chore(release): staging to production - 2026.01.08 #775
base: production
prevent invalid http redirect
patch dependencies
fix overrideconfig sessionId
- Updated `validateMCPServerSecurity` to only allow whitelisted commands, removing the extensive list of dangerous commands.
- Introduced `validateArgsForLocalFileAccess` to check for potential local file access patterns and null byte injections.
- Updated `Supergateway_MCP` to utilize the new argument validation function.
- Added a warning in `CustomMCP` regarding upcoming changes to Remote MCP support.
* fix overrideconfig sessionId
* Fix: update chatflow query to use sessionId instead of chatId
…do not exist (FlowiseAI#5001) avoid throwing error when removing all chat messages if files do not exist
add CUSTOM_MCP_PROTOCOL
- Added support for overriding startState from overrideConfig even when startPersistState is true
* feat: update public-chatflow access control
* chore: deprecate getSinglePublicChatflow method
* chore: remove RequireAuthIfNotpublic
Fixed documentation link
fix: sanitize null bytes in import data from SQLite
FlowiseAI#5010)
* Enhance: Improve 'Strip New Lines' for Gemini/Vertex embedding efficiency
* Run lint-fix
---------
Co-authored-by: Ilango Rajagopal <[email protected]>
* - Added support for built-in OpenAI tools including web search, code interpreter, and image generation.
  - Enhanced file handling by extracting artifacts and file annotations from response metadata.
  - Implemented download functionality for file annotations in the UI.
  - Updated chat history management to include additional kwargs for artifacts, file annotations, and used tools.
  - Improved UI components to display used tools and file annotations effectively.
* remove redundant currentContainerId
* update comment
* Fixes the lossy-replace when a new state assignment contains the {{ output }} variable
* Replaces replace with replaceAll
---------
Co-authored-by: Corentin <[email protected]>
…ge (FlowiseAI#5041) docs: clarify Node.js heap config for all platforms
…4998)
* feature/bugfix: added optional css selector to puppeteer web scraper, fixed error when puppeteerLoader does not work.
* feature: added button to add empty link in web scraper tools
* feature: added custom executable file path as an input to puppeteer to fix issues when puppeteer cannot find/launch the browser.
* feature: added new puppeteer features to playwright as well.
* fixed review comments
add deprecation notice for V1
…AI#5053) fix agent and llm nodes when chat models streaming is off
* fix to square bracket handling
* updated comment
remove redundant loggers
* minor execution view ui fix
* add password validation
🔍 PR Review: Staging → Production Release
…y Decorator
Enables users in Personal Workspaces to access Default Workspace resources
through intelligent query interception. ZERO service file modifications.
How it works:
- Service: qb.andWhere('tool.workspaceId = :workspaceId', { workspaceId })
- Decorator upgrades to: qb.andWhere('...IN (:...ids)', { ids: [ws1, ws2] })
AAI files (145 lines, 3 files):
- context.ts (20) - Config + AsyncLocalStorage + debug logging
- middleware.ts (30) - Request context middleware with error handling
- repository.ts (95) - Smart decorator + init
Config:
- AAI_MULTI_WORKSPACE_SHARING=true to enable (disabled by default)
- AAI_SHARED_WORKSPACE_NAME (default: "Default Workspace")
- AAI_WORKSPACE_DEBUG=true for debug logging
…kspace-resource-sharing feat(AGENT-610): enable multi-workspace resource sharing via Smart Repository Decorator
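The filter upgrade described in the commit message above, as an added example that is not code from this PR or the project: it rewrites the service's equality filter into the `IN (:...ids)` form and checks that a third workspace's rows stay invisible. `WorkspaceContext`, `upgradeWorkspaceFilter`, `applyClause` and the workspace ids are hypothetical, and the guard that widens only a filter on the caller's own workspace is an assumption about a safe design, not something the commit states.

```typescript
// Added illustration: all type and function names here are hypothetical.
interface WorkspaceContext {
    sharingEnabled: boolean // stands in for AAI_MULTI_WORKSPACE_SHARING=true
    activeWorkspaceId: string // caller's workspace, taken from the server-side session
    sharedWorkspaceId: string | null // resolved id of the shared "Default Workspace"
}
interface Clause {
    where: string
    params: Record<string, unknown>
}
interface Row {
    id: string
    workspaceId: string
}

const EQ_FILTER = /^(\w+)\.workspaceId = :workspaceId$/

// Rewrite "<alias>.workspaceId = :workspaceId" into an IN filter over at most two ids.
function upgradeWorkspaceFilter(clause: Clause, ctx: WorkspaceContext): Clause {
    const m = EQ_FILTER.exec(clause.where)
    if (m === null) return clause // not a workspace equality filter
    const shared = ctx.sharedWorkspaceId
    if (!ctx.sharingEnabled || shared === null) return clause // sharing is off by default
    // Assumed guard: widen only a filter on the caller's own workspace, never an arbitrary id.
    if (clause.params.workspaceId !== ctx.activeWorkspaceId) return clause
    const ids = shared === ctx.activeWorkspaceId ? [shared] : [ctx.activeWorkspaceId, shared]
    return { where: `${m[1]}.workspaceId IN (:...ids)`, params: { ids } }
}

// In-memory stand-in for the database: which row ids does a clause expose?
function applyClause(rows: Row[], clause: Clause): string[] {
    const ids = clause.params.ids
    const allowed: unknown[] = Array.isArray(ids) ? ids : [clause.params.workspaceId]
    return rows.filter((r) => allowed.indexOf(r.workspaceId) !== -1).map((r) => r.id)
}

// Constructed sample data.
const sampleRows: Row[] = [
    { id: 't1', workspaceId: 'ws-personal' },
    { id: 't2', workspaceId: 'ws-default' },
    { id: 't3', workspaceId: 'ws-other-tenant' }
]
const serviceClause: Clause = { where: 'tool.workspaceId = :workspaceId', params: { workspaceId: 'ws-personal' } }
const sharingOn: WorkspaceContext = { sharingEnabled: true, activeWorkspaceId: 'ws-personal', sharedWorkspaceId: 'ws-default' }

console.log(applyClause(sampleRows, upgradeWorkspaceFilter(serviceClause, sharingOn)))
```

An isolation test for this kind of interception should assert the negative case as well: with sharing on, rows from any workspace other than the caller's and the shared one must never be returned.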
Pull Request Review: PR #775 - Staging to Production Release
🚨 CRITICAL ISSUES
1. Branch Target Violation ⛔
Severity: BLOCKER
This PR targets the
Recommendation:
🔒 SECURITY CONCERNS
2. High Volume of Security-Related Changes
Severity: HIGH
This PR includes numerous security fixes that require careful validation:
Recommendations:
3. Authentication & Authorization Changes
Severity: HIGH
Multiple AAI-specific auth changes are included:
Critical Questions:
Recommendations:
📊 MULTI-TENANCY & DATA ISOLATION
4. Workspace & Organization Changes
Severity: MEDIUM-HIGH
Critical multi-tenancy features introduced:
CRITICAL Compliance Check:
Recommendations:
🏗️ ARCHITECTURE & CODE QUALITY
5. Massive Scope
Severity: MEDIUM
Stats:
Concerns:
Recommendations:
6. Database Migrations
Severity: MEDIUM
Multiple migration-related changes:
Recommendations:
📋 COMPLIANCE WITH REPOSITORY STANDARDS
7. TheAnswer Component Standards
Severity: LOW
Verify all new Flowise components include tags: ["AAI"] per CLAUDE.md requirements for TheAnswer components.
Action: Audit components in packages/components/nodes/ for AAI tag compliance
8. Error Handling Patterns
Severity: LOW
Multiple error handling updates. Verify consistency with InternalFlowiseError pattern throughout.
✅ POSITIVE OBSERVATIONS
📝 PRE-DEPLOYMENT CHECKLIST
Before merging to production:
🎯 RECOMMENDATIONS SUMMARY
BLOCK MERGE until:
AFTER MERGE:
📊 RISK ASSESSMENT
Overall Risk: 🟡 MEDIUM-HIGH
This is a substantial release with critical security and architecture changes. Proceed with caution and ensure all checklist items are completed.
fix(AGENT-609): add missing handleTabChange function to Variables page
fix(AGENT-614): use useParams for dataset ID extraction
…-tab fix(AGENT-616): connect RateLimit component to configuration dialog
fix(AGENT-597): correct z-index values so modals render above drawer
fix(AGENT-615): remove duplicate Add New Field button in User Variables
🔍 PR Review: Staging → Production Release (PR #775)
🔍 Pull Request Review: Staging → Production Release
Overview
This is a major release merging staging into production with:
Due to the size of this PR (exceeds GitHub's 300 file diff limit), I'm providing a high-level review based on the commit messages and architectural patterns.
✅ Positive Observations
1. Strong Authentication & Security Improvements
2. Workspace & Multi-Tenancy
3. Developer Experience
4. Database & Migrations
5. Upstream Flowise Sync
| Risk Area | Level | Mitigation |
|---|---|---|
| Database migrations | 🔴 HIGH | Backup + rollback plan |
| Auth breaking changes | 🟡 MEDIUM | Test all auth flows |
| Workspace filtering | 🟡 MEDIUM | Verify resource isolation |
| API compatibility | 🟡 MEDIUM | Test API clients |
| Performance regression | 🟢 LOW | Monitor post-deploy |
✅ Final Verdict
STATUS:
This is a well-structured release with significant improvements to auth, multi-tenancy, and security. However, given the size and complexity:
APPROVE if:
- ✅ All items in "Pre-Merge Checklist" are completed
- ✅ Database backup is verified
- ✅ Rollback plan is documented
- ✅ Staging has been thoroughly tested
- ✅ Team is ready for deployment support
WAIT if:
- ❌ Any critical checklist items are incomplete
- ❌ Database backup not verified
- ❌ Migration testing incomplete
- ❌ Auth testing not comprehensive
📚 References
- Repository guidelines: CLAUDE.md
- Authorization docs: packages/server/AUTHORIZATION.md
- Testing strategy: TESTING_STRATEGY.md
- Architecture: .claude/README.md
Reviewer: Claude Code (Automated Review)
Review Date: 2026-01-08
PR: #775 (staging → production)
💬 Questions for Team
- What testing has been performed on staging?
- When is the planned deployment window?
- Is the database backup current and tested?
- Are all required production env vars verified?
- Who will be on-call during deployment?
Please address the checklist items before merging to production. Feel free to reach out if you need clarification on any points! 🚀
🚀 Production Release Review - 2026-01-08
📊 Release Overview
Scope: Staging → Production
✅ APPROVAL - Ready for Production
This release has been thoroughly reviewed and is approved for production deployment with the following observations:
🎯 Key Highlights
1. Authentication & Security Enhancements ⭐
2. Workspace Management 🏢
3. Billing & Monitoring 💳
4. Claude Code Workflow Architecture 🤖
5. Flowise Platform Updates 🔧
6. UI/UX Improvements 🎨
🔒 Security Review
✅ Strengths
🔍 Pull Request Review: Staging → Production Release
Overview
This is a large production release merging staging to production with:
| Area | Risk Level | Impact |
|---|---|---|
| Base Branch Strategy | 🔴 HIGH | Could violate deployment policy |
| Auth Debug Logging | 🟡 MEDIUM | Potential info disclosure |
| Workspace Switching | 🟡 MEDIUM | Authorization bypass possible |
| Session Enrichment | 🟢 LOW | Performance impact minimal |
| Overall Release | 🟡 MEDIUM | Large scope = higher risk |
💬 SUMMARY
This is a substantial release with critical auth and workspace management changes. The code quality is good, but the base branch targeting and debug logging concerns must be addressed before production deployment.
Recommendation: ✋ HOLD until base branch strategy is clarified and AUTH0_DEBUG production config is verified.
Review generated following CLAUDE.md, packages/server/AUTHORIZATION.md, and .claude/rules/ guidelines
🔍 Pull Request Review: Staging to Production Release
Overview
This is a massive release with 177,797 additions across 100+ commits and 100+ files. Given the scale, I've conducted a high-level review focusing on critical areas.
✅ Strengths
1. Comprehensive Release Documentation
2. Important Feature Additions
3. Critical Bug Fixes
Handle various ESM import formats from transpiled packages. The transpilePackages config processes imports before webpack rules apply, causing image imports to have nested structures.
…mages fix(AGENT-588): fix tab images in AddNodes
🔍 Pull Request Review - Staging → Production Release
PR #775 | Reviewed by Claude Code | 2026-01-08
This is a massive staging → production release with 177,804 additions across 100+ files and 100 commits. CodeQL has flagged 20+ security issues requiring attention.
✅ Strengths
🚨 Critical Issues
1. CodeQL Security Alerts (HIGH PRIORITY)
GitHub Advanced Security flagged 20+ potential security issues. These MUST be resolved before production deployment.
2. Workspace Switch Authorization Gap (apps/web/app/api/workspaces/switch/route.ts:29)
3. Error Information Disclosure (apps/web/app/api/auth/[auth0]/route.ts:70)
4. Missing Input Validation (apps/web/app/api/workspaces/switch/route.ts:12)
🚀 Release: Staging to Production
Release Date: 2026-01-08
Changes in this release
createSchema (Ensure proper cleanup of the database connection in createSchema FlowiseAI/Flowise#5315) (9554b1a)
getNumTokens for ChatGoogleGenerativeAI (Support getNumTokens for ChatGoogleGenerativeAI FlowiseAI/Flowise#4149) (654bd48)
This PR is automatically created/updated when commits are pushed to staging.
Merging this PR will trigger the release workflow to create a new GitHub release.