fix: Dependency bump backport (#25788)

2026-05-12 16:10:30 +02:00 · 2026-02-16 08:05:45 +00:00 · 2026-02-16 08:05:45 +00:00 · d1061826e9
commit d1061826e9
parent 300f429d9d
14 changed files with 584 additions and 415 deletions
--- a/.github/workflows/docker-build-push.yml
+++ b/.github/workflows/docker-build-push.yml
@ -7,7 +7,7 @@ name: 'Docker: Build and Push'

 env:
  NODE_OPTIONS: '--max-old-space-size=7168'
-  NODE_VERSION: '22.21.0'
+  NODE_VERSION: '24.13.1'

 on:
  schedule:
--- a/docker/images/n8n-base/Dockerfile
+++ b/docker/images/n8n-base/Dockerfile
@ -1,9 +1,6 @@
-ARG NODE_VERSION=22.21.0
+ARG NODE_VERSION=24.13.1

-# ==============================================================================
-# STAGE 1: Builder for Base Dependencies
-# ==============================================================================
-FROM node:${NODE_VERSION}-alpine AS builder
+FROM node:${NODE_VERSION}-alpine

 # Install fonts
 RUN \
@ -23,7 +20,7 @@ RUN echo "https://dl-cdn.alpinelinux.org/alpine/v3.22/main" >> /etc/apk/reposito
        git \
        openssh \
        openssl \
-        graphicsmagick \
+        graphicsmagick=1.3.45-r0 `# pinned to avoid ghostscript-fonts (AGPL)` \
        tini \
        tzdata \
        ca-certificates \
@ -36,13 +33,6 @@ RUN npm install -g full-icu@1.5.0
 RUN rm -rf /tmp/* /root/.npm /root/.cache/node /opt/yarn* && \
  apk del apk-tools

-# ==============================================================================
-# STAGE 2: Final Base Runtime Image
-# ==============================================================================
-FROM node:${NODE_VERSION}-alpine
-
-COPY --from=builder / /
-
 WORKDIR /home/node
 ENV NODE_ICU_DATA=/usr/local/lib/node_modules/full-icu
 EXPOSE 5678/tcp
--- a/docker/images/n8n/Dockerfile
+++ b/docker/images/n8n/Dockerfile
@ -1,6 +1,6 @@
-ARG NODE_VERSION=22.21.0
+ARG NODE_VERSION=24.13.1
 ARG N8N_VERSION=snapshot
-ARG LAUNCHER_VERSION=1.4.2
+ARG LAUNCHER_VERSION=1.4.3
 ARG TARGETPLATFORM

 # ==============================================================================
--- a/docker/images/runners/Dockerfile
+++ b/docker/images/runners/Dockerfile
@ -1,4 +1,4 @@
-ARG NODE_VERSION=22.21.0
+ARG NODE_VERSION=24.13.1
 ARG PYTHON_VERSION=3.13

 # ==============================================================================
@ -80,9 +80,9 @@ RUN uv pip install . && rm -rf /app/task-runner-python/src
 # ==============================================================================
 # STAGE 3: Task Runner Launcher download
 # ==============================================================================
-FROM alpine:3.22.1 AS launcher-downloader
+FROM alpine:3.22 AS launcher-downloader
 ARG TARGETPLATFORM
-ARG LAUNCHER_VERSION=1.4.2
+ARG LAUNCHER_VERSION=1.4.3

 RUN set -e; \
    case "$TARGETPLATFORM" in \
--- a/docker/images/runners/Dockerfile.distroless
+++ b/docker/images/runners/Dockerfile.distroless
@ -12,7 +12,7 @@
 # - Uses distroless nonroot user (UID 65532)
 # ==============================================================================

-ARG NODE_VERSION=22.21.0
+ARG NODE_VERSION=24.13.1
 ARG PYTHON_VERSION=3.13


@ -99,7 +99,7 @@ RUN uv pip install . && rm -rf /app/task-runner-python/src
 # ==============================================================================
 FROM debian:bookworm-slim AS launcher-downloader
 ARG TARGETPLATFORM
-ARG LAUNCHER_VERSION=1.4.2
+ARG LAUNCHER_VERSION=1.4.3

