Skip to content

twenty

v2.9.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9h Productivity & Wikis
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

crm crm-system customer graphql javascript marketing
+8 more
monorepo nestjs postgresql react reactjs sales typescript web

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 6h

Bump esbuild to ^0.28.0 immediately to remediate CVE-2023-26116.

Why it matters: CVE‑2023‑26116 has a CVSS score of 10.0; upgrading esbuild to version 0.28.0 or later eliminates the vulnerability.

Summary

AI summary

Broad release touches fix, website, twenty-partners, and chore.

Changes in this release

Security Critical

Bump esbuild to ^0.28.0 to clear CVE-2023-26116 (CVSS: 10.0).

Bump esbuild to ^0.28.0 to clear CVE-2023-26116 (CVSS: 10.0).

Source: llm_adapter@2026-06-05

Confidence: high
Feature Medium

Add Logs tab in General settings for centralized log viewing (settings).

Add Logs tab in General settings for centralized log viewing (settings).

Source: llm_adapter@2026-06-05

Confidence: high
Feature Medium

Expose CURRENCY field settings (format/decimals) in shared types (core).

Expose CURRENCY field settings (format/decimals) in shared types (core).

Source: llm_adapter@2026-06-05

Confidence: high
Feature Medium

Allow many‑to‑one relations as advanced filter leaves (query).

Allow many‑to‑one relations as advanced filter leaves (query).

Source: llm_adapter@2026-06-05

Confidence: high
Feature Medium

Add LIVE / PREBUILT execution modes to logic‑function runtime (logic-function).

Add LIVE / PREBUILT execution modes to logic‑function runtime (logic-function).

Source: llm_adapter@2026-06-05

Confidence: low
Feature Medium

Optimize per‑tool schema resolution in AI resolveSchemas (ai).

Optimize per‑tool schema resolution in AI resolveSchemas (ai).

Source: llm_adapter@2026-06-05

Confidence: low
Feature Low

Add discovery hero rollout + ephemeral playground token (settings).

Add discovery hero rollout + ephemeral playground token (settings).

Source: llm_adapter@2026-06-05

Confidence: high
Feature Low

Always show Favorites section; add favorites via side panel (ui).

Always show Favorites section; add favorites via side panel (ui).

Source: llm_adapter@2026-06-05

Confidence: high
Feature Low

Optimize CRUD AI tools for reduced latency (ai).

Optimize CRUD AI tools for reduced latency (ai).

Source: llm_adapter@2026-06-05

Confidence: low
Other High

Introduce FRONT_AUTO_BASE_URL opt‑in for hostname‑relative API URLs (server).

Introduce FRONT_AUTO_BASE_URL opt‑in for hostname‑relative API URLs (server).

