@waleedlatif1 waleedlatif1 commented Dec 11, 2025

icecrasher321 and others added 6 commits December 11, 2025 12:45
* fix(sidebar): re-render auto-scroll

* improvement: sidebar-scrolling listener
* Fix var resolution in parallel

* Fix parallel

* Clean logs

* Fix loop error port
* fix(ollama): fixed messages array for ollama, added gpt-5.2

* ack PR comments
vercel bot commented Dec 11, 2025

The latest updates on your projects.

1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
docs Skipped Skipped Dec 11, 2025 10:39pm


greptile-apps bot commented Dec 11, 2025

Greptile Overview

Greptile Summary

This release (v0.5.27) bundles six bug fixes and improvements:

  • SSRF/DNS Rebinding Protection: Added async DNS resolution with IP pinning to prevent DNS rebinding attacks in the proxy and file parse APIs. URLs are now validated by resolving hostnames to IPs at validation time, then using the resolved IP directly in fetch requests with the original hostname in the Host header.

  • Sidebar Auto-scroll Fix: Refactored scroll behavior to use an event-driven approach (SIDEBAR_SCROLL_EVENT) instead of triggering on every navigation, eliminating scroll jitter while maintaining scroll-into-view for newly created items.

  • Parallel Variable Resolution: Fixed variable resolution in parallel forEach collections by adding dynamic DAG expansion when runtime item count exceeds pre-built branches, and properly wiring the resolver to the ParallelOrchestrator.

  • Workflow Change Detection: Updated change detection to ignore autolayout-related fields (layout, height, width) that were causing false positives.

  • Ollama Messages Fix: Corrected the context field assignment in the agent handler to avoid duplicating context when messages are already properly formatted.

  • PostgreSQL Row Count: Changed to use result.count instead of result.length for accurate row count reporting.

  • GPT-5.2 Model: Added GPT-5.2 model definitions for OpenAI and Azure OpenAI providers.

Confidence Score: 5/5

  • This PR is safe to merge - it includes well-tested security improvements and targeted bug fixes with no breaking changes.
  • The changes are well-structured: security fixes include comprehensive tests, sidebar refactoring uses a clean event-driven pattern, executor changes follow existing patterns, and all modifications are appropriately scoped to their domains.
  • No files require special attention - all changes are well-tested and follow established patterns.

Important Files Changed

File Analysis

Filename | Score | Overview
apps/sim/lib/core/security/input-validation.ts | 5/5 | Added DNS rebinding/SSRF protection with validateUrlWithDNS that resolves hostnames and validates resolved IPs aren't private, plus createPinnedUrl for DNS pinning to prevent TOCTOU attacks.
apps/sim/app/api/files/parse/route.ts | 5/5 | Updated to use new DNS-validated URL fetching with IP pinning to prevent SSRF via DNS rebinding attacks.
apps/sim/app/api/proxy/route.ts | 5/5 | Updated to use new DNS-validated URL fetching with IP pinning for SSRF protection.
apps/sim/app/api/tools/postgresql/utils.ts | 5/5 | Changed rowCount calculation to use result.count property when available, falling back to result.length, fixing incorrect row count reporting for PostgreSQL operations.
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/sidebar.tsx | 5/5 | Refactored sidebar auto-scroll behavior to use event-driven approach via SIDEBAR_SCROLL_EVENT custom events, fixing scroll jitter by only scrolling on explicit triggers rather than on every navigation.
apps/sim/executor/orchestrators/parallel.ts | 4/5 | Added dynamic parallel branch expansion to handle cases where runtime item count exceeds pre-built branch count, enabling proper variable resolution in parallel forEach with references like <previousBlock.items>.
apps/sim/executor/handlers/agent/agent-handler.ts | 5/5 | Fixed context field assignment to set it to undefined when validMessages is true, preventing duplicate context when messages are already properly formatted.
apps/sim/lib/workflows/utils.ts | 5/5 | Updated hasWorkflowChanged to exclude layout-related fields (layout, height, width) from change detection, preventing false positives from autolayout measurements.
apps/sim/providers/models.ts | 5/5 | Added GPT-5.2 model definition for OpenAI and Azure OpenAI providers with pricing, reasoning effort, and verbosity capabilities.

Sequence Diagram

sequenceDiagram
    participant Client
    participant ProxyAPI as Proxy/Parse API
    participant Validator as URL Validator
    participant DNS as DNS Resolver
    participant Target as External Server

    Client->>ProxyAPI: Request with URL
    ProxyAPI->>Validator: validateUrlWithDNS(url)
    Validator->>Validator: Basic URL validation (protocol, format)
    Validator->>DNS: dns.lookup(hostname)
    DNS-->>Validator: Resolved IP address
    Validator->>Validator: Check IP not private/reserved
    Validator-->>ProxyAPI: {isValid, resolvedIP, originalHostname}
    ProxyAPI->>ProxyAPI: createPinnedUrl(url, resolvedIP)
    ProxyAPI->>Target: fetch(pinnedUrl, {Host: originalHostname})
    Target-->>ProxyAPI: Response
    ProxyAPI-->>Client: Proxied Response
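Worked example of the DNS-pinning pattern the summary and the sequence diagram describe: resolve the hostname once, check that the resolved address is not private or reserved, then fetch by IP with the original host[:port] carried in the Host header so a second, possibly rebound, lookup never happens. This is an added illustration, not the project's own validateUrlWithDNS/createPinnedUrl code; the function names isBlockedIp, pinUrlToIp and validateUrlWithDNS, the Resolver type and the FAKE_DNS table are assumptions constructed here so the example runs offline.

```typescript
// Added example (not the project's code): DNS-pinned URL validation for an
// outbound proxy. Function names and the FAKE_DNS table are assumptions.
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

interface PinnedTarget {
  pinnedUrl: string;   // URL with the hostname replaced by the resolved IP
  hostHeader: string;  // original host[:port], to be sent as the Host header
  resolvedIp: string;
}

// IPv4 ranges an outbound proxy must never reach: "this" network, RFC 1918,
// CGNAT, loopback, link-local (cloud metadata lives here), multicast, reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inV4Range(ip: string, base: string, bits: number): boolean {
  const mask = (~0 << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// True when the address must not be contacted. Anything that is not an IP
// literal is also refused: the caller has already resolved the name.
function isBlockedIp(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) return BLOCKED_V4.some(([base, bits]) => inV4Range(ip, base, bits));
  if (family === 6) {
    const v6 = ip.toLowerCase();
    // IPv4-mapped forms (::ffff:a.b.c.d and ::ffff:xxxx:xxxx) are checked as IPv4.
    const dotted = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) return isBlockedIp(dotted[1]);
    const hex = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isBlockedIp(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    if (v6 === "::1" || v6 === "::") return true;       // loopback, unspecified
    return /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);   // ULA, link-local
  }
  return true;
}

// Synchronous half: given a URL and the IP it resolved to, either refuse or
// produce the pinned URL plus the Host header value the proxy should send.
function pinUrlToIp(rawUrl: string, resolvedIp: string): PinnedTarget {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported protocol ${url.protocol}`);
  }
  if (isBlockedIp(resolvedIp)) {
    throw new Error(`${url.hostname} resolved to blocked address ${resolvedIp}`);
  }
  const hostHeader = url.host; // keeps a non-default port, e.g. "api.example.com:8080"
  url.hostname = isIP(resolvedIp) === 6 ? `[${resolvedIp}]` : resolvedIp;
  return { pinnedUrl: url.toString(), hostHeader, resolvedIp };
}

type Resolver = (hostname: string) => Promise<string>;

// Production resolver: system DNS via dns.lookup. Injected so the check can
// be exercised offline with the constructed table below.
const systemResolver: Resolver = async (hostname) => (await lookup(hostname)).address;

// Resolve once, validate the answer, pin it. The fetch that follows uses
// resolvedIp, not the name, so a rebinding DNS server gets no second chance.
async function validateUrlWithDNS(rawUrl: string, resolve: Resolver = systemResolver): Promise<PinnedTarget> {
  const hostname = new URL(rawUrl).hostname.replace(/^\[|\]$/g, "");
  const ip = isIP(hostname) ? hostname : await resolve(hostname);
  return pinUrlToIp(rawUrl, ip);
}

// Constructed DNS table standing in for real resolution in this example.
const FAKE_DNS: Record<string, string> = {
  "api.example.com": "93.184.216.34",
  "rebind.example.test": "127.0.0.1", // a public name whose record points at loopback
};
const fakeResolver: Resolver = async (hostname) => {
  const ip = FAKE_DNS[hostname];
  if (!ip) throw new Error(`NXDOMAIN ${hostname}`);
  return ip;
};

async function demo(): Promise<void> {
  const urls = ["https://api.example.com/v1/items?page=2", "http://rebind.example.test/", "http://169.254.169.254/latest/meta-data/"];
  for (const u of urls) {
    try {
      const t = await validateUrlWithDNS(u, fakeResolver);
      console.log(`ALLOW ${u} -> fetch(${t.pinnedUrl}, { headers: { Host: "${t.hostHeader}" } })`);
    } catch (err) {
      console.log(`DENY  ${u}: ${(err as Error).message}`);
    }
  }
}
void demo();
```

Two caveats a reviewer of this pattern would raise. First, fetching an https URL by IP means the TLS client will verify the certificate against the IP and send no useful SNI, so the original hostname must also be passed down to the TLS layer (for example as the connect-time servername of the HTTP agent), not only as the Host header. Second, the IPv6 branch above compares the textual form that dns.lookup returns rather than a canonicalised address, so it should be paired with a proper address parser in production code.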

@greptile-apps greptile-apps bot left a comment


21 files reviewed, no comments


#2319)

* fix(stagehand): incl stagehand in the standalone build

* fix(stagehand): updated browser use and stagehand to use the latest models
@waleedlatif1 waleedlatif1 merged commit e24f31c into main Dec 11, 2025
20 checks passed
5 participants