Chore/Disable Available Dep By Default (#5231)

disable available dependencies by default, only allow when ALLOW_BUILTIN_DEP is set to true

packages/components/src/utils.ts

@@ -1543,7 +1543,7 @@ export const executeJavaScriptCode = async (
             ? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(','))
             : defaultAllowBuiltInDep
         const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : []
-        const deps = availableDependencies.concat(externalDeps)
+        const deps = process.env.ALLOW_BUILTIN_DEP === 'true' ? availableDependencies.concat(externalDeps) : externalDeps
 
         const defaultNodeVMOptions: any = {
             console: 'inherit',

packages/server/.env.example

@@ -39,6 +39,7 @@ PORT=3000
 # LOG_LEVEL=info #(error | warn | info | verbose | debug)
 # TOOL_FUNCTION_BUILTIN_DEP=crypto,fs
 # TOOL_FUNCTION_EXTERNAL_DEP=moment,lodash
+# ALLOW_BUILTIN_DEP=false
 
 
 ############################################################################################################

packages/server/src/commands/base.ts

@@ -22,6 +22,7 @@ export abstract class BaseCommand extends Command {
         LOG_LEVEL: Flags.string(),
         TOOL_FUNCTION_BUILTIN_DEP: Flags.string(),
         TOOL_FUNCTION_EXTERNAL_DEP: Flags.string(),
+        ALLOW_BUILTIN_DEP: Flags.string(),
         NUMBER_OF_PROXIES: Flags.string(),
         DATABASE_TYPE: Flags.string(),
         DATABASE_PATH: Flags.string(),
@@ -143,9 +144,10 @@ export abstract class BaseCommand extends Command {
         if (flags.LOG_PATH) process.env.LOG_PATH = flags.LOG_PATH
         if (flags.LOG_LEVEL) process.env.LOG_LEVEL = flags.LOG_LEVEL
 
-        // Tool functions
+        // Custom tool/function dependencies
         if (flags.TOOL_FUNCTION_BUILTIN_DEP) process.env.TOOL_FUNCTION_BUILTIN_DEP = flags.TOOL_FUNCTION_BUILTIN_DEP
         if (flags.TOOL_FUNCTION_EXTERNAL_DEP) process.env.TOOL_FUNCTION_EXTERNAL_DEP = flags.TOOL_FUNCTION_EXTERNAL_DEP
+        if (flags.ALLOW_BUILTIN_DEP) process.env.ALLOW_BUILTIN_DEP = flags.ALLOW_BUILTIN_DEP
 
         // Database config
         if (flags.DATABASE_TYPE) process.env.DATABASE_TYPE = flags.DATABASE_TYPE