fix: Sanitize folder names for CodeQL#12263
Merged
Merged
Conversation
Contributor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
Frontend Unit Test Coverage ReportCoverage Summary
Unit Test Results
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## release-1.9.0 #12263 +/- ##
=================================================
+ Coverage 34.97% 38.26% +3.28%
=================================================
Files 1652 1652
Lines 82456 82459 +3
Branches 12239 12239
=================================================
+ Hits 28842 31552 +2710
+ Misses 51819 49112 -2707
Partials 1795 1795
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Collaborator
|
lgtm |
Jkavia
approved these changes
Mar 20, 2026
github-actions
Bot
added
bug
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Apr 15, 2026
* test: add upgrade migration check to ci (#12061)
* Add upgrade migration check to ci
* [autofix.ci] apply automated fixes
* Add fetch step
* ruff
* Add merge migration
* Revert "Add merge migration"
This reverts commit fd32424739a758646e77c5967420198ff21b5970.
backups
* coderabbit suggestions
1. Shell hardening in workflow - set -euo pipefail, full path grep, quoted variables
2. _WORKSPACE_ROOT extracted as module constant (also addresses Cristhianzl's review comment about parents[5] duplication)
3. git missing returns None instead of raising FileNotFoundError
4. # noqa: S603 added to subprocess.run (fixes the Ruff CI failure)
5. FK noise filtering now also compares target table/column, not just ondelete/onupdate
6. Removed redundant git fetch origin main step (fetch-depth: 0 already fetches all branches)
7. Deduplicated Alembic config creation in _get_main_branch_head (moved before the if branch)
8. Simplified dict type hints (removed unnecessary dict[tuple, object])
* test: improve migration tests from PR review feedback
- Narrow broad except clause to only wrap subprocess.run call
- Add specific error messages for multi-head and unresolvable revisions
- Remove redundant hardcoded schema test (covered by compare_metadata)
- Fix SQLite FK noise filter to skip ondelete/onupdate comparison
- Add downgrade verification to test_upgrade_from_main_branch
- Add test file and workflow to CI trigger paths
- Add prompt for follow-up PostgreSQL migration test PR
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* add engine check on downgrade
* [autofix.ci] apply automated fixes
* fix: harden CI error handling and test robustness
- Set validationPassed=false when validator crashes so CI fails instead of passing silently
- Wrap GitHub API calls in try-catch so comment-posting failures don't mask validation results
- Preserve git stderr in warnings for better CI debugging
- Add defensive handling for unexpected FK constraint shapes in SQLite noise filter
- Clean up SQLite WAL/SHM/journal companion files in test teardown
* Add explicit fetch to main
* ruff
* [autofix.ci] apply automated fixes
* Add sqlite filter tests and remove redundant fetch
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(deployments): unify payload passthrough from api to adapter (#12190)
* feat(deployments): unify dynamic payload passthrough across api and adapter
* use datatime.timezone for python3.10 compatibility
* use appropriate type vars in slots and sanitize error message
* tweaks to schemas
* use policy to avoid dump churn
* fix: allow clearing Max Tokens field with Backspace/Delete (#12198)
* fix: allow clearing Max Tokens field with Backspace/Delete
Empty string input was being converted to 0 via Number(""), which
triggered the min-value guard and snapped the field back to 1 before
onChange could propagate. Adding an early return for empty input lets
the field clear correctly, propagating null (no limit) downstream.
* test: add IntComponent tests for handleInputChange clearing behavior
Covers the regression where Backspace/Delete was blocked by the
min-value guard, and verifies that below-min values still clamp
correctly.
* fix: Resolve CodeQL false positives for path injection and URL substring sanitization (#12201)
* fix: Add explicit left/right DataFrame inputs for merge operations (#12177)
* add explicit left/right DataFrame inputs for merge operations
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes
* ruff style and checker fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* fix: add dict to allowlist preventing TableInput data loss (#12074)
* fix: add dict to allowlist preventing TableInput data loss
Co-Authored-By: DeyLak <DeyLak@users.noreply.github.com>
* test: add regression test for TableInput list[dict] preservation
Regression test for: https://github.com/langflow-ai/langflow/issues/12062
Co-Authored-By: DeyLak <DeyLak@users.noreply.github.com>
---------
Co-authored-by: DeyLak <DeyLak@users.noreply.github.com>
Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com>
* chore: update pyproject versions 1.9.0
update pyproject versions 1.9.0
* fix: 1.9.0 nightly
1.9.0 nightly fix
* feat: add wxO deployment adapter (#12079)
* checkout wxo deployment adapter implementation
* checkout wxo deps and flow reqs impl
* clean up / minor refactor with updated tests
* major refactor: split up the implementation into folders and files
* clean up logic
* refactor and clean up of execution logic, improve type safety of "retry_create" helper, and remove dead code
* remove unused wxo service file
* remove "provider_name" arg and references
* fix: harden watsonx orchestrate deployment adapter for PR readiness
- Fix rollback AttributeError when agent_create_response is None
- Fix NoneType access on params in list() when called without params
- Fix inconsistent error types: use DeploymentNotFoundError in get/update
- Fix typo "occured" -> "occurred" in all error prefix messages
- Fix variable shadowing of fastapi.status in get_status()
- Fix pre-existing test bugs (wrong exception types, stale method refs)
- Fix e2e monkey-patching of non-existent service methods
- Add structured logging to create, delete, retry, and rollback flows
- Add jitter to retry backoff to avoid thundering herd
- Add __repr__ to WxOCredentials that fully masks the API key
- Extract hard-coded LLM model string to DEFAULT_WXO_AGENT_LLM constant
- Remove commented-out snapshot update code
- Expand test coverage from 24 to 75 tests covering retry logic,
service methods, client auth, utilities, execution/status helpers,
and artifact roundtrip
* fix(deployment): fix bugs and harden watsonx orchestrate adapter
- Fix update method silently discarding changes instead of sending them
to the WXO API
- Wrap all synchronous SDK calls in asyncio.to_thread to avoid blocking
the event loop
- Add error handling to get_status (was propagating raw exceptions)
- Use DeploymentType enum values instead of raw strings for
SUPPORTED_ADAPTER_DEPLOYMENT_TYPES
- Fix type annotations in list method (list -> set)
- Fix typo in comment (reccomend -> recommend)
- Remove dead code: extract_agent_connection_ids,
require_exclusive_resource, require_non_empty_string,
resolve_health_environment_id, fetch_agent_release_status,
normalize_release_status, resolve_lfx_runner_requirement,
_pin_requirement_name, sync_langflow_tool_connections,
create_langflow_flow_tool, resolve_snapshot_connections, and unused constants
- Make assert_create_resources_available and validate_connection async
- Make create_agent_run and get_agent_run async
- Add tests for list_types, get_status error handling, and update
side-effects
- Update existing tests for async function signatures
* actually remove the dead code from tools.py
* properly await "validate_connection"
* update e2e test file
* add more scenarios to e2e test runner
* refactor(watsonx-orchestrate): improve WxOClient encapsulation and error messages
Encapsulate SDK private method access and endpoint paths inside
WxOClient wrappers so callers never handle raw paths or touch internal
_get/_post methods. Route all private HTTP calls through a single
_base client auto-created in __post_init__, removing the externally
constructed `base` field.
