/tinyglobby) from 0.2.15 to 0.2.16. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/SuperchupuDev/tinyglobby/releases">tinyglobby's releases</a>.</em></p> <blockquote> <h2>0.2.16</h2> <h2>Fixed</h2> <ul> <li>Upgraded <code>picomatch</code> to 4.0.4, mitigating any potential exposure to <a href="https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj">CVE-2026-33671</a> and <a href="https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p">CVE-2026-33672</a></li> </ul> <h2>Changed</h2> <ul> <li>Overhauled and optimized most internals by <a href="https://github.com/Torathion"><code>@Torathion</code></a></li> <li>Ignore patterns are no longer compiled twice by <a href="https://github.com/webpro"><code>@webpro</code></a></li> </ul> <p>Consider <a href="https://github.com/sponsors/SuperchupuDev">sponsoring</a> if you'd like to support the development of this project and the goal of reaching a lighter and faster ecosystem</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/SuperchupuDev/tinyglobby/blob/main/CHANGELOG.md">tinyglobby's changelog</a>.</em></p> <blockquote> <h3><a href="https://github.com/SuperchupuDev/tinyglobby/compare/0.2.15...0.2.16">0.2.16</a></h3> <h4>Fixed</h4> <ul> <li>Upgraded <code>picomatch</code> to 4.0.4, mitigating any potential exposure to <a href="https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj">CVE-2026-33671</a> and <a href="https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p">CVE-2026-33672</a></li> </ul> <h4>Changed</h4> <ul> <li>Overhauled and optimized most internals by <a href="https://github.com/Torathion">Torathion</a></li> <li>Ignore patterns are no longer compiled twice by <a href="https://github.com/webpro">webpro</a></li> </ul> </blockquote> </details> <details> 
<summary>Commits</summary> <ul> <li><a href=" |
||
|
|
42ad3cbd1a |
chore(deps): bump linkify-react from 4.3.2 to 4.3.3 (#20789)
Bumps [linkify-react](https://github.com/nfrasser/linkifyjs/tree/HEAD/packages/linkify-react) from 4.3.2 to 4.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nfrasser/linkifyjs/releases">linkify-react's releases</a>.</em></p> <blockquote> <h2>v4.3.3</h2> <h2>What's Changed</h2> <ul> <li>Fix parsing bugs with some special encoded URLs</li> <li>Parsed emails should not include port numbers</li> <li>Exact version requirement for interfaces and plugins to avoid incompatibility issues with older versions of linkify core</li> <li>Support for jQuery 4</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nfrasser/linkifyjs/compare/v4.3.2...v4.3.3">https://github.com/nfrasser/linkifyjs/compare/v4.3.2...v4.3.3</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/nfrasser/linkifyjs/blob/main/CHANGELOG.md">linkify-react's changelog</a>.</em></p> <blockquote> <h2>v4.3.3</h2> <ul> <li>Fix parsing bugs with some special encoded URLs</li> <li>Parsed emails should not include port numbers</li> <li>Exact version requirement for interfaces and plugins to avoid incompatibility issues with older versions of linkify core</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
e1378dd4cf |
chore(deps): bump @azure/msal-node from 3.8.4 to 3.8.10 (#20787)
Bumps [@azure/msal-node](https://github.com/AzureAD/microsoft-authentication-library-for-js) from 3.8.4 to 3.8.10. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/AzureAD/microsoft-authentication-library-for-js/releases">@azure/msal-node's releases</a>.</em></p> <blockquote> <h2><code>@azure/msal-node</code> v3.8.10</h2> <h2>3.8.10</h2> <p>Wed, 18 Mar 2026 20:48:29 GMT</p> <h3>Patches</h3> <ul> <li>Bump <code>@azure/msal-common</code> to v15.17.0 (beachball)</li> <li>Bump eslint-config-msal to v0.0.0 (beachball)</li> <li>Bump rollup-msal to v0.0.0 (beachball)</li> </ul> <h2><code>@azure/msal-node</code> v3.8.9</h2> <h2>3.8.9</h2> <p>Fri, 13 Mar 2026 04:32:07 GMT</p> <h3>Patches</h3> <ul> <li>Bump <code>@azure/msal-common</code> to v15.16.1 (beachball)</li> <li>Bump eslint-config-msal to v0.0.0 (beachball)</li> <li>Bump rollup-msal to v0.0.0 (beachball)</li> </ul> <h2><code>@azure/msal-node</code> v3.8.8</h2> <h2>3.8.8</h2> <p>Mon, 23 Feb 2026 16:28:24 GMT</p> <h3>Patches</h3> <ul> <li>Bump <code>@azure/msal-common</code> to v15.15.0 (beachball)</li> <li>Bump eslint-config-msal to v0.0.0 (beachball)</li> <li>Bump rollup-msal to v0.0.0 (beachball)</li> </ul> <h2><code>@azure/msal-node</code> v3.8.7</h2> <h2>3.8.7</h2> <p>Tue, 10 Feb 2026 22:19:29 GMT</p> <h3>Patches</h3> <ul> <li>Bump <code>@azure/msal-common</code> to v15.14.2 (beachball)</li> <li>Bump eslint-config-msal to v0.0.0 (beachball)</li> <li>Bump rollup-msal to v0.0.0 (beachball)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |