cve fixes

Signed-off-by: wwanarif <[email protected]>

Author: wanhakim

.github/workflows/manual-docker-scan.yml

@@ -69,6 +69,7 @@ jobs:
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
+          # timeout: '10m0s'
 
       - name: Cleanup
         if: always()

app-backend/Dockerfile

@@ -26,7 +26,8 @@ RUN git clone --depth 1 https://github.com/opea-project/GenAIComps.git
 WORKDIR /home/user/GenAIComps
 RUN pip install --no-cache-dir --upgrade pip==24.3.1 setuptools==78.1.1 && \
     pip install --no-cache-dir -r /home/user/GenAIComps/requirements.txt && \
-    pip install --no-cache-dir --upgrade mcp==1.10.0 pillow==11.3.0
+    pip install --no-cache-dir --upgrade mcp==1.23.0 pillow==11.3.0 \
+    langchain-core==0.3.80 urllib3==2.6.0 starlette==0.49.1
 
 COPY ./templates/microservices/* /home/user/templates/microservices/
 COPY ./megaservice.py /home/user/megaservice.py

studio-backend/app/requirements.txt

@@ -1,10 +1,10 @@
-fastapi==0.115.4
+fastapi==0.121.0
 uvicorn==0.30.6
 kubernetes==30.1.0
 requests==2.32.3
-urllib3==2.0.0
+urllib3==2.6.0
 pydantic==1.10.18
-starlette==0.41.2
+starlette==0.49.1
 websockets==10.3
 clickhouse-driver==0.2.9
 paramiko==3.5.1

studio-backend/tests/requirements.txt

@@ -1,6 +1,6 @@
 pytest==8.3.3
-fastapi==0.115.0
+fastapi==0.121.0
 httpx==0.27.2
 kubernetes==30.1.0
 pydantic==1.10.18
-urllib3==2.0.0
+urllib3==2.6.0

studio-frontend/Dockerfile

@@ -1,4 +1,5 @@
-FROM node:20-alpine
+# Build stage
+FROM node:20-alpine AS builder
 
 # Accept proxy build arguments
 ARG http_proxy
@@ -10,37 +11,62 @@ ENV http_proxy=${http_proxy}
 ENV https_proxy=${https_proxy}
 ENV no_proxy=${no_proxy}
 
-# Install necessary packages
+# Install build dependencies
 RUN apk update && apk upgrade && \
     apk add --no-cache gcompat python3 make g++ git \
-    # Needed for pdfjs-dist
-    build-base cairo-dev pango-dev \
-    # Install Chromium
-    chromium && \
-    # Install PNPM globally
+    build-base cairo-dev pango-dev && \
     npm install -g pnpm@9
 
-# Debug step to verify git installation
-RUN git --version
+ENV NODE_OPTIONS=--max-old-space-size=8192
+
+WORKDIR /usr/src
+
+# Copy package files first for better layer caching
+COPY package.json pnpm-workspace.yaml turbo.json ./
+COPY packages/server/package.json ./packages/server/
+COPY packages/ui/package.json ./packages/ui/
+
+# Install dependencies
+RUN pnpm install
+
+# Copy source code
+COPY . .
+
+# Build the app and clean up
+RUN pnpm build && \
+    # Prune to production dependencies only
+    pnpm prune --prod && \
+    rm -rf node_modules/.cache && \
+    rm -rf packages/*/node_modules/.cache
+
+# Production stage
+FROM node:20-alpine
+
+# Accept proxy build arguments
+ARG http_proxy
+ARG https_proxy
+ARG no_proxy
+
+ENV http_proxy=${http_proxy}
+ENV https_proxy=${https_proxy}
+ENV no_proxy=${no_proxy}
+
+# Install only runtime dependencies with patched npm
+RUN apk update && apk upgrade && \
+    apk add --no-cache gcompat chromium && \
+    npm install -g npm@latest pnpm@latest && \
+    rm -rf /var/cache/apk/*
 