Additionally fix double-period and redundant text in error messages
produced by the ErrorPrefix + handler pattern, and update E2E/unit
assertions to match the sanitised error output.
Changes:
- types.py: bake endpoint paths into wrapper signatures (post_run,
get_run, upload_tool_artifact, get_agents_raw); auto-create _base
via __post_init__; remove base from constructor
- client.py: drop BaseWXOClient import and base= constructor arg
- core/execution.py: pass run_id / query_suffix instead of raw paths
- core/tools.py: pass tool_id instead of raw path
- service.py: fix double-period in ErrorPrefix interpolation; remove
redundant restatements in generic except handlers
- tests: update _with_wxo_wrappers helper and test doubles to use
_base; update FakeBaseClient._get to accept params
- e2e: update rollback scenario detail_contains to match sanitised msg
* skip import and tests of wxo adapter if current env is running python 3.10
* clarify random prefix / retry behavior
* implement comments
* fix: align watsonx adapter with updated deployment schema
- Add `deployment_type` parameter to `get`, `update`, `redeploy`,
`duplicate`, `delete`, `get_status`, and `undeploy_deployment` in
WatsonxOrchestrateDeploymentService to match the updated
BaseDeploymentService ABC
- Update e2e script to use renamed `add_ids` field on
SnapshotDeploymentBindingUpdate
* remove non-interface method undeploy_deployment
* implement listing configs and snapshots
* add update implementation and improve http->deployment error translation and add tests
* improve exception handling
* checkout payload slot work
* custom payload schema for update
* new update implementation
* stop passing client cache to helpers
* add docs for ordereduniquests
* improve import patterns and document future risks for wxo dependencies
* remove global-variable prefixing of flows
* ref: harden typing, DRY helpers, and correctness fixes
- Replace `db: Any` with `db: AsyncSession` across client, config, and
update_helpers modules
- Extract `_ensure_dict` / `ensure_langflow_connections_binding` helpers
to eliminate repeated nested-dict safety logic in tools.py and
update_helpers.py, with documentation explaining why malformed API
payloads are silently corrected rather than rejected
- Use `PayloadSlot.parse()` for update payload validation instead of
standalone helper; remove `parse_provider_update_payload`
- Fix lambda late-binding with default-argument captures in service.py
- Use `zip(strict=True)` in update_helpers for defensive mismatch
detection
- Replace O(n²) duplicate detection with `collections.Counter` in
payloads.py
- Simplify `dedupe_list` to `list(dict.fromkeys(...))`
- Move type-annotation-only imports into TYPE_CHECKING blocks in
types.py and config.py
- Introduce `UPDATE_MAX_RETRIES` as a distinct constant from
`CREATE_MAX_RETRIES`
- Fix "watsonX" → "watsonx" casing in error messages
- Clarify `get_status` docstring and `validate_connection` error message
- Add TODO(deployments-cache) for client cache invalidation on
credential updates
* ref: drop client cache and adopt typed deployment context across the wxo adapter path, add request-context memoization with strict mixed-context guards, and lazily initialize wxo SDK clients. Add safer credential handling by storing only authenticators in WxOCredentials. Also improve provider error-detail extraction/messages and make the direct wxo E2E conflict scenario diagnostics and expectations more resilient.
* use explicit naming for context class; providerId
* fix error handling, retry safety, and exception diagnostics in wxo adapter
- Raise DeploymentError on empty API responses instead of fabricating
fake success in create_agent_run_result and get_agent_run
- Elevate rollback failure logging from WARNING to ERROR for alerting
- Apply retryable filter to retry_rollback to skip 401/403/409/422
- Preserve exception chains (from exc) instead of suppressing (from None)
across service.py, utils.py, execution.py, and update_helpers.py
- Broaden credential resolution catch to handle arbitrary DB exceptions
- Separate status code dispatch from string heuristics in
raise_for_status_and_detail to prevent misclassification
- Add tests for all behavioral changes
* [autofix.ci] apply automated fixes
* fix: harden wxO adapter safety, immutability, and error diagnostics
- Make WxOClient and WxOCredentials frozen dataclasses with eager SDK
client initialization to eliminate thread-safety races from
asyncio.to_thread workers and prevent post-construction mutation
- Move instance_url validation and normalization into type __post_init__
- Raise DeploymentError on missing run_id instead of returning partial
success with execution_id=None
- Preserve exception chains (from exc) instead of suppressing (from None)
across create, update, and delete service methods
- Add warning logs when _ensure_dict replaces non-dict binding values
and when _resolve_lfx_requirement falls back to minimum version
- Initialize derived_spec before try block to prevent potential NameError
- Log all ToolUploadBatchError errors before re-raising the first
- Change SUPPORTED_ADAPTER_DEPLOYMENT_TYPES from mutable set to frozenset
- Add tests for 409/422 error mapping in create, unsupported deployment
type rejection, empty update rejection, zip artifact extraction paths,
validate_connection negative paths, missing run_id, multiple deployment
ID rejection, exception chain preservation, and _ensure_dict warning
* [autofix.ci] apply automated fixes
* fix ruff errors and and todo for status method
* fix mypy errors
* [autofix.ci] apply automated fixes
---------
Co-authored-by: Jordan Frazier <jordan.frazier@datastax.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* fix: 1.9.0 nightly (#12210)
fix 1.9.0 nightly
* fix(mcp): Add schema-driven type conversion (#11796)
* fix: nightly now properly gets 1.9.0 branch (#12215)
before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail
now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$'
* fix(mcp): Add schema-driven type conversion
- Add schema-driven type conversion (str→dict, str→int, etc.)
- normalize and unflatten tool arguments for MCP servers
- Unflatten flattened keys (e.g. params.search) into nested objects
* fix(mcp): handle dict type and array type in JSON schema for MCP tools
- Support "type": ["string", "null"] (JSON Schema array type)
- Normalize required to hashable elements (filter non-string entries)
- Add unit tests for create_input_schema_from_json_schema
* fix(mcp): map generic object type to dict for free-form params
When JSON schema has {"type": "object"} with no properties, treat it as
a free-form dict instead of building a nested Pydantic model. This allows
MCP servers expecting arbitrary key-value params to receive proper dicts,
and enables str→dict conversion via _normalize_arguments_for_mcp.
- Add conditional in parse_type: empty properties → dict, else nested model
- Add test_create_input_schema_generic_object_maps_to_dict
* fix(mcp): exclude None from tool arguments sent to MCP servers
* test_mcp: add more tests for datatypes
* fix(mcp): parse JSON strings for nested model params (e.g. foreman-mcp)
* fix(mcp): refactor _try_convert_value reducing repetition
* fix(mcp): add missing tests for remaining use cases
* fix(mcp): Fix mapping of None if expected is list, dict or str
* Update nightly_build.yml
---------
Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>
Co-authored-by: Eric Hare <ericrhare@gmail.com>
* fix: prevent overwriting user-selected global variables in provider c… (#12217)
* fix: nightly now properly gets 1.9.0 branch (#12215)
before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail
now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$'
* docs: add search icon (#12216)
add-back-svg
* fix: prevent overwriting user-selected global variables in provider config
Previously, the apply_provider_variable_config_to_build_config function would
automatically overwrite field values with environment variable keys whenever
an env var was present, even if the user had already selected a different
global variable.
