fix: Bumping up package versions (#25750)

2026-05-12 16:10:30 +02:00 · 2026-02-14 08:21:22 +00:00 · 2026-02-14 08:21:22 +00:00 · 619a11b7a1
commit 619a11b7a1
parent 503676e0b9
9 changed files with 585 additions and 343 deletions
--- a/package.json
+++ b/package.json
@ -94,7 +94,7 @@
      "@mistralai/mistralai": "^1.10.0",
      "@n8n/typeorm>@sentry/node": "catalog:sentry",
      "@types/node": "^20.17.50",
-      "axios": "1.12.0",
+      "axios": "1.13.5",
      "chokidar": "4.0.3",
      "esbuild": "^0.25.0",
      "expr-eval@2.0.2": "npm:expr-eval-fork@3.0.0",
@ -126,13 +126,16 @@
      "glob@7": "7.2.3",
      "jws@3": "3.2.2",
      "jws@4": "4.0.1",
-      "qs@6": "6.14.1",
+      "qs@6": "6.14.2",
      "@smithy/config-resolver": ">=4.4.0",
      "@rudderstack/rudder-sdk-node@<=3.0.0": "3.0.0",
      "diff": "8.0.3",
      "undici@6": "^6.23.0",
      "undici@7": "^7.18.2",
-      "tar": "^7.5.4",
+      "tar": "^7.5.7",
+      "fast-xml-parser@5": "5.3.4",
+      "hono": "4.11.7",
+      "langsmith": ">=0.4.6",
      "lodash-es": "4.17.23"
    },
    "patchedDependencies": {
--- a/packages/@n8n/ai-workflow-builder.ee/package.json
+++ b/packages/@n8n/ai-workflow-builder.ee/package.json
@ -67,7 +67,7 @@
    "@n8n/workflow-sdk": "workspace:*",
    "@n8n_io/ai-assistant-sdk": "catalog:",
    "csv-parse": "5.5.0",
-    "langsmith": "^0.4.2",
+    "langsmith": "^0.4.6",
    "lodash": "catalog:",
    "n8n-workflow": "workspace:*",
    "picocolors": "catalog:",
--- a/packages/@n8n/nodes-langchain/package.json
+++ b/packages/@n8n/nodes-langchain/package.json
@ -233,7 +233,7 @@
    "@microsoft/agents-a365-tooling-extensions-langchain": "0.1.0-preview.64",
    "@microsoft/agents-activity": "1.1.0-alpha.85",
    "@microsoft/agents-hosting": "1.1.0-alpha.85",
-    "@modelcontextprotocol/sdk": "1.25.2",
+    "@modelcontextprotocol/sdk": "1.26.0",
    "@mozilla/readability": "0.6.0",
    "@n8n/ai-utilities": "workspace:*",
    "@n8n/client-oauth2": "workspace:*",
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@ -109,7 +109,7 @@
    "@n8n/decorators": "workspace:*",
    "@n8n/di": "workspace:*",
    "@n8n/errors": "workspace:*",
-    "@modelcontextprotocol/sdk": "1.25.2",
+    "@modelcontextprotocol/sdk": "1.26.0",
    "@n8n/n8n-nodes-langchain": "workspace:*",
    "@n8n/permissions": "workspace:*",
    "@n8n/syslog-client": "workspace:*",
--- a/packages/core/package.json
+++ b/packages/core/package.json
@ -74,7 +74,7 @@
    "picocolors": "catalog:",
    "pretty-bytes": "5.6.0",
    "proxy-from-env": "^1.1.0",
-    "qs": "6.14.1",
+    "qs": "6.14.2",
    "ssh2": "1.15.0",
    "uuid": "catalog:",
    "winston": "3.14.2",
--- a/packages/nodes-base/nodes/OpenWeatherMap/test/OpenWeatherMap.test.ts
+++ b/packages/nodes-base/nodes/OpenWeatherMap/test/OpenWeatherMap.test.ts
@ -9,7 +9,10 @@ describe('OpenWeatherMap', () => {
 			nock('https://api.openweathermap.org')
 				.get('/data/2.5/weather')
 				.query({ units: 'metric', q: 'berlin,de', lang: 'en' })
-				.reply(200, currentWeatherResponse);
+				.reply(200, currentWeatherResponse)
+				.get('/data/2.5/weather')
+				.query({ units: 'metric', q: 'invalid', lang: 'en' })
+				.reply(404, { cod: '404', message: 'city not found' });
 		});

 		new NodeTestHarness().setupTests();
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@ -26,7 +26,7 @@ catalog:
