Pull Request Explorer

Summary

Revert query changes, add regression tests

Restores expected MongoDB and REST query behavior, preventing broken create queries and unquoted JSON body bindings.

Health Assessment

• • Fast cycle time with quick review and minimal back‑and‑forth, but the revert required several commits to address AI‑identified security concerns.

Summary

Fix 498 error for public reCAPTCHA automation

Corrects cross‑site cookie handling for reCAPTCHA, ensuring public automation works without authentication errors.

Health Assessment

• • Fast cycle time and single review round indicate a straightforward, low‑risk bug fix. AI review confirmed no issues, reducing manual QA effort.

Summary

Fix relationship field name validation

Ensures that relationship columns use valid names and prevents creation of columns with illegal characters, improving data integrity and user experience.

Health Assessment

• • Fast cycle time and single review round indicate a smooth, low‑risk fix with minimal rework.

Summary

Bump vitest from 3.2.4 to 4.1.0

Upgrade the Vitest testing framework to 4.1.0, addressing CSS handling in tests without affecting application code.

Health Assessment

• • Fast merge with minimal review; low risk dependency update.

Summary

Authenticated embeds with configurable ancestors

Adds per‑workspace CSP and SSO for authenticated embeds, enabling secure embedding and single sign‑on via signed tokens.

Health Assessment

• • The PR underwent rapid iteration with multiple commits in a short window, indicating a complex feature addition that required quick fixes and adjustments. The review process was swift but involved several comments, reflecting careful scrutiny of security‑related changes.

Summary

Fix webhook trigger parameter override

Prevents webhook payloads from overriding internal automation execution context, ensuring reliable automation jobs.

Health Assessment

• • Quick fix with minimal changes and no review friction.

Summary

Fix PWA zip symlink file-read vulnerability

Prevents attackers from using symlinks in PWA zip uploads to read arbitrary server files, protecting user data and server integrity.

Health Assessment

• • Fast turnaround with minimal rework; AI-assisted review confirmed no issues.

Summary

Prevent NoSQL Operator Injection

Adds JSON‑escaping to user inputs in workspace queries, mitigating NoSQL injection attacks and ensuring data integrity.

Health Assessment

• • Security fix with minimal changes, quick review, no rework.

Summary

Ignore svelte dependency updates in Dependabot

Suppresses automatic version bump PRs for Svelte, reducing noise and allowing controlled upgrades.

Health Assessment

• • Fast, single-commit PR with no review friction, minimal scope.

Summary

Fix DNS rebinding bypass in outbound fetch

Prevents DNS rebinding attacks by validating all resolved IPs and pinning outbound HTTP(S) connections to a safe IP, strengthening outbound request security.

Health Assessment

• • Security fix required multiple iterations and review comments, but final approval was achieved after thorough testing and validation of the new DNS resolution logic.

Summary

Update automation condition value controls

Improves automation branch condition UI to align with app builder, enhancing user experience and reducing confusion.

Health Assessment

• • The PR required extensive rework after initial review, with multiple commits to address AI-generated review comments and complex UI changes, leading to a slow cycle time.

Summary

Revert linked relationship field name validation bug

Reverts a recent change that introduced a bug in linked relationship field name validation, restoring stable functionality for users.

Health Assessment

• • Quick revert with no review needed, indicating minimal impact and high confidence in the original state.

Summary

Add sticky note capability to automation canvas

Adds sticky notes to the automation canvas, enabling users to create, edit, drag, and resize notes that persist across sessions, improving workflow clarity.

Health Assessment

• • The PR involved extensive UI changes and many iterations after review, indicating moderate complexity and potential for regression.

Summary

Fix backup export and app manifest recovery

Ensures reliable CLI backups and restores, preventing data loss and downtime for users.

Health Assessment

• • Fast cycle time and single review round indicate a straightforward, low‑risk bug fix. AI review helped confirm correctness without additional human effort.

Summary

Fix SSRF in AI upload URL fetch

This patch mitigates a server‑side request forgery vulnerability in AI table generation by enforcing a blacklist‑protected fetch for upload URLs, reducing risk of malicious data exfiltration.

Health Assessment

• • Fast cycle time with minimal rework, indicating a straightforward bugfix with clear test coverage.

Summary

Validate linked relationship field names

Adds server‑side and client‑side validation to prevent invalid linked column names, improving data integrity and user experience.

Health Assessment

• • Fast cycle time and single review round indicate a straightforward bug fix with minimal rework; AI review helped confirm correctness.

Summary

Swap bindings drawer title to binding name

Fixes text overflow and updates the bindings drawer title to the binding name, improving UI clarity for API automation steps.