Source: llm_adapter@2026-06-05

Confidence: low
Full changelog

What's Changed

  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20893
  • Add definePermissionFlag for app-defined permission flags by @Weiko in https://github.com/twentyhq/twenty/pull/20887
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20895
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20898
  • chore(server): remove unused REST→GraphQL HTTP bridge by @Weiko in https://github.com/twentyhq/twenty/pull/20897
  • Publish new cli tool version by @martmull in https://github.com/twentyhq/twenty/pull/20903
  • perf(website): cache prerendered pages in CF Cache API (withRegionalCache) by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20905
  • File service uniformize not found behavior and stream management by @prastoin in https://github.com/twentyhq/twenty/pull/20891
  • Edit actor chip icon style & read-only behavior by @Bonapara in https://github.com/twentyhq/twenty/pull/18552
  • Add application installation validation modale by @martmull in https://github.com/twentyhq/twenty/pull/20907
  • chore(security): bump esbuild to ^0.28.0 to clear CVE-2025-68121 (CVSS 10.0) by @charlesBochet in https://github.com/twentyhq/twenty/pull/20902
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20910
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20911
  • feat(twenty-partners): partnerContent catalog + TFT import improvements by @rashad in https://github.com/twentyhq/twenty/pull/20904
  • [Website] Generate release notes manifest at build time by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/20913
  • Various fixes - some AI findings by @Weiko in https://github.com/twentyhq/twenty/pull/20921
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20924
  • Fix/restore channel association scalar field metadata by @neo773 in https://github.com/twentyhq/twenty/pull/20920
  • chore: bump version to 2.9.0 by @twenty-pr[bot] in https://github.com/twentyhq/twenty/pull/20925
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20926
  • Refactor and centralize file mimeType integrity check and sanitization by @prastoin in https://github.com/twentyhq/twenty/pull/20889
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20930
  • Fix workflow step output schema not reflecting user-renamed step name by @thomtrp in https://github.com/twentyhq/twenty/pull/20922
  • Fix cross version upgrade for 2.8 by @prastoin in https://github.com/twentyhq/twenty/pull/20927
  • fix(billing) - fix orphaned stripe subs 2/2 by @etiennejouan in https://github.com/twentyhq/twenty/pull/20916
  • Fix index cache computation by @prastoin in https://github.com/twentyhq/twenty/pull/20933
  • [Website] Restore shared build dependency for typecheck by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/20936
  • remove ai-model-preferences var env and config by @etiennejouan in https://github.com/twentyhq/twenty/pull/20859
  • chore: sync AI model catalog from models.dev by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20948
  • Basic app logo fixes by @martmull in https://github.com/twentyhq/twenty/pull/20919
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20951
  • feat: raise FILES field max number of values from 10 to 60 by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20950
  • fix(role): rebind API keys + agents before deleting their role by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20935
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20952
  • fix(website) - fix getPartners by @etiennejouan in https://github.com/twentyhq/twenty/pull/20947
  • Add a Table display mode to relation field widgets by @Weiko in https://github.com/twentyhq/twenty/pull/20929
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20959
  • Deprecate dummy enterprise key 1/2 by @ijreilly in https://github.com/twentyhq/twenty/pull/20890
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20963
  • fix(website): use Stripe fetch client on Cloudflare Workers by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20966
  • fix(front): ignore IME composition Enter in input hotkeys by @fyujiwara in https://github.com/twentyhq/twenty/pull/20958
  • fix: separate initial timeline loading from fetchMore loading state by @DeviSriSaiCharan in https://github.com/twentyhq/twenty/pull/20896
  • refactor(website): replace axios with native fetch by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20967
  • tt-fix-logic-function-error-handling by @thomtrp in https://github.com/twentyhq/twenty/pull/20928
  • revert(navigation-drawer): unwanted desktop design changes from #20634 by @ehconitin in https://github.com/twentyhq/twenty/pull/20955
  • Display which remote is used when twenty-sdk runs command by @martmull in https://github.com/twentyhq/twenty/pull/20969
  • Fix page layout widget tab moves by @ehconitin in https://github.com/twentyhq/twenty/pull/20915
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20975
  • fix(contact-creation): handle common email display-name shapes when auto-creating People by @clivemeister in https://github.com/twentyhq/twenty/pull/20639
  • Fix error when token invalid by @martmull in https://github.com/twentyhq/twenty/pull/20972
  • Fix focus in front components inputs by @bosiraphael in https://github.com/twentyhq/twenty/pull/20961
