chore(docs): Update README.md

Open AVGVSTVS96 opened this issue 11 months ago • 18 comments

Draft of updates to readme copy

AVGVSTVS96 avatar May 23 '25 20:05 AVGVSTVS96

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| assistant-ui | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | May 31, 2025 6:56am |

vercel[bot] avatar May 23 '25 20:05 vercel[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Misleading description of Mastra integration in README.md | Medium | Read the "Choose your backend" section in README.md. The description of Mastra suggests it integrates directly into Vercel AI SDK, which is inaccurate. | The README.md states that "Mastra" has "First class integration into AI SDK by Vercel". This is misleading. While Mastra can be used with Assistant UI, and a Mastra backend might use the Vercel AI SDK, it does not integrate into the Vercel AI SDK. A more accurate description would clarify that Assistant UI supports integration with Mastra as a separate backend and that Mastra may optionally utilize Vercel AI SDK. |

Comments? Email us.

jazzberry-ai[bot] avatar May 23 '25 20:05 jazzberry-ai[bot]

⚠️ No Changeset found

Latest commit: 1781d95f26567ecf62ce98fdfb95644796077867

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

changeset-bot[bot] avatar May 23 '25 20:05 changeset-bot[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Incorrect Mastra Integration Description | Low | Check the "Choose your backend" section in README.md | The description for Mastra repeats the Vercel AI SDK description, indicating a copy/paste error. |
| Potential Roadmap Inaccuracy | Low | View the "2025 Q1 Roadmap" section in README.md | The roadmap lists "React 19, Tailwind v4, NextJS 19 support" as complete. This may be inaccurate depending on the release schedules of these libraries. |

jazzberry-ai[bot] avatar May 23 '25 20:05 jazzberry-ai[bot]

Bug Report

Name: Incorrect description of Mastra integration in README.md

Severity: Medium

Example test case: Read the README.md file and check the description of Mastra integration. It incorrectly claims that Mastra has "First class integration into AI SDK by Vercel."

Description: The README.md file incorrectly states that Mastra has first class integration into AI SDK by Vercel. Mastra is an independent agent framework and not part of Vercel AI SDK.

jazzberry-ai[bot] avatar May 23 '25 21:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Mastra Backend Description | Medium | Check the 'Choose your backend' section in README.md | The description for Mastra backend integration incorrectly refers to Vercel AI SDK. |
| Outdated Roadmap | Low | Check the '2025 Q1 Roadmap' section in README.md | The roadmap section contains outdated information and should be updated. |

jazzberry-ai[bot] avatar May 24 '25 04:05 jazzberry-ai[bot]

Bug Report

Name: Inconsistent and potentially broken cloud service URLs

Severity: High

Example test case:

  1. Check the link to assistant-cloud in the README: https://cloud.assistant-ui.com - It redirects to a sign-in page and then returns a 403 Forbidden error.
  2. Inspect the AssistantCloudAPI.tsx file. The base URL for the apiKey authentication method is hardcoded to https://backend.assistant-api.com.
  3. Run nslookup on both URLs. They resolve to different IP addresses.

Description: The README.md file links to cloud.assistant-ui.com which is inaccessible. The AssistantCloudAPI.tsx file has a hardcoded base URL (https://backend.assistant-api.com) for the apiKey authentication method. This URL differs from the one in the README and might be outdated or incorrect, potentially causing API calls to fail. This also creates inconsistency in the documentation. The inaccessibility of cloud.assistant-ui.com prevents users from accessing the cloud features, and the hardcoded URL might break the apiKey authentication flow.

jazzberry-ai[bot] avatar May 25 '25 05:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Misleading claim about LLM provider support in Mastra integration | Medium | Review the README.md and Mastra documentation. The README.md claims that Mastra integration provides 'First class integration with AI SDK by Vercel. Connect to any LLM provider supported by AI SDK.' However, the Mastra documentation doesn't explicitly confirm full support for all LLMs supported by the Vercel AI SDK. | The README.md makes a potentially misleading claim about the extent of LLM provider support in the Mastra integration. While integration exists, it might not be as comprehensive or seamless as the Vercel AI SDK integration, potentially leading to unexpected compatibility issues for developers using specific LLMs. |

jazzberry-ai[bot] avatar May 25 '25 20:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Incorrect description for Mastra integration | Medium | Check the README.md file. The description for Mastra incorrectly mentions AI SDK. | The description for Mastra says "First class integration into AI SDK by Vercel. Connect to any LLM provider supported by AI SDK." This is incorrect. |
| Typo in "Automartically" | Low | Check the README.md file under the Features section. | The word "Automartically" is misspelled. It should be "Automatically". |

jazzberry-ai[bot] avatar May 27 '25 02:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Typo in README | Low | Check the README.md file. | "customizabliity" should be "customizability". |
| Incorrect Mastra description | Medium | Check the README.md file under "Choose your backend". | The Mastra integration description is incorrect and should state "First class integration with Mastra." |
| Misleading assistant-cloud link | Medium | Click on the assistant-cloud link in README.md. | The assistant-cloud link requires authentication and might be misleading to users who expect direct access. |
| Potentially misleading "automatic wiring" description | Medium | Examine the code related to tool calls and agents. | The "Automartically wire up generative UI with tool calls and agents" claim might be an oversimplification, as some manual configuration is likely required. |

jazzberry-ai[bot] avatar May 27 '25 03:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Incomplete Model Provider Support | Medium | Read the README, attempt to integrate Assistant UI with Google Gemini, observe that the integration is not as seamless as the OpenAI integration. | The README claims "wide model provider support" including a long list of providers. While some providers are demonstrably supported, the level of support for others is unclear and potentially less comprehensive. This discrepancy can mislead users. |

jazzberry-ai[bot] avatar May 27 '25 03:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| assistant-ui init command fails due to missing dependencies | High | 1. Create a new Next.js project using npx create-next-app my-app. 2. Navigate to the project directory: cd my-app. 3. Run npx assistant-ui init. | The assistant-ui init command fails to initialize assistant-ui in an existing project due to missing dependencies, specifically @babel/traverse. This prevents users from easily adding assistant-ui to existing projects as advertised in the README. The command also appears to try installing shadcn but fails. |

jazzberry-ai[bot] avatar May 27 '25 05:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Potential XSS vulnerability in Markdown rendering | High | Inject malicious HTML code (e.g., `<img src=x onerror=alert('XSS')>`) into a chat message. If the code is executed when the message is rendered, it indicates an XSS vulnerability. | The application uses react-markdown to render Markdown content, but it doesn't appear to be performing any additional sanitization of user-provided content. While the current version of react-markdown should address known XSS vulnerabilities, relying solely on the library for sanitization is risky. A future vulnerability in react-markdown or a misconfiguration could lead to XSS attacks. The application should implement additional sanitization to mitigate this risk. |

jazzberry-ai[bot] avatar May 27 '25 15:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Typos | Low | Examine the "Features" section in README.md. | The words "customizabliity" and "Automartically" contain typos. |
| Inconsistent Integration Description | Medium | Check the description for Mastra integration in README.md. | The description for the Mastra integration appears to be a copy-paste error from the Vercel AI SDK integration description. It should accurately describe the Mastra integration. |
| Overstated Automatic Generative UI Claim | Low | Read the "Features" section in README.md | The phrase "Automatically wire up generative UI with tool calls and agents" is a strong claim that might not be fully accurate. It could be clarified to manage user expectations. |

jazzberry-ai[bot] avatar May 27 '25 23:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Typo in README | Low | Read the features list in README.md | The word 'Automartically' should be 'Automatically' |
| Mastra backend description incorrect | Medium | Read the 'Choose your backend' section in README.md | The description for Mastra is copied from Vercel AI SDK and is incorrect. |

jazzberry-ai[bot] avatar May 28 '25 02:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Duplicated Integration Statement | Low | Read the README.md file. | The phrase "First class integration into AI SDK by Vercel. Connect to any LLM provider supported by AI SDK" is duplicated under both "Vercel AI SDK" and "Mastra" in the "Choose your backend" section of the README.md file. |

jazzberry-ai[bot] avatar May 28 '25 16:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| Inaccurate Mastra description | Medium | Check the backend integration documentation for Mastra. | The README states that Mastra has "First class integration into AI SDK by Vercel", but it's unclear if this is accurate. The documentation should be reviewed and the README updated if needed. |

jazzberry-ai[bot] avatar May 29 '25 01:05 jazzberry-ai[bot]

Bug Report

| Name | Severity | Example test case | Description |
| --- | --- | --- | --- |
| CLI Create Command Timeout | High | Run npx assistant-ui create test-project | The create command times out after 10 seconds, indicating a potential network issue, slow installation, or problem with the assistant-ui package. |
| CLI Init Command Hangs | Critical | Run npx assistant-ui init | The init command is interactive and hangs indefinitely because interactive commands are not supported. |

jazzberry-ai[bot] avatar May 30 '25 22:05 jazzberry-ai[bot]

Bug Report

Name: Attachment Type Validation Missing

Severity: Medium

Example test case: Create a new chat thread. Craft a malicious attachment object where attachment.type is not a string, but an object, e.g., attachment = { type: { malicious: "object" }, ...otherAttachmentProps }. Add the crafted attachment to the composer. Send the message.

Description: The ComposerPrimitiveAttachments component in packages/react/src/primitives/composer/ComposerAttachments.tsx uses a switch statement to determine the component to render based on the attachment type. However, it doesn't validate that attachment.type is indeed a string before entering the switch statement. If attachment.type is a non-string value (e.g., an object), the switch statement's default case will be reached, resulting in an error being thrown. This error, while not directly leading to code execution, can still disrupt the application's functionality and potentially expose sensitive information about the codebase. A malicious user could craft a specific input that breaks the rendering of the attachment and cause a denial of service. The fix would be to add validation that attachment.type is a string, and if not, handle the invalid type gracefully (e.g. by logging an error and not rendering the attachment).

jazzberry-ai[bot] avatar May 31 '25 06:05 jazzberry-ai[bot]
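
The validation suggested in the last report, written out as an added example. It is not assistant-ui's code and not part of this thread. The function names and the allowlist of attachment types are assumptions, since the thread does not list the component's real cases.

```typescript
// Added example; all names here are hypothetical, not assistant-ui's code.
// Assumption: this allowlist stands in for the component's real switch cases.
const KNOWN_ATTACHMENT_TYPES = ["image", "document", "file"] as const;
type AttachmentType = (typeof KNOWN_ATTACHMENT_TYPES)[number];

type RenderDecision =
  | { render: true; type: AttachmentType }
  | { render: false; reason: string };

// Narrow an untrusted value to a known type. An array lookup is used so
// inherited keys such as "constructor" can never match.
function isAttachmentType(value: unknown): value is AttachmentType {
  return (
    typeof value === "string" &&
    (KNOWN_ATTACHMENT_TYPES as readonly string[]).indexOf(value) !== -1
  );
}

// Return a decision instead of throwing, so one malformed attachment
// cannot take down rendering of the whole composer.
function decideAttachmentRender(attachment: unknown): RenderDecision {
  if (typeof attachment !== "object" || attachment === null) {
    return { render: false, reason: "attachment is not an object" };
  }
  const type = (attachment as { type?: unknown }).type;
  if (typeof type !== "string") {
    return { render: false, reason: `type is ${typeof type}, expected string` };
  }
  if (!isAttachmentType(type)) {
    // Log the length only: the raw value is user-controlled.
    return { render: false, reason: `unknown type (length ${type.length})` };
  }
  return { render: true, type };
}

// Keep the renderable attachments and log the rest.
function renderableAttachments(attachments: unknown[]): AttachmentType[] {
  const kept: AttachmentType[] = [];
  for (const a of attachments) {
    const d = decideAttachmentRender(a);
    if (d.render) kept.push(d.type);
    else console.warn(`skipping attachment: ${d.reason}`);
  }
  return kept;
}

// Constructed sample input, including the malformed object from the report.
const SAMPLE: unknown[] = [{ type: "file" }, { type: { malicious: "object" } }, {}];
```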