Health Assessment

• • Single AI review, quick approval, minimal changes, smooth process.

Summary

Fix S3 upload authorization issue

Resolves 403 errors for non-builder users uploading to S3 by enforcing role-based permissions.

Health Assessment

• • PR was merged quickly but required several iterations after the initial AI review, indicating some complexity in the permission logic.

Summary

Add Helm chart startup probe and timing tweaks

Improves rollout stability and health check reliability for the litellm service by adding a startup probe and tuning shutdown/probe timings across services. Updated defaults and tests ensure consistent deployment reliability.

Health Assessment

• • PR had a long cycle time due to merge into master, but the review was quick and the scope was small, indicating low risk and minimal friction.

Summary

Fix schema field expansion in Query Viewer

This fix ensures that schema changes are properly applied in the Query Viewer, preventing data inconsistencies and improving user experience.

Health Assessment

• • The PR had a quick initial review but required additional testing after a merge, leading to a longer cycle time. The small scope and single file changes kept risk low.

Summary

Add custom CA support to single-image runner

Enables custom CA bundle loading for secure API calls and warns on missing secrets to prevent silent auth issues, improving reliability for production deployments.

Health Assessment

• • Quick review cycle with a single commit and minimal code changes indicates low complexity and risk.

Summary

Revert Svelte upgrade to restore compatibility

Reverts the Svelte upgrade to 5.40.2 to prevent compatibility issues until affected components are migrated.

Health Assessment

• • Quick revert resolved compatibility issues with minimal changes and fast review.

Summary

Enhance Validation Rule Editor UX

Improves form validation experience by simplifying rule editing, adding default error messages, and providing clearer UI, reducing user errors and support tickets.

Health Assessment

• • The PR received a rapid initial review (0.2h) and only one round of changes, indicating low review friction. However, the overall cycle time of ~8 days reflects extended merge activity and a large scope of 819 lines across 10 files.

Summary

Update tmp dependency to 0.2.6

Ensures the project uses the latest patch of tmp, improving security and stability with no breaking changes.

Health Assessment

• • Quick merge with minimal changes, indicating low risk and efficient process.

Summary

Add Front Companion chat widget

Introduces a new chat widget behind a feature flag, enabling safe QA testing without impacting production users.

Health Assessment

• • Fast cycle time and minimal changes led to a smooth review and quick merge. The feature is gated behind a flag, reducing risk to existing users.

Summary

Health Assessment

Summary

Response buffering to avoid premature close errors in server

Enable response buffering in NGINX to prevent ERR_STREAM_PREMATURE_CLOSE when clients abort requests, improving reliability without affecting user experience.

Health Assessment

• • Quick fix with minimal changes, AI-assisted review and description, no blockers.

Summary

Require auth for S3 signed upload URLs

Adds authentication checks before generating S3 signed upload URLs, mitigating unauthorized data uploads and addressing a security vulnerability. This change protects user data and ensures compliance with security advisories.

Health Assessment

• • The PR addressed a critical security vulnerability but experienced a prolonged review cycle, likely due to integration with the main branch and merging delays.

Summary

Add users to organisation groups

Admins can now invite or create users at the organisation level and assign them to groups without adding them to the current workspace, improving onboarding and group management.

Health Assessment

• • The PR was reviewed quickly with AI assistance, but the overall cycle time was slow due to merge delays; scope was large with moderate review friction, indicating a medium risk level for the change.

Summary

Combobox update event fixes

Fixes combobox update handling so typing no longer gets overwritten, improving user experience in field settings and across the app.

Health Assessment

• • The PR had a quick review but a long cycle time due to integration merges; the change was a small bug fix to improve combobox UX.

Summary

Remove agent and RAG flags

Simplifies the UI and removes feature flags for agents and RAG, making them always enabled across the application.

Health Assessment

• • Rapid iteration with minimal review time indicates high confidence, but the large scope and multiple commits suggest a higher risk of unintended side effects.

Summary

Update js-cookie to 3.0.7 for security

Fixes a cookie attribute injection vulnerability and ensures consistent cookie reads.

Health Assessment

• • Fast merge with minimal changes, indicating low risk and quick resolution of a security update.

Summary

Bump ws from 7.5.10 to 7.5.11

Update the ws library to the latest patch to include a security fix that limits retained message parts, improving application security.

Health Assessment

• • Quick dependency update with minimal changes and fast review, indicating low risk and efficient process.

Summary

Update Svelte to 5.55.7

Keeps the UI framework up to date with the latest security and bug fixes, improving stability and security.

Health Assessment

• • Long review time indicates low priority; minimal changes; quick merge.

