LibreChat/packages
Dustin Healy 624a6d8f4b fix(mcp): gate apps per-request on app connections and embedded UI resources
Resolve the allowlist-derived appsEnabled value when creating app-level connections in
ConnectionsRepository so a tenant/role/user override that toggles apps is honored instead of the
boot YAML default.

Gate ui:// resources embedded in tool results on the same per-request setting so a disabled scope
renders them as plain resource text rather than a sandboxed app, resolving appsEnabled lazily only
when a result actually carries a renderable UI resource.

Fail closed in canonicalizeUri when a URI does not stabilize within the decode cap so traversal
encoded more deeply than the cap cannot satisfy a template guard a fully-decoding server resolves
as a parent-directory path.
2026-06-29 11:07:55 -07:00
..
api fix(mcp): gate apps per-request on app connections and embedded UI resources 2026-06-29 11:07:55 -07:00
client 👐 a11y: Bump @ariakit/react, Improve a11y of Token Usage, Archived Chats, Reduce Table Layout Shifts (#13874) 2026-06-21 12:53:24 -04:00
data-provider fix(mcp): harden MCP Apps host security and CJS compatibility 2026-06-28 21:56:28 -07:00
data-schemas 🖇️ feat: Reference Selected Chat Text with Multi-Quote Popup (#13868) 2026-06-21 08:33:11 -04:00