mirror/twenty
1
0
Fork 0
mirror of https://github.com/twentyhq/twenty.git synced 2026-06-12 01:46:39 -04:00
Code Issues Packages Projects Releases Wiki Activity
12,649 Commits 888 Branches 459 Tags
503c689f37de6dcd7270207d1ecf4bb1efa68b43
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Charles Bochet 503c689f37 security: upgrade typeorm to 0.3.26 (CVE-2025-60542) (#21456) 
## Context

Retry of the typeorm upgrade that was pulled out of #21448 after CI
showed "intermittently lossy metadata sync". **The investigation
exonerated typeorm**: the postcard/seed failures were a pre-existing bug
in `@ptc-org/nestjs-query-typeorm`'s batched relation paging (global
LIMIT across parents) that scan-order luck had been hiding — reproduced
byte-for-byte on typeorm **0.3.20** against a frozen repro DB. That bug
is fixed in #21455, which this PR is stacked on (base branch =
`charles/fix-nestjs-query-batch-relation-paging`; will retarget to main
when it merges).

## Changes

- typeorm `0.3.20` → `0.3.26`
([CVE-2025-60542](https://github.com/advisories/GHSA-q2pj-6v73-8rgj),
MEDIUM). The CVE lives in TypeORM's MySQL path
(`sqlstring`/`stringifyObjects`); Postgres-only Twenty never exercises
it — this is scanner hygiene + staying current.
- The local yarn patch (`PickKeysByType` + `DeleteResult.generatedMaps`)
applies **verbatim** to 0.3.26 (verified against the pristine tarball) —
renamed to `typeorm+0.3.26.patch`.
- `WorkspaceRepository.query` restricted override adapted to the generic
`query<T = any>()` base signature introduced in 0.3.24 (one-line change,
still throws `RAW_SQL_NOT_ALLOWED`).
- 0.3.26 ships `uuid ^11` natively → the scoped `typeorm/uuid`
resolution from #21441 and its `//resolutions` comment clause (including
the now-disproven "lossy sync" warning) are removed.

## Why we're confident this time

The original failure signature was fully understood, not just retried:
- On a frozen failing DB, **all fieldMetadata rows + workspace columns
were intact** — only the batched metadata API read was truncated (`LIMIT
501` over 558 rows, no ORDER BY).
- Same DB, typeorm 0.3.20: identical truncation, identical SQL → not a
typeorm regression.
- With #21455 applied: postcard install/uninstall stress loop **12/12
green on typeorm 0.3.26** (previously failed within 1–2 iterations), API
returns 558/558 fields.