This fix adds a check to only auto-set the environment variable if:
- The field is currently empty, OR
- The field is not already configured to load from the database
This preserves user selections while still providing automatic configuration
for new/empty fields.
Added comprehensive unit tests to verify:
- Auto-setting env vars for empty fields
- Preserving user-selected global variables
- Overwriting hardcoded values (expected behavior)
- Skipping when env var is not set
- Applying component metadata correctly
* [autofix.ci] apply automated fixes
* style: use dictionary comprehension instead of for-loop
Fixed PERF403 Ruff style warning by replacing for-loop with dictionary
comprehension in update_projects_components_with_latest_component_versions
* chore: retrigger CI build
* test: improve test coverage and clarity for provider config
- Renamed test_apply_provider_config_overwrites_hardcoded_value to
test_apply_provider_config_replaces_hardcoded_with_env_var for clarity
- Added test_apply_provider_config_idempotent_when_already_set to document
idempotent behavior when value already matches env var key
- Removed sensitive value from debug log message to prevent potential
exposure of API keys or credentials
These changes improve test coverage by documenting the no-op scenario
and enhance security by avoiding logging of potentially sensitive data.
* chore: retrigger CI build
---------
Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>
Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>
Co-authored-by: Steve Haertel <shaertel@ca.ibm.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Eric Hare <ericrhare@gmail.com>
* fix: Fixed CodeQL security scan about Incomplete URL substring sanitization on watsonx test suite (#12212)
* fix: Fixed CodeQL security scan about Incomplete URL substring sanitization
* fix coderabbitai comments
* fix: nightly now properly gets 1.9.0 branch (#12215)
before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail
now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$'
* fix failing action
* docs: add search icon (#12216)
add-back-svg
* Revert "Merge branch 'main' into dev-fix-security-code-scan-watsonx"
This reverts commit 41eb034e1136f08fb4e5fe3748c14ff06c0c8a56, reversing
changes made to 4e51f4d836885552b93258e0e797750a22a36e14.
* Revert "Merge branch 'main' into dev-fix-security-code-scan-watsonx"
This reverts commit 4e51f4d836885552b93258e0e797750a22a36e14, reversing
changes made to 530bddd0a4193095bd575467d428d9d208e9c680.
---------
Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>
Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>
* fix: remove ibm-watsonx extra from complete installation (#12230)
* docs: lfx readme content (#11870)
* docs-add-lfx-content-to-readme
* github-link-syntax
* allowlist-blocklist
* docs: add a copy to markdown button to docusaurus theme (#12189)
* copy-page-component
* copy-theme-and-add-button
* docs: add versioning (#12218)
* fix: nightly now properly gets 1.9.0 branch (#12215)
before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail
now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$'
* docs: add search icon (#12216)
add-back-svg
* initial-content
* cut-1.8-release-and-include-next-version
* stage-1.8.0-and-next
---------
Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>
* docs: replace api build automation (#12214)
* remove-workflows-file-and-script
* tag-hidden-endpoints
* update-scripts-and-specs
* fix: nightly now properly gets 1.9.0 branch (#12215)
before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail
now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$'
* docs: add search icon (#12216)
add-back-svg
---------
Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>
Co-authored-by: Debojit Kaushik <Kaushik.debojit@gmail.com>
* fix: prevent arbitrary file write via path traversal in files endpoint (#12227)
* fix(security): prevent arbitrary file write via path traversal in file uploads
* [autofix.ci] apply automated fixes
---------
Co-authored-by: Janardan S Kavia <janardanskavia@Janardans-MacBook-Pro.local>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* docs: Add AI coding agent skills for code review, testing, and refactoring (#12241)
Add AI coding agent skills for code review, testing, and refactoring
* feat: Add Windows Playwright testing to nightly builds (#12221)
* feat: add Windows support for Playwright tests in nightly builds
- Add windows-latest as runner option in typescript_test.yml
- Update Playwright browser installation to be OS-aware (Windows doesn't support --with-deps)
- Add matrix strategy to nightly_build.yml to run tests on both Linux and Windows
- Update Slack notifications to indicate multi-platform testing
- Tests now run in parallel on ubuntu-latest and windows-latest
This enables catching Windows-specific regressions early in the nightly build process.
* fix: add shell: bash to all script steps for Windows compatibility
Windows runners default to PowerShell which doesn't understand bash syntax.
All steps with bash scripts now explicitly specify shell: bash to ensure
cross-platform compatibility.
* feat: make Windows Playwright tests non-blocking initially
Add continue-on-error for Windows tests to allow nightly builds to succeed
even if Windows-specific issues are found. This gives us visibility into
Windows bugs without blocking releases.
Windows tests will still run every night and report failures, but won't
block the build. Once Windows tests are stable, we can remove this flag.
* chore: fix white space
chore: fix white space
* fix: replace matrix strategy with separate jobs for Windows Playwright tests
- GitHub Actions reusable workflows don't support matrix strategy
- Split frontend-tests into frontend-tests-linux and frontend-tests-windows
- Windows tests are non-blocking (continue-on-error: true)
- Updated all job dependencies and Slack notification logic
- Addresses PR review comment about matrix limitation
* chore: trigger workflow validation refresh
---------
Co-authored-by: Adam Aghili <Adam.Aghili@ibm.com>
* fix: Avoid foreign key violation on span table with topological sort (#12232)
* fix: Foreign key violation on span table
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* address review comments
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fix: use deepcopy to prevent shared reference mutation in component updates (#12252)
* fix: use deepcopy to prevent shared reference mutation in component updates
Copies template data via deepcopy when updating project components to
prevent mutations from leaking between projects through all_types_dict.
Also fixes edge updates to use the copied project data and adds
cloneDeep in the frontend templatesGenerator.
* fix: deepcopy mutable FIELD_FORMAT_ATTRIBUTES and add coverage test
- Add deepcopy on field_dict[attr] assignment (line 192) to prevent
shared references for mutable attributes like input_types, options,
and fileTypes leaking back into all_types_dict
- Add test_update_components_does_not_mutate_field_format_attributes
to verify the fix covers the FIELD_FORMAT_ATTRIBUTES update path
* feat: add support for Langchain 1.0 (#11114)
* feat: upgrade to LangChain 1.0
- langchain ~=1.2.0
- langchain-core ~=1.2.3
- langchain-community ~=0.4.1
Updated all langchain-* integration packages to versions compatible with langchain-core 1.0+.
* feat(lfx): add langchain-classic dependency for legacy agent classes
LangChain 1.0 removed AgentExecutor and related classes to langchain-classic.
This adds the dependency to maintain backward compatibility.
