mirror of
https://github.com/twentyhq/twenty.git
synced 2026-06-12 01:46:39 -04:00
## What

The standalone apps under `packages/twenty-apps/*` each ship **their own `yarn.lock`** (they're not part of the root workspace). Three of them still pinned the vulnerable transitive `vite@7.3.1`:

- `examples/hello-world`
- `examples/postcard`
- `internal/call-recording`

`vite <= 7.3.1` is affected by three advisories, all first patched in **7.3.2**:

| Advisory | Summary | Open Dependabot alerts |
|----------|---------|------------------------|
| [GHSA-v2wj-q39q-566r](https://github.com/advisories/GHSA-v2wj-q39q-566r) (CVE-2026-39364) | `server.fs.deny` bypassed with queries | #894, #892, #891 |
| [GHSA-4w7w-66w2-5vf9](https://github.com/advisories/GHSA-4w7w-66w2-5vf9) | Path traversal in optimized-deps `.map` handling | #901, #899, #898 |
| [GHSA-p9ff-h696-f583](https://github.com/advisories/GHSA-p9ff-h696-f583) | Arbitrary file read via dev-server WebSocket | #908, #906, #905 |

The root `yarn.lock` was already remediated separately (vite 7.3.2 / 8.0.16); these three sub-package lockfiles were the only ones still flagged open.

## How

Ran `yarn up -R vite` per app to re-resolve vite within the existing range; it lands on **7.3.5**.

## Scope

- **Lockfile-only**, 3 apps. No `package.json` changes.
- Each lockfile diff is 3 lines (version / resolution / checksum).
- Verified no vite resolution below the patched thresholds remains anywhere in the repo.
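The last Scope item above, checking that no lockfile still resolves vite below the patched version, can be scripted; the following is an added example, not code from the Twenty repository or the commit author. It assumes the Yarn Berry lockfile layout (`version:` lines under quoted descriptor keys) and uses only the 7.3.2 threshold stated in the message; `isBelow`, `findVulnerableVite`, `scanRepo` and the sample lockfile are hypothetical names and constructed data.

```javascript
// Added example (not from the Twenty repo): find vite resolutions below the
// patched version in Yarn Berry lockfiles. Helper names are hypothetical.
const PATCHED = "7.3.2"; // from the commit message: "first patched in 7.3.2"
// True when `version` sorts below `patched`; a prerelease of the same core counts as below.
function isBelow(version, patched) {
  const dash = version.indexOf("-");
  const core = dash === -1 ? version : version.slice(0, dash);
  const a = core.split(".").map(Number);
  const b = patched.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return dash !== -1;
}

// Walk lockfile text entry by entry; only keys with a descriptor starting with
// "vite@" count, so vite-node or @vitejs/* entries are not mistaken for vite.
function findVulnerableVite(lockText, patched = PATCHED) {
  const hits = [];
  let key = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      const k = line.slice(0, -1).replace(/^"|"$/g, "");
      key = k.split(", ").some((d) => d.startsWith("vite@")) ? k : null;
    } else if (key) {
      const m = line.match(/^  version: "?([^"\s]+)"?$/);
      if (m && isBelow(m[1], patched)) hits.push({ descriptors: key, version: m[1] });
    }
  }
  return hits;
}

// Scan every yarn.lock under `root` (each standalone app ships its own). Needs Node 18.17+.
async function scanRepo(root) {
  const fs = await import("node:fs");
  const report = {};
  for (const rel of fs.readdirSync(root, { recursive: true })) {
    if (!/(^|[\\/])yarn\.lock$/.test(rel) || /node_modules/.test(rel)) continue;
    const hits = findVulnerableVite(fs.readFileSync(`${root}/${rel}`, "utf8"));
    if (hits.length) report[rel] = hits;
  }
  return report;
}

// Constructed sample: a look-alike package, one vulnerable entry, one patched entry.
const SAMPLE_LOCK = [
  '"vite-node@npm:^3.0.0":', "  version: 3.0.0", "",
  '"vite@npm:^7.0.0":', "  version: 7.3.1", '  resolution: "vite@npm:7.3.1"', "",
  '"vite@npm:^7.3.2":', "  version: 7.3.5", '  resolution: "vite@npm:7.3.5"',
].join("\n");
console.log(findVulnerableVite(SAMPLE_LOCK));
```

Call `scanRepo("packages/twenty-apps")` from the repository root; an empty object means no lockfile under that directory resolves vite below 7.3.2.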
# Postcard App — Twenty App Example
A rich example app showcasing all Twenty app entity types. Use this as a reference when building your own apps.
## What's included
This app demonstrates every entity type available in the Twenty SDK:
| Entity | Files | What it shows |
|---|---|---|
| Application | src/application.config.ts | App metadata, application variables, server variables |
| Objects | src/objects/ | Custom objects with inline fields, junction tables |
| Fields | src/fields/ | Standalone fields, relations (ONE_TO_MANY, MANY_TO_ONE), extending standard objects |
| Logic Functions | src/logic-functions/ | HTTP routes, database event triggers, cron schedules, tool functions, install hooks |
| Front Components | src/components/ | React components rendered inside Twenty's UI |
| Roles | src/roles/ | Permission roles with object and field-level access control |
| Views | src/views/ | Saved table views with column configuration |
| Navigation | src/navigation-menu-items/ | Sidebar links targeting views |
| Skills | src/skills/ | AI skill providing context to agents |
| Agents | src/agents/ | AI agent with a system prompt |
| Page Layouts | src/page-layouts/ | Custom record page with a front component widget |
## Getting started

```bash
# From this directory
yarn install
yarn twenty dev
```