  • feat(twenty-orm): introduce WorkspaceScopedRepository for core/metadata workspace-scoped entities by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20953
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20978
  • Display application info in workflow side panel by @martmull in https://github.com/twentyhq/twenty/pull/20976
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20979
  • Ses outbound followup by @neo773 in https://github.com/twentyhq/twenty/pull/20610
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/20982
  • fix: exclude system objects and workflow/dashboard from AI/MCP write tool descriptors by @mvanhorn in https://github.com/twentyhq/twenty/pull/20973
  • Fix lambda timeout diagnostics by @thomtrp in https://github.com/twentyhq/twenty/pull/21002
  • fix: refresh admin panel feature flags after toggling by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21007
  • feat(settings): move email handles and emailing domains to dedicated Email page by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21008
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21013
  • fix(ai): expose MORPH_RELATION join columns in AI/MCP tool schemas by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21012
  • Export STANDARD_PAGE_LAYOUT_UNIVERSAL_IDENTIFIERS by @martmull in https://github.com/twentyhq/twenty/pull/21010
  • chore(deps): bump @apollo/client from 4.1.6 to 4.2.0 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/20993
  • Fix twenty sdk billing exports by @bosiraphael in https://github.com/twentyhq/twenty/pull/21016
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21019
  • Support the "Me" filter for workspace members in dashboard widgets and add multi select by @bosiraphael in https://github.com/twentyhq/twenty/pull/20971
  • Add darkmode for oAuth screen by @martmull in https://github.com/twentyhq/twenty/pull/21005
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21021
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21022
  • Fix playwright CI by @Weiko in https://github.com/twentyhq/twenty/pull/21024
  • EncryptedString PlaintextString branded string types by @prastoin in https://github.com/twentyhq/twenty/pull/21001
  • Fix AI permission gating: use Ask AI for chat UI, AI Settings for admin endpoints by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21030
  • refactor(twenty-orm): migrate 23 grandfathered entities to WorkspaceScopedRepository by @FelixMalfait in https://github.com/twentyhq/twenty/pull/20987
  • fix(contact-creation): enrich missing names on auto-created contacts by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21018
  • chore(deps): bump js-cookie from 3.0.5 to 3.0.7 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/20992
  • Fix: focus stack overwritten when auto-opening title cell on new record by @bosiraphael in https://github.com/twentyhq/twenty/pull/21029
  • refactor(agents): split tool resolution into native and action rails by @ehconitin in https://github.com/twentyhq/twenty/pull/20331
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21032
  • fix: correct typo occurence -> occurrence in metadata-event-emitter.ts by @ltianyi992 in https://github.com/twentyhq/twenty/pull/21036
  • fix(dashboards): isolate pie chart slice labels per widget by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21034
  • fix(address): show saved address in record detail when street1 is null by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21033
  • chore(deps): bump typescript from 5.9.2 to 5.9.3 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/20991
  • chore: sync AI model catalog from models.dev by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21041
  • Fix workflow creation on view filtered by status by @ijreilly in https://github.com/twentyhq/twenty/pull/21027
  • Fix latency spike on application lookup by @martmull in https://github.com/twentyhq/twenty/pull/21042
  • [Dashboards] Remove gauge chart types and code by @ehconitin in https://github.com/twentyhq/twenty/pull/20410
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21045
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21047
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21048
  • Fix admin pannel server variable config tab by @martmull in https://github.com/twentyhq/twenty/pull/21017
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21050
  • fix: harden email-group SES provisioning, cleanup, and inbound replay by @neo773 in https://github.com/twentyhq/twenty/pull/21046
  • 2439 improve command menu item display in right panel by @martmull in https://github.com/twentyhq/twenty/pull/21020
  • fix(sso): accept HTTP-POST binding and surface descriptive parser errors by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21051
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21055
  • Docs update: Calling a logic function from a front component by @bosiraphael in https://github.com/twentyhq/twenty/pull/21057
  • fix: resolve workflow form step auto-open race condition by @thomtrp in https://github.com/twentyhq/twenty/pull/21053
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21062
  • Docs: clarify numberOfSelectedRecords usage for RECORD_SELECTION items by @bosiraphael in https://github.com/twentyhq/twenty/pull/21059