* refactor(lfx): update imports for LangChain 1.0 compatibility
- Move AgentExecutor, agent creators from langchain to langchain_classic
- Move AsyncCallbackHandler from langchain.callbacks to langchain_core.callbacks
- Move Chain, BaseChatMemory from langchain to langchain_classic
- Update LANGCHAIN_IMPORT_STRING for code generation
* fix(lfx): make sqlalchemy import lazy in session_scope
LangChain 1.0 no longer includes sqlalchemy as a transitive dependency.
Move the import inside the function where it's used to avoid import errors
when sqlalchemy is not installed.
* chore: update uv.lock for langchain-classic
* feat: enable nv-ingest optional dependencies for langchain 1.0
- Uncomment nv-ingest-api and nv-ingest-client, update to >=26.1.0
(no longer has openai version conflict)
- Bump datasets from <4.0.0 to <5.0.0 to allow fsspec>=2025.5.1
required by nv-ingest
- Update mlx-vlm TODO comment with accurate blocking reason
* chore: update nv-ingest to 26.1.1
nv-ingest 26.1.1 removes the openai dependency, resolving the
conflict with langchain-openai>=1.0.0 (which requires openai>=1.109.1).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: enable mlx and mlx-vlm dependencies for langchain 1.0
opencv-python 4.13+ now supports numpy>=2, resolving the conflict
with langchain-aws>=1.0.0 (which requires numpy>=2.2 on Python 3.12+).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* style: fix import order in callback.py
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* refactor: update imports to use langchain_classic for agent modules
* [autofix.ci] apply automated fixes
* fix: remove .item() calls in knowledge_bases.py
* fix(lfx): import BaseMemory from langchain_classic for langchain 1.0
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* refactor: update deprecated langchain imports for langchain 1.0
- langchain.callbacks.base -> langchain_core.callbacks.base
- langchain.tools -> langchain_core.tools
- langchain.schema -> langchain_core.messages/documents
- langchain.chains -> langchain_classic.chains
- langchain.retrievers -> langchain_classic.retrievers
- langchain.memory -> langchain_classic.memory
- langchain.globals -> langchain_core.globals
- langchain.docstore -> langchain_core.documents
- langchain.prompts -> langchain_core.prompts
Also simplified GoogleGenerativeAIEmbeddingsComponent to use native
langchain-google-genai 4.x which now supports output_dimensionality.
* [autofix.ci] apply automated fixes
* fix: add _to_int helper for pandas sum() compatibility across Python versions
* fix: update langfuse>=3.8.0 and fix cuga_agent.py (#11519)
* fix: update langfuse>=3.8.0 and fix cuga_agent.py
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* feat: implement LangFuseTracer for langfuse v3 API compatibility and add unit tests
* fix: upgrade cuga to 0.2.9 for langchain 1.0 compatibility
* fix: improve error handling and return value in get_langchain_callback method
* fix: update package versions for compatibility and improvements
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes (attempt 3/3)
* fix: update langwatch dependency to version 0.10.0 for compatibility
* fix: update environment variable for Langfuse host to LANGFUSE_BASE_URL
* Update dependency versions in Youtube Analysis project
- Downgraded googleapiclient from 2.188.0 to 2.154.0
- Updated langchain_core from 1.2.7 to 1.2.9
- Updated fastapi from 0.128.1 to 0.128.5
- Downgraded youtube_transcript_api from 1.2.4 to 1.2.3
- Changed langchain_core version from 1.2.7 to 0.3.81
- Cleared input_types in model selection
# Conflicts:
# src/backend/base/langflow/initial_setup/starter_projects/Basic Prompt Chaining.json
# src/backend/base/langflow/initial_setup/starter_projects/Basic Prompting.json
# src/backend/base/langflow/initial_setup/starter_projects/Blog Writer.json
# src/backend/base/langflow/initial_setup/starter_projects/Custom Component Generator.json
# src/backend/base/langflow/initial_setup/starter_projects/Document Q&A.json
# src/backend/base/langflow/initial_setup/starter_projects/Financial Report Parser.json
# src/backend/base/langflow/initial_setup/starter_projects/Hybrid Search RAG.json
# src/backend/base/langflow/initial_setup/starter_projects/Image Sentiment Analysis.json
# src/backend/base/langflow/initial_setup/starter_projects/Instagram Copywriter.json
# src/backend/base/langflow/initial_setup/starter_projects/Invoice Summarizer.json
# src/backend/base/langflow/initial_setup/starter_projects/Knowledge Retrieval.json
# src/backend/base/langflow/initial_setup/starter_projects/Market Research.json
# src/backend/base/langflow/initial_setup/starter_projects/Meeting Summary.json
# src/backend/base/langflow/initial_setup/starter_projects/Memory Chatbot.json
# src/backend/base/langflow/initial_setup/starter_projects/News Aggregator.json
# src/backend/base/langflow/initial_setup/starter_projects/Nvidia Remix.json
# src/backend/base/langflow/initial_setup/starter_projects/Pokédex Agent.json
# src/backend/base/langflow/initial_setup/starter_projects/Portfolio Website Code Generator.json
# src/backend/base/langflow/initial_setup/starter_projects/Price Deal Finder.json
# src/backend/base/langflow/initial_setup/starter_projects/Research Agent.json
# src/backend/base/langflow/initial_setup/starter_projects/Research Translation Loop.json
# src/backend/base/langflow/initial_setup/starter_projects/SEO Keyword Generator.json
# src/backend/base/langflow/initial_setup/starter_projects/SaaS Pricing.json
# src/backend/base/langflow/initial_setup/starter_projects/Search agent.json
# src/backend/base/langflow/initial_setup/starter_projects/Sequential Tasks Agents.json
# src/backend/base/langflow/initial_setup/starter_projects/Simple Agent.json
# src/backend/base/langflow/initial_setup/starter_projects/Social Media Agent.json
# src/backend/base/langflow/initial_setup/starter_projects/Text Sentiment Analysis.json
# src/backend/base/langflow/initial_setup/starter_projects/Travel Planning Agents.json
# src/backend/base/langflow/initial_setup/starter_projects/Twitter Thread Generator.json
# src/backend/base/langflow/initial_setup/starter_projects/Vector Store RAG.json
# src/backend/base/langflow/initial_setup/starter_projects/Youtube Analysis.json
* fix: handle InvalidRequestError during session rollback
* update projects
* ⚡️ Speed up method `LangFuseTracer.end` by 141% in PR #11114 (`feat/langchain-1.0`) (#11682)
Optimize LangFuseTracer.end
The optimized code achieves a **140% speedup** (8.23ms → 3.42ms) through two complementary optimizations:
## 1. Fast-path for Common Primitives in `serialize()`
**What changed:** Added an early-exit check that returns immutable primitives (`str`, `int`, `float`, `bool`) directly when no truncation or special handling is needed:
```python
if max_length is None and max_items is None and not to_str:
if isinstance(obj, (str, int, float, bool)):
return obj
```
**Why it's faster:**
- The profiler shows `_serialize_dispatcher()` consumed **81.5% of runtime** in the original code (40.4ms out of 49.6ms)
- This optimization reduced dispatcher calls from **8,040 to 1,013** (~87% reduction), as primitives now bypass the expensive pattern-matching dispatcher entirely
- The fast-path check itself is extremely cheap: just two quick conditionals and an `isinstance()` check against a tuple of built-in types
**When it helps:** This optimization is particularly effective for workloads with many primitive values in dictionaries and lists—which is exactly what the tracing use case provides (metadata dicts with strings, numbers, booleans).
