This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: The permission model is replaced with a new flags‑based system; update any code that references the old permissions.
Why it matters: Affects permission management and requires immediate attention for affected surface areas. Severity = 70 (high).
Summary
AI summary: Updates Notable improvements, ⚠️ Breaking changes, and Highlights across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Bumped protobufjs and esbuild dependencies to clear known CVEs (Source: llm_adapter@2026-05-26; Confidence: low) | — |
| Security | High | Updates protobufjs and esbuild to address known CVEs (Source: granite4.1:30b@2026-05-26-audit; Confidence: low) | — |
| Breaking | High | Permission flags system replaces previous permission model (Source: llm_adapter@2026-05-26; Confidence: low) | — |
| Breaking | Medium | Introduces a new permission flags system defined by apps (Source: granite4.1:30b@2026-05-26-audit; Confidence: low) | — |
| Feature | Medium | Adds Custom indexes UI for managing data model indexes in Settings (Source: llm_adapter@2026-05-26; Confidence: high) | — |
| Feature | Medium | Adds Text field widget editor mode (#20779) (Source: llm_adapter@2026-05-26; Confidence: high) | — |
| Feature | Medium | Adds AI Chat navigation menu item, webhook tool providers, and end‑to‑end observability (#20759, #20850) (Source: llm_adapter@2026-05-26; Confidence: high) | — |
| Feature | Medium | Adds Partners app `twenty-partners` and website directory (#20792, #20632) (Source: llm_adapter@2026-05-26; Confidence: high) | — |
| Feature | Medium | Adds `twenty_upgrade_instance_info` metric for upgrade observability (#20854) (Source: llm_adapter@2026-05-26; Confidence: high) | — |
| Deprecation | Medium | Channel standard objects `messageChannel`, `messageFolder`, `calendarChannel` are deprecated and removed from workspace schemas (Source: llm_adapter@2026-05-26; Confidence: high) | — |
| Bugfix | Medium | Fixes rotate connected‑account `connectionParameters` via `secret-encryption:rotate` command (#20807) (Source: llm_adapter@2026-05-26; Confidence: high) | — |
| Bugfix | Medium | Auto‑indexes polymorphic `target<X>Id` join columns to improve query performance (#20820) (Source: llm_adapter@2026-05-26; Confidence: high) | — |
Full changelog
Highlights
Features
- Custom indexes UI — manage data model indexes from the Settings UI (#20846)
- Text field widget editor mode (#20779)
- AI Chat — new navigation menu item, webhook tool providers (#20759), plus end-to-end observability (#20850)
- Partners app + directory — new `twenty-partners` app and website directory (#20792, #20632)
⚠️ Breaking changes
- Permission flags — new system to define permission flags by apps
- Channel standard objects deprecated — `messageChannel`, `messageFolder`, `calendarChannel` moved out of workspace schemas into core metadata (#20836) — this is just a cleanup, had been deprecated for some time already
Upgrade notes
This release ships 3 per-workspace migrations that run on the first `yarn command:prod upgrade` after deploy:
- Drop deprecated channel standard objects from workspace schemas
- Backfill relation join column indexes
- Gate default command menu items by permission flag
Notable improvements
- Rotate connected-account `connectionParameters` via `secret-encryption:rotate` (#20807)
- API breaking-change CI guard (#20848)
- `twenty_upgrade_instance_info` metric for upgrade observability (#20854)
- Auto-indexing of polymorphic `target<X>Id` join columns (#20820)
- Install applications via tarball download instead of `yarn install` (#20835)
Security
- Bumped protobufjs and esbuild to clear CVEs (#20876)
Bug fixes
~20 fixes including billing cap writes & orphaned Stripe subs, localization date parsing, workflow UUID filter operands & cron-trigger cache TTL, AI Chat browser-context injection, API keys list refresh, onboarding modal layout, IMAP/SMTP message threading.
Full Changelog: https://github.com/twentyhq/twenty/compare/v2.7.0...v2.8.0
Breaking Changes
- Permission flags system introduced – apps now define permission flags via a new mechanism (requires configuration updates).
- Channel standard objects `messageChannel`, `messageFolder`, `calendarChannel` deprecated and removed from workspace schemas; they have been moved to core metadata.
Security Fixes
- dep: protobufjs and esbuild bumped to clear associated CVEs (#20876)
Related context
Earlier breaking changes
- v2.7.0 Unify connected account permissions.
- v2.7.0 Encrypt `ConnectedAccount` connectionParameters field.
- v2.6.0 Rename permissionFlag to rolePermissionFlag and add catalog/backfill
- v2.6.0 Drop APP_SECRET from approved-access-domain validation and session cookies
- v2.5.0 [breaking: deploy server before front] feat(view-sort): pick sort sub-field inline on the chip