Summary

Add automation toolbar

Fixes automation toolbar add-step targeting to highlight and pan to the actual end-of-flow insertion point.

Health Assessment

• • Fast cycle time and review time indicate efficient development and review process.

Summary

Make channel deployment linking optional

This PR allows users to disable automatic linking of channel deployments (Slack, Teams, Discord) to Budibase accounts, reducing friction for users who prefer transient identities and simplifying onboarding.

Health Assessment

• • The PR had a long cycle time and slow review, but only a single review round, indicating a complex change that required extensive testing and integration across multiple services.

Summary

Fix loop node header contrast in light theme

Improves readability of automation loop node header in light theme, ensuring labels, icons, and borders remain visible for better user experience.

Health Assessment

• • Quick fix with minimal changes, AI review confirmed no issues, merged within minutes.

Summary

Fix loop step light theme styling

Loop subflow nodes now keep a visible surface in light theme while preserving internal edge lines and existing dark-theme styling.

Health Assessment

• • Quick approval with minimal changes indicates low complexity and high confidence in the fix.

Summary

Fix condition drawer bindable inputs

This change removes legacy binding options and makes condition drawer inputs type‑aware, improving reliability and user experience for condition configuration.

Health Assessment

• • The PR was merged quickly with minimal review friction, but required several rework commits after the initial review, indicating moderate complexity in the changes.

Summary

Add setting to suppress frontend error notifications

This PR introduces a workspace setting that hides transient frontend error pop-ups, improving user experience by reducing notification fatigue. Errors remain logged for diagnostics.

Health Assessment

• • The PR had a long cycle time with a single review round and multiple merges from master, indicating integration delays. The feature adds a new setting that improves user experience but requires careful testing to avoid masking critical errors.

Summary

Add consent step for chat identity linking

Adds an authenticated confirmation step before external chat identities are linked to Budibase users, enhancing security and compliance.

Health Assessment

• • The PR had a long cycle time and required multiple merges after the initial review, indicating significant rework and coordination overhead.

Summary

Add OAuth2 support to email received trigger

Enables users to use existing OAuth2 connections for email triggers and test connections without storing passwords, improving security and flexibility.

Health Assessment

• • PR required extensive security review and multiple iterations, but was ultimately merged after addressing concerns.

Summary

Fix automation branch edge routing

Corrects visual routing of automation branches, ensuring orthogonal paths and alignment with the action bar, improving UI reliability and developer confidence.

Health Assessment

• • Despite a fast initial review, the PR required multiple iterations and a large code change, indicating moderate complexity and potential for bugs.

Summary

Add Slack pending releases summary

Enables automated Slack notifications of pending releases, improving visibility for teams.

Health Assessment

• • Quick review and merge with minimal rework, indicating a straightforward change.

Summary

Fix SharePoint token refresh on auth failure

Ensures SharePoint connections retry with a fresh token after permission changes, preventing stale token errors and improving reliability.

Health Assessment

• • The PR required multiple merges and a large number of commits after the initial review, indicating significant rework and integration with external SharePoint permissions.

Summary

Chore: Clean up automation test coverage

Improves automation test reliability by refactoring status assertions and simplifying SMTP test inputs, tightening test helpers.

Health Assessment

• • Fast review and merge with no issues; AI-assisted review helped streamline the process.

Summary

Improve automation test coverage

Expands server‑side automation tests, adding comprehensive coverage and bug fixes to enhance reliability and stability.

Health Assessment

• • Large test suite expansion with minimal review, but a 13‑day cycle time indicates a slow process and potential bottlenecks in the review pipeline.

Summary

Fix query editor shortcut handling

This PR corrects shortcut handling in the query editor, ensuring only Cmd/Ctrl+Enter triggers a query, preventing accidental execution during copy/paste operations. It also adds TypeScript annotations to improve type safety.

Health Assessment

• • The PR had a slow cycle time but a quick initial review, with multiple merge commits indicating integration with master and type improvements. The single review comment suggests minimal friction after the initial fix.

Summary

Update fast-xml-parser dependency to 5.8.0

Keeps XML parsing library up to date, ensuring security and bug fixes.

Health Assessment

• • Long review delay due to automated dependency update; minimal code changes; low risk.

Summary

Bump @tootallnate/once from 1.1.2 to 2.0.1

Updates the once library to v2.0.1, incorporating a fix for promise hangs when AbortSignal is aborted, ensuring more reliable event handling for downstream consumers.

Health Assessment

• • Automated dependency update with minimal code changes; long review and merge times are typical for such PRs, posing low risk to the codebase.