docs: warnings for dotenv vulnerability #10138

Merged
mendonk merged 11 commits into main from docs-dotenv-patch-release on Oct 7, 2025
Conversation

@mendonk
Collaborator

@mendonk mendonk commented Oct 6, 2025

Dotenv warnings for 1.6.0:

  • Readme
  • Security.md
  • release notes, and recommendation to use 1.6.4 when it is available.
  • Add exception for SECURITY.md to step around the pre-commit hooks.

Dotenv warnings and 164 patch.
@mendonk mendonk self-assigned this Oct 6, 2025
@coderabbitai
Contributor

coderabbitai Bot commented Oct 6, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Documentation updates across README, SECURITY, and release notes to warn about a .env environment variable loading bug in versions 1.6.0–1.6.3, recommend upgrading to 1.6.4, and annotate security-related config lines with allowlist pragmas.

Changes

Cohort / File(s) | Summary
.env loading bug documentation (README.md, docs/docs/Support/release-notes.mdx, SECURITY.md) | Added warnings/known-issue entries about .env variables not loading in 1.6.0–1.6.3 and guidance to upgrade to 1.6.4; included potential security impact notes in docs and security pages.
Security config annotations (SECURITY.md) | Appended "# pragma: allowlist secret" to the LANGFLOW_DATABASE_URL, LANGFLOW_SECRET_KEY, and SECRET_KEY examples to mark the secrets as allowlisted in documentation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

documentation, size:L, lgtm

Suggested reviewers

  • jordanrfrazier
  • aimurphy
  • ogabrielluiz

Pre-merge checks and finishing touches

✅ Passed checks (7 passed)
Check name Status Explanation
Title Check ✅ Passed The title “docs: warnings for dotenv vulnerability” succinctly and accurately describes the primary change, which is the addition of documentation warnings regarding the .env file loading bug. It clearly uses the “docs:” conventional prefix and references the specific vulnerability addressed by the pull request. The phrasing is concise and meaningful, enabling a quick understanding of the PR’s purpose without extraneous detail. Consequently, it aligns with the guidelines for a clear and focused title.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
Test Coverage For New Implementations ✅ Passed All files modified in this PR are documentation-only (README.md, SECURITY.md, docs/docs/Support/release-notes.mdx), with no new or updated code, components, or functionality introduced. Since the changes are purely informational, there are no corresponding tests required, and none are expected. Therefore the absence of new tests is appropriate and consistent with the scope of the PR.
Test Quality And Coverage ✅ Passed The pull request exclusively updates documentation files (README.md, SECURITY.md, and docs/docs/Support/release-notes.mdx) without introducing or modifying any executable code, so there are no new behaviors that would require accompanying tests under the repository’s current testing strategy. Consequently, there are no gaps in test coverage attributable to this change set, and the existing test suite remains adequate. No further testing actions are needed for this documentation-only update.
Test File Naming And Structure ✅ Passed The diff for this PR only touches README.md, SECURITY.md, and docs/docs/Support/release-notes.mdx, with no additions or modifications to backend, frontend, or integration test files. Since no test files are affected, the existing project test structure and naming conventions remain unchanged and therefore the check’s requirements continue to be satisfied. Consequently, there is nothing introduced in this PR that could violate the prescribed test patterns or organization.
Excessive Mock Usage Warning ✅ Passed Documentation-only changes were introduced in this PR, and no test files were added or modified, meaning there is no new or updated usage of mocks to evaluate for excessiveness. Consequently, the existing test suite remains unaffected, and there are no indications of mock misuse or overreliance introduced by this change.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

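The failure the walkthrough describes is a silent one: settings written in `.env` never reach the process, and the application falls back to defaults. The following startup guard is an added example (not Langflow project code) that parses a `.env` file, compares the security-critical keys named in this PR (AUTO_LOGIN, LANGFLOW_SECRET_KEY, LANGFLOW_DATABASE_URL) against the live process environment, and reports any that were dropped; the `.env` sample and the simulated environment in `demo()` are constructed.

```python
"""Startup guard: confirm security-critical .env settings reached the process.

Added example, not Langflow project code. Assumes the usual KEY=VALUE .env
layout and that the application reads its settings from os.environ.
"""
import os
import re
from typing import Mapping

# Keys whose silent absence makes the app fall back to insecure defaults (per the PR).
CRITICAL_KEYS = ("AUTO_LOGIN", "LANGFLOW_SECRET_KEY", "LANGFLOW_DATABASE_URL")

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal .env parser: KEY=VALUE, optional 'export', quotes, '#' comments."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if val[:1] in ('"', "'"):            # quoted: take everything up to the closing quote
            end = val.find(val[0], 1)
            val = val[1:end] if end != -1 else val[1:]
        else:                                # unquoted: drop a trailing " # comment"
            val = val.split(" #", 1)[0].rstrip()
        values[key] = val
    return values


def check_env_loaded(expected: Mapping[str, str], actual: Mapping[str, str]) -> list[str]:
    """Return findings for critical keys missing from, or different in, the live environment."""
    findings: list[str] = []
    for key in CRITICAL_KEYS:
        if key not in expected:
            continue                          # not configured in .env; nothing to verify
        if key not in actual:
            findings.append(f"{key}: set in .env but missing from the process environment")
        elif actual[key] != expected[key]:
            findings.append(f"{key}: process value differs from .env")
    # The risk the PR warns about: AUTO_LOGIN=false dropped, app falls back to auto-login.
    if expected.get("AUTO_LOGIN", "").lower() == "false" and any(f.startswith("AUTO_LOGIN") for f in findings):
        findings.append("RISK: AUTO_LOGIN=false not in effect; default auto-login may grant every user superuser access")
    return findings


SAMPLE_DOTENV = """# constructed sample .env
AUTO_LOGIN=false
LANGFLOW_SECRET_KEY="example-secret-key"  # pragma: allowlist secret
LANGFLOW_DATABASE_URL=postgresql://user:pass@db/langflow  # pragma: allowlist secret
"""


def demo() -> list[str]:
    # Constructed process environment in which the loader dropped AUTO_LOGIN.
    simulated_env = {"LANGFLOW_SECRET_KEY": "example-secret-key",
                     "LANGFLOW_DATABASE_URL": "postgresql://user:pass@db/langflow"}
    return check_env_loaded(parse_dotenv(SAMPLE_DOTENV), simulated_env)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real deployment by passing `parse_dotenv(open(".env").read())` and `os.environ` to `check_env_loaded` before the application starts serving.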

@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Oct 6, 2025
@mendonk mendonk requested a review from jordanrfrazier October 6, 2025 17:55
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc582f3 and 82949dc.

📒 Files selected for processing (3)
  • README.md (1 hunks)
  • SECURITY.md (2 hunks)
  • docs/docs/Support/release-notes.mdx (1 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
docs/**/*.{md,mdx}

📄 CodeRabbit inference engine (.cursor/rules/docs_development.mdc)

docs/**/*.{md,mdx}: All Markdown/MDX pages must start with front matter including at least title and description; include sidebar_position for docs pages when applicable
Code blocks must specify a language and may include a title (```lang title="…")
Use sentence case for headings and keep paragraphs short and scannable
Write in second person, present tense, with a professional but approachable tone
Use inline code with backticks for code terms; use bold for UI elements and italics for emphasis; keep lists in parallel structure
Ensure internal links are functional and navigation works (update cross-references as needed)
Verify all code examples in docs and blog actually run as shown
Use correct terminology capitalization: Langflow, Component, Flow, API, JSON
Reference images with absolute paths under /img/... and provide descriptive alt text

Files:

  • docs/docs/Support/release-notes.mdx
docs/docs/**/*.{md,mdx}

📄 CodeRabbit inference engine (.cursor/rules/docs_development.mdc)

Use Docusaurus admonitions (:::+tip|warning|danger) instead of custom callouts in docs pages

Files:

  • docs/docs/Support/release-notes.mdx
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test Docs Build / Test Docs Build
  • GitHub Check: build-and-deploy
🔇 Additional comments (1)
docs/docs/Support/release-notes.mdx (1)

59-62: Fix trailing punctuation in the impact list.

Each bullet ends with a comma, which reads awkwardly and breaks the list’s sentence structure. Please swap those trailing commas for periods so the list scans cleanly.

Apply this diff:

-If you deployed with `AUTO_LOGIN=false` in your `.env` file, upgrading to these versions will cause Langflow to fall back to default settings, potentially giving all users superuser access,
-Database credentials, API keys, and other sensitive configuration may not be loaded from `.env` files.
+If you deployed with `AUTO_LOGIN=false` in your `.env` file, upgrading to these versions will cause Langflow to fall back to default settings, potentially giving all users superuser access.
+Database credentials, API keys, and other sensitive configuration may not be loaded from `.env` files.
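Review bot: "these versions" in the first `+` line has no antecedent inside the hunk, so the bullet is ambiguous when read on its own in the release notes; naming the affected range (1.6.0–1.6.3, per the PR walkthrough) in the sentence itself would keep the warning self-contained, for example "upgrading to 1.6.0–1.6.3 will cause Langflow to fall back to default settings".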

Likely an incorrect or invalid review comment.

@mendonk mendonk requested a review from aimurphy October 6, 2025 21:37
@github-actions github-actions Bot added lgtm This PR has been approved by a maintainer documentation Improvements or additions to documentation and removed documentation Improvements or additions to documentation labels Oct 6, 2025
Collaborator

@jordanrfrazier jordanrfrazier left a comment


Sent a few comments offline. lgtm. 1.6.4 is releasing now.

@mendonk mendonk added this pull request to the merge queue Oct 7, 2025
@github-actions
Contributor

github-actions Bot commented Oct 7, 2025

Build successful! ✅
Deploying docs draft.
Deploy successful! View draft

Merged via the queue into main with commit c59bfc8 Oct 7, 2025
17 checks passed
@mendonk mendonk deleted the docs-dotenv-patch-release branch October 7, 2025 18:21