From 189c1047bcf1d6ef997d1af5e4386901926d94e2 Mon Sep 17 00:00:00 2001
From: Matsu
Date: Mon, 30 Mar 2026 18:24:42 +0300
Subject: [PATCH] ci: Prevent buffer overflow in other helper scripts (#27774)
---
 .github/scripts/bump-versions.mjs | 10 ++++++++--
 .github/scripts/ensure-provenance-fields.mjs | 8 +++++++-
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/.github/scripts/bump-versions.mjs b/.github/scripts/bump-versions.mjs
index 2306c1daa84..fbeabe31ff0 100644
--- a/.github/scripts/bump-versions.mjs
+++ b/.github/scripts/bump-versions.mjs
@@ -29,10 +29,16 @@ assert.match(releaseType, /^(patch|minor|major|experimental|premajor)$/, 'Invali
 // TODO: if releaseType is `auto` determine release type based on the changelog
 const lastTag = (await exec('git describe --tags --match "n8n@*" --abbrev=0')).stdout.trim();
-const packages = JSON.parse((await exec('pnpm ls -r --only-projects --json')).stdout);
+const packages = JSON.parse(
+ (
+ await exec(
+ `pnpm ls -r --only-projects --json | jq -r '[.[] | { name: .name, version: .version, path: .path, private: .private}]'`,
+ )
+ ).stdout,
+);
 const packageMap = {};
-for (let { name, path, version, private: isPrivate, dependencies } of packages) {
+for (let { name, path, version, private: isPrivate } of packages) {
 if (isPrivate && path !== rootDir) continue;
 if (path === rootDir) name = 'monorepo-root';
diff --git a/.github/scripts/ensure-provenance-fields.mjs b/.github/scripts/ensure-provenance-fields.mjs
index 2fad319a625..f6362a238a7 100644
--- a/.github/scripts/ensure-provenance-fields.mjs
+++ b/.github/scripts/ensure-provenance-fields.mjs
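Review bot: In `.github/scripts/bump-versions.mjs`, the new `pnpm ls … | jq …` command reports only jq's exit status, because `exec` runs the string through a shell and a pipeline's status is that of its last command. If `pnpm ls` fails without writing to stdout, jq most likely exits 0 on the empty input and the script then stops in `JSON.parse` with a syntax error that hides the real cause; the identical line added to `ensure-provenance-fields.mjs` behaves the same way. The pipe also makes both scripts depend on jq being installed on the runner, which nothing here checks. Assuming the overflow in the title is `exec`'s `maxBuffer` limit, keeping the original command and raising that limit avoids both problems: `await exec('pnpm ls -r --only-projects --json', { maxBuffer: 64 * 1024 * 1024 })` (the size is an example value).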
@@ -9,7 +9,13 @@ const exec = promisify(child_process.exec);
 const commonFiles = ['LICENSE.md', 'LICENSE_EE.md'];
 const baseDir = resolve(dirname(fileURLToPath(import.meta.url)), '../..');
-const packages = JSON.parse((await exec('pnpm ls -r --only-projects --json')).stdout);
+const packages = JSON.parse(
+ (
+ await exec(
+ `pnpm ls -r --only-projects --json | jq -r '[.[] | { name: .name, version: .version, path: .path, private: .private}]'`,
+ )
+ ).stdout,
+);
 for (let { name, path, version, private: isPrivate } of packages) {
 if (isPrivate) continue;
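Review bot: The jq projection in `ensure-provenance-fields.mjs` carries no comment explaining why it is there, and its field list has to stay in step with the destructuring in the `for` loop below it. A field added to the loop later would come back `undefined` without any error unless the filter is updated too, which matters in a script that prepares packages for provenance. A line such as `// Keep only the fields read below so stdout stays within exec's maxBuffer; update the jq filter when reading a new field` above the call would make that coupling visible. The `-r` flag has no effect here because the filter emits an array rather than a string, so it can be dropped. The loop body continues outside the hunk.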