@lobehub/lobehub 2.0.0-next.154 → 2.0.0-next.156

package/CHANGELOG.md

@@ -2,6 +2,56 @@
 
 # Changelog
 
+## [Version 2.0.0-next.156](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.155...v2.0.0-next.156)
+
+<sup>Released on **2025-12-04**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: Fix React CVE issue.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: Fix React CVE issue, closes [#10593](https://github.com/lobehub/lobe-chat/issues/10593) ([abd850f](https://github.com/lobehub/lobe-chat/commit/abd850f))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
+## [Version 2.0.0-next.155](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.154...v2.0.0-next.155)
+
+<sup>Released on **2025-12-03**</sup>
+
+#### 🐛 Bug Fixes
+
+- **misc**: Missing init user after user creation.
+
+<br/>
+
+<details>
+<summary><kbd>Improvements and Fixes</kbd></summary>
+
+#### What's fixed
+
+- **misc**: Missing init user after user creation, closes [#10587](https://github.com/lobehub/lobe-chat/issues/10587) ([0e97a42](https://github.com/lobehub/lobe-chat/commit/0e97a42))
+
+</details>
+
+<div align="right">
+
+[![](https://img.shields.io/badge/-BACK_TO_TOP-151515?style=flat-square)](#readme-top)
+
+</div>
+
 ## [Version 2.0.0-next.154](https://github.com/lobehub/lobe-chat/compare/v2.0.0-next.153...v2.0.0-next.154)
 
 <sup>Released on **2025-12-03**</sup>

package/changelog/v1.json

@@ -1,4 +1,22 @@
 [
+  {
+    "children": {
+      "fixes": [
+        "Fix React CVE issue."
+      ]
+    },
+    "date": "2025-12-04",
+    "version": "2.0.0-next.156"
+  },
+  {
+    "children": {
+      "fixes": [
+        "Missing init user after user creation."
+      ]
+    },
+    "date": "2025-12-03",
+    "version": "2.0.0-next.155"
+  },
   {
     "children": {
       "fixes": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lobehub/lobehub",
-  "version": "2.0.0-next.154",
+  "version": "2.0.0-next.156",
   "description": "LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application.",
   "keywords": [
     "framework",
@@ -239,7 +239,7 @@
     "mdast-util-to-markdown": "^2.1.2",
     "model-bank": "workspace:*",
     "nanoid": "^5.1.6",
-    "next": "16.0.5",
+    "next": "^16.0.7",
     "next-auth": "5.0.0-beta.30",
     "next-mdx-remote": "^5.0.0",
     "nextjs-toploader": "^3.9.17",
@@ -267,10 +267,10 @@
     "query-string": "^9.3.1",
     "random-words": "^2.0.1",
     "rc-util": "^5.44.4",
-    "react": "19.2.0",
+    "react": "^19.2.1",
     "react-confetti": "^6.4.0",
     "react-diff-view": "^3.3.2",
-    "react-dom": "19.2.0",
+    "react-dom": "^19.2.1",
     "react-fast-marquee": "^1.6.5",
     "react-hotkeys-hook": "^5.2.1",
     "react-i18next": "^15.7.4",

package/packages/python-interpreter/src/types.ts

@@ -4,9 +4,9 @@ export interface PythonOptions {
    */
   pyodideIndexUrl?: string;
   /**
-   * PyPI 索引 URL，要求支持 [JSON API](https://warehouse.pypa.io/api-reference/json.html)
+   * PyPI index URL, must support [JSON API](https://warehouse.pypa.io/api-reference/json.html)
    *
-   * 默认值：`https://pypi.org/pypi/{package_name}/json`
+   * Default value: `https://pypi.org/pypi/{package_name}/json`
    */
   pypiIndexUrl?: string;
 }

package/scripts/migrateServerDB/index.ts

@@ -1,4 +1,5 @@
 import * as dotenv from 'dotenv';
+import dotenvExpand from 'dotenv-expand';
 import { migrate as neonMigrate } from 'drizzle-orm/neon-serverless/migrator';
 import { migrate as nodeMigrate } from 'drizzle-orm/node-postgres/migrator';
 import { join } from 'node:path';
@@ -6,9 +7,15 @@ import { join } from 'node:path';
 // @ts-ignore tsgo handle esm import cjs and compatibility issues
 import { DB_FAIL_INIT_HINT, DUPLICATE_EMAIL_HINT, PGVECTOR_HINT } from './errorHint';
 
