* Updated the executeJavaScriptCode function to automatically detect and install required libraries from import/require statements in the provided code.
* Update utils.ts
* lint-fix
* feat(security): enhance file path validation and implement non-root Docker user
- Validate resolved full file paths including workspace boundaries in SecureFileStore
- Resolve paths before validation in readFile and writeFile operations
- Run Docker container as non-root flowise user (uid/gid 1001)
- Apply proper file ownership and permissions for application files
Prevents path traversal attacks and follows container security best practices
* Add sensitive system directory validation and Flowise internal file protection
* Update Dockerfile to use default node user
* update validation patterns to include additional system binary directories (/usr/bin, /usr/sbin, /usr/local/bin)
* added isSafeBrowserExecutable function to validate browser executable paths for Playwright and Puppeteer loaders
---------
Co-authored-by: taraka-vishnumolakala <taraka.vishnumolakala@workday.com>
Co-authored-by: Henry Heng <henryheng@flowiseai.com>
Co-authored-by: Henry <hzj94@hotmail.com>
* implement parseWithTypeConversion - parse a value against a Zod schema with automatic type conversion for common type mismatches
* Enhance parseWithTypeConversion to include maxDepth parameter for recursion control, preventing infinite loops during parsing.
* add tools warning
* Enhance file handling tools with security features
- Introduced new input parameters: workspacePath, enforceWorkspaceBoundaries, maxFileSize, and allowedExtensions for better control over file operations.
- Added validation for file paths and sizes to prevent unsafe operations.
- Implemented workspace boundary checks to restrict file access based on user-defined settings.
* Add tts UI
* Add tts backend
* Add description to eleven labs credentials
* Fix issue with fetching eleven labs voices
* Fix issue with text to speech tab not showing correct saved voice
* Add option to autoplay tts audio after prediction completes
* Fix crash issue when first changing tts provider
* Set up streaming response for text to speech audio
* Update controllers - fix issue with sse client getting removed before tts events are sent
* Use existing sse streamer to stream tts audio before sse client is removed
* Add tts sse to redis publisher
* Fix issues with TTS - openai voices, streaming audio, rate limiting, speed of speech
* Refactor
* Refactor TTS - fix issues with tts loading and stop audio buttons
* Abort TTS SSE when clicking the stop button
* Update SSE handling for TTS
* Fix issue with test voice feature
* Fix issue with tts voices not loading
* Update generate tts endpoint and its usage in internal chat
* Whitelist tts generate endpoint
* Refactor Text-to-Speech Provider Selection and Enhance UI Components
- Updated the text-to-speech controller to select the active provider based on status instead of the first available provider
- Added audio waveform controls and test audio functionality in the TextToSpeech component, allowing users to play and pause test audio
- Integrated Autocomplete for voice selection in the TextToSpeech component
- Implemented TTS action management in ChatMessage to prevent auto-scrolling during TTS actions
* Implemented stopAllTTS function calls to halt existing TTS audio before playing new audio or starting a new TTS stream
* Updated the condition for enabling TTS providers to exclude the 'none' provider, ensuring only valid providers are considered for text-to-speech functionality.
* Remove unnecessary code
* Add ability to abort audio streaming in TTS and release lock on chat input
* Remove logger
* Fix tts audio not playing when clicking speaker button
* update
* TTS abort controller
* Fix abort not working for TTS autoplay
* Send metadata event when aborting autoplay TTS
* Fix UI issue
* Remove elevenlabs sdk from root package.json
* Remove redundant condition for tts autoplay in chatflow
---------
Co-authored-by: Henry <hzj94@hotmail.com>
* disable available dependencies by default, only allow when ALLOW_BUILTIN_DEP is set to true
* update contributing.md
* update pnpm lock
* Enhance security by adding secure wrappers for Axios and Node Fetch in utils.ts, and update dependency handling to include default external dependencies.
* Fix formatting in pnpm-lock.yaml
- Added `secureFetch` and `checkDenyList` functions from `httpSecurity` to enhance security in web crawling and link fetching processes.
- Updated relevant functions to utilize these new security measures, ensuring safer data handling.
* fix gsuite tool params
* custom assistant only check for mandatory fields for visible params
* azure chat openai fix for gpt5
* return raw from executeJavaScriptCode
* add json5 for parsing
* azure chatopenai use maxCompletionTokens
refactor: Update code execution sandbox implementation across components
- Replaced NodeVM usage with a new createCodeExecutionSandbox function for improved sandbox management.
- Enhanced JavaScript code execution with executeJavaScriptCode function, allowing for better handling of libraries and output streaming.
- Updated multiple components to utilize the new sandboxing approach, ensuring consistent execution environment.
- Added validation for UUIDs and URLs in various tools to enhance input safety.
- Refactored input handling in CustomFunction and IfElseFunction to streamline variable management.
* refactor: Implement SecureZodSchemaParser for safe Zod schema handling and add FilterParser for Supabase filters
* Replaced direct Zod schema evaluation with SecureZodSchemaParser in StructuredOutputParserAdvanced and CustomTool.
* Introduced FilterParser to safely handle Supabase filter strings, preventing arbitrary code execution.
* Added new filterParser.ts file to encapsulate filter parsing logic.
* Updated Supabase vector store to utilize the new FilterParser for RPC filters.
* Created secureZodParser.ts for secure parsing of Zod schemas.
* remove console log
Enhance file upload capabilities by adding support for additional file types (html, css, js, xml, md, excel, powerpoint) and updating related MIME type mappings. Improve user interface for file type selection in FileUpload component.
* Enhancement: Update issue templates and add new tools
- Updated bug report template to include a default label of 'bug'.
- Updated feature request template to include a default label of 'enhancement'.
- Added new credential class for Agentflow API.
- Enhanced Agent and HTTP nodes to improve tool management and error handling.
- Added deprecation badges to several agent and chain classes.
- Introduced new tools for handling requests (GET, POST, DELETE, PUT) with improved error handling.
- Added new chatflows and agentflows for various use cases, including document QnA and translation.
- Updated UI components for better handling of agent flows and marketplace interactions.
- Refactored utility functions for improved functionality and clarity.
* Refactor: Remove beta badge and streamline template title assignment
- Removed the 'BETA' badge from the ExtractMetadataRetriever class.
- Simplified the title assignment in the agentflowv2 generator by using a variable instead of inline string manipulation.
* Enhancement: Add recursive key normalization for metadata in Weaviate vector store
- Introduced `normalizeKeysRecursively` utility to standardize metadata keys.
- Updated Weaviate vector store to apply normalization on document metadata before processing.
* format(components/utils): format for ci
* Update utils.ts
---------
Co-authored-by: Henry Heng <henryheng@flowiseai.com>
* add teams, gmail, outlook tools
* update docs link
* update credentials for oauth2
* add jira tool
* add google drive, google calendar, google sheets tools, powerpoint, excel, word doc loader
* update jira logo
* Refactor Gmail and Outlook tools to remove maxOutputLength parameter and enhance request handling. Update response formatting to include parameters in the output. Adjust Google Drive tools to simplify success messages by removing unnecessary parameter details.
* support google cloud storage
* update example and docs for supporting google cloud storage
* recover the indent of pnpm-lock-yaml
* populate the logs to google logging
* normalize gcs storage paths
---------
Co-authored-by: Ilango <rajagopalilango@gmail.com>
Co-authored-by: Henry <hzj94@hotmail.com>