 ENV PUPPETEER_SKIP_DOWNLOAD=true
 ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
 ENV NODE_OPTIONS=--max-old-space-size=8192
 
 WORKDIR /usr/src
 
-# Copy app source
-COPY . .
-
-# Install dependencies and build the app
-RUN pnpm config set store-dir .pnpm-store && \
-    pnpm install && \
-    pnpm update [email protected] && \
-    pnpm build && \
-    pnpm remove esbuild && \
-    rm -rf .pnpm-store && \
-    rm -rf /root/.local/share/pnpm && \
-    pnpm prune --prod
+# Copy only necessary files from builder
+COPY --from=builder /usr/src/package.json /usr/src/pnpm-workspace.yaml ./
+COPY --from=builder /usr/src/packages ./packages
+COPY --from=builder /usr/src/node_modules ./node_modules
 
 EXPOSE 3000
 

studio-frontend/package.json

@@ -1,17 +1,15 @@
 {
     "name": "flowise",
-    "version": "2.1.4",
+    "version": "3.0.10",
     "private": true,
     "homepage": "https://flowiseai.com",
     "workspaces": [
-        "packages/*",
-        "flowise",
-        "ui"
+        "packages/*"
     ],
     "scripts": {
         "build": "turbo run build",
         "build-force": "pnpm clean && turbo run build --force",
-        "dev": "turbo run dev --parallel",
+        "dev": "turbo run dev --parallel --no-cache",
         "start": "run-script-os",
         "start:windows": "cd packages/server/bin && run start",
         "start:default": "cd packages/server/bin && ./run start",
@@ -32,7 +30,6 @@
         "@babel/preset-typescript": "7.18.6",
         "@types/express": "^4.17.13",
         "@typescript-eslint/typescript-estree": "^7.13.1",
-        "esbuild": ">=0.25.0",
         "eslint": "^8.24.0",
         "eslint-config-prettier": "^8.3.0",
         "eslint-config-react-app": "^7.0.1",
@@ -42,14 +39,17 @@
         "eslint-plugin-react": "^7.26.1",
         "eslint-plugin-react-hooks": "^4.6.0",
         "eslint-plugin-unused-imports": "^2.0.0",
+        "cross-spawn": "^7.0.6",
+        "glob": "^10.5.0",
+        "tar-fs": "^3.1.1",
         "husky": "^8.0.1",
         "kill-port": "^2.0.1",
         "lint-staged": "^13.0.3",
         "prettier": "^2.7.1",
         "pretty-quick": "^3.1.3",
         "rimraf": "^3.0.2",
         "run-script-os": "^1.1.6",
-        "turbo": "latest",
+        "turbo": "^2.3.3",
         "typescript": "^5.4.5"
     },
     "pnpm": {
@@ -58,8 +58,30 @@
             "sqlite3"
         ],
         "overrides": {
-            "set-value": "^3.0.3",
-            "form-data": "4.0.4"
+            "@modelcontextprotocol/sdk": ">=1.24.0",
+            "axios": "1.12.0",
+            "body-parser": "2.0.2",
+            "braces": "3.0.3",
+            "cross-spawn": "7.0.6",
+            "esbuild": "0.27.1",
+            "form-data": "4.0.4",
+            "glob": "10.5.0",
+            "glob-parent": "6.0.2",
+            "http-proxy-middleware": "3.0.3",
+            "json5": "2.2.3",
+            "nth-check": "2.1.1",
+            "path-to-regexp": "0.1.12",
+            "prismjs": "1.29.0",
+            "rollup": "4.45.0",
+            "semver": "7.7.1",
+            "set-value": "4.1.0",
+            "solid-js": "1.9.7",
+            "tar-fs": ">=3.1.1",
+            "unset-value": "2.0.1",
+            "webpack-dev-middleware": "7.4.2",
+            "ws": "8.18.3",
+            "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz",
+            "zod": "^3.25.0"
         },
         "peerDependencyRules": {
             "ignoreMissing": [],
@@ -71,22 +93,12 @@
         "pnpm": ">=9"
     },
     "resolutions": {
+        "@google/generative-ai": "^0.24.0",
+        "@grpc/grpc-js": "^1.10.10",
+        "@langchain/core": "0.3.61",
         "@qdrant/openapi-typescript-fetch": "1.2.6",
-        "@google/generative-ai": "^0.15.0",
-        "openai": "4.57.3",
-        "@langchain/core": "0.2.18",
-        "axios": "1.8.2",
-        "nth-check": "2.0.1",
-        "pdfjs-dist": "4.2.67",
-        "prismjs": "1.27.0",
-        "semver": "7.5.2",
-        "ws": "8.17.1",
-        "esbuild": ">=0.25.0",
-        "cross-spawn": ">=7.0.5",
-        "solid-js": ">=1.9.4",
-        "tar-fs": ">=3.0.8",
-        "form-data": "4.0.4",
-        "zod": ">=3.23.0"
+        "openai": "4.96.0",
+        "protobufjs": "7.4.0"
     },
     "eslintIgnore": [
         "**/dist",