## 2. Eliminate Redundant Serialization in `LangFuseTracer.end()`
**What changed:** Serialize `inputs`, `outputs`, and `metadata` once each, then reuse the results:
```python
inputs_ser = serialize(inputs)
outputs_ser = serialize(outputs)
metadata_ser = serialize(metadata) if metadata else None
```
**Why it's faster:**
- The original code called `serialize()` **6 times total** (3 for `.update()` + 3 for `.update_trace()`)
- The optimized version calls it **3 times**, then passes the cached results
- Profiler shows the time spent in `serialize()` calls dropped from **72.2ms to 31.2ms** (~57% reduction)
- This is pure elimination of redundant work—the same dictionaries were being serialized twice with identical results
**Impact on workloads:** The `test_end_multiple_iterations_calls_end_each_time` test (500 iterations) demonstrates this matters in hot paths. If `LangFuseTracer.end()` is called frequently during flow execution, avoiding duplicate serialization provides compounding benefits.
## Combined Effect
Both optimizations target the serialization bottleneck from different angles:
- The fast-path reduces the cost of *each* serialize call by ~75% for primitive-heavy data
- The caching reduces the *number* of serialize calls by 50%
Together, they deliver the observed 140% speedup, with the optimization being especially effective for the common case of metadata dictionaries containing mostly primitive types.
Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com>
* refactor: reorder imports and simplify serialization logic for primitives
* [autofix.ci] apply automated fixes
* fix: update google dependency version to 0.4.0 in component_index.json
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* fix: pin z3-solver<4.15.7 to restore Linux wheels for Docker build
z3-solver 4.15.7 dropped manylinux wheels, causing the Docker build to
fail when trying to compile from source. Temporary pin until codeflash
is removed.
* [autofix.ci] apply automated fixes
* fix: update google dependency version to 0.4.0
* [autofix.ci] apply automated fixes
* fix: update langchain_core version to 1.2.17 in multiple starter project JSON files
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* fix: update deprecated langchain imports to langchain_classic for 1.0 compatibility
* fix: align langchain-chroma version in optional chroma dependency group
* fix: nightly now properly gets 1.9.0 branch (#12215)
before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail
now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$'
* docs: add search icon (#12216)
add-back-svg
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* feat: fall back to langchain_classic for pre-1.0 imports in user components
Old flows using removed langchain imports (e.g. langchain.memory,
langchain.schema, langchain.chains) now resolve via langchain_classic
at two levels: module-level for entirely removed modules, and
attribute-level for removed attributes in modules that still exist
in langchain 1.0. New langchain 1.0 imports are never affected since
fallbacks only trigger on import failure.
* urllib parse module import bug
* Update component_index.json
* [autofix.ci] apply automated fixes
* chore: rebuild component index
* [autofix.ci] apply automated fixes
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Harold Ship <harold.ship@gmail.com>
Co-authored-by: codeflash-ai[bot] <148906541+codeflash-ai[bot]@users.noreply.github.com>
Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>
Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>
Co-authored-by: Eric Hare <ericrhare@gmail.com>
* fix: prevent CI injection via unsanitized GitHub context interpolation (#12224)
Pass github.event.pull_request.head.ref through env: instead of
interpolating it directly into run: shell steps. This prevents bash
from evaluating command substitutions embedded in malicious branch names
before input validation runs.
Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com>
* feat: Refactor and Unify the ModelInput Selector Across Components (#12025)
* fix: Fixes Kubernetes deployment crash on runtime_port parsing (#11968) (#11975)
* feat: add runtime port validation for Kubernetes service discovery
* test: add unit tests for runtime port validation in Settings
* fix: improve runtime port validation to handle exceptions and edge cases
Co-authored-by: Gabriel Luiz Freitas Almeida <gabriel@logspace.ai>
* fix(frontend): show delete option for default session when it has messages (#11969)
* feat: add documentation link to Guardrails component (#11978)
* feat: add documentation link to Guardrails component
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* feat: traces v0 (#11689) (#11983)
* feat: traces v0
v0 for traces includes:
- filters: status, token usage range and datatime
- accordian rows per trace
Could add:
- more filter options. Ecamples: session_id, trace_id and latency range
* fix: token range
* feat: create sidebar buttons for logs and trace
add sidebar buttons for logs and trace
remove lods canvas control
* fix: fix duplicate trace ID insertion
hopefully fix duplicate trace ID insertion on windows
* fix: update tests and alembic tables for uts
update tests and alembic tables for uts
* chore: add session_id
* chore: allo grouping by session_id and flow_id
* chore: update race input output
* chore: change run name to flow_name - flow_id
was flow_name - trace_id
now flow_name - flow_id
* facelift
* clean up and add testcases
* clean up and add testcases
* merge Alembic detected multiple heads
* [autofix.ci] apply automated fixes
* improve testcases
* remodel files
* chore: address gabriel simple changes
address gabriel simple changes in traces.py and native.py
* clean up and testcases
* chore: address OTel and PG status comments
https://github.com/langflow-ai/langflow/pull/11689#discussion_r2854630438
https://github.com/langflow-ai/langflow/pull/11689#discussion_r2854630446
* chore: OTel span naming convention
model name is now set using name = f"{operation} {model_name}" if model_name else operation
* add traces
* feat: use uv sources for CPU-only PyTorch (#11884)
* feat: use uv sources for CPU-only PyTorch
Configure [tool.uv.sources] with pytorch-cpu index to avoid ~6GB CUDA
dependencies in Docker images. This replaces hardcoded wheel URLs with
a cleaner index-based approach.
- Add pytorch-cpu index with explicit = true
- Add torch/torchvision to [tool.uv.sources]
- Add explicit torch/torchvision deps to trigger source override
- Regenerate lockfile without nvidia/cuda/triton packages
- Add required-environments for multi-platform support
* fix: update regex to only replace name in [project] section
The previous regex matched all lines starting with `name = "..."`,
which incorrectly renamed the UV index `pytorch-cpu` to `langflow-nightly`
during nightly builds. This caused `uv lock` to fail with:
"Package torch references an undeclared index: pytorch-cpu"
The new regex specifically targets the name field within the [project]
section only, avoiding unintended replacements in other sections like
[[tool.uv.index]].
* style: fix ruff quote style
* fix: remove required-environments to fix Python 3.13 macOS x86_64 CI
The required-environments setting was causing hard failures when packages
like torch didn't have wheels for specific platform/Python combinations.
Without this setting, uv resolves optimistically and handles missing wheels
gracefully at runtime instead of failing during resolution.
