Track upstream dependency advisories (build/peer tooling only — nothing shipped) #2

Description

@noctisreus

Summary

Dependabot/Snyk report advisories on this repo, but none reach consumers of the published node. The package publishes only dist/ (files: ["dist"]) with zero runtime dependencies and n8n-workflow as a peer. Every finding is build/test/release tooling or a host-provided peer. This issue tracks the ones we cannot fix locally until upstream cuts releases.

Already addressed in #8abc2eb (our own direct devDeps): vitest 2.1.9 → 3.2.6 (critical) and release-it 19.x → 20.2.0 (undici). esbuild is now pinned via pnpm.overrides ("esbuild": ">=0.28.1"). The linked graph now resolves those to patched versions.

Refresh 2026-06-15. @n8n/node-cli is still 0.34.0 (= npm latest), so the upstream-blocked items below are unchanged. Current pnpm audit: 7 findings (5 high / 2 moderate) — all build/peer tooling, none shipped. Added the new form-data CRLF advisory; checked off esbuild (handled via override). Still no path to a clean local audit until upstream moves.

Blocked on upstream

@n8n/node-cli@0.34.0 (already the latest)

Bundles its own Vite-5 build toolchain + langchain. Forcing these via pnpm.overrides risks breaking n8n-node build/dev/lint/release, for zero shipped benefit.

  • esbuild 0.21.5 → needs >=0.28.1 (via its vite 5.x) — resolved via pnpm.overrides ("esbuild": ">=0.28.1")
  • vite 5.4.21 → needs >=6.4.2
  • minimatch 9.0.3 → needs >=9.0.7 (×3 paths, ReDoS — via eslint-plugin-n8n-nodes-*)
  • uuid 10.0.0 → needs >=11.1.1 (via @n8n/ai-node-sdk > … > @langchain/classic)
  • form-data → needs >=4.0.6 (CRLF injection, CWE-93 — via @n8n/ai-node-sdk)

Action: re-run pnpm up @n8n/node-cli when a release > 0.34.0 lands, then pnpm audit.

n8n-workflow (peer — host-provided at runtime)

The n8n instance supplies its own copy at runtime; not ours to pin.

  • lodash <=4.17.23 → advisory patched version >=4.18.0 is unreleased (newest stable is 4.17.x) — effectively unfixable today. Two advisories: Code Injection via _.template (high) + Prototype Pollution in _.unset/_.omit (moderate).
  • uuid → needs >=11.1.1

Lockfile ghost entries

pnpm-lock.yaml retains old snapshots (vitest@2.1.9, release-it@19.2.4, undici@6.23.0) pulled internally by @n8n/node-cli. pnpm why attributes the linked graph to patched versions; these clear once @n8n/node-cli updates.

Why not just override?

  • Overriding @n8n/node-cli's internal toolchain (vite/minimatch/form-data/uuid) risks the official build/test/release path.
  • lodash >=4.18.0 has no published release to override to.
  • Nothing here ships, so the risk/benefit favors waiting on upstream.

Done when

  • @n8n/node-cli updated past 0.34.0 and pnpm audit re-run
  • n8n-workflow peer advisories resolved upstream (or confirmed host-only, non-shipping)
  • pnpm audit clean, or every remaining finding documented as non-shipping with no available fix
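One way to mechanise the "documented as non-shipping" check in the last criterion: classify each audit finding by which manifest section its dependency path is rooted in. This is an added example, not code from the issue or the project; the package.json fragment and the audit report are constructed samples shaped like the legacy npm-audit JSON that pnpm audit --json emits, with illustrative versions and paths.

```python
import json

# Constructed manifest mirroring the layout described above:
# only dist/ is published, no runtime deps, n8n-workflow is a peer.
PACKAGE_JSON = {
    "files": ["dist"],
    "dependencies": {},
    "peerDependencies": {"n8n-workflow": "*"},
    "devDependencies": {"@n8n/node-cli": "0.34.0", "vitest": "3.2.6"},
}

# Constructed sample of `pnpm audit --json` output (advisories keyed by id,
# each with findings[].paths as ">"-joined chains starting at a direct dep).
AUDIT_JSON = json.dumps({"advisories": {
    "1": {"module_name": "esbuild", "severity": "moderate",
          "findings": [{"version": "0.21.5",
                        "paths": ["@n8n/node-cli>vite>esbuild"]}]},
    "2": {"module_name": "lodash", "severity": "high",
          "findings": [{"version": "4.17.21", "paths": ["n8n-workflow>lodash"]}]},
    "3": {"module_name": "uuid", "severity": "moderate",
          "findings": [{"version": "10.0.0", "paths": [
              "n8n-workflow>uuid",
              "@n8n/node-cli>@n8n/ai-node-sdk>@langchain/classic>uuid"]}]},
}})

# Lower rank = more exposure to consumers of the published package.
RANK = {"shipped": 0, "unknown": 1, "peer": 2, "tooling": 3}

def classify_path(path, pkg):
    """Bucket one dependency path by the manifest section of its root package."""
    root = path.split(">")[0]
    if root in pkg.get("dependencies", {}):
        return "shipped"       # reachable by anyone installing the package
    if root in pkg.get("peerDependencies", {}):
        return "peer"          # supplied by the host (n8n) at runtime
    if root in pkg.get("devDependencies", {}):
        return "tooling"       # build/test/release only, never installed downstream
    return "unknown"           # not in the manifest at all: investigate

def classify_audit(audit_json, pkg):
    """Return {module_name: bucket}; a module takes its most exposed bucket."""
    report = json.loads(audit_json)
    result = {}
    for adv in report.get("advisories", {}).values():
        buckets = [classify_path(p, pkg) for f in adv["findings"] for p in f["paths"]]
        result[adv["module_name"]] = min(buckets, key=RANK.__getitem__)
    return result

def nothing_shipped(audit_json, pkg):
    """True only if there are no runtime deps and no finding is rooted in one."""
    return not pkg.get("dependencies") and \
        "shipped" not in classify_audit(audit_json, pkg).values()
```

Running classify_audit over a real `pnpm audit --json` dump and the project's package.json gives the per-finding justification the closing criterion asks for, and nothing_shipped turns it into a single pass/fail.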
