Summary

Dependabot/Snyk report advisories on this repo, but none reach consumers of the published node. The package publishes only dist/ (files: ["dist"]) with zero runtime dependencies and n8n-workflow as a peer. Every finding is build/test/release tooling or a host-provided peer. This issue tracks the ones we cannot fix locally until upstream cuts releases.

Already addressed in #8abc2eb (our own direct devDeps): vitest 2.1.9 → 3.2.6 (critical) and release-it 19.x → 20.2.0 (undici). esbuild is now pinned via pnpm.overrides ("esbuild": ">=0.28.1"). The linked graph now resolves those to patched versions.

Refresh 2026-06-15. @n8n/node-cli is still 0.34.0 (= npm latest), so the upstream-blocked items below are unchanged. Current pnpm audit: 7 findings (5 high / 2 moderate) — all build/peer tooling, none shipped. Added the new form-data CRLF advisory; checked off esbuild (handled via override). Still no path to a clean local audit until upstream moves.

Blocked on upstream

@n8n/node-cli@0.34.0 (already the latest)
Bundles its own Vite-5 build toolchain + langchain. Forcing these via pnpm.overrides risks breaking n8n-node build/dev/lint/release, for zero shipped benefit.
- esbuild 0.21.5 → needs >=0.28.1 (via its vite 5.x) — resolved via pnpm.overrides ("esbuild": ">=0.28.1")
- vite 5.4.21 → needs >=6.4.2
- minimatch 9.0.3 → needs >=9.0.7 (×3 paths, ReDoS — via eslint-plugin-n8n-nodes-*)
- uuid 10.0.0 → needs >=11.1.1 (via @n8n/ai-node-sdk > … > @langchain/classic)
- form-data → needs >=4.0.6 (CRLF injection, CWE-93 — via @n8n/ai-node-sdk)
Action: re-run pnpm up @n8n/node-cli when a release > 0.34.0 lands, then pnpm audit.

n8n-workflow (peer — host-provided at runtime)
The n8n instance supplies its own copy at runtime; not ours to pin.
- lodash <=4.17.23 → advisory patched version >=4.18.0 is unreleased (newest stable is 4.17.x) — effectively unfixable today. Two advisories: Code Injection via _.template (high) + Prototype Pollution in _.unset/_.omit (moderate).
- uuid → needs >=11.1.1

Lockfile ghost entries
pnpm-lock.yaml retains old snapshots (vitest@2.1.9, release-it@19.2.4, undici@6.23.0) pulled internally by @n8n/node-cli. pnpm why attributes the linked graph to patched versions; these clear once @n8n/node-cli updates.

Why not just override?
- Overriding @n8n/node-cli's internal toolchain (vite/minimatch/form-data/uuid) risks the official build/test/release path.
- lodash >=4.18.0 has no published release to override to.
- Nothing here ships, so the risk/benefit favors waiting on upstream.

Done when
- @n8n/node-cli updated past 0.34.0 and pnpm audit re-run
- n8n-workflow peer advisories resolved upstream (or confirmed host-only, non-shipping)
- pnpm audit clean, or every remaining finding documented as non-shipping with no available fix
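An added triage script (not from this issue or the n8n project) that applies the same shipped / host-provided / tooling split to a pnpm audit --json report, so the "nothing here ships" claim can be checked mechanically on each refresh. It assumes the npm-v6-style report shape (advisories keyed by id, each with findings[].paths joined by ">"), and the package.json subset and advisory entries below are constructed to mirror the ones listed above, not real audit output.

```javascript
// Added example, not the project's own code. Assumes pnpm audit --json emits
// the npm-v6-style shape: { advisories: { id: { module_name, severity,
// findings: [{ version, paths: ["root>child>leaf"] }] } } }.

// Constructed package.json subset mirroring the issue: no runtime deps,
// n8n-workflow as a peer, the CLI toolchain as a devDependency.
const pkg = {
  dependencies: {},
  peerDependencies: { "n8n-workflow": "*" },
  devDependencies: { "@n8n/node-cli": "0.34.0" },
};

// Constructed audit entries; ids, versions and paths are illustrative only.
const auditReport = {
  advisories: {
    "1": { module_name: "minimatch", severity: "high", title: "ReDoS",
           findings: [{ version: "9.0.3", paths: ["@n8n/node-cli>eslint-plugin-n8n-nodes-*>minimatch"] }] },
    "2": { module_name: "form-data", severity: "high", title: "CRLF injection",
           findings: [{ version: "4.0.0", paths: ["@n8n/node-cli>@n8n/ai-node-sdk>form-data"] }] },
    "3": { module_name: "lodash", severity: "moderate", title: "Prototype pollution",
           findings: [{ version: "4.17.23", paths: ["n8n-workflow>lodash"] }] },
  },
};

// Classify one dependency path by its root: a runtime dep ships in the
// published package, a peer is host-provided, anything else is tooling.
function classifyPath(path, manifest) {
  const root = path.split(">")[0];
  if (root in (manifest.dependencies || {})) return "runtime";
  if (root in (manifest.peerDependencies || {})) return "peer";
  return "tooling";
}

// Group advisories by their worst path: one runtime path makes the whole
// advisory "runtime" even if other paths only go through dev tooling.
function triageAudit(report, manifest) {
  const rank = { tooling: 0, peer: 1, runtime: 2 };
  const out = { runtime: [], peer: [], tooling: [] };
  for (const [id, adv] of Object.entries(report.advisories)) {
    const paths = adv.findings.flatMap((f) => f.paths);
    const cls = paths
      .map((p) => classifyPath(p, manifest))
      .reduce((worst, c) => (rank[c] > rank[worst] ? c : worst), "tooling");
    out[cls].push({ id, module: adv.module_name, severity: adv.severity, paths });
  }
  return out;
}

const triaged = triageAudit(auditReport, pkg);
for (const [cls, items] of Object.entries(triaged)) {
  console.log(`${cls}: ${items.map((i) => `${i.module} (${i.severity})`).join(", ") || "none"}`);
}
// Fail a CI step only when an advisory actually reaches the published package.
if (triaged.runtime.length > 0) process.exitCode = 1;
```

Feed it real output with `pnpm audit --json > audit.json` and replace the constructed `auditReport` with `JSON.parse(fs.readFileSync("audit.json"))`; a non-empty `runtime` bucket is the only case that blocks a release.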