ChatbotX, an open-source alternative to ManyChat

v0.2.5 Breaking

This release includes 3 breaking changes for platform teams planning a safe upgrade.

Published 15d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

agentic-ai agentic-omnichannel-chatbot llm marketing-automation nextjs omnichannel

+2 more

redis typescript

Affected surfaces

auth breaking_upgrade crypto_tls

Summary

AI summary

Updates ✨ New Features, 💥 Breaking Changes, and feat across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Breaking	High	Self‑hosted deployments must set ENCRYPTION_KEY environment variable and run migration and credential backfill scripts. Self‑hosted deployments must set ENCRYPTION_KEY environment variable and run migration and credential backfill scripts. Source: granite4.1:30b@2026-05-19-audit Confidence: low	—
Breaking	Medium	Provider credentials now encrypted at rest using AES-256-GCM in new OrganizationCredential table. Provider credentials now encrypted at rest using AES-256-GCM in new OrganizationCredential table. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: low	—
Feature
Feature	Medium	Added function connect to human feature. Added function connect to human feature. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Feature	Medium	AI function added edit, duplicate, and delete capabilities. AI function added edit, duplicate, and delete capabilities. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Feature	Medium	API v1 added misc workspace token APIs (error-logs, whatsapp-templates, inbox-teams). API v1 added misc workspace token APIs (error-logs, whatsapp-templates, inbox-teams). Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Feature	Medium	AI text now handles success and error responses. AI text now handles success and error responses. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high	—
Bugfix	Medium	Fixed drizzel snapshot issue. Fixed drizzel snapshot issue. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: low	—
Refactor	Medium	Extracted bot-field and folder business logic to service layer. Extracted bot-field and folder business logic to service layer. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: low	—

Full changelog

What's Changed

💥 Breaking Changes

feat!: add encryption for auth — #433 by @realcodesiman

Provider credentials (WhatsApp, Messenger, Instagram, Google, Zalo, Stripe, Giphy) are now encrypted at rest using
AES-256-GCM and stored in a new OrganizationCredential table instead of plaintext in Organization.settings.

Action required for all self-hosted deployments:

1. Add ENCRYPTION_KEY to your environment (required — app will fail to start without it):

ENCRYPTION_KEY=$(openssl rand -hex 32)

2. Run the database migration:

pnpm --filter @chatbotx.io/database db:migrate

3. Run the credential backfill (migrates existing plaintext credentials to encrypted storage):

pnpm --filter @chatbotx.io/database backfill:organization-credentials

The backfill is idempotent and safe to re-run. After it completes, credentials are removed from the legacy
Organization.settings column — there is no rollback path without a database restore.

Key rotation (future use — changing ENCRYPTION_KEY):

ENCRYPTION_KEY_PREV=<old-key>  # set temporarily during rotation only
ENCRYPTION_KEY=<new-key>
pnpm --filter @chatbotx.io/database rotate:encryption-key
# then remove ENCRYPTION_KEY_PREV from env

✨ New Features

feat: add function connect to human by @nguyenvantruc92 in https://github.com/ChatbotXIO/ChatbotX/pull/367
feat: ai function add feature edit/duplicate and delete by @nguyenvantruc92 in
https://github.com/ChatbotXIO/ChatbotX/pull/389
feat(api/v1): add misc workspace token APIs (error-logs, whatsapp-templates, inbox-teams) by @realcodesiman in
https://github.com/ChatbotXIO/ChatbotX/pull/445
feat: ai text add handle succes, error by @nguyenvantruc92 in https://github.com/ChatbotXIO/ChatbotX/pull/390

🐛 Bug Fixes

fix: drizzel snapshot by @sunghajung43 in https://github.com/ChatbotXIO/ChatbotX/pull/460

⚡ Improvements

refactor: extract bot-field and folder business logic to service layer by @realcodesiman in
https://github.com/ChatbotXIO/ChatbotX/pull/443

Changelog: https://github.com/ChatbotXIO/ChatbotX/compare/v0.2.4...v0.2.5

Breaking Changes

Provider credentials (WhatsApp, Messenger, Instagram, Google, Zalo, Stripe, Giphy) are now encrypted at rest using AES-256-GCM and stored in a new OrganizationCredential table; plaintext storage in Organization.settings is removed.
A new required environment variable `ENCRYPTION_KEY` must be set for all self‑hosted deployments.
Database migration (`pnpm --filter @chatbotx.io/database db:migrate`) and credential backfill (`backfill:organization-credentials`) are mandatory; no rollback path without restoring the database.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track ChatbotX, an open-source alternative to ManyChat

Get notified when new releases ship.

About ChatbotX, an open-source alternative to ManyChat

All releases →