-// Read the `.env` file if it exists, or a file specified by the
-// dotenv_config_path parameter that's passed to Node.js
-dotenv.config();
+// Load environment variables in priority order:
+// 1. .env (lowest priority)
+// 2. .env.[env] (medium priority, overrides .env)
+// 3. .env.[env].local (highest priority, overrides previous)
+// Use dotenv-expand to support ${var} variable expansion
+const env = process.env.NODE_ENV || 'development';
+dotenvExpand.expand(dotenv.config()); // Load .env
+dotenvExpand.expand(dotenv.config({ override: true, path: `.env.${env}` })); // Load .env.[env] and override
+dotenvExpand.expand(dotenv.config({ override: true, path: `.env.${env}.local` })); // Load .env.[env].local and override
 
 const migrationsFolder = join(__dirname, '../../packages/database/migrations');
 

package/src/auth.ts

@@ -13,6 +13,7 @@ import {
 import { initBetterAuthSSOProviders } from '@/libs/better-auth/sso';
 import { parseSSOProviders } from '@/libs/better-auth/utils/server';
 import { EmailService } from '@/server/services/email';
+import { UserService } from '@/server/services/user';
 
 // Email verification link expiration time (in seconds)
 // Default is 1 hour (3600 seconds) as per Better Auth documentation
@@ -120,6 +121,26 @@ export const auth = betterAuth({
   database: drizzleAdapter(serverDB, {
     provider: 'pg',
   }),
+  /**
+   * Run user bootstrap for every newly created account (email, magic link, OAuth/social, etc.).
+   * Using Better Auth database hooks ensures we catch social flows that bypass /sign-up/* routes.
+   * Ref: https://www.better-auth.com/docs/reference/options#databasehooks
+   */
+  databaseHooks: {
+    user: {
+      create: {
+        after: async (user) => {
+          const userService = new UserService(serverDB);
+          await userService.initUser({
+            email: user.email,
+            id: user.id,
+            username: user.username as string | null,
+            // TODO: if add phone plugin, we should fill phone here
+          });
+        },
+      },
+    },
+  },
   user: {
     additionalFields: {
       username: {

package/src/server/services/user/index.ts

@@ -8,6 +8,15 @@ import { KeyVaultsGateKeeper } from '@/server/modules/KeyVaultsEncrypt';
 import { S3 } from '@/server/modules/S3';
 import { AgentService } from '@/server/services/agent';
 
+type CreatedUser = {
+  email?: string | null;
+  firstName?: string | null;
+  id: string;
+  lastName?: string | null;
+  phone?: string | null;
+  username?: string | null;
+};
+
 export class UserService {
   private db: LobeChatDatabase;
 
@@ -15,6 +24,30 @@ export class UserService {
     this.db = db;
   }
 
+  async initUser(user: CreatedUser) {
+    const agentService = new AgentService(this.db, user.id);
+    await agentService.createInbox();
+
+    /* ↓ cloud slot ↓ */
+    /* ↑ cloud slot ↑ */
+
+    const analytics = await initializeServerAnalytics();
+    analytics?.identify(user.id, {
+      email: user.email ?? undefined,
+      firstName: user.firstName ?? undefined,
+      lastName: user.lastName ?? undefined,
+      phone: user.phone ?? undefined,
+      username: user.username ?? undefined,
+    });
+    analytics?.track({
+      name: 'user_register_completed',
+      properties: {
+        spm: 'user_service.init_user.user_created',
+      },
+      userId: user.id,
+    });
+  }
+
   createUser = async (id: string, params: UserJSON) => {
     // Check if user already exists
     const res = await UserModel.findById(this.db, id);
@@ -34,10 +67,6 @@ export class UserService {
       return index === 0;
     });
 
-    /* ↓ cloud slot ↓ */
-
-    /* ↑ cloud slot ↑ */
-
     // 2. create user in database
     await UserModel.createUser(this.db, {
       avatar: params.image_url,
@@ -50,30 +79,14 @@ export class UserService {
       username: params.username,
     });
 
-    // 3. Create an inbox session for the user
-    const agentService = new AgentService(this.db, id);
-    await agentService.createInbox();
-
-    /* ↓ cloud slot ↓ */
-
-    /* ↑ cloud slot ↑ */
-
-    //analytics
-    const analytics = await initializeServerAnalytics();
-    analytics?.identify(id, {
+    await this.initUser({
       email: email?.email_address,
       firstName: params.first_name,
+      id,
       lastName: params.last_name,
       phone: phone?.phone_number,
       username: params.username,
     });
-    analytics?.track({
-      name: 'user_register_completed',
-      properties: {
-        spm: 'user_service.create_user.user_created',
-      },
-      userId: id,
-    });
 
     return { message: 'user created', success: true };
   };