  • feat(server): opt-in FRONT_AUTO_BASE_URL for hostname-relative API URL by @LazyBouy in https://github.com/twentyhq/twenty/pull/20504
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21064
  • [Website] i18n module, page-local sections, translatable copy by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/21082
  • fix(ai): route xAI search through Responses API as native tools by @ehconitin in https://github.com/twentyhq/twenty/pull/21037
  • fix: SSE event stream reconnection after idle connection death by @thomtrp in https://github.com/twentyhq/twenty/pull/21061
  • fix(front): scroll long content in rich text editor by @Nik1125 in https://github.com/twentyhq/twenty/pull/20319
  • fix(twenty-sdk): minify front-component bundles & set NODE_ENV=production in deploy build by @8Maverik8 in https://github.com/twentyhq/twenty/pull/20937
  • fix(front): keep app variable cache in sync after update by @nicolas-besnard in https://github.com/twentyhq/twenty/pull/20861
  • Twenty server:Fix REST pagination issues by @git-init-priyanshu in https://github.com/twentyhq/twenty/pull/20980
  • fix(kanban): contain checkbox hover reveal within card bounds by @ehconitin in https://github.com/twentyhq/twenty/pull/21100
  • feat(settings): discovery hero rollout + ephemeral playground token by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21072
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21103
  • Fix array-typed parameters in code/logic-function action forms by @ijreilly in https://github.com/twentyhq/twenty/pull/21102
  • fix navigation item tree breadcrumb active state by @ehconitin in https://github.com/twentyhq/twenty/pull/21101
  • Billing - Fix credit upgrade invoice error by @etiennejouan in https://github.com/twentyhq/twenty/pull/21097
  • fix: broadcast timeline activities to live SSE subscriptions by @Weiko in https://github.com/twentyhq/twenty/pull/21104
  • Fix else branches not properly skipped in nested if/else workflows by @thomtrp in https://github.com/twentyhq/twenty/pull/20938
  • fix: show relation field changes in the timeline by @parshipcy in https://github.com/twentyhq/twenty/pull/21052
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21112
  • Bump playwright by @prastoin in https://github.com/twentyhq/twenty/pull/21113
  • fix: return proper FORBIDDEN GraphQL errors from ApiKeyResolver by @Weiko in https://github.com/twentyhq/twenty/pull/21107
  • Strictly type encryption rotation key site maps constants through entity type derivation by @prastoin in https://github.com/twentyhq/twenty/pull/21085
  • Public assets server s3 redirection by @prastoin in https://github.com/twentyhq/twenty/pull/21108
  • chore(settings): address review comments from PR 21072 by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21121
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21128
  • fix: REST cursor encoding for nested order_by composite fields by @mvanhorn in https://github.com/twentyhq/twenty/pull/20974
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21088
  • docs: remove the self-host cloud providers page by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21134
  • fix: lowercase OAuth handle to prevent duplicate connected accounts by @neo773 in https://github.com/twentyhq/twenty/pull/21120
  • feat: expose CURRENCY field settings (format/decimals) in shared types by @josephj in https://github.com/twentyhq/twenty/pull/21090
  • Front component s3 redirect by @prastoin in https://github.com/twentyhq/twenty/pull/21116
  • [Website] Partner application wizard + logic-function handover by @rashad in https://github.com/twentyhq/twenty/pull/21039
  • feat(twenty-partners): expose partnerScope on list + by-slug endpoints by @rashad in https://github.com/twentyhq/twenty/pull/21126
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21135
  • feat(twenty-partners): submit-partner-application HTTP logic function by @rashad in https://github.com/twentyhq/twenty/pull/21040
  • feat(website): surface partner Categories (partnerScope) in marketplace, drop deploymentExpertise facet by @rashad in https://github.com/twentyhq/twenty/pull/21127
  • fix(twenty-front): enable text selection for display-mode fields by @dev-kp-eloper in https://github.com/twentyhq/twenty/pull/21068
  • fix(ai): correct find-records tool description (top-level filter fields) by @richroberts-prog in https://github.com/twentyhq/twenty/pull/21109
  • feat(logic-function): add LIVE / PREBUILT execution modes by @charlesBochet in https://github.com/twentyhq/twenty/pull/20873
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21141
  • fix(record-table): keep column header dropdown open after Move Left/Right by @prakhartripath0001 in https://github.com/twentyhq/twenty/pull/21015
  • Prevent conditional availability variables from being used at runtime by @bosiraphael in https://github.com/twentyhq/twenty/pull/21110
  • chore(twenty-partners): bump app version to 0.3.3 by @rashad in https://github.com/twentyhq/twenty/pull/21140
  • feat(settings): move settings chrome into a single rounded card by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21131
  • Always show Favorites section and add favorites via the side panel by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21087
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21148
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21149