 RUN set -e; \
    apt-get update && apt-get install -y --no-install-recommends wget ca-certificates && \
--- a/package.json
+++ b/package.json
@ -94,7 +94,7 @@
      "@mistralai/mistralai": "^1.10.0",
      "@n8n/typeorm>@sentry/node": "catalog:",
      "@types/node": "^20.17.50",
-      "axios": "1.12.0",
+      "axios": "1.13.5",
      "chokidar": "4.0.3",
      "esbuild": "^0.25.0",
      "expr-eval@2.0.2": "npm:expr-eval-fork@3.0.0",
@ -127,14 +127,18 @@
      "undici@7": "7.18.2",
      "node-forge": "1.3.2",
      "body-parser": "2.2.1",
+      "@isaacs/brace-expansion@5": "5.0.1",
+      "fast-xml-parser@5": "5.3.4",
+      "diff@5": "5.2.2",
      "glob@10": "10.5.0",
      "glob@7": "7.2.3",
      "jws@3": "3.2.3",
      "jws@4": "4.0.1",
-      "qs@6": "6.14.1",
-      "@modelcontextprotocol/sdk": "1.25.2",
+      "qs@6": "6.14.2",
+      "@modelcontextprotocol/sdk": "1.26.0",
      "langchain": "1.2.3",
-      "@rudderstack/rudder-sdk-node@<=3.0.0": "3.0.0"
+      "@rudderstack/rudder-sdk-node@<=3.0.0": "3.0.0",
+      "@smithy/config-resolver": ">=4.4.0"
    },
    "patchedDependencies": {
      "bull@4.16.4": "patches/bull@4.16.4.patch",
--- a/packages/@n8n/ai-workflow-builder.ee/package.json
+++ b/packages/@n8n/ai-workflow-builder.ee/package.json
@ -58,7 +58,7 @@
    "@n8n/utils": "workspace:*",
    "@n8n_io/ai-assistant-sdk": "catalog:",
    "csv-parse": "5.5.0",
-    "langsmith": "^0.3.45",
+    "langsmith": "^0.4.6",
    "lodash": "catalog:",
    "n8n-workflow": "workspace:*",
    "picocolors": "catalog:",
--- a/packages/@n8n/benchmark/Dockerfile
+++ b/packages/@n8n/benchmark/Dockerfile
@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM node:22.21.0 AS base
+FROM node:24.13.1 AS base

 # Install required dependencies
 RUN apt-get update && apt-get install -y gnupg2 curl
--- a/packages/@n8n/nodes-langchain/package.json
+++ b/packages/@n8n/nodes-langchain/package.json
@ -203,7 +203,7 @@
    "@langchain/redis": "1.0.1",
    "@langchain/textsplitters": "1.0.1",
    "@langchain/weaviate": "1.0.1",
-    "@modelcontextprotocol/sdk": "1.20.0",
+    "@modelcontextprotocol/sdk": "^1.26.0",
    "@mozilla/readability": "0.6.0",
    "@n8n/client-oauth2": "workspace:*",
    "@n8n/config": "workspace:*",
--- a/packages/core/package.json
+++ b/packages/core/package.json
@ -71,7 +71,7 @@
    "picocolors": "catalog:",
    "pretty-bytes": "5.6.0",
    "proxy-from-env": "^1.1.0",
-    "qs": "6.11.0",
+    "qs": "6.14.2",
    "ssh2": "1.15.0",
    "uuid": "catalog:",
    "winston": "3.14.2",
--- a/packages/nodes-base/nodes/OpenWeatherMap/test/OpenWeatherMap.test.ts
+++ b/packages/nodes-base/nodes/OpenWeatherMap/test/OpenWeatherMap.test.ts
@ -9,7 +9,10 @@ describe('OpenWeatherMap', () => {
 			nock('https://api.openweathermap.org')
 				.get('/data/2.5/weather')
 				.query({ units: 'metric', q: 'berlin,de', lang: 'en' })
-				.reply(200, currentWeatherResponse);
+				.reply(200, currentWeatherResponse)
+				.get('/data/2.5/weather')
+				.query({ units: 'metric', q: 'invalid', lang: 'en' })
+				.reply(404, { cod: '404', message: 'city not found' });
 		});

