
Conversation


@Adam-Aghili Adam-Aghili commented Jan 26, 2026

bringing over the 1.7.3 security patch changes to main. There have already been a few changes since the 1.7.3 release that break cherry-picking/merging the branch directly. So I am creating a fully new branch to go over the security vulnerabilities using the nightlies in the same way I did for 1.7.3 to make sure we catch them all.

Summary by CodeRabbit

  • Chores
    • Updated Playwright from 1.56.0 to 1.57.0 across testing and frontend environments.
    • Upgraded Python runtime base image to version 3.12.12-slim-trixie in Docker configurations.
    • Enhanced Docker builds with dynamic, architecture-aware Node.js installation supporting amd64 and arm64.
    • Updated dependencies including langchain-core, setuptools, filelock, and pypdf to latest versions.
    • Added new dependency overrides and packages for improved environment compatibility.


Steps
1. supposedly non-breaking PyPI and Dockerfile changes for many security vulnerabilities
3. npm audit fix --force
4. install official nodejs tarball
5. update playwright version
6. dynamically set latest node 22 version
7. dynamically set arch
8. add glob and tar overrides
9. "setuptools>=80.0.0,<81.0.0"
10. jaraco-context specifier = ">=6.1.0"
11. "test-exclude": "^7.0.0"
12. pin wheel version
update locks after porting changes from 1.7.3

coderabbitai bot commented Jan 26, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

This PR updates Playwright to version 1.57.0 across CI/CD and frontend configurations, modernizes Docker base images to Python 3.12.12 with architecture-aware Node.js installation, and bumps multiple Python dependencies including langchain-core, pypdf, and filelock across backend and LFx projects.

Changes

Cohort / File(s) Summary
CI/CD Workflow
.github/workflows/typescript_test.yml
Updated Playwright version cache from 1.56.0 to 1.57.0
Docker Runtime Configuration
docker/build_and_push.Dockerfile, docker/build_and_push_base.Dockerfile, docker/build_and_push_ep.Dockerfile, docker/build_and_push_with_extras.Dockerfile
Upgraded base image from python:3.12.3-slim to python:3.12.12-slim-trixie; introduced architecture-aware Node.js installation with dynamic version detection; added Playwright installation and browser setup within virtual environment; enhanced apt utilities (xz-utils, curl, git, libpq5, gnupg); restructured PATH and user setup sequencing
Frontend Dependencies
src/frontend/package.json
Bumped Playwright from ^1.56.0 to ^1.57.0; updated @modelcontextprotocol/server-everything to ^2026.1.14; upgraded Vite to ^7.3.1; added overrides for tar, glob, and test-exclude
Python Backend Dependencies
src/backend/base/pyproject.toml
Updated langchain-core to >=0.3.81, filelock to >=3.20.1, pypdf to >=6.4.0; upgraded setuptools to >=80.0.0; added jaraco-context and wheel (>=0.46.2) dependencies
Python LFx Dependencies
src/lfx/pyproject.toml
Bumped langchain-core to >=0.3.81; updated filelock and pypdf with versioning constraints; added setuptools (>=80.0.0) and wheel (>=0.46.2); upgraded langchain-community to >=0.3.27

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 7
✅ Passed checks (7 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: 1.8.0 security fixes' accurately describes the primary purpose of the PR, which is to port security vulnerability patches to the main branch.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Test Coverage For New Implementations ✅ Passed PR contains only configuration and dependency updates without new code or features requiring test coverage.
Test Quality And Coverage ✅ Passed PR updates dependencies and infrastructure only; no new implementations require test coverage.
Test File Naming And Structure ✅ Passed PR does not introduce or modify test files; only updates Playwright version in workflow. Existing tests follow proper naming conventions.
Excessive Mock Usage Warning ✅ Passed No test source files were modified in this PR; it only contains configuration and dependency updates.


@github-actions github-actions bot added the bug Something isn't working label Jan 26, 2026

github-actions bot commented Jan 26, 2026

Frontend Unit Test Coverage Report

Coverage Summary

Lines: 17%
Statements: 17.54% (5050/28789)
Branches: 10.96% (2432/22176)
Functions: 11.63% (733/6299)

Unit Test Results

Tests: 2036
Skipped: 0 💤
Failures: 0 ❌
Errors: 0 🔥
Time: 26.872s ⏱️


codecov bot commented Jan 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 34.69%. Comparing base (a097b68) to head (7b194af).

❌ Your project check has failed because the head coverage (41.70%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files


@@            Coverage Diff             @@
##             main   #11449      +/-   ##
==========================================
- Coverage   34.88%   34.69%   -0.20%     
==========================================
  Files        1420     1420              
  Lines       68215    68215              
  Branches     9984     9984              
==========================================
- Hits        23797    23665     -132     
- Misses      43184    43315     +131     
- Partials     1234     1235       +1     
Flag Coverage Δ
backend 53.43% <ø> (-0.71%) ⬇️
frontend 16.05% <ø> (ø)
lfx 41.70% <ø> (-0.01%) ⬇️

see 39 files with indirect coverage changes



@ogabrielluiz ogabrielluiz left a comment


LGTM

@github-actions github-actions bot added lgtm This PR has been approved by a maintainer bug Something isn't working and removed bug Something isn't working labels Jan 26, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/typescript_test.yml (1)

66-72: Update Playwright cache version to match resolved package version.

PLAYWRIGHT_VERSION is set to 1.57.0 but the lockfile resolves both playwright and @playwright/test to 1.58.0. This mismatch will cause the Playwright cache key to diverge from the actual installed browser binaries, potentially resulting in cache misses or version conflicts. Update the environment variable to 1.58.0.

src/lfx/pyproject.toml (1)

11-48: Fix langchain-community version pin to match langchain 0.3.23 requirements.

langchain-community>=0.3.27 requires langchain>=0.3.24, making it incompatible with langchain~=0.3.23. Use langchain-community<=0.3.21 in the integration group (line 89) to avoid resolver conflicts.

Additionally, setuptools and wheel (lines 47-48) should not be runtime dependencies—move them to build requirements or remove if only needed for development.

🤖 Fix all issues with AI agents
In `@docker/build_and_push_base.Dockerfile`:
- Around line 85-95: Download the matching SHASUMS256.txt for the selected
NODE_VERSION and NODE_ARCH (the same base URL used to fetch the tarball),
compute the SHA256 of the downloaded tarball and compare it against the expected
checksum from SHASUMS256.txt before running the tar -xJ extraction; update the
block that sets NODE_VERSION/NODE_ARCH and performs the curl | tar pipeline to
first curl and save the tarball and the SHASUMS256.txt, verify the tarball
checksum matches the entry for node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz,
and only then extract and run npm install; optionally add steps to download and
verify SHASUMS256.txt.sig with Node.js release GPG keys for stronger validation.

In `@docker/build_and_push.Dockerfile`:
- Around line 84-94: The Dockerfile currently downloads and extracts the Node.js
tarball without verifying integrity; update the RUN block that sets
ARCH/NODE_ARCH and computes NODE_VERSION to also fetch the corresponding
SHASUMS256.txt (from https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt),
extract the expected SHA256 for node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz,
compute the checksum of the downloaded tarball (e.g., via sha256sum) and compare
it to the expected value, and fail/exit if they do not match (removing the bad
tarball). Keep the existing variable names (ARCH, NODE_ARCH, NODE_VERSION) and
ensure the verification step runs before the tar -xJ extraction so extraction
only happens on a successful checksum match.

In `@src/frontend/package.json`:
- Around line 8-12: The package.json overrides block includes "tar": "^7.5.4"
but the lockfile shows no resolved tar package, so confirm whether tar is
actually a transitive dependency; search dependency tree for "tar" (e.g., npm ls
tar or pnpm why tar) and if no consumer requires it remove the "tar" override
from the overrides block, otherwise update dependencies so a package pulls in
tar@^7.5.4 (or add a direct devDependency) and then regenerate the lockfile (npm
install / npm ci or pnpm install) to ensure the override is reflected; adjust
the overrides entry for "tar" only if you find a real consumer needing that
version.
- Line 71: The dependency upgrade to "playwright": "^1.57.0" can introduce
breaking changes—search the codebase for usages of page.accessibility(),
page.route( with glob patterns), and route.continue( to ensure no code relies on
removed page.accessibility(), that page.route() glob patterns don't use ? or []
(convert those patterns to RegExp in places where page.route( is called), and
that no code expects route.continue() to override the Cookie header (replace
such logic with browserContext.addCookies() calls). Also run WebKit tests on
macOS >=14 or adjust test targets if you rely on macOS 13. If these changes are
unacceptable, consider pinning or downgrading "playwright" in package.json or
add targeted code changes where the symbols page.accessibility, page.route,
route.continue, and browserContext.addCookies are referenced.
🧹 Nitpick comments (5)
src/backend/base/pyproject.toml (1)

70-97: Consider bounding jaraco-context and confirming runtime need for build tools.

jaraco-context is the only unbounded dependency here; adding an upper bound keeps consistency with the rest of the file. Also, please confirm setuptools/wheel are intended runtime dependencies (vs build-system constraints).

♻️ Suggested bound for consistency
-    "jaraco-context>=6.1.0",
+    "jaraco-context>=6.1.0,<7.0.0",
docker/build_and_push_base.Dockerfile (1)

100-101: Pin Playwright version to keep builds reproducible.

pip install --upgrade playwright pulls the latest version at build time, which can drift from the JS Playwright 1.57.0 used elsewhere. Consider pinning to a known version.

♻️ Suggested pin
+ARG PLAYWRIGHT_PY_VERSION=1.57.0
-RUN /app/.venv/bin/pip install --upgrade playwright \
+RUN /app/.venv/bin/pip install --upgrade "playwright==${PLAYWRIGHT_PY_VERSION}" \
     && /app/.venv/bin/playwright install
docker/build_and_push.Dockerfile (1)

99-100: Pin Playwright version to keep builds reproducible.

Upgrading to the latest Playwright at build time makes the image non-deterministic and may drift from the JS Playwright version used elsewhere.

♻️ Suggested pin
+ARG PLAYWRIGHT_PY_VERSION=1.57.0
-RUN /app/.venv/bin/pip install --upgrade playwright \
+RUN /app/.venv/bin/pip install --upgrade "playwright==${PLAYWRIGHT_PY_VERSION}" \
     && /app/.venv/bin/playwright install
docker/build_and_push_with_extras.Dockerfile (2)

9-11: Stale comment references outdated base image.

Line 9 still references python:3.12.3-slim but the runtime image (line 73) now uses python:3.12.12-slim-trixie. Consider updating or removing the comment to avoid confusion.

Also applies to: 73-74


81-91: Consider verifying Node.js tarball checksum for supply chain security.

For a security-focused PR, downloading and extracting the Node.js tarball without verifying its SHA256 checksum introduces supply chain risk. Node.js publishes SHASUMS256.txt (GPG-signed) alongside releases.

Additionally, the architecture fallback on line 84 (else NODE_ARCH="$ARCH") may silently fail for architectures where Node.js uses different naming conventions (e.g., 32-bit ARM, which dpkg reports as armhf while Node.js tarballs use armv7l).

🔒 Proposed fix to add checksum verification
 RUN ARCH=$(dpkg --print-architecture) \
     && if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
        elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
-       else NODE_ARCH="$ARCH"; fi \
+       else echo "Unsupported architecture: $ARCH" && exit 1; fi \
     && NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
                     | grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
                     | head -1) \
+    && curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" -o /tmp/SHASUMS256.txt \
+    && curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" -o /tmp/node.tar.xz \
+    && grep "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" /tmp/SHASUMS256.txt | sha256sum -c - \
+    && tar -xJf /tmp/node.tar.xz -C /usr/local --strip-components=1 \
+    && rm -f /tmp/node.tar.xz /tmp/SHASUMS256.txt \
-    && curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
-    | tar -xJ -C /usr/local --strip-components=1 \
     && npm install -g npm@latest \
     && npm cache clean --force

Comment on lines +85 to +95
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
| tar -xJ -C /usr/local --strip-components=1 \
&& npm install -g npm@latest \
&& npm cache clean --force
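Review bot: The `NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ | grep -oP ... | head -1)` lines scrape an HTML directory listing at build time, so the image is not reproducible, and because the RUN shell has no `pipefail` a failed listing fetch leaves `NODE_VERSION` empty and only surfaces later as a 404 on the tarball URL. Suggest making the version a build `ARG` pinned to an exact value that is bumped deliberately, or at minimum guarding with `[ -n "$NODE_VERSION" ] || exit 1` before the download, and verifying the tarball against `SHASUMS256.txt` before `tar -xJ` as proposed elsewhere in this thread.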


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine the Dockerfile
fd -type f -name "build_and_push_base.Dockerfile"

Repository: langflow-ai/langflow

Length of output: 234


🏁 Script executed:

# Read the specific lines mentioned in the review (85-95)
sed -n '85,95p' docker/build_and_push_base.Dockerfile

Repository: langflow-ai/langflow

Length of output: 689


🏁 Script executed:

# Check if Node.js dist provides SHASUMS256.txt
# Test with a sample Node.js release URL
curl -fsSL --head https://nodejs.org/dist/latest-v22.x/SHASUMS256.txt | head -5

Repository: langflow-ai/langflow

Length of output: 205


🌐 Web query:

Node.js official verification tarball checksum SHASUMS256.txt best practices

💡 Result:

Best practices for verifying an official Node.js tarball with SHASUMS256.txt

  1. Prefer signature verification over “checksum-only”
  • Don’t just compare your tarball hash against SHASUMS256.txt; first verify that the checksum file itself is authentic by validating its GPG signature (SHASUMS256.txt.sig, sometimes also .asc). Current/LTS releases publish a detached signature; Nightlies generally don’t. [2]
  2. Get release signing keys from a trusted source (and lock them down)
  • Use the official Node.js release signing keys (and ideally the prebuilt keyring) from the Node.js Release Keys repo, and consider cross-checking key fingerprints with an independent source. The repo includes a ready-to-use gpg/ keyring and instructions. [1]
  3. Verify SHASUMS256.txt signature
# download checksums + signature for a specific version
curl -O https://nodejs.org/dist/vX.Y.Z/SHASUMS256.txt
curl -O https://nodejs.org/dist/vX.Y.Z/SHASUMS256.txt.sig

# verify signature using the Node release keyring
git clone https://github.com/nodejs/release-keys.git
GNUPGHOME=$PWD/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt

(Using an isolated GNUPGHOME helps avoid “wrong key” / polluted keyring issues.) [1]

  4. Verify the tarball matches the (now-trusted) checksum entry
  • Check a single artifact:
grep ' node-vX.Y.Z.tar.gz$' SHASUMS256.txt | sha256sum -c -
  • Or verify all downloaded artifacts listed (ignoring ones you don’t have):
sha256sum -c SHASUMS256.txt --ignore-missing

[2]

  5. Operational hygiene
  • Pin the exact version (vX.Y.Z) and fetch over HTTPS from nodejs.org.
  • Treat any GPG warnings about unknown/untrusted keys as a sign you haven’t properly anchored trust (import/verify the correct release keys rather than “accepting” the result). [1]

Sources: Node.js release signing keys + verification workflow [1], Node.js “Verifying binaries” instructions (checksums + SHASUMS256.txt.sig) [2].

References:
[1] (github.com)
[2] (chromium.googlesource.com)



Add checksum verification for Node.js tarball download.

The current download/extract does not verify tarball integrity, creating a supply-chain vulnerability. Download SHASUMS256.txt and verify the tarball checksum before extraction. For complete security, also verify the GPG signature of SHASUMS256.txt.sig against the official Node.js release keys, but at minimum:

Checksum verification
 RUN ARCH=$(dpkg --print-architecture) \
     && if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
        elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
        else NODE_ARCH="$ARCH"; fi \
     && NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
                     | grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
                     | head -1) \
-    && curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
-    | tar -xJ -C /usr/local --strip-components=1 \
+    && curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" \
+    && curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
+    && grep " node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz$" SHASUMS256.txt | sha256sum -c - \
+    && tar -xJf "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" -C /usr/local --strip-components=1 \
+    && rm -f "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" SHASUMS256.txt \
     && npm install -g npm@latest \
     && npm cache clean --force
📝 Committable suggestion


Suggested change
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
| tar -xJ -C /usr/local --strip-components=1 \
&& npm install -g npm@latest \
&& npm cache clean --force
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" \
&& curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
&& grep " node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz$" SHASUMS256.txt | sha256sum -c - \
&& tar -xJf "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" -C /usr/local --strip-components=1 \
&& rm -f "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" SHASUMS256.txt \
&& npm install -g npm@latest \
&& npm cache clean --force
🤖 Prompt for AI Agents
In `@docker/build_and_push_base.Dockerfile` around lines 85 - 95, Download the
matching SHASUMS256.txt for the selected NODE_VERSION and NODE_ARCH (the same
base URL used to fetch the tarball), compute the SHA256 of the downloaded
tarball and compare it against the expected checksum from SHASUMS256.txt before
running the tar -xJ extraction; update the block that sets
NODE_VERSION/NODE_ARCH and performs the curl | tar pipeline to first curl and
save the tarball and the SHASUMS256.txt, verify the tarball checksum matches the
entry for node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz, and only then extract
and run npm install; optionally add steps to download and verify
SHASUMS256.txt.sig with Node.js release GPG keys for stronger validation.

Comment on lines +84 to +94
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
| tar -xJ -C /usr/local --strip-components=1 \
&& npm install -g npm@latest \
&& npm cache clean --force
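Review bot: The `else NODE_ARCH="$ARCH"; fi` fallback passes any unrecognised dpkg architecture straight into the download URL, so on a platform that Node.js names differently the build fails late with an opaque 404 rather than a clear message; prefer `else echo "Unsupported architecture: $ARCH" && exit 1; fi`, as already proposed for the extras Dockerfile in this thread. `npm install -g npm@latest` on the same RUN line is likewise unpinned and installs whatever npm is current at build time; pin it to an exact version alongside the Node.js version so that the image contents are determined by the Dockerfile and not by the build date.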


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check the file exists and read the specific lines
cd /tmp && find . -name "build_and_push.Dockerfile" 2>/dev/null | head -5

Repository: langflow-ai/langflow

Length of output: 46


🏁 Script executed:

# Let's search in common Docker paths
find . -name "*Dockerfile*" -type f 2>/dev/null | head -20

Repository: langflow-ai/langflow

Length of output: 666


🏁 Script executed:

# Search for the Dockerfile content
fd -e Dockerfile -e dockerfile 2>/dev/null

Repository: langflow-ai/langflow

Length of output: 499


🏁 Script executed:

# Read the specific Dockerfile to verify the lines 84-94
head -100 docker/build_and_push.Dockerfile | tail -20

Repository: langflow-ai/langflow

Length of output: 1081


🏁 Script executed:

# Get exact context around lines 84-94
sed -n '80,95p' docker/build_and_push.Dockerfile

Repository: langflow-ai/langflow

Length of output: 926


🌐 Web query:

Node.js official distribution SHASUMS256.txt verification downloads

💡 Result:

Where to download the official checksum files (per release)

For a specific Node.js version vX.Y.Z, the official artifacts live in the release directory, which includes:

  • SHASUMS256.txt (SHA-256 checksums)
  • SHASUMS256.txt.sig (GPG detached signature)
  • sometimes also SHASUMS256.txt.asc (ASCII-armored signature file)
    Example directory listing: .../download/release/v24.0.0/ shows these files. [1]

Download + verify (recommended: verify the signed checksums, then verify your binary)

# 1) Download the Node.js binary you want + the checksum + signature
curl -O https://nodejs.org/download/release/vX.Y.Z/node-vX.Y.Z-linux-x64.tar.xz
curl -O https://nodejs.org/download/release/vX.Y.Z/SHASUMS256.txt
curl -O https://nodejs.org/download/release/vX.Y.Z/SHASUMS256.txt.sig
# 2) Get trusted release signing keys (recommended source: nodejs/release-keys)
git clone https://github.com/nodejs/release-keys.git
# 3) Verify SHASUMS256.txt is signed by an authorized release key
GNUPGHOME="$PWD/release-keys/gpg" gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
# 4) Verify your download matches the published checksum
sha256sum -c SHASUMS256.txt --ignore-missing

The gpg --verify ... flow and the checksum verification flow above are the standard Node.js instructions, and nodejs/release-keys provides a ready-to-use keyring for verification. [2] [3]

Notes

  • Current/LTS releases provide the GPG signature (SHASUMS256.txt.sig) for SHASUMS256.txt. [2]
  • Nightly builds may not have the same signature guarantees; always check the specific directory you’re downloading from. [2]

Sources
[1] Node.js release directory listing (example) showing SHASUMS256.txt, .sig, .asc files
[2] Node.js README “Verifying binaries” instructions (download checksums + verify with gpg + verify with sha256sum)
[3] nodejs/release-keys repository instructions for verifying release packages using the provided keyring


🏁 Script executed:

# Check if there are similar checksum verification patterns elsewhere in the codebase
rg -i "shasums\|sha256sum\|checksum" docker/

Repository: langflow-ai/langflow

Length of output: 46


🏁 Script executed:

# Check the base Dockerfile to see if there are related security concerns
cat docker/build_and_push_base.Dockerfile | head -150

Repository: langflow-ai/langflow

Length of output: 4458


Verify Node.js tarball integrity before extraction.

Checksum verification is missing for the downloaded Node.js tarball. Node.js releases provide SHASUMS256.txt files for this exact purpose, and integrity verification should be performed before extraction to ensure supply-chain security.

🔐 Suggested checksum verification
 RUN ARCH=$(dpkg --print-architecture) \
     && if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
        elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
        else NODE_ARCH="$ARCH"; fi \
     && NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
                     | grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
                     | head -1) \
-    && curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
-    | tar -xJ -C /usr/local --strip-components=1 \
+    && curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" \
+    && curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
+    && grep " node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz$" SHASUMS256.txt | sha256sum -c - \
+    && tar -xJf "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" -C /usr/local --strip-components=1 \
+    && rm -f "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" SHASUMS256.txt \
     && npm install -g npm@latest \
     && npm cache clean --force
📝 Committable suggestion


Suggested change
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
| tar -xJ -C /usr/local --strip-components=1 \
&& npm install -g npm@latest \
&& npm cache clean --force
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" \
&& curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
&& grep " node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz$" SHASUMS256.txt | sha256sum -c - \
&& tar -xJf "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" -C /usr/local --strip-components=1 \
&& rm -f "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" SHASUMS256.txt \
&& npm install -g npm@latest \
&& npm cache clean --force
🤖 Prompt for AI Agents
In `@docker/build_and_push.Dockerfile` around lines 84 - 94, The Dockerfile
currently downloads and extracts the Node.js tarball without verifying
integrity; update the RUN block that sets ARCH/NODE_ARCH and computes
NODE_VERSION to also fetch the corresponding SHASUMS256.txt (from
https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt), extract the expected
SHA256 for node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz, compute the checksum
of the downloaded tarball (e.g., via sha256sum) and compare it to the expected
value, and fail/exit if they do not match (removing the bad tarball). Keep the
existing variable names (ARCH, NODE_ARCH, NODE_VERSION) and ensure the
verification step runs before the tar -xJ extraction so extraction only happens
on a successful checksum match.

Comment on lines +8 to +12
"overrides": {
"tar": "^7.5.4",
"glob": "^11.1.0",
"test-exclude": "^7.0.0"
},
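Review bot: Each entry in this `overrides` block should correspond to a package that the lockfile actually resolves; the CodeRabbit check on this hunk found no `tar` in package-lock.json, so `"tar": "^7.5.4"` currently pins nothing and should either be dropped or justified in the PR description with the consumer that pulls it in (`npm ls tar`). Note also that `overrides` is an npm-only field (pnpm reads `pnpm.overrides`, yarn reads `resolutions`), so any install of this package.json through another package manager silently ignores these three pins and the audit fix does not carry over.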


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python - <<'PY'
import json, pathlib
p = pathlib.Path("src/frontend/package-lock.json")
if not p.exists():
    print("package-lock.json not found")
    raise SystemExit(1)
data = json.loads(p.read_text())
pkgs = data.get("packages", {})
for name in ("tar", "glob", "test-exclude"):
    v = pkgs.get(f"node_modules/{name}", {}).get("version")
    if v:
        print(f"{name}: {v}")
PY

Repository: langflow-ai/langflow

Length of output: 96


🏁 Script executed:

#!/bin/bash
python - <<'PY'
import json, pathlib
p = pathlib.Path("src/frontend/package-lock.json")
data = json.loads(p.read_text())
pkgs = data.get("packages", {})

# Check all keys that contain "tar"
print("=== Keys containing 'tar' ===")
tar_keys = [k for k in pkgs.keys() if 'tar' in k.lower()]
for key in tar_keys:
    print(f"{key}: {pkgs[key].get('version', 'N/A')}")

# Also check top-level dependencies
print("\n=== Checking dependencies section ===")
deps = data.get("dependencies", {})
if "tar" in deps:
    print(f"tar in dependencies: {deps['tar']}")
PY

Repository: langflow-ai/langflow

Length of output: 566


🏁 Script executed:

#!/bin/bash
cat src/frontend/package.json | grep -A 50 '"dependencies"' | grep -B 5 -A 5 '"tar"'

Repository: langflow-ai/langflow

Length of output: 46


🏁 Script executed:

#!/bin/bash
cat src/frontend/package.json

Repository: langflow-ai/langflow

Length of output: 5707


Verify npm overrides are captured in the lockfile—tar override not found.

Two of three overrides are properly locked:

  • glob: 11.1.0 ✓
  • test-exclude: 7.0.1 ✓

However, tar does not appear in the lockfile at all. The override for tar@^7.5.4 has no effect because tar is not a resolved transitive dependency. Verify whether this override is necessary or should be removed.

🤖 Prompt for AI Agents
In `@src/frontend/package.json` around lines 8 - 12, The package.json overrides
block includes "tar": "^7.5.4" but the lockfile shows no resolved tar package,
so confirm whether tar is actually a transitive dependency; search dependency
tree for "tar" (e.g., npm ls tar or pnpm why tar) and if no consumer requires it
remove the "tar" override from the overrides block, otherwise update
dependencies so a package pulls in tar@^7.5.4 (or add a direct devDependency)
and then regenerate the lockfile (npm install / npm ci or pnpm install) to
ensure the override is reflected; adjust the overrides entry for "tar" only if
you find a real consumer needing that version.

"p-debounce": "^4.0.0",
"pako": "^2.1.0",
"playwright": "^1.56.0",
"playwright": "^1.57.0",
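Review bot: `^1.57.0` is a floor, not a pin; what `npm ci` installs is whatever `package-lock.json` resolved, so the lockfile must carry the matching playwright 1.57.0 entry in this same change (the PR steps say the locks were updated after porting, which covers it). Since 1.57.0 removes `page.accessibility()`, narrows `page.route()` glob patterns and ignores a Cookie header passed to `route.continue()`, the e2e suite should be run once against the new version before merge rather than relying on the range resolving.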

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Playwright 1.57.0 release notes breaking changes

💡 Result:

Playwright 1.57.0 breaking changes (from the official release notes):

  • Removed accessibility API: page.accessibility() / page.accessibility / Page#accessibility was removed after long deprecation; use an external tool like axe-core instead. [2][3]
  • URL glob patterns tightened: Glob URL patterns used by APIs like page.route() no longer support ? and []—use a RegExp instead. [1]
  • route.continue() can’t override Cookie header: Any provided Cookie header is now ignored; cookies come from the browser cookie store. Use browserContext.addCookies() to set cookies. [1]
  • macOS 13 WebKit updates deprecated: macOS 13 is deprecated for WebKit updates; upgrade macOS to keep receiving new WebKit versions. [1]

Sources: official Playwright release notes (Node) [1] and language-specific release notes highlighting the removed accessibility API [2][3].


🌐 Web query:

Vite 7.3.1 release notes breaking changes

💡 Result:

Vite v7.3.1 (released Jan 7, 2026) is a patch release, and the project does not list any breaking changes specific to 7.3.1 (the release entry points to the changelog for details, but does not call out breaking changes). [1]

If you’re upgrading to Vite 7 (from Vite 6 or earlier), the main breaking changes to account for are at the Vite 7.0 level—most notably the Node.js requirement change (Node 20.19+ / 22.12+) and the ESM-only distribution. [2] Vite also maintains a central “Breaking Changes” page for cross-version tracking; it doesn’t list anything that would indicate a new breaking change introduced specifically in 7.3.1. [3]

Sources: [1] [2] [3]


🌐 Web query:

@modelcontextprotocol/server-everything 2026.1.14 changelog breaking changes

💡 Result:

For @modelcontextprotocol/server-everything 2026.1.14 (released Jan 14, 2026), there isn’t a dedicated changelog entry or “Breaking Changes” section published for that package/version—release notes for that date only list which packages were bumped. [1]

What the release notes do say (v2026.1.14):

Breaking changes: none are explicitly documented for @modelcontextprotocol/[email protected] in the published release notes. [1]

Sources: [1] (github.com) [2] (jsdelivr.com)


Review Playwright 1.57.0 for breaking changes.

Playwright 1.57.0 introduces breaking changes:

  • Removed page.accessibility() API—use an external tool like axe-core instead
  • URL glob patterns in page.route() no longer support ? and []—use RegExp instead
  • route.continue() can no longer override the Cookie header—use browserContext.addCookies() instead
  • macOS 13 is deprecated for WebKit updates

Confirm the codebase handles these changes. Vite 7.3.1 is a patch release with no breaking changes. @modelcontextprotocol/server-everything 2026.1.14 has no documented breaking changes.

Also applies to: 143-145, 175-175

🤖 Prompt for AI Agents
In `@src/frontend/package.json` at line 71, The dependency upgrade to
"playwright": "^1.57.0" can introduce breaking changes—search the codebase for
usages of page.accessibility(), page.route( with glob patterns), and
route.continue( to ensure no code relies on removed page.accessibility(), that
page.route() glob patterns don't use ? or [] (convert those patterns to RegExp
in places where page.route( is called), and that no code expects
route.continue() to override the Cookie header (replace such logic with
browserContext.addCookies() calls). Also run WebKit tests on macOS >=14 or
adjust test targets if you rely on macOS 13. If these changes are unacceptable,
consider pinning or downgrading "playwright" in package.json or add targeted
code changes where the symbols page.accessibility, page.route, route.continue,
and browserContext.addCookies are referenced.

@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Jan 27, 2026
Labels: bug (Something isn't working), lgtm (This PR has been approved by a maintainer)