studio-frontend/packages/server/package.json

@@ -1,6 +1,6 @@
 {
     "name": "flowise",
-    "version": "2.1.4",
+    "version": "3.0.10",
     "description": "Flowiseai Server",
     "main": "dist/index",
     "types": "dist/index.d.ts",
@@ -26,7 +26,7 @@
         "nuke": "rimraf dist node_modules .turbo",
         "start:windows": "cd bin && run start",
         "start:default": "cd bin && ./run start",
-        "dev": "tsc-watch --noClear -p ./tsconfig.json --onSuccess \"pnpm start\"",
+        "dev": "nodemon",
         "oclif-dev": "run-script-os",
         "oclif-dev:windows": "cd bin && dev start",
         "oclif-dev:default": "cd bin && ./dev start",
@@ -35,13 +35,14 @@
         "typeorm": "typeorm-ts-node-commonjs",
         "typeorm:migration-generate": "pnpm typeorm migration:generate -d ./src/utils/typeormDataSource.ts",
         "typeorm:migration-run": "pnpm typeorm migration:run -d ./src/utils/typeormDataSource.ts",
+        "typeorm:migration-revert": "pnpm typeorm migration:revert -d ./src/utils/typeormDataSource.ts",
         "watch": "tsc --watch",
         "version": "oclif readme && git add README.md",
         "cypress:open": "cypress open",
         "cypress:run": "cypress run",
         "e2e": "start-server-and-test dev http://localhost:3000 cypress:run",
         "cypress:ci": "START_SERVER_AND_TEST_INSECURE=1 start-server-and-test start https-get://localhost:3000 cypress:run",
-        "test": "jest"
+        "test": "jest --runInBand --detectOpenHandles --forceExit"
     },
     "keywords": [],
     "homepage": "https://flowiseai.com",
@@ -54,30 +55,32 @@
     },
     "license": "SEE LICENSE IN LICENSE.md",
     "dependencies": {
-        "@oclif/core": "^1.13.10",
-        "@types/lodash": "^4.14.202",
+        "@oclif/core": "4.0.7",
+        "@types/lodash": "^4.17.20",
         "@types/uuid": "^9.0.7",
         "async-mutex": "^0.4.0",
-        "axios": "^1.8.2",
+        "axios": "1.12.0",
         "content-disposition": "0.5.4",
         "cors": "^2.8.5",
         "crypto-js": "^4.1.1",
         "dotenv": "^16.0.0",
         "express": "^4.17.3",
         "express-basic-auth": "^1.2.1",
         "express-rate-limit": "^6.9.0",
-        "flowise-components": "^2.1.4",
+        "flowise-components": "^3.0.8",
         "flowise-ui": "workspace:^",
         "http-errors": "^2.0.0",
         "http-status-codes": "^2.3.0",
+        "@langchain/core": "^0.2.0",
+        "@langchain/langgraph": "^0.0.15",
         "langchainhub": "^0.0.11",
         "lodash": "^4.17.21",
         "moment": "^2.29.3",
         "moment-timezone": "^0.5.34",
         "multer": "^1.4.5-lts.1",
-        "mysql2": "^3.9.2",
+        "mysql2": "^3.11.3",
         "form-data": "^4.0.0",
-        "openai": "^4.57.3",
+        "openai": "^4.96.0",
         "pg": "^8.11.1",
         "posthog-node": "^3.5.0",
         "reflect-metadata": "^0.1.13",
@@ -93,13 +96,14 @@
     "devDependencies": {
         "@types/content-disposition": "0.5.8",
         "@types/cors": "^2.8.12",
+        "@types/express": "^4.17.17",
         "@types/crypto-js": "^4.1.1",
         "@types/multer": "^1.4.7",
         "@types/sanitize-html": "^2.9.5",
         "concurrently": "^7.1.0",
         "cypress": "^13.13.0",
         "nodemon": "^2.0.22",
-        "oclif": "^3",
+        "oclif": "^4.20.5",
         "rimraf": "^5.0.5",
         "run-script-os": "^1.1.6",
         "shx": "^0.3.3",