 		new NodeTestHarness().setupTests();
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@ -7,7 +7,7 @@ packages:

 catalog:
  '@langchain/anthropic': 1.1.3
-  '@langchain/community': 1.0.5
+  '@langchain/community': 1.1.14
  '@langchain/core': 1.1.8
  '@langchain/openai': 1.1.3
  '@n8n/typeorm': 0.3.20-15
@ -21,7 +21,7 @@ catalog:
  '@types/uuid': ^10.0.0
  '@types/xml2js': ^0.4.14
  '@vitest/coverage-v8': 3.2.4
-  axios: 1.12.0
+  axios: 1.13.5
  basic-auth: 2.0.1
  callsites: 3.1.0
  chokidar: 4.0.3
--- a/vex.openvex.json
+++ b/vex.openvex.json
@ -1,7 +1,69 @@
 {
-  "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "https://github.com/n8n-io/n8n/vex/1.x",
-  "author": "n8n Security",
-  "timestamp": "2026-01-23T00:00:00Z",
-  "statements": []
+	"_comment": "VEX - CVE false positive triage. To add entries, see Quality Corner or .github/WORKFLOWS.md#vex",
+	"@context": "https://openvex.dev/ns/v0.2.0",
+	"@id": "https://github.com/n8n-io/n8n/vex/1.x",
+	"author": "n8n Security Team <security@n8n.io>",
+	"timestamp": "2026-02-15T00:00:00Z",
+	"version": 1,
+	"statements": [
+		{
+			"vulnerability": {
+				"@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-32460",
+				"name": "CVE-2025-32460",
+				"description": "Heap-based buffer over-read in ReadJXLImage in coders/jxl.c in GraphicsMagick before 8e56520"
+			},
+			"products": [
+				{
+					"@id": "pkg:docker/n8nio/n8n",
+					"subcomponents": [
+						{
+							"@id": "pkg:apk/alpine/graphicsmagick@1.3.45-r0"
+						}
+					]
+				}
+			],
+			"status": "not_affected",
+			"justification": "vulnerable_code_not_in_execute_path",
+			"impact_statement": "The JXL (JPEG XL) coder requires libjxl delegate to be compiled into GraphicsMagick. Alpine's graphicsmagick package (1.3.45-r0) does not include libjxl support. Verified via `gm convert -list format` which shows no JXL entry. The vulnerable ReadJXLImage code path is unreachable."
+		},
+		{
+			"vulnerability": {
+				"@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-27795",
+				"name": "CVE-2025-27795",
+				"description": "ReadJXLImage in JXL in GraphicsMagick before 1.3.46 lacks image dimension resource limits"
+			},
+			"products": [
+				{
+					"@id": "pkg:docker/n8nio/n8n",
+					"subcomponents": [
+						{
+							"@id": "pkg:apk/alpine/graphicsmagick@1.3.45-r0"
+						}
+					]
+				}
+			],
+			"status": "not_affected",
+			"justification": "vulnerable_code_not_in_execute_path",
+			"impact_statement": "The JXL (JPEG XL) coder requires libjxl delegate to be compiled into GraphicsMagick. Alpine's graphicsmagick package (1.3.45-r0) does not include libjxl support. Verified via `gm convert -list format` which shows no JXL entry. The vulnerable ReadJXLImage code path is unreachable."
+		},
+		{
+			"vulnerability": {
+				"@id": "https://nvd.nist.gov/vuln/detail/CVE-2025-27796",
+				"name": "CVE-2025-27796",
+				"description": "ReadWPGImage in WPG in GraphicsMagick before 1.3.46 mishandles palette buffer allocation"
+			},
+			"products": [
+				{
+					"@id": "pkg:docker/n8nio/n8n",
+					"subcomponents": [
+						{
+							"@id": "pkg:apk/alpine/graphicsmagick@1.3.45-r0"
+						}
+					]
+				}
+			],
+			"status": "affected",
+			"action_statement": "WPG (WordPerfect Graphics) coder is compiled into Alpine's graphicsmagick package. However, WPG is an obsolete format from the 1980s with no legitimate use case in n8n workflows. Exploitation requires a workflow author to deliberately fetch and process a crafted WPG file via the Edit Image node."
+		}
+	]
 }