---------
* LE-270: Hydration and Console Log error (#11628)
* LE-270: add fix hydration issues
* LE-270: fix disable field on max token on language model
---------
* test: add wait for selector in mcp server tests (#11883)
* Add wait for selector in mcp server tests
* [autofix.ci] apply automated fixes
* Add more awit for selectors
* [autofix.ci] apply automated fixes
---------
* fix: reduce visual lag in frontend (#11686)
* Reduce lag in frontend by batching react events and reducing minimval visual build time
* Cleanup
* [autofix.ci] apply automated fixes
* add tests and improve code read
* [autofix.ci] apply automated fixes
* Remove debug log
---------
* feat: lazy load imports for language model component (#11737)
* Lazy load imports for language model component
Ensures that only the necessary dependencies are required.
For example, if OpenAI provider is used, it will now only
import langchain_openai, rather than requiring langchain_anthropic,
langchain_ibm, etc.
* Add backwards-compat functions
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* Add exception handling
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* comp index
* docs: azure default temperature (#11829)
* change-azure-openai-default-temperature-to-1.0
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes (attempt 3/3)
* [autofix.ci] apply automated fixes
---------
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* fix unit test?
* add no-group dev to docker builds
* [autofix.ci] apply automated fixes
---------
* feat: generate requirements.txt from dependencies (#11810)
* Base script to generate requirements
Dymanically picks dependency for LanguageM Comp.
Requires separate change to remove eager loading.
* Lazy load imports for language model component
Ensures that only the necessary dependencies are required.
For example, if OpenAI provider is used, it will now only
import langchain_openai, rather than requiring langchain_anthropic,
langchain_ibm, etc.
* Add backwards-compat functions
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* Add exception handling
* Add CLI command to create reqs
* correctly exclude langchain imports
* Add versions to reqs
* dynamically resolve provider imports for language model comp
* Lazy load imports for reqs, some ruff fixes
* Add dynamic resolves for embedding model comp
* Add install hints
* Add missing provider tests; add warnings in reqs script
* Add a few warnings and fix install hint
* update comments add logging
* Package hints, warnings, comments, tests
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes (attempt 3/3)
* Add alias for watsonx
* Fix anthropic for basic prompt, azure mapping
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* ruff
* [autofix.ci] apply automated fixes
* test formatting
* ruff
* [autofix.ci] apply automated fixes
---------
* fix: add handle to file input to be able to receive text (#11825)
* changed base file and file components to support muitiple files and files from messages
* update component index
* update input file component to clear value and show placeholder
* updated starter projects
* [autofix.ci] apply automated fixes
* updated base file, file and video file to share robust file verification method
* updated component index
* updated templates
* fix whitespaces
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* add file upload test for files fed through the handle
* [autofix.ci] apply automated fixes
* added tests and fixed things pointed out by revies
* update component index
* fixed test
* ruff fixes
* Update component_index.json
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes (attempt 3/3)
* updated component index
* updated component index
* removed handle from file input
* Added functionality to use multiple files on the File Path, and to allow files on the langflow file system.
* [autofix.ci] apply automated fixes
* fixed lfx test
* build component index
---------
* docs: Add AGENTS.md development guide (#11922)
* add AGENTS.md rule to project
* change to agents-example
* remove agents.md
* add example description
* chore: address cris I1 comment
address cris I1 comment
* chore: address cris I5
address cris I5
* chore: address cris I6
address cris I6
* chore: address cris R7
address cris R7
* fix testcase
* chore: address cris R2
address cris R2
* restructure insight page into sidenav
* added header and total run node
* restructing branch
* chore: address gab otel model changes
address gab otel model changes will need no migration tables
* chore: update alembic migration tables
update alembic migration tables after model changes
* add empty state for gropu sessions
* remove invalid mock
* test: update and add backend tests
update and add backend tests
* chore: address backend code rabbit comments
address backend code rabbit comments
* chore: address code rabbit frontend comments
address code rabbit frontend comments
* chore: test_native_tracer minor fix address c1
test_native_tracer minor fix address c1
* chore: address C2 + C3
address C2 + C3
* chore: address H1-H5
address H1-H5
* test: update test_native_tracer
update test_native_tracer
* fixes
* chore: address M2
address m2
* chore: address M1
address M1
* dry changes, factorization
* chore: fix 422 spam and clean comments
fix 422 spam and clean comments
* chore: address M12
address M12
* chore: address M3
address M3
* chore: address M4
address M4
* chore: address M5
address M5
* chore: clean up for M7, M9, M11
clean up for M7, M9, M11
* chore: address L2,L4,L5,L6 + any test
address L2,L4,L5 and L6 + any test
* chore: alembic + comment clean up
alembic + comment clean up
* chore: remove depricated test_traces file
remove depricated test_traces file. test have all been moved to test_traces_api.py
* fix datetime
* chore: fix test_trace_api ge=0 is allowed now
fix test_trace_api ge=0 is allowed now
* chore: remove unused traces cost flow
remove unused traces cost flow
* fix traces test
* fix traces test
* fix traces test
* fix traces test
* fix traces test
* chore: address gabriels otel coment
address gabriels otel coment latest
---------
Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local>
Co-authored-by: Olayinka Adelakun <olayinkaadelakun@mac.war.can.ibm.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Ram Gopal Srikar Katakam <44802869+RamGopalSrikar@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: olayinkaadelakun <olayinka.adelakun@ibm.com>
Co-authored-by: Jordan Frazier <122494242+jordanrfrazier@users.noreply.github.com>
Co-authored-by: cristhianzl <cristhian.lousa@gmail.com>
Co-authored-by: Hamza Rashid <74062092+HzaRashid@users.noreply.github.com>
Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>
Co-authored-by: Lucas Oliveira <62335616+lucaseduoli@users.noreply.github.com>
Co-authored-by: Edwin Jose <edwin.jose@datastax.com>
Co-authored-by: Himavarsha <40851462+HimavarshaVS@users.noreply.github.com>
* fix(test): Fix superuser timeout test errors by replacing heavy clien… (#11982)
fix(test): Fix superuser timeout test errors by replacing heavy client fixture (#11972)
* fix super user timeout test error
* fix fixture db test
* remove canary test
* [autofix.ci] apply automated fixes
* flaky test
---------
Co-authored-by: Cristhian Zanforlin Lousa <cristhian.lousa@gmail.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* refactor(components): Replace eager import with lazy loading in agentics module (#11974)
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* fix: add ondelete=CASCADE to TraceBase.flow_id to match migration (#12002)
* fix: add ondelete=CASCADE to TraceBase.flow_id to match migration
The migration file creates the trace table's flow_id foreign key with
ondelete="CASCADE", but the model was missing this parameter. This
mismatch caused the migration validator to block startup.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: add defensive migration to ensure trace.flow_id has CASCADE
Adds a migration that ensures the trace.flow_id foreign key has
ondelete=CASCADE. While the original migration already creates it
with CASCADE, this provides a safety net for any databases that may
have gotten into an inconsistent state.
* fix: dynamically find FK constraint name in migration
The original migration did not name the FK constraint, so it gets an
auto-generated name that varies by database. This fix queries the
database to find the actual constraint name before dropping it.
