Commit Graph

725 Commits

Author SHA1 Message Date
Baptiste Arnaud
a64e82b612
🐛 Fix unsafe upload URL generation (#2502)
- Replace direct browser presigned PUT uploads with signed Typebot
upload proxy URLs.
- Generate or validate upload object keys server-side while preserving
legacy v1/v2/v3 file-input upload contracts.
- Keep builder slot uploads stable for replaceable assets and use
generated names for runtime file uploads.
- Store active file-input MIME types as safe attachment downloads while
keeping safe image uploads inline.
- Update upload clients and docs to support both raw PUT proxy uploads
and form-data uploads.
2026-05-21 18:37:04 +02:00
Baptiste Arnaud
e296c870bc
🐛 Fix WhatsApp webhook verification (#2498)
- Verify Meta WhatsApp webhooks with optional app secrets while
preserving soft compatibility for existing credentials.
- Add optional 360Dialog webhook secret validation and update flows for
existing WhatsApp credentials.
- Validate Meta WABA and phone number access, then auto-subscribe the
Meta app to the WABA during setup.
- Clear and disable WhatsApp integration when the active credentials are
removed, including published bot state.
- Preserve raw webhook request bodies, document preview app secret
configuration, and add focused webhook verification tests.
- Update related tooling, Biome ignore rules, opensrc guidance, and
small formatting/type-safety cleanup.
2026-05-21 16:45:32 +02:00
Baptiste Arnaud
fdcc1784c9
🔧 Hash API tokens (#2492)
- Store newly created API tokens as SHA-256 hashes while returning the
raw token once.
- Authenticate bearer tokens against both hashed and legacy plaintext
records, then lazily hash legacy records on successful use.
- Seed Playwright API tokens as hashes.
- Add Conductor setup and run scripts for local workspaces.
2026-05-19 18:17:11 +02:00
Baptiste Arnaud
6f289f647f
🔒️ Upgrade vulnerable deps (ai v5, nodemailer v8, otel sdk-node 0.217) (#2491)
## Summary

Fixes 18 open Dependabot alerts and migrates affected code to the new
major versions:

- `@opentelemetry/sdk-node` → `^0.217.0` (Prometheus exporter DoS,
GHSA-q7rr-3cgh-j5r3)
- `nodemailer` → `^8.0.5` across all manifests + root override
(GHSA-vvjj-xcjg-gr5g, GHSA-c7w3-x93f-qmm8)
- `ai` → `^5.0.52` (GHSA-rwvc-j5jr-mgvh); legacy 3.x dep removed from
`packages/deprecated/legacy` and replaced with a small in-tree
`OpenAIStream` + `StreamingTextResponse` shim
- Provider SDKs aligned to v5 peer: `@ai-sdk/openai`, `anthropic`,
`groq`, `mistral`, `perplexity`, `deepseek`, `togetherai`, `openRouter`,
`dify-ai-provider`

### AI SDK v4 → v5 migration

- `parseTools`: `parameters` renamed to `inputSchema`
- `runChatCompletion` / `runChatCompletionStream`: `maxSteps` replaced
by `stopWhen(stepCountIs(maxSteps))`;
`usage.{prompt,completion,total}Tokens` replaced by
`totalUsage.{input,output,total}Tokens`
- New `toLegacyDataStream` helper that re-emits the v4 data-stream
protocol (`0:text`, `3:error`, `9:tool_call`, …) so existing consumers
in `embeds/js` and the OpenAI `askAssistant` / `askModel` handlers keep
working
- `compatibility: "strict"` removed from `createOpenAI` (option dropped
in v5)
- `formatDataStreamPart` / `processDataStream` imports moved to
`@ai-sdk/ui-utils` (legacy package pinned at 1.2.11)

### E2E test follow-up

Second commit fixes Playwright tests that broke once the env-resolved
URLs / new SDK surface kicked in:
- `fileUpload`: assert exported URL contains `parseS3PublicBaseUrl()`
(not `S3_ENDPOINT`) so it works with `S3_PUBLIC_CUSTOM_DOMAIN`; verify
post-deletion via cache-busted `request.get` instead of a CDN-cached new
tab.
- `ssrf`: assert on the actual "Security validation failed" log emitted
by the pre-flight check; fixture now maps `response.statusCode` into a
`Status` variable so `Status: …` assertions resolve.
- Root `dev` script includes `@typebot.io/partykit` so the webhook
listener e2e test can hit PartyKit on `:1999`.

Also fixes a pre-existing broken anchor link in `whatsapp-ai-agent.mdx`
that blocked the landing-page link checker.

## Test plan

- [ ] `bunx nx test` passes
- [ ] `bunx nx typecheck` passes
- [ ] `bunx nx affected -t format-and-lint,lint-repo,check-broken-links,test --parallel=4` passes (pre-commit)
- [ ] `bun run dev` boots builder, viewer, workflows **and** PartyKit
- [ ] Viewer Playwright suite: `fileUpload.spec.ts`, `ssrf.spec.ts`,
`webhookListener.spec.ts` all green
- [ ] Manual smoke: OpenAI `askAssistant` block streams correctly in the
embed (v4 data-stream protocol preserved)
- [ ] Manual smoke: Anthropic / Mistral / Groq blocks still execute
end-to-end
- [ ] Manual smoke: send a test email through a workspace SMTP block
(nodemailer v8)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 16:30:36 +02:00
Baptiste Arnaud
30682a258a
📝 Document status page and analytics completion criteria (#2480)
- Added a new "Is there a status page?" entry to the FAQ pointing to
status.typebot.io.
- Added a "Definitions" section to the analytics doc explaining Views,
Starts, Completions (no input remaining + at least one answer + no
pending client-side action expecting a dedicated reply) and the
per-block drop-off rate.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 11:10:10 +02:00
Baptiste Arnaud
b25c41b02b
🐛 Fix SSRF bypass via DNS rebinding in HTTP request and script fetch flows (#2461)
- Add `createSafeDispatcher` with a `validatingLookup` that checks
resolved IPs at TCP connection time, preventing DNS rebinding TOCTOU
attacks (GHSA-hgqq-whf5-mrrf)
- Pass the safe undici dispatcher in `safeFetchWithoutChunkedEncoding`
(`ky.ts`) and in the isolated VM fetch wrapper (`executeFunction.ts`)
- Export `parseIPAddress`, `validateIPAddress` and `ParsedIP` from
`validateHttpReqUrl.ts` for reuse in the dispatcher
- Add unit tests for `validatingLookup` and E2E test bot/spec for SSRF
scenarios
- Add `@types/bun` to `packages/lib` tsconfig

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 09:28:06 +00:00
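An added illustration of the connect-time check the DNS-rebinding fix above describes; this is not Typebot's `createSafeDispatcher` or `validatingLookup`. The resolver is injected as a plain async function instead of undici's callback-style `lookup`, the IPv4 block list is an assumption constructed for the example, and any non-IPv4 answer is rejected outright.

```typescript
type Resolver = (hostname: string) => Promise<string[]>;

// Assumed block list (constructed for this example): "this network", RFC 1918,
// CGNAT, loopback, link-local incl. the 169.254.169.254 metadata endpoint, and
// multicast/reserved space. Anything not listed is treated as public.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

// Strict dotted-quad parser: leading zeros, hex, shorthand and IPv6 all fail.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isPublicIPv4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return BLOCKED_V4.every(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) !== (((ipv4ToInt(net) as number) & mask) >>> 0);
  });
}

// Called with the addresses the socket is about to connect to. If any of them
// is blocked the connection is refused, even though the hostname passed the
// earlier URL validation: checking only at URL time leaves the TOCTOU window
// that rebinding exploits, because the DNS answer can change in between.
function selectConnectAddress(hostname: string, addresses: string[]): string {
  if (addresses.length === 0 || !addresses.every(isPublicIPv4)) {
    throw new Error(`Security validation failed: ${hostname} resolved to a blocked address`);
  }
  return addresses[0];
}

// Shape of the lookup hook: resolve, then validate the result at connect time.
function makeValidatingLookup(resolve: Resolver) {
  return async (hostname: string): Promise<string> =>
    selectConnectAddress(hostname, await resolve(hostname));
}
```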
Baptiste Arnaud
2c3fc7267a
🐛 Fix stored XSS via javascript: URI in bubble links (GHSA-hqmv-v56g-4m47) (#2435)
## Summary
- Fix stored XSS vulnerability where `javascript:` URIs in text bubble
links, image click links, and toast popup links could execute arbitrary
JS in visitors' browsers
- Add `sanitizeUrl` utility that allowlists only `http:`, `https:`,
`mailto:`, and `tel:` protocols
- Add explicit `typecheck` Nx targets for `builder` and `viewer`
(Next.js projects don't get one inferred by `@nx/js/typescript`)
- Bump `@typebot.io/js` and `@typebot.io/react` to `0.10.1`

## Test plan
- [ ] Create a bot with a text bubble link set to `javascript:alert(1)`
and verify it renders as `#`
- [ ] Same test with an image click link
- [ ] Verify normal `https://` links still work
- [ ] Run `bunx nx typecheck builder` and `bunx nx typecheck viewer`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 17:46:09 +02:00
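An added example of the protocol-allowlist approach the commit above describes, in TypeScript; it is not Typebot's own `sanitizeUrl`. The placeholder base used to resolve relative links is an assumption.

```typescript
// Only these schemes may appear in a bubble, image-click or toast link;
// everything else (javascript:, data:, vbscript:, unparsable input) becomes "#".
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Assumed base (constructed for this example): relative links such as
// "/pricing" resolve against it, parse as https, and are kept verbatim.
const RESOLUTION_BASE = "https://placeholder.invalid/";

function parseProtocol(value: string): string | null {
  try {
    // WHATWG URL parsing strips embedded tab/newline characters and
    // lower-cases the scheme, so "java\nscript:" and "JaVaScRiPt:" both
    // parse to protocol "javascript:" exactly as a browser would read them.
    return new URL(value, RESOLUTION_BASE).protocol;
  } catch {
    return null;
  }
}

function sanitizeUrl(raw: string | null | undefined): string {
  if (raw === null || raw === undefined) return "#";
  const trimmed = raw.trim();
  if (trimmed === "") return "#";
  const protocol = parseProtocol(trimmed);
  return protocol !== null && ALLOWED_PROTOCOLS.has(protocol) ? trimmed : "#";
}
```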
Baptiste Arnaud
cb2430ba84
🔧 Move to typebot.com 2026-03-26 17:10:02 +01:00
Baptiste Arnaud
9d9f02b3ac
🐛 Really restore ORPCPlugin on viewer 2026-03-23 11:17:29 +01:00
Baptiste Arnaud
3736d337b2
🐛 Restore ORPCPlugin on viewer 2026-03-23 11:04:35 +01:00
Baptiste Arnaud
9cf506c5d1
🔧 Add feature-flags service 2026-03-20 17:58:25 +01:00
Baptiste Arnaud
a9b2af116d
🐛 Fix code scanning findings 2026-03-19 10:21:03 +01:00
Baptiste Arnaud
db2a3e2ffa
🐛 Fix nx-ignore command on CI 2026-03-19 09:37:55 +01:00
Baptiste Arnaud
c2b251c7e5
♻️ Migrate to NX (#2418) 2026-03-18 15:29:32 +00:00
Baptiste Arnaud
2f674b96d2
💚 Fix e2e tests 2026-03-17 14:50:16 +01:00
Baptiste Arnaud
90ec449168
🔧 Refine cookie handling UI and embeds visuals 2026-03-17 14:50:16 +01:00
Baptiste Arnaud
14ec3a2598
🔧 Enable PR2 Biome rules and mechanical autofixes 2026-03-13 11:46:28 +01:00
Baptiste Arnaud
516b33b8a1
🔧 Enable PR1 Biome rules and prefer implicit undefined returns 2026-03-13 11:27:15 +01:00
Baptiste Arnaud
603fd903fb
🔧 Centralize runtime telemetry and Sentry reporting
Move builder, viewer, and workflows onto shared telemetry helpers so request logging, OTLP config, and workflow failures are reported consistently across runtimes.
2026-03-12 17:32:46 +01:00
Baptiste Arnaud
0109a5cadd
🔧 Rename Typebot debug env var to avoid conflict 2026-03-03 10:03:30 +01:00
Baptiste Arnaud
75eaf4b016
👌 Move metadata to share page (#2398)
## Summary

- Moved site metadata controls (title, description, favicon, preview
image) from Settings into Share page.
- Added a new LinkPreviewMetadataForm component and wired it to update
typebot settings from Share.
- Updated default preview image from PNG to JPEG and replaced the asset
under apps/viewer/public.
- Adjusted share page layout to show links and metadata side-by-side and
improved some responsive width styles.

Verification: commit hooks ran format-and-lint, lint-repo,
check-broken-links, and repository tests automatically during commit.
2026-02-13 18:31:03 +01:00
Baptiste Arnaud
156e895349
🔧 Enforce SVG title accessibility and remove linter override (#2396) 2026-02-13 09:11:40 +00:00
Baptiste Arnaud
6e25c8c766
🔧 Remove noAccumulatingSpread off rule (#2390) 2026-02-12 14:27:28 +00:00
Baptiste Arnaud
5e0de89911
🔧 Add forward WA errors and campaign statuses option 2026-02-11 16:46:35 +01:00
Baptiste Arnaud
7e17ae3157
🐛 (lp) Fix templates page not loading 2026-01-22 16:10:13 +01:00
Baptiste Arnaud
80db9565cd
♻️ Upgrade to Zod v4 (#2355) 2026-01-19 10:51:20 +01:00
Baptiste Arnaud
a33289e4f1
🔧 Pin Node 22 for builder/viewer (#2354) 2026-01-19 10:01:34 +01:00
Baptiste Arnaud
8febf1a4bd
Introduce Effect-based workflow system (#2345) 2026-01-15 10:35:22 +01:00
Baptiste Arnaud
a15673f5a6
♻️ Migrate builder from tRPC to oRPC (#2342) 2026-01-13 15:10:07 +01:00
Baptiste Arnaud
06110a8084
🔧 Fix @opentelemetry/winston-transport log error 2026-01-09 16:03:40 +01:00
Baptiste Arnaud
e6d58e2ad4
🔧 Add webhook block e2e test 2026-01-09 15:16:14 +01:00
Baptiste Arnaud
5f59bb1dd6
🔖 Release v3.15.0 2026-01-06 08:55:55 +01:00
Baptiste Arnaud
a28f186d04
🐛 Fix zapier trigger endpoints format
2025-12-23 19:48:48 +01:00
Baptiste Arnaud
62d3ba83f0
🚸 Allow s3 private URL access with PAT 2025-12-18 10:38:00 +01:00
Baptiste Arnaud
3d649886c2
♻️ Refactor viewer server handler to oRPC 2025-12-17 18:00:20 +01:00
Baptiste Arnaud
f3e984a483
🔥 Remove legacy ai stream API handlers 2025-12-15 11:28:30 +01:00
Baptiste Arnaud
ea2a87dd50
Add WhatsApp typing indicator 2025-12-15 10:11:26 +01:00
Baptiste Arnaud
0b14a21b37
⬆️ Upgrade Next.js and react 2025-12-12 10:28:27 +01:00
Baptiste Arnaud
7014069f5f
⬆️ Upgrade Next.js and react 2025-12-07 08:58:27 +01:00
Baptiste Arnaud
f144d74a7e
💚 Fix new healthz route syntax error
2025-12-04 18:10:28 +01:00
Baptiste Arnaud
dfd6b15590
🗑️ Flag deprecated stream routes 2025-12-04 16:29:11 +01:00
Baptiste Arnaud
04efee8b9b
♻️ Fix handler cast specificity 2025-12-04 14:33:55 +01:00
Baptiste Arnaud
e214fcda60
♻️ Remove webpack aliases in next configs 2025-12-03 18:09:23 +01:00
Baptiste Arnaud
c8ee003e56
♻️ Export fetcher fetch in handlers array 2025-12-03 18:05:32 +01:00
Baptiste Arnaud
b9e64eca06
♻️ Move forged block handlers to a separate file 2025-12-03 17:11:17 +01:00
Baptiste Arnaud
6a02a5b919
⬆️ Upgrade to React 19
2025-12-01 16:42:23 +01:00
Baptiste Arnaud
dd82c4d318
♻️ Migrate to Bun test 2025-11-27 12:08:31 +01:00
Baptiste Arnaud
c2d8920856
🔥 Remove legacy bot-engine 2025-11-26 15:32:26 +01:00
Baptiste Arnaud
7f58205f83
(openai) Add instructions field for gpt-4o-tts 2025-11-25 11:59:06 +01:00
Baptiste Arnaud
2b3a55f265
♻️ Migrate testHttpRequest to tRPC and strengthen security 2025-11-11 12:26:15 +01:00