Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency n8n to v1.74.1 #9609

Merged
merged 1 commit into from
Jan 15, 2025
Merged

chore(deps): update dependency n8n to v1.74.1 #9609

merged 1 commit into from
Jan 15, 2025

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
n8n (source) minor 1.73.1 -> 1.74.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

n8n-io/n8n (n8n)

v1.74.1

Compare Source

Bug Fixes

v1.74.0

Compare Source

Bug Fixes
  • core: Align concurrency and timeout defaults between instance and runner (#​12503) (9953477)
  • core: Allow index as top-level item key for Code node (#​12469) (1b91000)
  • core: Don't fail task runner task if logging fails (#​12401) (0860fbe)
  • core: Ensure tasks timeout even if they don't receive settings (#​12431) (b194026)
  • core: Fix execution cancellation issues in scaling mode (#​12343) (e26b406)
  • core: Fix manually running a pinned trigger with offloading enabled (#​12491) (be2dcff)
  • core: Fix task runner sending too many offers (#​12415) (4498e35)
  • core: Increase default concurrency and timeout in task runners (#​12496) (4182095)
  • core: Prevent __default__ jobs in scaling mode (#​12402) (072664b)
  • core: Register workflows as active only after all of the triggers and pollers setup successfully (#​12244) (f924f2a)
  • core: Return unredacted credentials from GET credentials/:id (#​12447) (ecabe34)
  • core: Use rate limiter for task runner endpoints (#​12486) (491cb60)
  • editor: Allow zooming when panning keycode is pressed on new canvas (#​12327) (983e87a)
  • editor: Consistent protected environment styling and messaging (#​12374) (6891cef)
  • editor: First project button tweaks border and copy (#​12376) (e234756)
  • editor: Fix Multi option parameter expression when the value is an array (#​12430) (452a7bf)
  • editor: Improve configurable nodes design on new canvas (#​12317) (0ecce10)
  • editor: Minor styling improvements in project settings page (#​12405) (09ddce0)
  • editor: Never show Pinned Data Callout for Input Panel (#​12446) (1d5c9bd)
  • editor: Nodes' icon color in dark mode (#​12279) (01b781a)
  • editor: Only ignore managed credentials in the HTTP node (#​12417) (6b46657)
  • editor: Remove primary highlight color from edge being executed on new canvas (#​12307) (50913de)
  • editor: Render empty string instead of [empty] (#​12448) (2c72047)
  • editor: Show all workflows in the error workflow dropdown in the workflow settings (#​12413) (ccda7f9)
  • editor: Unify disabled parameters background color (#​12306) (8c63599)
  • HTTP Request Node: Fix typo in hint (#​12439) (b6230b6)
  • OpenAI Node: Add quotes to default base URL (#​12312) (2e90eba)
  • OpenAI Node: Update node to account for URL in credentials (#​12356) (f78cceb)
  • Postgres Node: Account for JSON expressions (#​12012) (06b86af)
  • Postgres Node: Allow passing in arrays to JSON columns for insert (#​12452) (9dd0686)
  • Postgres Node: Re-use connection pool across executions (#​12346) (2ca37f5)
  • Run workflow if active and single webhook service has pin data (#​12425) (8053a4a)
  • Set correct default for added Resource Mapper boolean fields (#​12344) (b4c77f2)
  • Supabase Node: Allow for filtering on the same field multiple times (#​12429) (d7cc789)
  • Zep Vector Store Node: Cloud vector store integration (#​12353) (2433d6b)
Features

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

nicholasdille-bot
nicholasdille-bot approved these changes Jan 15, 2025
View reviewed changes
Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

@github-actions GitHub Actions
Copy link

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.74.1

📦 Image Reference ghcr.io/uniget-org/tools/n8n:1.74.1
digestsha256:d74bfad9c1c180ae7073d427b1e5863577cfe1561336eeea10d0d951dfd342ea
vulnerabilitiescritical: 0 high: 3 medium: 2 low: 1
platformlinux/amd64
size155 MB
packages1409
critical: 0 high: 1 medium: 0 low: 0 semver 5.3.0 (npm)

pkg:npm/[email protected]

high 7.5: CVE--2022--25883 Inefficient Regular Expression Complexity

Affected range<5.7.2
Fixed version5.7.2
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

critical: 0 high: 1 medium: 0 low: 0 pdfjs-dist 2.16.105 (npm)

pkg:npm/[email protected]

high : CVE--2024--4367

Affected range<=4.1.392
Fixed version4.2.67
Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

critical: 0 high: 1 medium: 0 low: 0 cross-spawn 4.0.2 (npm)

pkg:npm/[email protected]

high 7.5: CVE--2024--21538 Inefficient Regular Expression Complexity

Affected range<6.0.6
Fixed version7.0.5
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

critical: 0 high: 0 medium: 1 low: 0 path-to-regexp 0.1.10 (npm)

pkg:npm/[email protected]

medium : CVE--2024--52798 Inefficient Regular Expression Complexity

Affected range<0.1.12
Fixed version0.1.12
Description

Impact

The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp, originally reported in CVE-2024-45296

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.

References

critical: 0 high: 0 medium: 1 low: 0 identity 3.4.2 (npm)

pkg:npm/%40azure/[email protected]

medium 6.8: CVE--2024--35255 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected range<4.2.1
Fixed version4.2.1
CVSS Score6.8
CVSS VectorCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Description

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

critical: 0 high: 0 medium: 0 low: 1 cookie 0.4.2 (npm)

pkg:npm/[email protected]

low : CVE--2024--47764 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected range<0.7.0
Fixed version0.7.0
Description

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

@github-actions GitHub Actions
Copy link

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12792997132.

@github-actions GitHub Actions
Copy link

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12792997132.

@github-actions github-actions bot merged commit 8f636da into main Jan 15, 2025
10 of 11 checks passed
@github-actions github-actions bot deleted the renovate/n8n-1.x branch January 15, 2025 16:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasdille-bot nicholasdille-bot nicholasdille-bot approved these changes

Assignees
No one assigned
Labels
bump/minor type/renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@uniget-bot @nicholasdille-bot @renovate-bot