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* fix: LE-456 - Update ButtonSendWrapper to handle building state and improve button functionality (#12000)
* fix: Update ButtonSendWrapper to handle building state and improve button functionality
* fix(frontend): rename stop button title to avoid Playwright selector conflict
The "Stop building" title caused getByRole('button', { name: 'Stop' })
to match two elements, breaking Playwright tests in shards 19, 20, 22, 25.
Renamed to "Cancel" to avoid the collision with the no-input stop button.
* Fix: pydantic fail because output is list, instead of a dict (#11987)
pydantic fail because output is list, instead of a dict
Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local>
* refactor: Update guardrails icons (#12016)
* Update guardrails.py
Changing the heuristic threshold icons.
The field was using the default icons. I added icons related to the security theme.
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Viktor Avelino <64113566+viktoravelino@users.noreply.github.com>
* feat: Clean up the modelinput unification
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* Update test_embedding_model_component.py
* [autofix.ci] apply automated fixes
* Revert to main for other files
* More reversions
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes (attempt 3/3)
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes (attempt 3/3)
* Handle first run more elegantly in astra
* [autofix.ci] apply automated fixes
* Fix knowledge embedding dialog (#12071)
* fix: Handle message inputs when ingesting knowledge
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes (attempt 3/3)
* Update test_ingestion.py
* [autofix.ci] apply automated fixes
* fix: Unify the knowledge creation model selector
* Revert tracing
* Update ingestion.py
* Rebuild comp index
* [autofix.ci] apply automated fixes
* Update test_ingestion.py
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* Update test_ingestion.py
* Update component_index.json
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* [autofix.ci] apply automated fixes
* Update comp index
* Update test_astradb_base_component.py
* Update Knowledge Ingestion.json
* [autofix.ci] apply automated fixes
* Fix broken tests
* Cleanup from claude
* [autofix.ci] apply automated fixes
* Fix failing tests
* Update test_unified_models.py
* [autofix.ci] apply automated fixes
* Update Nvidia Remix.json
* Refactor ingest
* Rebuild templates and component index
* Fix test
* [autofix.ci] apply automated fixes
* Update component_index.json
* [autofix.ci] apply automated fixes
* test: add update_build_config visibility tests and PR review fixes (#12114)
- Add update_build_config field-visibility tests to LanguageModelComponent,
ToolCallingAgentComponent, and BatchRunComponent covering Ollama, WatsonX,
OpenAI, and no-model-selected cases
- Remove 16 stale @pytest.mark.skip tests from test_agent_component.py
- Wire up validate_model_selection in agent.py for early input validation
- Document AstraDB intentional use of lower-level update_model_options_in_build_config
- Clarify model_kwargs info text to note provider-specific support
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Update embedding_model.py
* fix: address PR review recommendations for feat-unify-models++ (#12116)
- Fix 9 skipped tests in test_batch_run_component.py by replacing model
list with _MockLLM instances, following the existing pattern used by
test_with_config_failure_handling
- Fix test_agent_component.py: set component.model to a valid list before
calling get_agent_requirements() in the three max_tokens tests, since
validate_model_selection now requires a list-format model
- Replace os.environ direct reads in apply_provider_variable_config_to_build_config
with get_all_variables_for_provider() (DB-first, env fallback), and pass
user_id through from handle_model_input_update
- Add deprecated stubs for update_provider_fields_visibility, _update_watsonx_fields,
and _update_ollama_fields in model_config.py with DeprecationWarning pointing
to handle_model_input_update
- Fix typo: "deault" -> "default" in structured_output.py TODO comment
- Add 4 new KnowledgeIngestionComponent tests: new-format model_selection
metadata path, allow_duplicates=True, missing metadata file error, and
_build_embedding_metadata without API key
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* Ruff errors
* Update test_ingestion.py
* Update component index
* Test updates
* Update component_index.json
* Update stable_hash_history.json
* Template updates
* Update batch_run.py
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* Update Youtube Analysis.json
* Fix tests
* [autofix.ci] apply automated fixes
* [autofix.ci] apply automated fixes (attempt 2/3)
* [autofix.ci] apply automated fixes (attempt 3/3)
* Some cleanup and refactoring
* [autofix.ci] apply automated fixes
* Update Nvidia Remix.json
* Update Nvidia Remix.json
* Update unified_models.py
* Coderabbit AI review comments
* Component index update
* [autofix.ci] apply automated fixes
* Template updates
* [autofix.ci] apply automated fixes
* Template update
* [autofix.ci] apply automated fixes
* Review comments addressed
* [autofix.ci] apply automated fixes
* Update component_index.json
* Update stable_hash_history.json
* [autofix.ci] apply automated fixes
* Test updates
* Update test_ingestion.py
* Update test_ingestion.py
* Update test_ingestion.py
* [autofix.ci] apply automated fixes
* More clear tooltip text
* [autofix.ci] apply automated fixes
* Template updates
* Index and templates
* [autofix.ci] apply automated fixes
* Fix lambda build
* Template updates
* Rebuild comp index
* [autofix.ci] apply automated fixes
* Fix templates
* Fix failing test
* Update templates
* Update comp index
* [autofix.ci] apply automated fixes
* API key field in astra db
* Update starter
* Update comp index
* Starter proj update
* Add api key to field order
* Update test_unified_models.py
* Update test_unified_models.py
* [autofix.ci] apply automated fixes
* Update setup.py
* Update setup.py
* Update component_index.json
* [autofix.ci] apply automated fixes
* Return embedding models directly in KB
* [autofix.ci] apply automated fixes
* Update component_index.json
* fix: Refactor the unified models code
* Ruff checks
* Update flow_preparation.py
* [autofix.ci] apply automated fixes
* Update test_language_model_component.py
* fix: prevent overwriting user-selected global variables in provider c… (#12217)
* fix: nightly now properly gets 1.9.0 branch (#12215)
before it was attempting to pull release-notes as letters are alphanumerically after numbers when we sort -V then grab tail
now we only look at branch names that follow the pattern '^release-[0-9]+\.[0-9]+\.[0-9]+$'
* docs: add search icon (#12216)
add-back-svg
* fix: prevent overwriting user-selected global variables in provider config
Previously, the apply_provider_variable_config_to_build_config function would
automatically overwrite field values with environment variable keys whenever
an env var was present, even if the user had already selected a different
global variable.
This fix adds a check to only auto-set the environment variable if:
- The field is currently empty, OR
- The field is not already configured to load from the database
This preserves user selections while still providing automatic configuration
for new/empty fields.
Added comprehensive unit tests to verify:
- Auto-setting env vars for empty fields
- Preserving user-selected global variables
- Overwriting hardcoded values (expected behavior)
- Skipping when env var is not set
- Applying component metadata correctly
* [autofix.ci] apply automated fixes
* style: use dictionary comprehension instead of for-loop
Fixed PERF403 Ruff style warning by replacing for-loop with dictionary
comprehension in update_projects_components_with_latest_component_versions
* chore: retrigger CI build
* test: improve test coverage and clarity for provider config
- Renamed test_apply_provider_config_overwrites_hardcoded_value to
test_apply_provider_config_replaces_hardcoded_with_env_var for clarity
- Added test_apply_provider_config_idempotent_when_already_set to document
idempotent behavior when value already matches env var key
- Removed sensitive value from debug log message to prevent potential
exposure of API keys or credentials
These changes improve test coverage by documenting the no-op scenario
and enhance security by avoiding logging of potentially sensitive data.