  • chore(twenty-partners): refine design-doc skill doctrine by @rashad in https://github.com/twentyhq/twenty/pull/21151
  • Allow functional iframes in front components while blocking sandbox escapes by @bosiraphael in https://github.com/twentyhq/twenty/pull/21145
  • fix: block self-impersonation in admin panel by @parshipcy in https://github.com/twentyhq/twenty/pull/21130
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21154
  • feat: allow many-to-one relations as advanced filter leaves by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21147
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21137
  • refactor(server): merge duplicate TypeOrmModule.forFeature calls in MessagingMessageCleanerModule by @Rpaudel379 in https://github.com/twentyhq/twenty/pull/21150
  • refactor(twenty-server): collapse workspace migration build orchestrator by @charlesBochet in https://github.com/twentyhq/twenty/pull/21144
  • Bonapara/twenty codex plugin by @Bonapara in https://github.com/twentyhq/twenty/pull/20857
  • Fix front component pointer/mouse event coordinates by @bosiraphael in https://github.com/twentyhq/twenty/pull/21117
  • refactor(server): split LambdaDriver and LocalDriver into focused sub-services by @charlesBochet in https://github.com/twentyhq/twenty/pull/21153
  • fix(twenty-server): fix AI tools description for SELECT view filter values by @thomtrp in https://github.com/twentyhq/twenty/pull/21156
  • feat(partners): remove Project Budget Typical field, rework partner views & nav order by @rashad in https://github.com/twentyhq/twenty/pull/21162
  • feat(website): partner marketplace UI fixes & CTA improvements by @rashad in https://github.com/twentyhq/twenty/pull/21163
  • chore: sync AI model catalog from models.dev by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21170
  • (partners): bump app version 0.3.3 -> 0.3.4 by @rashad in https://github.com/twentyhq/twenty/pull/21167
  • Fix Unzipped size must be smaller than 250Mb error by @martmull in https://github.com/twentyhq/twenty/pull/21172
  • i18n - website translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21165
  • fix: update yarn.lock after removing dotenv and zod from twenty-sdk by @rashad in https://github.com/twentyhq/twenty/pull/21174
  • Refactor email composer by @prastoin in https://github.com/twentyhq/twenty/pull/21177
  • fix(ai-chat): refresh JWT token on SSE reconnect to prevent login red… by @b3nito404 in https://github.com/twentyhq/twenty/pull/20176
  • Fix fields widget new field visibility by @Weiko in https://github.com/twentyhq/twenty/pull/21111
  • fix: eliminate workflow editing flicker on active-to-draft transitions by @thomtrp in https://github.com/twentyhq/twenty/pull/21176
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21189
  • perf(ai) - per-tool schema resolution in resolveSchemas by @etiennejouan in https://github.com/twentyhq/twenty/pull/21188
  • Fix lambda error by @martmull in https://github.com/twentyhq/twenty/pull/21179
  • Provide additional logsobservability to workflow runs (per node) by @ijreilly in https://github.com/twentyhq/twenty/pull/21142
  • feat(mcp) - optimize instruction prompt and hide get_tool_catalog by @etiennejouan in https://github.com/twentyhq/twenty/pull/21183
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21191
  • Fix: Not able to add multiple handles to Blocklist in settings/accounts by @git-init-priyanshu in https://github.com/twentyhq/twenty/pull/21049
  • i18n - translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21192
  • Update axios in package.json of seed-dependencies by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/21190
  • fix(ai) - optimize crud tools by @etiennejouan in https://github.com/twentyhq/twenty/pull/21133
  • i18n - docs translations by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21195
  • Fix axios related dependabot alerts generated against root yarn.lock by @mabdullahabaid in https://github.com/twentyhq/twenty/pull/21187
  • feat(ci): integrate Argos visual regression via vitest screenshots by @charlesBochet in https://github.com/twentyhq/twenty/pull/21210
  • feat(settings): add Logs as a dedicated tab in General settings by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21180
  • chore: sync AI model catalog from models.dev by @github-actions[bot] in https://github.com/twentyhq/twenty/pull/21212
  • fix(front): settings skeleton, app-detail header & empty favorites by @FelixMalfait in https://github.com/twentyhq/twenty/pull/21209
  • chore(deps): bump @mantine/hooks from 8.3.15 to 8.3.18 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/21203
  • chore(deps-dev): bump @types/passport-microsoft from 2.1.0 to 2.1.1 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/21204
  • chore(deps-dev): bump prettier from 3.4.2 to 3.8.3 by @dependabot[bot] in https://github.com/twentyhq/twenty/pull/21205
  • fix(upgrade): resequence workflow step logs command by @ehconitin in https://github.com/twentyhq/twenty/pull/21213
  • Set 200 code for post requests by @martmull in https://github.com/twentyhq/twenty/pull/21214
  • [AUDIT] Run knip over twenty-server by @prastoin in https://github.com/twentyhq/twenty/pull/21159
  • feat(ci): simplify visual regression dispatch to twenty-ui only by @charlesBochet in https://github.com/twentyhq/twenty/pull/21215

