
Security News
Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Music Scraping
A Shai-Hulud infection exposed Suno's source code, which shows the AI music startup stream-ripped tracks to train its models.
@mintlify/assistant-web
Advanced tools
@mintlify/assistant-webThe Mintlify Assistant browser boundary provides the hosted loader, custom-trigger API, browser transport, and direct mount lifecycle. Importing the package has no browser side effects. Browser behavior begins only after calling an exported browser function or loading the hosted script.
Set the public Widget ID before loading the compatible release channel:
<script nonce="YOUR_CSP_NONCE">
window.MintlifyAssistantSettings = {
widgetId: 'mint_widget_example',
context: { currentPath: window.location.pathname },
styleNonce: 'YOUR_CSP_NONCE',
scriptNonce: 'YOUR_CSP_NONCE',
};
</script>
<script
type="module"
defer
nonce="YOUR_CSP_NONCE"
src="https://cdn.jsdelivr.net/npm/@mintlify/assistant-web@0.0/dist/browser/embed.js"
></script>
The @0.0 channel follows the latest compatible 0.0.x patch release. Breaking browser API
changes must move to a new minor channel so existing installations do not update across them.
The loader installs window.MintlifyAssistant. Every method returns a promise after the loader has
run. Calls made while its lazy runtime is loading are replayed once in invocation order.
baseUrl optionally replaces the full widget API base URL. It defaults to
https://api.mintlify.com/api/assistant-widget; set it only when routing the compatible Assistant
API through a proxy, regional endpoint, self-hosted deployment, or local development server.
await window.MintlifyAssistant.ready;
await window.MintlifyAssistant.open({ entryPoint: 'docs-header' });
await window.MintlifyAssistant.ask('How do I authenticate?', {
entryPoint: 'authentication-button',
});
await window.MintlifyAssistant.update({
context: { currentPath: window.location.pathname, version: 'v2' },
});
Entry points are trimmed strings from 1 through 100 characters. Custom triggers default to
custom-trigger; the maintained trigger defaults to floating-trigger.
For controls that can run before the external script executes, install the small preload stub shown
in examples/plain-html.html. Its queued open, close, focus,
ask, update, newThread, and destroy calls are adopted by the loader. Repeated script loads
and repeated initialization with the same Widget ID remain idempotent. Call destroy() before
initializing a different widget.
identityToken is optional and exchanged only for a short-lived Assistant session. Identity,
session, captcha, and trust tokens are kept in memory and are not included in browser lifecycle
events. update({ identityToken }) starts a fresh thread; context, theme, and trigger visibility
updates preserve the current thread.
@mintlify/assistant-core remains available unchanged for standalone headless integrations with
their own transports. The maintained browser widget in this package uses the AI SDK data protocol
directly and does not instantiate the custom streaming core.
Allow the following origins when the corresponding CSP directives are present:
script-src: https://cdn.jsdelivr.net, https://challenges.cloudflare.com, and
https://js.hcaptcha.comconnect-src: https://api.mintlify.com, https://challenges.cloudflare.com, and
https://*.hcaptcha.comframe-src: https://challenges.cloudflare.com and https://*.hcaptcha.comstyle-src: https://cdn.jsdelivr.net plus the nonce passed as styleNonce for the widget's
isolated inline base stylesReplace YOUR_CSP_NONCE with the request's nonce. A strict script-src policy must authorize the
inline settings/preload block itself with the <script nonce> attribute; scriptNonce only
propagates that value to dynamically loaded captcha scripts. The external loader may be authorized
by its host or a nonce. Pass the same value as styleNonce when style-src requires a nonce for the
widget's isolated inline base styles.
Browser errors include a stable code, retryable, and optional HTTP status, plus CSP guidance
for blocked runtime, API, or captcha resources. When using baseUrl, allow its origin in
connect-src instead of https://api.mintlify.com.
yarn build emits the versioned dist/browser/embed.js loader and a lazy
dist/browser/runtime-[hash].js runtime. Renderer assets use relative hashed paths under
dist/browser/assets. The build fails if browser JavaScript contains bare host-resolved imports or
if the loader reaches 8 KiB gzip. Exact byte counts are written to
dist/browser/size-report.json.
FAQs
Browser SDK and direct-mount boundary for Mintlify Assistant
We found that @mintlify/assistant-web demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
A Shai-Hulud infection exposed Suno's source code, which shows the AI music startup stream-ripped tracks to train its models.

Security News
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.