* chore: retrigger CI build
---------
Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>
Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>
Co-authored-by: Steve Haertel <shaertel@ca.ibm.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Eric Hare <ericrhare@gmail.com>
* Update build_config.py
* [autofix.ci] apply automated fixes
* Update build_config.py
* Fix tests
* fix: Dropdown issue with field population
* Update test_unified_models.py
* Clean up key config
* [autofix.ci] apply automated fixes
* fix tests
* Fix tests
* fix: Update tests
* Update tests
* Update test_tool_calling_agent.py
* Update test_unified_models.py
* Update test_tool_calling_agent.py
* Update tests
* Google AI generative embeddings fixes
* [autofix.ci] apply automated fixes
* Merge release branch
* Template update
* Merge release branch
* [autofix.ci] apply automated fixes
* Update openai_constants.py
* Update openai_constants.py
---------
Co-authored-by: Adam-Aghili <149833988+Adam-Aghili@users.noreply.github.com>
Co-authored-by: Gabriel Luiz Freitas Almeida <gabriel@logspace.ai>
Co-authored-by: keval shah <kevalvirat@gmail.com>
Co-authored-by: Antônio Alexandre Borges Lima <104531655+AntonioABLima@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Olayinka Adelakun <olayinkaadelakun@Olayinkas-MacBook-Pro.local>
Co-authored-by: Olayinka Adelakun <olayinkaadelakun@mac.war.can.ibm.com>
Co-authored-by: Ram Gopal Srikar Katakam <44802869+RamGopalSrikar@users.noreply.github.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: olayinkaadelakun <olayinka.adelakun@ibm.com>
Co-authored-by: Jordan Frazier <122494242+jordanrfrazier@users.noreply.github.com>
Co-authored-by: cristhianzl <cristhian.lousa@gmail.com>
Co-authored-by: Hamza Rashid <74062092+HzaRashid@users.noreply.github.com>
Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com>
Co-authored-by: Lucas Oliveira <62335616+lucaseduoli@users.noreply.github.com>
Co-authored-by: Edwin Jose <edwin.jose@datastax.com>
Co-authored-by: Himavarsha <40851462+HimavarshaVS@users.noreply.github.com>
Co-authored-by: Viktor Avelino <64113566+viktoravelino@users.noreply.github.com>
Co-authored-by: Lucas Democh <ldgoularte@gmail.com>
Co-authored-by: Steve Haertel <stevehaertel@users.noreply.github.com>
Co-authored-by: Steve Haertel <shaertel@ca.ibm.com>
* fix: Wait for dynamic model fetch in Nvidia (#12229)
* fix: Wait for dynamic model fetch in Nvidia
* [autofix.ci] apply automated fixes
* Create test_nvidia_component.py
* Update test_nvidia_component.py
* [autofix.ci] apply automated fixes
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* [autofix.ci] apply automated fixes
* Update test_nvidia_component.py
* Update component_index.json
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fix: protect image downloads by flow ownership (#12234)
* fix: protect image downloads by flow ownership
* test: add clarifying comments for image access review
---------
Co-authored-by: Janardan Singh Kavia <janardankavia@ibm.com>
* feat: Add Windows Playwright test fixes to RC (#12265)
* feat: Add Windows Playwright tests to nightly builds
- Add windows-latest to typescript_test.yml runner options
- Add shell: bash to all script steps for cross-platform compatibility
- Split Playwright installation into OS-aware steps (Linux uses --with-deps, Windows/macOS/self-hosted don't)
- Fix artifact naming with OS prefix to prevent conflicts: blob-report-${{ runner.os }}-${{ matrix.shardIndex }}
- Split frontend-tests into separate Linux and Windows jobs in nightly_build.yml
- Add ref parameter to all test jobs to checkout code from release branch
- Add resolve-release-branch to needs dependencies
- Update Slack notifications to handle both Linux and Windows test results
- Windows tests are non-blocking (not checked in release-nightly-build condition)
- Update .secrets.baseline with new line number (263 -> 347) for LANGFLOW_ENG_SLACK_WEBHOOK_URL
Fixes LE-566
* fix: Use contains() for self-hosted runner detection
- Replace exact string equality (==, !=) with contains() for substring matching
- Fixes issue when inputs.runs-on is array format: '["self-hosted", "linux", "ARM64", ...]'
- Ensures self-hosted Linux runners correctly skip --with-deps flag
Addresses CodeRabbit feedback on PR #12264
* fix: Sanitize folder names for CodeQL (#12263)
* fix(deps): pin tar-fs to >=2.1.4 to fix symlink following vulnerability (#12078)
Adds override for tar-fs in package.json to ensure versions prior to
2.1.4 are never resolved. Addresses CVE in tar-fs <2.1.4 (PVR0686558)
where symlink validation bypass was possible with a crafted tarball.
* fix: Rebuild the embedding model in the nv template (#12275)
* fix: support ZIP file upload for flows and projects endpoints (#12253)
* feat: support ZIP file upload for flows and projects endpoints
Add ZIP upload support to both /flows/upload/ and /projects/upload/
endpoints, enabling round-trip download-then-upload workflows. Extract
shared ZIP parsing logic into a dedicated utility with zip bomb
protections (entry count and file size limits). Fix batch flow name
deduplication to avoid infinite loops and DB collisions. Add tests for
ZIP upload, empty ZIP rejection, and download-upload round-trip.
* fix: add type annotation to satisfy mypy union narrowing
* fix: address PR review for ZIP upload (#12253)
- Add BadZipFile handling in extract_flows_from_zip for defense-in-depth
- Wrap blocking Z…
Adam-Aghili
pushed a commit
that referenced
this pull request
Apr 15, 2026
Adam-Aghili
pushed a commit
that referenced
this pull request
Apr 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes https://github.com/langflow-ai/langflow/security/code-scanning/164, https://github.com/langflow-ai/langflow/security/code-scanning/165, https://github.com/langflow-ai/langflow/security/code-scanning/166
This pull request enhances the security and robustness of file and folder name validation for profile picture downloads, primarily to prevent path traversal attacks. It introduces stricter input validation using new dependency types, refactors the endpoint to use these validators, and improves defense-in-depth by sanitizing path components. Relevant tests and exports are updated accordingly.
Security and Validation Improvements:
ValidatedFolderNamedependency incore.pyto validate folder names and prevent path traversal attacks, mirroring the existingValidatedFileNamelogic./profile_pictures/{folder_name}/{file_name}endpoint to useValidatedFolderNameandValidatedFileName, removing manual validation logic in favor of dependency-based validation. [1] [2]Path(...).nameto ensure only the final path component is used, and switched tois_relative_tofor secure path checks.Codebase and API Consistency:
ValidatedFolderNamein__init__.pyand updated imports throughout the codebase to use the new validator. [1] [2] [3]Testing Updates:
Miscellaneous:
.secrets.baselinemetadata to reflect line number changes and new generation timestamp. [1] [2]