  '@lezer/lr': 1.4.5
  '@azure/identity': 4.13.0
  '@langchain/anthropic': 1.1.3
-  '@langchain/community': 1.0.5
+  '@langchain/community': 1.1.14
  '@langchain/core': 1.1.8
  '@langchain/openai': 1.1.3
  '@n8n/typeorm': 0.3.20-15
@ -40,7 +40,7 @@ catalog:
  '@types/uuid': ^10.0.0
  '@types/xml2js': ^0.4.14
  '@vitest/coverage-v8': 3.2.4
-  axios: 1.12.0
+  axios: 1.13.5
  basic-auth: 2.0.1
  callsites: 3.1.0
  chokidar: 4.0.3
@ -142,3 +142,4 @@ minimumReleaseAgeExclude:
  - node-forge
  - vm2
  - tar
+  - qs
--- a/vex.openvex.json
+++ b/vex.openvex.json
@ -3,7 +3,67 @@
 	"@context": "https://openvex.dev/ns/v0.2.0",
 	"@id": "https://github.com/n8n-io/n8n/vex",
 	"author": "n8n Security Team <security@n8n.io>",
-	"timestamp": "2026-01-15T00:00:00Z",
-	"version": 1,
-	"statements": []
+	"timestamp": "2026-02-13T00:00:00Z",
+	"version": 3,
+	"statements": [
+		{
+			"vulnerability": {
+				"@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-32460",
+				"name": "CVE-2025-32460",
+				"description": "Heap-based buffer over-read in ReadJXLImage in coders/jxl.c in GraphicsMagick before 8e56520"
+			},
+			"products": [
+				{
+					"@id": "pkg:docker/n8nio/n8n",
+					"subcomponents": [
+						{
+							"@id": "pkg:apk/alpine/graphicsmagick@1.3.45-r0"
+						}
+					]
+				}
+			],
+			"status": "not_affected",
+			"justification": "vulnerable_code_not_in_execute_path",
+			"impact_statement": "The JXL (JPEG XL) coder requires libjxl delegate to be compiled into GraphicsMagick. Alpine's graphicsmagick package (1.3.45-r0) does not include libjxl support. Verified via `gm convert -list format` which shows no JXL entry. The vulnerable ReadJXLImage code path is unreachable."
+		},
+		{
+			"vulnerability": {
+				"@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-27795",
+				"name": "CVE-2025-27795",
+				"description": "ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits"
+			},
+			"products": [
+				{
+					"@id": "pkg:docker/n8nio/n8n",
+					"subcomponents": [
+						{
+							"@id": "pkg:apk/alpine/graphicsmagick@1.3.45-r0"
+						}
+					]
+				}
+			],
+			"status": "not_affected",
+			"justification": "vulnerable_code_not_in_execute_path",
+			"impact_statement": "The JXL (JPEG XL) coder requires libjxl delegate to be compiled into GraphicsMagick. Alpine's graphicsmagick package (1.3.45-r0) does not include libjxl support. Verified via `gm convert -list format` which shows no JXL entry. The vulnerable ReadJXLImage code path is unreachable."
+		},
+		{
+			"vulnerability": {
+				"@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-27796",
+				"name": "CVE-2025-27796",
+				"description": "ReadWPGImage in WPG in GraphicsMagick before 1.3.46 mishandles palette buffer allocation"
+			},
+			"products": [
+				{
+					"@id": "pkg:docker/n8nio/n8n",
+					"subcomponents": [
+						{
+							"@id": "pkg:apk/alpine/graphicsmagick@1.3.45-r0"
+						}
+					]
+				}
+			],
+			"status": "affected",
+			"action_statement": "WPG (WordPerfect Graphics) coder is compiled into Alpine's graphicsmagick package. However, WPG is an obsolete format from the 1980s with no legitimate use case in n8n workflows. Exploitation requires a workflow author to deliberately fetch and process a crafted WPG file via the Edit Image node."
+		}
+	]
 }