New Contributors

  • @fyujiwara made their first contribution in https://github.com/twentyhq/twenty/pull/20958
  • @DeviSriSaiCharan made their first contribution in https://github.com/twentyhq/twenty/pull/20896
  • @clivemeister made their first contribution in https://github.com/twentyhq/twenty/pull/20639
  • @mvanhorn made their first contribution in https://github.com/twentyhq/twenty/pull/20973
  • @ltianyi992 made their first contribution in https://github.com/twentyhq/twenty/pull/21036
  • @LazyBouy made their first contribution in https://github.com/twentyhq/twenty/pull/20504
  • @Nik1125 made their first contribution in https://github.com/twentyhq/twenty/pull/20319
  • @8Maverik8 made their first contribution in https://github.com/twentyhq/twenty/pull/20937
  • @nicolas-besnard made their first contribution in https://github.com/twentyhq/twenty/pull/20861
  • @parshipcy made their first contribution in https://github.com/twentyhq/twenty/pull/21052
  • @dev-kp-eloper made their first contribution in https://github.com/twentyhq/twenty/pull/21068
  • @richroberts-prog made their first contribution in https://github.com/twentyhq/twenty/pull/21109
  • @prakhartripath0001 made their first contribution in https://github.com/twentyhq/twenty/pull/21015
  • @b3nito404 made their first contribution in https://github.com/twentyhq/twenty/pull/20176

Full Changelog: https://github.com/twentyhq/twenty/compare/v2.8.0...v2.9.0

Breaking Changes

  • Removed unused REST→GraphQL HTTP bridge in server (chore(server)).
  • Removed `ai-model-preferences` environment variable and configuration key.

Security Fixes

  • chore(security): bump esbuild to ^0.28.0 to clear CVE-2025-68121 (CVSS 10.0).
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track twenty

Get notified when new releases ship.

Sign up free

About twenty

Building a modern alternative to Salesforce, powered by the community.

All releases →

Related context

Related CVEs

Earlier breaking changes

  • v2.8.0 Introduces a new permission flags system defined by apps
  • v2.8.0 Permission flags system replaces previous permission model
  • v2.7.0 Unify connected account permissions.
  • v2.7.0 Encrypt `ConnectedAccount` connectionParameters field.
  • v2.6.0 Rename permissionFlag to rolePermissionFlag and add catalog/backfill

Beta — feedback welcome: [email protected]