Commit Graph

5 Commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Baptiste Arnaud | 23818bb0e5 | 🐛 Fix SSRF redirect bypass in HTTP Request and Code blocks (#2432) (full commit message below) | 2026-04-07 16:41:25 +02:00 |
| Baptiste Arnaud | 27aad0931d | 🔧 Add custom nx-ignore command | 2026-03-19 11:27:30 +01:00 |
| Baptiste Arnaud | c2b251c7e5 | ♻️ Migrate to NX (#2418) | 2026-03-18 15:29:32 +00:00 |
| Baptiste Arnaud | 87bc6602e5 | 🔧 Setup codex local env setup script | 2026-02-11 11:15:25 +01:00 |
| Baptiste Arnaud | e8e8381932 | 🔧 Clean up agent skills and worktree commands | 2026-01-28 15:53:21 +01:00 |

Full commit message for 23818bb0e5:

🐛 Fix SSRF redirect bypass in HTTP Request and Code blocks (#2432)

## Summary

- **Fix SSRF via open redirect bypass** (GHSA-jxv3-m939-w95c): HTTP Request block now uses `safeKy` instead of `ky`, and Code block's sandboxed `fetch` now follows redirects manually with `redirect: "manual"` + re-validation of each `Location` hop via `validateHttpReqUrl`.
- **Improved safeKy tests**: redirect bypass tests now run end-to-end through `safeKy` (not just indirect Location header checks), including chained redirect scenarios.
- **Skip Vercel preview builds**: `nx-ignore` now exits early with code 0 when `VERCEL_ENV=preview`.

## Test plan

- [x] `bunx nx test @typebot.io/lib` — 76 tests pass (0 fail, 6 skip)
- [x] `NODE_ENV=development bun test packages/lib/src/safeKy.test.ts` — 8 tests pass (redirect bypass verified end-to-end)
- [x] `bunx nx typecheck @typebot.io/bot-engine` — passes
- [x] `bunx nx typecheck @typebot.io/variables` — passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>