🔒 fix: remove deprecated SystemJS plugin renderer#13305

Merged
arvinxx merged 1 commit into
canaryfrom
fix/remove-systemjs-plugin-renderer
Mar 26, 2026
Conversation

@arvinxx arvinxx commented Mar 26, 2026

Member

Summary

  • Remove the deprecated SystemJS plugin renderer (ui.mode === 'module') and systemjs dependency entirely
  • The old plugin render system has been fully retired with no plugins using this mode

Details

The old plugin system used SystemJS to dynamically load and execute JS modules from untrusted URLs via System.import(url) without any sandbox, domain allowlist, or integrity check. This allowed arbitrary JavaScript execution in the LobeChat origin context, with RCE escalation possible in the Electron desktop app via the electronAPI IPC bridge.

Since no plugins use ui.mode === 'module' anymore, the entire SystemJsRender component and systemjs dependency have been removed. Plugin rendering now only goes through the iframe-based renderer.

Security advisory: GHSA-46v7-wvmj-6vf7

Test plan

  • Plugin system still works with iframe-based plugins
  • No regressions in tool/plugin rendering in conversations

🤖 Generated with Claude Code

…ution risk

The old plugin render system (ui.mode === 'module') that used SystemJS
to dynamically load and execute JS from untrusted URLs has been fully
retired. Remove SystemJsRender and systemjs dependency entirely.

Ref: GHSA-46v7-wvmj-6vf7

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vercel Bot commented Mar 26, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
lobehub Ready Ready Preview, Comment Mar 26, 2026 0:48am

Request Review

@sourcery-ai sourcery-ai Bot left a comment

Contributor


We've reviewed this pull request using the Sourcery rules engine


Member

@ONLY-yours - This PR removes the deprecated SystemJS plugin renderer from the plugin system. Please take a look.

@arvinxx arvinxx changed the base branch from dev to canary March 26, 2026 12:23

codecov Bot commented Mar 26, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.72%. Comparing base (093fa7b) to head (069f8ab).
⚠️ Report is 3 commits behind head on canary.

Additional details and impacted files
@@           Coverage Diff            @@
##           canary   #13305    +/-   ##
========================================
  Coverage   66.71%   66.72%            
========================================
  Files        1884     1884            
  Lines      150871   150871            
  Branches    15184    14473   -711     
========================================
+ Hits       100660   100662     +2     
+ Misses      50100    50098     -2     
  Partials      111      111            
Flag Coverage Δ
app 58.09% <ø> (+<0.01%) ⬆️
database 96.64% <ø> (ø)
packages/agent-runtime 89.61% <ø> (ø)
packages/context-engine 83.22% <ø> (ø)
packages/conversation-flow 92.36% <ø> (ø)
packages/file-loaders 87.02% <ø> (ø)
packages/memory-user-memory 66.68% <ø> (ø)
packages/model-bank 99.85% <ø> (ø)
packages/model-runtime 84.53% <ø> (ø)
packages/prompts 67.76% <ø> (ø)
packages/python-interpreter 92.90% <ø> (ø)
packages/ssrf-safe-fetch 0.00% <ø> (ø)
packages/utils 90.41% <ø> (ø)
packages/web-crawler 88.82% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
Store 66.07% <ø> (ø)
Services 49.56% <ø> (ø)
Server 67.40% <ø> (+<0.01%) ⬆️
Libs 45.46% <ø> (ø)
Utils 91.01% <ø> (ø)

@arvinxx arvinxx merged commit 4e60d87 into canary Mar 26, 2026
26 of 27 checks passed
@arvinxx arvinxx deleted the fix/remove-systemjs-plugin-renderer branch March 26, 2026 12:41

Member

❤️ Great PR @arvinxx ❤️

The growth of project is inseparable from user feedback and contribution, thanks for your contribution! If you are interesting with the lobehub developer community, please join our discord and then dm @arvinxx or @canisminor1990. They will invite you to our private developer channel. We are talking about the lobe-chat development or sharing ai newsletter around the world.