## Verification

- `npx nx typecheck twenty-server` — clean
- Full `twenty-server` unit suite — green (5651 passed)
- `group-by-resolver` integration suite — 19/19 on a fresh 0.3.26-seeded
test DB
- Postcard app-sync stress loop — 12/12 on this exact stack
- Lockfile: typeorm 0.3.26 + new `sql-highlight` dep, `esbuild`/uuid
entries untouched
2026-06-11 16:41:22 +02:00
.cursor
chore(website): rename twenty-website-new → twenty-website (#20745)
2026-05-19 23:42:09 +02:00
.github
Rename twenty-ui to twenty-ui-deprecated and twenty-new-ui to twenty-ui to prepare package release (#21315)
2026-06-08 18:12:28 +02:00
.vscode
chore(website): rename twenty-website-new → twenty-website (#20745)
2026-05-19 23:42:09 +02:00
.yarn
fix(metadata): nestjs-query batched relation queries truncate results across parents (#21455)
2026-06-11 16:39:14 +02:00
packages
security: upgrade typeorm to 0.3.26 (CVE-2025-60542) (#21456)
2026-06-11 16:41:22 +02:00
.dockerignore
Scaffold light twenty app dev container (#18734)
2026-03-18 20:10:54 +01:00
.gitattributes
Consolidate Prettier config and improve consistency (#15191)
2025-10-18 12:24:35 +02:00
.gitignore
feat(ci): integrate Argos visual regression via vitest screenshots (#21210)
2026-06-04 08:46:37 +02:00
.mcp.json
Fix AI chat re-renders and refactored code (#18585)
2026-03-21 12:52:21 +00:00
.nvmrc
fix(docker): bump Node 24.16.0 (OpenSSL fix), strip unused cruft, dedupe node-forge (#21322)
2026-06-08 18:03:21 +02:00
.oxfmtrc.jsonc
lint: migrate prettier to oxfmt (#20783)
2026-05-22 00:21:33 +02:00
.yarnrc.yml
i18n - translations (#20801)
2026-05-21 13:35:35 +02:00
CLAUDE.md
chore(website): rename twenty-website-new → twenty-website (#20745)
2026-05-19 23:42:09 +02:00
DESIGN.md
feat(website): surface partner Categories (partnerScope) in marketplace, drop deploymentExpertise facet (#21127)
2026-06-02 10:32:54 +00:00
jest.preset.js
Move tools/eslint-rules to packages/twenty-eslint-rules (#17203)
2026-01-17 07:37:17 +01:00
LICENSE
feat(sso): allow to use OIDC and SAML (#7246)
2024-10-21 20:07:08 +02:00
nx.json
Migrate twenty UI (#21407)
2026-06-11 11:02:28 +02:00
package.json
security: upgrade typeorm to 0.3.26 (CVE-2025-60542) (#21456)
2026-06-11 16:41:22 +02:00
PRODUCT.md
feat(website): surface partner Categories (partnerScope) in marketplace, drop deploymentExpertise facet (#21127)
2026-06-02 10:32:54 +00:00
README.md
fix: add missing space in README heading (#21271)
2026-06-06 10:41:16 +02:00
tsconfig.base.json
Revert "[hacktoberfest] feat: add fireflies" (#15589)
2025-11-04 12:25:23 +01:00
yarn.config.cjs
[ENHC] Create Yarn constraints to validate node version (#10542)
2025-02-27 15:18:07 +01:00
yarn.lock
security: upgrade typeorm to 0.3.26 (CVE-2025-60542) (#21456)
2026-06-11 16:41:22 +02:00

README.md

Twenty logo

The #1 Open-Source CRM

Website · Documentation · Roadmap · Discord · Figma

Twenty banner


Why Twenty

Twenty gives technical teams the building blocks for a custom CRM that meets complex business needs and quickly adapts as the business evolves. Twenty is the CRM you build, ship, and version like the rest of your stack.

Learn more about why we built Twenty


Installation

Cloud

The fastest way to get started. Sign up at twenty.com and spin up a workspace in under a minute, with no infrastructure to manage and always up to date.

Build an app

Scaffold a new app with the Twenty CLI:

npx create-twenty-app my-app

Define objects, fields, and views as code:

import { defineObject, FieldType } from 'twenty-sdk/define';

export default defineObject({
  nameSingular: 'deal',
  namePlural: 'deals',
  labelSingular: 'Deal',
  labelPlural: 'Deals',
  fields: [
    { name: 'name', label: 'Name', type: FieldType.TEXT },
    { name: 'amount', label: 'Amount', type: FieldType.CURRENCY },
    { name: 'closeDate', label: 'Close Date', type: FieldType.DATE_TIME },
  ],
});

Then ship it to your workspace:

npx twenty app:publish --private

See the app development guide for objects, views, agents, and logic functions.

Self-hosting

Run Twenty on your own infrastructure with Docker Compose, or contribute locally via the local setup guide.



Everything you need

Twenty gives you the building blocks of a modern CRM (objects, views, workflows, and agents) and lets you extend them as code. Here's a tour of what's in the box.

Want to go deeper? Read the User Guide for product walkthroughs, or the Documentation for developer reference.

Create your apps

Learn more about apps in doc

 Stay on top with version control

Learn more about version control in doc
All the tools you need to build anything

Learn more about primitives in doc

 Customize your layouts

Learn more about layouts in doc
AI agents and chats

Learn more about AI in doc

 Plus all the tools of a good CRM

Learn more about CRM features in doc

Stack

Thanks

Greptile      Sentry      Crowdin

Thanks to these amazing services that we use and recommend for code review (Greptile), catching bugs (Sentry) and translating (Crowdin).

Join the Community

Star the repo · Discord · Feature requests · Releases · X · LinkedIn · Crowdin · Contribute

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme AGPL-3.0 1.8 GiB
Languages
TypeScript 78.3%
MDX 18.2%
JavaScript 3%
Python 0.2%
SCSS 0.1%