## Summary
Fixes 18 open Dependabot alerts and migrates affected code to the new
major versions:
- `@opentelemetry/sdk-node` → `^0.217.0` (Prometheus exporter DoS,
GHSA-q7rr-3cgh-j5r3)
- `nodemailer` → `^8.0.5` across all manifests + root override
(GHSA-vvjj-xcjg-gr5g, GHSA-c7w3-x93f-qmm8)
- `ai` → `^5.0.52` (GHSA-rwvc-j5jr-mgvh); legacy 3.x dep removed from
`packages/deprecated/legacy` and replaced with a small in-tree
`OpenAIStream` + `StreamingTextResponse` shim
- Provider SDKs aligned to v5 peer: `@ai-sdk/openai`, `anthropic`,
`groq`, `mistral`, `perplexity`, `deepseek`, `togetherai`, `openRouter`,
`dify-ai-provider`
### AI SDK v4 → v5 migration
- `parseTools`: `parameters` renamed to `inputSchema`
- `runChatCompletion` / `runChatCompletionStream`: `maxSteps` replaced
by `stopWhen(stepCountIs(maxSteps))`;
`usage.{prompt,completion,total}Tokens` replaced by
`totalUsage.{input,output,total}Tokens`
- New `toLegacyDataStream` helper that re-emits the v4 data-stream
protocol (`0:text`, `3:error`, `9:tool_call`, …) so existing consumers
in `embeds/js` and the OpenAI `askAssistant` / `askModel` handlers keep
working
- `compatibility: "strict"` removed from `createOpenAI` (option dropped
in v5)
- `formatDataStreamPart` / `processDataStream` imports moved to
`@ai-sdk/ui-utils` (legacy package pinned at 1.2.11)
### E2E test follow-up
Second commit fixes Playwright tests that broke once the env-resolved
URLs / new SDK surface kicked in:
- `fileUpload`: assert exported URL contains `parseS3PublicBaseUrl()`
(not `S3_ENDPOINT`) so it works with `S3_PUBLIC_CUSTOM_DOMAIN`; verify
post-deletion via cache-busted `request.get` instead of a CDN-cached new
tab.
- `ssrf`: assert on the actual "Security validation failed" log emitted
by the pre-flight check; fixture now maps `response.statusCode` into a
`Status` variable so `Status: …` assertions resolve.
- Root `dev` script includes `@typebot.io/partykit` so the webhook
listener e2e test can hit PartyKit on `:1999`.
Also fixes a pre-existing broken anchor link in `whatsapp-ai-agent.mdx`
that blocked the landing-page link checker.
## Test plan
- [ ] `bunx nx test` passes
- [ ] `bunx nx typecheck` passes
- [ ] `bunx nx affected -t
format-and-lint,lint-repo,check-broken-links,test --parallel=4` passes
(pre-commit)
- [ ] `bun run dev` boots builder, viewer, workflows **and** PartyKit
- [ ] Viewer Playwright suite: `fileUpload.spec.ts`, `ssrf.spec.ts`,
`webhookListener.spec.ts` all green
- [ ] Manual smoke: OpenAI `askAssistant` block streams correctly in the
embed (v4 data-stream protocol preserved)
- [ ] Manual smoke: Anthropic / Mistral / Groq blocks still execute
end-to-end
- [ ] Manual smoke: send a test email through a workspace SMTP block
(nodemailer v8)
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Switch the workflows, RPC clients, and shared service layers to the new Effect 4 APIs so the export and onboarding flows use a consistent runtime model. This also raises the background export threshold to keep smaller exports on the simpler path.
- Update workspace dependencies across apps and packages to align with
new lint/Effect expectations
- Adjust Prisma scripts and configs (db push, studio, adapters, read
replicas) for the latest CLI flags and tracing helpers
- Refresh generated locks and helper modules (emails, bot engine,
telemetry, rich text, scripts)
Add a retry policy for workflows RPC HTTP calls to make onboarding
best-effort on transient failures. Include a small onboarding email
divider for readability.
Adds onboarding email workflow with delayed send and suppression checks.
Introduces unsubscribe/resubscribe UI and API endpoints. Wires workflows
RPC config changes for user onboarding.
Closes#1154
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Added authentication functionality for user sessions in chat API.
- Introduced chat-related API endpoints for starting, previewing, and
continuing chat sessions, and streaming messages.
- Implemented WhatsApp API webhook handling for receiving and processing
messages.
- Added environment variable `NEXT_PUBLIC_CHAT_API_URL` for chat API URL
configuration.
- **Bug Fixes**
- Adjusted file upload logic to correctly determine the API host.
- Fixed message streaming URL in chat integration with OpenAI.
- **Documentation**
- Updated guides for creating blocks, local installation, self-hosting,
and deployment to use `bun` instead of `pnpm`.
- **Refactor**
- Refactored chat API functionalities to use modular architecture.
- Simplified client log saving and session update functionalities by
using external functions.
- Transitioned package management and workflow commands to use `bun`.
- **Chores**
- Switched to `bun` for package management in Dockerfiles and GitHub
workflows.
- Added new Dockerfile for chat API service setup with Bun framework.
- Updated `.prettierignore` and documentation with new commands.
- **Style**
- No visible changes to end-users.
- **Tests**
- No visible changes to end-users.
- **Revert**
- No reverts in this release.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
BREAKING CHANGE: Stripe environment variables simplified. Check out the
new configs to adapt your existing system.
Closes#906
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
### Summary by CodeRabbit
**New Features:**
- Introduced a usage-based billing system, providing more flexibility
and options for users.
- Integrated with Stripe for a smoother and more secure payment process.
- Enhanced the user interface with improvements to the billing,
workspace, and pricing pages for a more intuitive experience.
**Improvements:**
- Simplified the billing logic, removing additional chats and yearly
billing for a more streamlined user experience.
- Updated email notifications to keep users informed about their usage
and limits.
- Improved pricing and currency formatting for better clarity and
understanding.
**Testing:**
- Updated tests and specifications to ensure the reliability of new
features and improvements.
**Note:** These changes aim to provide a more flexible and user-friendly
billing system, with clearer pricing and improved notifications. Users
should find the new system more intuitive and easier to navigate.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
