2 changes: 1 addition & 1 deletion .github/workflows/typescript_test.yml
Expand Up @@ -69,7 +69,7 @@ env:
# Define the directory where Playwright browsers will be installed.
# This path is used for caching across workflows
PLAYWRIGHT_BROWSERS_PATH: "ms-playwright"
PLAYWRIGHT_VERSION: "1.56.0"
PLAYWRIGHT_VERSION: "1.57.0"

jobs:
determine-test-suite:
26 changes: 18 additions & 8 deletions docker/build_and_push.Dockerfile
Expand Up @@ -73,21 +73,31 @@ RUN --mount=type=cache,target=/root/.cache/uv \
# RUNTIME
# Setup user, utilities and copy the virtual environment only
################################
FROM python:3.12.3-slim AS runtime
FROM python:3.12.12-slim-trixie AS runtime


RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y curl git libpq5 gnupg \
&& curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
&& apt-get install -y nodejs \
&& apt-get install --no-install-recommends -y curl git libpq5 gnupg xz-utils \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* \
&& useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data
&& rm -rf /var/lib/apt/lists/*
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
| tar -xJ -C /usr/local --strip-components=1 \
&& npm install -g npm@latest \
&& npm cache clean --force
Comment on lines +84 to +94

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's check the file exists and read the specific lines
cd /tmp && find . -name "build_and_push.Dockerfile" 2>/dev/null | head -5

Repository: langflow-ai/langflow

Length of output: 46


🏁 Script executed:

# Let's search in common Docker paths
find . -name "*Dockerfile*" -type f 2>/dev/null | head -20

Repository: langflow-ai/langflow

Length of output: 666


🏁 Script executed:

# Search for the Dockerfile content
fd -e Dockerfile -e dockerfile 2>/dev/null

Repository: langflow-ai/langflow

Length of output: 499


🏁 Script executed:

# Read the specific Dockerfile to verify the lines 84-94
head -100 docker/build_and_push.Dockerfile | tail -20

Repository: langflow-ai/langflow

Length of output: 1081


🏁 Script executed:

# Get exact context around lines 84-94
sed -n '80,95p' docker/build_and_push.Dockerfile

Repository: langflow-ai/langflow

Length of output: 926


🌐 Web query:

Node.js official distribution SHASUMS256.txt verification downloads

💡 Result:

Where to download the official checksum files (per release)

For a specific Node.js version vX.Y.Z, the official artifacts live in the release directory, which includes:

  • SHASUMS256.txt (SHA-256 checksums)
  • SHASUMS256.txt.sig (GPG detached signature)
  • sometimes also SHASUMS256.txt.asc (ASCII-armored signature file)
    Example directory listing: .../download/release/v24.0.0/ shows these files. [1]

Download + verify (recommended: verify the signed checksums, then verify your binary)

# 1) Download the Node.js binary you want + the checksum + signature
curl -O https://nodejs.org/download/release/vX.Y.Z/node-vX.Y.Z-linux-x64.tar.xz
curl -O https://nodejs.org/download/release/vX.Y.Z/SHASUMS256.txt
curl -O https://nodejs.org/download/release/vX.Y.Z/SHASUMS256.txt.sig
# 2) Get trusted release signing keys (recommended source: nodejs/release-keys)
git clone https://github.com/nodejs/release-keys.git
# 3) Verify SHASUMS256.txt is signed by an authorized release key
GNUPGHOME="$PWD/release-keys/gpg" gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
# 4) Verify your download matches the published checksum
sha256sum -c SHASUMS256.txt --ignore-missing

The gpg --verify ... flow and the checksum verification flow above are the standard Node.js instructions, and nodejs/release-keys provides a ready-to-use keyring for verification. [2] [3]

Notes

  • Current/LTS releases provide the GPG signature (SHASUMS256.txt.sig) for SHASUMS256.txt. [2]
  • Nightly builds may not have the same signature guarantees; always check the specific directory you’re downloading from. [2]

Sources
[1] Node.js release directory listing (example) showing SHASUMS256.txt, .sig, .asc files
[2] Node.js README “Verifying binaries” instructions (download checksums + verify with gpg + verify with sha256sum)
[3] nodejs/release-keys repository instructions for verifying release packages using the provided keyring


🏁 Script executed:

# Check if there are similar checksum verification patterns elsewhere in the codebase
rg -i "shasums\|sha256sum\|checksum" docker/

Repository: langflow-ai/langflow

Length of output: 46


🏁 Script executed:

# Check the base Dockerfile to see if there are related security concerns
cat docker/build_and_push_base.Dockerfile | head -150

Repository: langflow-ai/langflow

Length of output: 4458


Verify Node.js tarball integrity before extraction.

Checksum verification is missing for the downloaded Node.js tarball. Node.js releases provide SHASUMS256.txt files for this exact purpose, and integrity verification should be performed before extraction to ensure supply-chain security.

🔐 Suggested checksum verification
 RUN ARCH=$(dpkg --print-architecture) \
     && if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
        elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
        else NODE_ARCH="$ARCH"; fi \
     && NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
                     | grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
                     | head -1) \
-    && curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
-    | tar -xJ -C /usr/local --strip-components=1 \
+    && curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" \
+    && curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
+    && grep " node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz$" SHASUMS256.txt | sha256sum -c - \
+    && tar -xJf "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" -C /usr/local --strip-components=1 \
+    && rm -f "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" SHASUMS256.txt \
     && npm install -g npm@latest \
     && npm cache clean --force
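
Review bot: The `sha256sum -c -` step in this suggestion trusts a `SHASUMS256.txt` fetched from the same `https://nodejs.org/dist/v${NODE_VERSION}/` path as the tarball, so it catches a truncated or corrupted download but not a tampered origin or mirror. `gnupg` is already in this stage's `apt-get install` list: verify `SHASUMS256.txt.sig` against the Node.js release keyring before the `grep ... | sha256sum -c -` step, or pin the expected SHA-256 in the Dockerfile next to a fixed version.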
🤖 Prompt for AI Agents
In `@docker/build_and_push.Dockerfile` around lines 84 - 94, The Dockerfile
currently downloads and extracts the Node.js tarball without verifying
integrity; update the RUN block that sets ARCH/NODE_ARCH and computes
NODE_VERSION to also fetch the corresponding SHASUMS256.txt (from
https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt), extract the expected
SHA256 for node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz, compute the checksum
of the downloaded tarball (e.g., via sha256sum) and compare it to the expected
value, and fail/exit if they do not match (removing the bad tarball). Keep the
existing variable names (ARCH, NODE_ARCH, NODE_VERSION) and ensure the
verification step runs before the tar -xJ extraction so extraction only happens
on a successful checksum match.

RUN useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data

COPY --from=builder --chown=1000 /app/.venv /app/.venv

# Place executables in the environment at the front of the path
ENV PATH="/app/.venv/bin:$PATH"
RUN /app/.venv/bin/pip install --upgrade playwright \
&& /app/.venv/bin/playwright install

LABEL org.opencontainers.image.title=langflow
LABEL org.opencontainers.image.authors=['Langflow']
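
Review bot: `NODE_VERSION` is scraped from the `latest-v22.x` directory listing at build time and npm is then replaced with `npm@latest`, so two builds of the same commit can ship different Node.js and npm versions without any reviewed change. Declare the version as a build argument (for example `ARG NODE_VERSION=<pinned 22.x release>`), pin npm the same way or keep the npm bundled in the tarball, and bump both in a commit that can be reviewed.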
28 changes: 19 additions & 9 deletions docker/build_and_push_base.Dockerfile
Expand Up @@ -74,21 +74,31 @@ RUN --mount=type=cache,target=/root/.cache/uv \
# RUNTIME
# Setup user, utilities and copy the virtual environment only
################################
FROM python:3.12.3-slim AS runtime
FROM python:3.12.12-slim-trixie AS runtime


RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y git libpq5 curl gnupg \
&& curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
&& apt-get install -y nodejs \
&& apt-get install --no-install-recommends -y curl git libpq5 gnupg xz-utils \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* \
&& useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data
# and we use the venv at the root because workspaces
COPY --from=builder --chown=1000 /app/.venv /app/.venv
&& rm -rf /var/lib/apt/lists/*
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
| tar -xJ -C /usr/local --strip-components=1 \
&& npm install -g npm@latest \
&& npm cache clean --force
Comment on lines +85 to +95

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine the Dockerfile
fd -type f -name "build_and_push_base.Dockerfile"

Repository: langflow-ai/langflow

Length of output: 234


🏁 Script executed:

# Read the specific lines mentioned in the review (85-95)
sed -n '85,95p' docker/build_and_push_base.Dockerfile

Repository: langflow-ai/langflow

Length of output: 689


🏁 Script executed:

# Check if Node.js dist provides SHASUMS256.txt
# Test with a sample Node.js release URL
curl -fsSL --head https://nodejs.org/dist/latest-v22.x/SHASUMS256.txt | head -5

Repository: langflow-ai/langflow

Length of output: 205


🌐 Web query:

Node.js official verification tarball checksum SHASUMS256.txt best practices

💡 Result:

Best practices for verifying an official Node.js tarball with SHASUMS256.txt

  1. Prefer signature verification over “checksum-only”
     • Don’t just compare your tarball hash against SHASUMS256.txt; first verify that the checksum file itself is authentic by validating its GPG signature (SHASUMS256.txt.sig, sometimes also .asc). Current/LTS releases publish a detached signature; Nightlies generally don’t. [2]
  2. Get release signing keys from a trusted source (and lock them down)
     • Use the official Node.js release signing keys (and ideally the prebuilt keyring) from the Node.js Release Keys repo, and consider cross-checking key fingerprints with an independent source. The repo includes a ready-to-use gpg/ keyring and instructions. [1]
  3. Verify SHASUMS256.txt signature
# download checksums + signature for a specific version
curl -O https://nodejs.org/dist/vX.Y.Z/SHASUMS256.txt
curl -O https://nodejs.org/dist/vX.Y.Z/SHASUMS256.txt.sig

# verify signature using the Node release keyring
git clone https://github.com/nodejs/release-keys.git
GNUPGHOME=$PWD/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt

(Using an isolated GNUPGHOME helps avoid “wrong key” / polluted keyring issues.) [1]

  4. Verify the tarball matches the (now-trusted) checksum entry
     • Check a single artifact:
grep ' node-vX.Y.Z.tar.gz$' SHASUMS256.txt | sha256sum -c -
     • Or verify all downloaded artifacts listed (ignoring ones you don’t have):
sha256sum -c SHASUMS256.txt --ignore-missing

[2]

  5. Operational hygiene
     • Pin the exact version (vX.Y.Z) and fetch over HTTPS from nodejs.org.
     • Treat any GPG warnings about unknown/untrusted keys as a sign you haven’t properly anchored trust (import/verify the correct release keys rather than “accepting” the result). [1]

Sources: Node.js release signing keys + verification workflow [1], Node.js “Verifying binaries” instructions (checksums + SHASUMS256.txt.sig) [2].

References:
[1] (github.com)
[2] (chromium.googlesource.com)


Add checksum verification for Node.js tarball download.

The current download/extract does not verify tarball integrity, creating a supply-chain vulnerability. Download SHASUMS256.txt and verify the tarball checksum before extraction. For complete security, also verify the GPG signature of SHASUMS256.txt.sig against the official Node.js release keys, but at minimum:

Checksum verification
 RUN ARCH=$(dpkg --print-architecture) \
     && if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
        elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
        else NODE_ARCH="$ARCH"; fi \
     && NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
                     | grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
                     | head -1) \
-    && curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
-    | tar -xJ -C /usr/local --strip-components=1 \
+    && curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/SHASUMS256.txt" \
+    && curl -fsSLO "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
+    && grep " node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz$" SHASUMS256.txt | sha256sum -c - \
+    && tar -xJf "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" -C /usr/local --strip-components=1 \
+    && rm -f "node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" SHASUMS256.txt \
     && npm install -g npm@latest \
     && npm cache clean --force
🤖 Prompt for AI Agents
In `@docker/build_and_push_base.Dockerfile` around lines 85 - 95, Download the
matching SHASUMS256.txt for the selected NODE_VERSION and NODE_ARCH (the same
base URL used to fetch the tarball), compute the SHA256 of the downloaded
tarball and compare it against the expected checksum from SHASUMS256.txt before
running the tar -xJ extraction; update the block that sets
NODE_VERSION/NODE_ARCH and performs the curl | tar pipeline to first curl and
save the tarball and the SHASUMS256.txt, verify the tarball checksum matches the
entry for node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz, and only then extract
and run npm install; optionally add steps to download and verify
SHASUMS256.txt.sig with Node.js release GPG keys for stronger validation.

RUN useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data

# Place executables in the environment at the front of the path
COPY --from=builder --chown=1000 /app/.venv /app/.venv
ENV PATH="/app/.venv/bin:$PATH"
RUN /app/.venv/bin/pip install --upgrade playwright \
&& /app/.venv/bin/playwright install

LABEL org.opencontainers.image.title=langflow
LABEL org.opencontainers.image.authors=['Langflow']
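
Review bot: The `else NODE_ARCH="$ARCH"` fallback passes the Debian architecture name straight into the Node.js file name, but the two naming schemes differ outside amd64 and arm64 (dpkg reports `armhf` and `ppc64el` where Node.js publishes `armv7l` and `ppc64le`). On such a platform `grep -oP` matches nothing, `NODE_VERSION` is empty, and because the `curl ... | tar -xJ` pipe runs without `pipefail` the only error reported is tar's, on a download that already failed. Replace the fallback with an explicit `echo "unsupported architecture: $ARCH" >&2; exit 1` and add a `[ -n "$NODE_VERSION" ]` check before the download.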
35 changes: 17 additions & 18 deletions docker/build_and_push_ep.Dockerfile
Expand Up @@ -70,31 +70,30 @@ RUN --mount=type=cache,target=/root/.cache/uv \
# RUNTIME
# Setup user, utilities and copy the virtual environment only
################################
FROM python:3.12.3-slim AS runtime
FROM python:3.12.12-slim-trixie AS runtime

RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install --no-install-recommends -y \
curl \
git \
# Add PostgreSQL client libraries
libpq5 \
gnupg \
&& curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
&& apt-get install -y nodejs \
&& apt-get install --no-install-recommends -y curl git libpq5 gnupg xz-utils \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* \
&& useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data -s /usr/bin/false \
&& mkdir /data && chown -R 1000:0 /data
&& rm -rf /var/lib/apt/lists/*
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
| tar -xJ -C /usr/local --strip-components=1 \
&& npm install -g npm@latest \
&& npm cache clean --force
RUN useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data

COPY --from=builder --chown=1000 /app/.venv /app/.venv

# Remove shell binaries to completely disable shell access
RUN rm -f /bin/sh /bin/bash /bin/dash /usr/bin/sh /usr/bin/bash /usr/bin/dash \
/bin/ash /bin/zsh /bin/csh /bin/tcsh /bin/ksh 2>/dev/null || true

# Place executables in the environment at the front of the path
ENV PATH="/app/.venv/bin:$PATH"
RUN /app/.venv/bin/pip install --upgrade playwright \
&& /app/.venv/bin/playwright install

LABEL org.opencontainers.image.title=langflow
LABEL org.opencontainers.image.authors=['Langflow']
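
Review bot: The new `RUN useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data` line, as shown here, no longer carries `-s /usr/bin/false` or the `mkdir /data && chown -R 1000:0 /data` step that the previous `useradd` line in this file had, so the account falls back to the system default shell and `/data` is not created for UID 1000. If that is not intended, restore both on the new line. Also check the ordering at the end of the hunk: `RUN /app/.venv/bin/pip install --upgrade playwright` is a shell-form `RUN` that appears after the step deleting `/bin/sh` and the other shells, and shell-form `RUN` is executed through `/bin/sh -c`. Either move it above the shell removal or, if this change drops the shell removal, state that in the description, since it was a hardening measure.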
26 changes: 18 additions & 8 deletions docker/build_and_push_with_extras.Dockerfile
Expand Up @@ -70,21 +70,31 @@ RUN --mount=type=cache,target=/root/.cache/uv \
# RUNTIME
# Setup user, utilities and copy the virtual environment only
################################
FROM python:3.12.3-slim AS runtime
FROM python:3.12.12-slim-trixie AS runtime


RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y curl git libpq5 gnupg \
&& curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
&& apt-get install -y nodejs \
&& apt-get install --no-install-recommends -y curl git libpq5 gnupg xz-utils \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* \
&& useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data
&& rm -rf /var/lib/apt/lists/*
RUN ARCH=$(dpkg --print-architecture) \
&& if [ "$ARCH" = "amd64" ]; then NODE_ARCH="x64"; \
elif [ "$ARCH" = "arm64" ]; then NODE_ARCH="arm64"; \
else NODE_ARCH="$ARCH"; fi \
&& NODE_VERSION=$(curl -fsSL https://nodejs.org/dist/latest-v22.x/ \
| grep -oP "node-v\K[0-9]+\.[0-9]+\.[0-9]+(?=-linux-${NODE_ARCH}\.tar\.xz)" \
| head -1) \
&& curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
| tar -xJ -C /usr/local --strip-components=1 \
&& npm install -g npm@latest \
&& npm cache clean --force
RUN useradd user -u 1000 -g 0 --no-create-home --home-dir /app/data

COPY --from=builder --chown=1000 /app/.venv /app/.venv

# Place executables in the environment at the front of the path
ENV PATH="/app/.venv/bin:$PATH"
RUN /app/.venv/bin/pip install --upgrade playwright \
&& /app/.venv/bin/playwright install

LABEL org.opencontainers.image.title=langflow
LABEL org.opencontainers.image.authors=['Langflow']
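
Review bot: `pip install --upgrade playwright` at the end of this hunk modifies the virtual environment after it was copied from the builder stage, with no version constraint, so the runtime image can contain a Playwright release that the builder stage never resolved; `playwright install` then downloads every default browser into the runtime layer. Install a pinned `playwright` in the builder stage alongside the other dependencies, and in the runtime stage install only the browser that is needed (for example `playwright install chromium`), or document why the full set is required.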
12 changes: 7 additions & 5 deletions src/backend/base/pyproject.toml
Expand Up @@ -25,7 +25,7 @@ dependencies = [
"gunicorn>=22.0.0,<23.0.0",
"langchain~=0.3.27",
"langchain-community>=0.3.28,<1.0.0",
"langchain-core>=0.3.45,<1.0.0",
"langchain-core>=0.3.81,<1.0.0",
"langchainhub~=0.1.15",
"loguru>=0.7.1,<1.0.0",
"structlog>=25.4.0,<26.0.0",
Expand Down Expand Up @@ -67,17 +67,17 @@ dependencies = [
"prometheus-client>=0.20.0,<1.0.0",
"aiofiles>=24.1.0,<25.0.0",
"pip>=25.3,<26.0.0",
"setuptools>=78.1.1,<79.0.0",
"setuptools>=80.0.0,<81.0.0",
"nanoid>=2.0.0,<3.0.0",
"filelock>=3.15.4,<4.0.0",
"filelock>=3.20.1,<4.0.0",
"grandalf>=0.8.0,<1.0.0",
"spider-client>=0.0.27,<1.0.0",
"diskcache>=5.6.3,<6.0.0",
"clickhouse-connect==0.7.19",
"assemblyai>=0.33.0,<1.0.0",
"fastapi-pagination>=0.13.1,<1.0.0",
"defusedxml>=0.7.1,<1.0.0",
"pypdf~=5.1.0",
"pypdf>=6.4.0,<7.0.0",
"validators>=0.34.0,<1.0.0",
"networkx>=3.4.2,<4.0.0",
"json-repair>=0.30.3,<1.0.0",
Expand All @@ -93,6 +93,8 @@ dependencies = [
"langchain-ibm>=0.3.8,<1.0.0",
"trustcall>=0.0.38,<1.0.0",
"langchain-chroma>=0.1.4,<1.0.0",
"jaraco-context>=6.1.0",
"wheel>=0.46.2,<1.0.0",
]

[dependency-groups]
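
Review bot: `"jaraco-context>=6.1.0"` is the only entry in this hunk without an upper bound; the neighbouring dependencies all carry a `<N.0.0` cap. Add one (for example `<7.0.0`) for consistency. Neither `jaraco-context` nor `wheel` is explained anywhere in the change: if they are listed only to force a transitive dependency past a vulnerable release, a short comment next to each line would keep a later cleanup from removing them.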
Expand Down Expand Up @@ -245,7 +247,7 @@ langsmith = ["langsmith>=0.3.42,<1.0.0"]
arize = ["arize-phoenix-otel>=0.6.1"]

# Individual document loaders
pypdf = ["pypdf~=5.1.0"]
pypdf = ["pypdf~=6.6.2"]
docx = ["python-docx>=1.1.0"]
pytube = ["pytube==15.0.0"]
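
Review bot: The extra is pinned as `pypdf~=6.6.2` (that is, >=6.6.2 and <6.7.0) while the core dependency list in this same file now says `pypdf>=6.4.0,<7.0.0`. When the extra is selected the narrower range wins, so the two entries describe different supported versions and have to be bumped separately. Use the same specifier in both places, or have the extra state only what differs from the core requirement.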