studio-frontend/packages/server/src/NodesPool.ts

@@ -108,7 +108,7 @@ export class NodesPool {
     private async getFiles(dir: string): Promise<string[]> {
         const dirents = await promises.readdir(dir, { withFileTypes: true })
         const files = await Promise.all(
-            dirents.map((dirent: Dirent) => {
+            dirents.map((dirent) => {
                 const res = path.resolve(dir, dirent.name)
                 return dirent.isDirectory() ? this.getFiles(res) : res
             })

studio-frontend/packages/server/src/commands/start.ts

@@ -1,4 +1,4 @@
-import { Command, Flags } from '@oclif/core'
+import { Command, Flags, Args } from '@oclif/core'
 import path from 'path'
 import * as Server from '../index'
 import * as DataSource from '../DataSource'
@@ -14,7 +14,7 @@ enum EXIT_CODE {
 let processExitCode = EXIT_CODE.SUCCESS
 
 export default class Start extends Command {
-    static args = []
+    static args = {}
     static flags = {
         FLOWISE_USERNAME: Flags.string(),
         FLOWISE_PASSWORD: Flags.string(),

studio-frontend/packages/server/src/controllers/get-upload-file/index.ts

@@ -5,6 +5,12 @@ import { streamStorageFile } from 'flowise-components'
 import { StatusCodes } from 'http-status-codes'
 import { InternalFlowiseError } from '../../errors/internalFlowiseError'
 
+interface AuthenticatedRequest extends Request {
+    user?: {
+        activeOrganizationId?: string
+    }
+}
+
 const streamUploadedFile = async (req: Request, res: Response, next: NextFunction) => {
     try {
         if (!req.query.chatflowId || !req.query.chatId || !req.query.fileName) {
@@ -13,8 +19,9 @@ const streamUploadedFile = async (req: Request, res: Response, next: NextFunctio
         const chatflowId = req.query.chatflowId as string
         const chatId = req.query.chatId as string
         const fileName = req.query.fileName as string
+        const orgId = (req as AuthenticatedRequest).user?.activeOrganizationId || ''
         res.setHeader('Content-Disposition', contentDisposition(fileName))
-        const fileStream = await streamStorageFile(chatflowId, chatId, fileName)
+        const fileStream = await streamStorageFile(chatflowId, chatId, fileName, orgId)
 
         if (!fileStream) throw new InternalFlowiseError(StatusCodes.INTERNAL_SERVER_ERROR, `Error: streamStorageFile`)