* chore: Replace lodash with es-toolkit
Migrate all direct lodash imports to es-toolkit/compat for a smaller,
faster, lodash-compatible utility library. Transitive lodash usage from
other packages remains unchanged.
* fix: Restore isPlainObject semantics in CanCan policy
The lodash migration aliased `isObject` to `lodash/isPlainObject` and
the codemod incorrectly mapped the local name to es-toolkit's `isObject`,
which also returns true for arrays and functions. This caused condition
objects in policy definitions to be skipped, breaking authorization
checks across the codebase.
* fix: Restore unicode-aware length counting in validators
es-toolkit/compat's size() returns string.length, while lodash's _.size()
counts unicode code points. Switch to [...value].length to preserve the
previous behavior so multi-byte characters like emoji count as one.
* chore: Vendor request-filtering-agent
* fix: honor fetch timeout and undefined allow list in proxy pre-flight
Default allowIPAddressList to [] so an unset ALLOWED_PRIVATE_IP_ADDRESSES
env var doesn't overwrite the agent's default and crash on .length, and
race the pre-flight DNS lookup against the request's abort signal so the
configured fetch timeout applies to slow DNS resolution.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Replaces `as any` casts when constructing OAuth2Server Request/Response
with explicit objects containing the fields the library actually
consumes, and switches BaseStorage's manual header spread to a
node-fetch `Headers` instance to avoid the no-misused-spread warning.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* perf: Add timeout and optimize URL unfurl performance
Fixes issue where urls.unfurl endpoint could take 15+ seconds due to external API timeouts and sequential plugin execution.
Changes:
- Add timeout support to fetch utility with AbortController (defaults to no timeout, configurable per request)
- Add 10 second timeout to Iframely plugin requests
- Add early URL pattern validation to GitHub and Linear plugins to avoid unnecessary database queries
- Add try-catch error handling to URL parsing in GitHub and Linear plugins
This reduces worst-case unfurl time from 15+ seconds to ~10 seconds maximum, and eliminates unnecessary overhead for URLs that don't match plugin patterns.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* lint
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* Add ALLOW_IP_ADDRESS_LIST environment variable
This adds support for allowing specific private IP addresses to be accessed
by the request-filtering-agent, which is useful for OIDC providers and
webhooks on private networks.
The environment variable accepts a comma-separated list of IP addresses
that should be allowed even if they are private IP addresses.
Example: ALLOW_IP_ADDRESS_LIST=10.0.0.1,192.168.1.100
Fixes issue with OIDC providers on private IP addresses being blocked.
* Rename environment variable to ALLOWED_PRIVATE_IP_ADDRESSES
Changed from ALLOW_IP_ADDRESS_LIST to ALLOWED_PRIVATE_IP_ADDRESSES
for better clarity and naming consistency.
---------
Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com>
* fix: Files from local storage provider sometimes returned with incorrect content type
* fix: attachments.createFromUrl response values incorrect for successful upload
* fix: Reduce liklihood of image download requests being blocked on server
* fix: Content with HTML images should never be considered as markdown
* fix: Image caption sometimes uncentered
* test
Tom Moor