
fix(bundles): stack-review fixes — symlink containment, idempotency, docs accuracy #13579

Draft
erichare wants to merge 10 commits into bundles/docs from bundles/review-fixes

@erichare erichare commented Jun 9, 2026

Collaborator

Bundle Separation Phase A — review fixes

Fixes accepted from the internal multi-agent review of the 10-PR stack, kept as a separate PR so the reviewed PRs' diffs stay frozen for QA's independent pass.

  • _bundles_root.py symlink containment (review: MEDIUM/security): a provider directory symlinked outside the bundle root is now skipped with a typed bundle-discovery-malformed warning, mirroring the seed-directory walk's is_within rule. + regression test.
  • consolidate_bundles.py idempotency guard (review: MEDIUM): migration appends dedupe on full entry content, so a partially-failed run can't duplicate rows on re-run.
  • langflow-base aws extra documented as deliberately retained (review suggested removing it for consistency with openai/anthropic/cohere — verification showed that would regress the server's own S3 storage backend, which also uses boto3).
  • Docs accuracy: lfx extension list shows manifest-shipping extensions only; manifest-less packages load at startup but aren't listed.

Sibling review fixes landed directly on their leaf branches: cross-bundle smoke extras-tolerance + schedule grid + concurrency (bundles/ci-matrix#13566), freeze-gate __init__.py requirement (bundles/freeze-gate#13567).

93 loader+migration tests pass (incl. the new symlink test); ruff clean. Base bundles/docs (PR 10) — the stack's final link.


Follow-up commits (post-review, user-requested)

  • release-1.11.0 base merged through the entire stack (all 11 branches): the component index now carries version 1.11.0 (regenerated at each index-bearing branch: 285 comps on bulk-move, 265 on graduate-partners and up), uv.lock regenerated at every lock-bearing branch (PR 3's anticipated merge conflict is resolved), and all 10 bundle lfx floors re-synced to >=1.11.0,<2.0.0 to match the base's pilot re-floor.
  • sync_bundle_lfx_pin.py bug fix (found during the re-floor): the whole-text first-match rewrite hit the lfx-pin example inside a comment that the port_bundle.py template places above the deps block — updating the comment and leaving the real dep stale. Now line-aware (skips comments); verified idempotent across all 10 bundles.
  • import_mod stabilized as a public BUNDLE_API utility: canonical home lfx.utils.lazy_import (BUNDLE_API.md surface + changelog entry); lfx.components._importing re-exports for back-compat; all 35 bundle-side imports rewritten; contract tests added.

Tip battery: index v1.11.0/265 comps sha-valid; 45 metapackage bundles + 5 partners disjoint, no errors; shims + both import paths verified; 561 extension/shim/lazy-import tests pass; lfx=langflow=1.11.0.
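The pin-rewrite bug described in the follow-up list above, as an added example that is not the project's `sync_bundle_lfx_pin.py`: a whole-text first-match rewrite updates the example pin in the comment and leaves the real dependency stale, while a line-aware rewrite that skips comment lines updates the real dependency and is idempotent. The regex, the function names and the pyproject fragment are assumptions constructed for illustration.

```python
import re

# Matches a quoted lfx requirement such as "lfx>=1.10.0,<2.0.0" but not
# other distributions whose names merely start with "lfx" (e.g. "lfx-amazon").
PIN_RE = re.compile(r'"lfx(?=[<>=!~ "])[^"]*"')

# Constructed pyproject fragment: an example pin in a comment sits above the
# real dependency, the layout the PR description attributes to the template.
SAMPLE = '''\
[project]
name = "example-bundle"
# Floor must track the base release, e.g. "lfx>=1.10.0,<2.0.0"
dependencies = [
    "lfx>=1.10.0,<2.0.0",
    "boto3",
]
'''


def rewrite_first_match(text: str, spec: str) -> str:
    """The 'before' behaviour: rewrite the first match anywhere in the text."""
    return PIN_RE.sub(lambda _m: f'"lfx{spec}"', text, count=1)


def rewrite_line_aware(text: str, spec: str) -> str:
    """Rewrite pins line by line, leaving full-line TOML comments untouched."""
    out = []
    for line in text.splitlines(keepends=True):
        if not line.lstrip().startswith("#"):
            line = PIN_RE.sub(lambda _m: f'"lfx{spec}"', line)
        out.append(line)
    return "".join(out)


def real_dep_lines(text: str) -> list[str]:
    """Non-comment lines that carry an lfx pin, stripped of indentation."""
    return [ln.strip() for ln in text.splitlines()
            if PIN_RE.search(ln) and not ln.lstrip().startswith("#")]


if __name__ == "__main__":
    spec = ">=1.11.0,<2.0.0"
    print(real_dep_lines(rewrite_first_match(SAMPLE, spec)))  # stale floor
    print(real_dep_lines(rewrite_line_aware(SAMPLE, spec)))   # updated floor
```

A check of this kind is worth keeping in CI: comparing the pins found on non-comment lines against the intended floor catches a stale dependency even when the rewrite tool reports success.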

…ccuracy

Fixes from the multi-agent stack review (kept as a separate PR so the
reviewed PRs' diffs stay frozen for QA's independent pass):

- _bundles_root.py: directory-level symlink containment — a provider dir
  that resolves outside the bundle root is skipped with a typed
  bundle-discovery-malformed warning, mirroring the seed-directory walk's
  is_within rule (+ regression test). Anchors the trust boundary to the
  installed package tree.
- consolidate_bundles.py: migration-append idempotency guard — entries are
  deduped on full content so a partially-failed earlier run cannot duplicate
  rows on re-run (table stays append-only).
- langflow-base pyproject: documented WHY the aws extra is deliberately
  retained after the lfx-amazon graduation (boto3 also backs the server's
  own S3 storage backend and lfx's S3 ingestion — review suggested removing
  it; that would regress S3 storage support).
- extensions-overview.mdx: note that `lfx extension list` shows
  manifest-shipping extensions only; manifest-less packages load at startup
  but are not listed.

93 loader+migration tests pass (incl. the new symlink test); ruff clean.

coderabbitai Bot commented Jun 9, 2026

Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@github-actions github-actions Bot added the bug Something isn't working label Jun 9, 2026
The lazy-import helper that bundle packages call from their
__getattr__-based __init__.py files lived at lfx.components._importing -- an
internal path with no stability contract, imported by 35 separately-installed
bundle __init__ files (30 lfx-bundles providers + the 5 graduated partners).

- canonical home is now lfx.utils.lazy_import.import_mod (code unchanged);
  lfx.components._importing re-exports it so in-tree callers and any external
  code on the old path keep working
- all 35 bundle-side imports rewritten to the stable path
- BUNDLE_API.md: surface table entry + changelog (additive)
- contract tests: re-export identity, both call forms, the AttributeError
  conversion

Verified: identity holds across both paths; lazy __init__ loads work through
the new path for both bundle families; 110 tests pass; ruff clean.

…13580)

build_message_history targeted the zep-python v1 SDK (ZepClient +
zep_python.langchain.ZepChatMessageHistory); both were removed in
zep-python 2.x and the zep extra pins 2.0.2, so the method has been
unable to run for as long as the pin has existed -- its ImportError
guard misleadingly told users to 'pip install zep-python' (already
installed). The component is legacy=True with helpers.Memory as its
designated replacement, so rather than hand-write a new integration
against the 2.x SDK, the method now raises a clear RuntimeError
pointing at the Message History component.

Flow identity is preserved: class/component name, display_name,
description, inputs and the memory output are byte-identical, so saved
flows keep loading, i18n locale keys are unchanged, and
migration_table.json needs no edits. New bundle tests pin the stub
contract (identity, actionable error, no zep_python import).
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jun 10, 2026
Risk-2 of the metapackage split: the generated `all` extra and the
per-provider extras must never drift by hand-edit, or `pip install
langflow` silently loses a provider's deps. Guard the four invariants:
extras <-> provider dirs (PEP 685-normalized), `all` == the exact
self-ref set, normalized keys collision-free, and the metapackage
provider set disjoint from the graduated partner distributions.
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jun 10, 2026
…tching the documented contract

The lfx.bundles provider containment check (stack-review symlink fix)
emitted bundle-discovery-malformed, whose template and hint describe a
broken entry-point declaration.  The changelog's path-safety entry
already documents symlink escapes as path-escape on every other
discovery path; use the same code here.  Also resolves the semantic
merge conflict with the per-mode code split (the removed
_malformed_error location kwarg).
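The provider-directory containment rule discussed in this thread, as an added sketch that is not the project's `_bundles_root.py`: each candidate directory is resolved through its symlinks and accepted only if the result still lies under the bundle root, otherwise it is skipped with a typed warning. The name `is_within` and the `path-escape` code come from the thread; the implementation, `discover_providers`, the warning tuple shape and the directory names are assumptions.

```python
import os
import tempfile
from pathlib import Path


def is_within(path: Path, root: Path) -> bool:
    """True when `path`, with symlinks resolved, is `root` or lies beneath it."""
    try:
        path.resolve().relative_to(root.resolve())
    except ValueError:
        return False
    return True


def discover_providers(bundle_root: Path):
    """Return (accepted provider names, warnings) for one bundle root.

    Hypothetical walker: warnings are (code, name) tuples.
    """
    accepted, warnings = [], []
    for entry in sorted(bundle_root.iterdir()):
        if not entry.is_dir():  # follows symlinks; dangling links are ignored
            continue
        if not is_within(entry, bundle_root):
            warnings.append(("path-escape", entry.name))
            continue
        accepted.append(entry.name)
    return accepted, warnings


def demo():
    """Constructed tree: a real provider, an in-root alias, an escaping link."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "site-packages" / "lfx_bundles"
        outside = base / "outside_tree" / "provider"
        (root / "openai").mkdir(parents=True)
        outside.mkdir(parents=True)
        # Symlink whose target is outside the installed package tree.
        os.symlink(outside, root / "escaped", target_is_directory=True)
        # Symlink that stays inside the root is still accepted.
        os.symlink(root / "openai", root / "alias", target_is_directory=True)
        return discover_providers(root)


if __name__ == "__main__":
    print(demo())
```

Resolving both sides before comparing matters: a purely lexical prefix check on the unresolved path would accept the escaping link, since its own path sits under the root.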
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jun 10, 2026

github-actions Bot commented Jun 10, 2026

Contributor

Build successful! ✅
Deploying docs draft.
Deploy successful! View draft
