fix: Security patches (#22748)

2026-05-12 16:10:30 +02:00 · 2025-12-05 13:28:39 +00:00 · 2025-12-05 13:28:39 +00:00 · d22c173aec
commit d22c173aec
parent 8e68a67d38
7 changed files with 42 additions and 36 deletions
--- a/docker/images/n8n/Dockerfile
+++ b/docker/images/n8n/Dockerfile
@ -7,14 +7,7 @@ ARG N8N_VERSION=snapshot
 FROM n8nio/base:${NODE_VERSION} AS system-deps

 # ==============================================================================
-# STAGE 2: Application Artifact Processor
-# ==============================================================================
-FROM alpine:3.22.2 AS app-artifact-processor
-
-COPY ./compiled /app/
-
-# ==============================================================================
-# STAGE 3: Final Runtime Image
+# STAGE 2: Final Runtime Image
 # ==============================================================================
 FROM system-deps AS runtime

@ -27,9 +20,12 @@ ENV SHELL=/bin/sh

 WORKDIR /home/node

-COPY --from=app-artifact-processor /app /usr/local/lib/node_modules/n8n
+COPY ./compiled /usr/local/lib/node_modules/n8n
 COPY docker/images/n8n/docker-entrypoint.sh /

+# This version of npm has the fix for glob
+RUN npm install -g npm@11.6.4
+
 RUN cd /usr/local/lib/node_modules/n8n && \
 		npm rebuild sqlite3 && \
 		ln -s /usr/local/lib/node_modules/n8n/bin/n8n /usr/local/bin/n8n && \
--- a/docker/images/runners/Dockerfile
+++ b/docker/images/runners/Dockerfile
@ -123,9 +123,9 @@ COPY --from=node-alpine /usr/local/bin/node /usr/local/bin/node
 RUN apk add --no-cache ca-certificates tini libstdc++ libc6-compat

 # Bring corepack and pnpm over, to make the image easier to extend
-COPY --from=node-alpine /usr/local/lib/node_modules /usr/local/lib/node_modules
+COPY --from=node-alpine /usr/local/lib/node_modules/corepack /usr/local/lib/node_modules/corepack
 RUN ln -s ../lib/node_modules/corepack/dist/corepack.js /usr/local/bin/corepack && \
-    ln -s ../lib/node_modules/corepack/dist/pnpm.js /usr/local/bin/pnpm
+		ln -s ../lib/node_modules/corepack/dist/pnpm.js /usr/local/bin/pnpm

 RUN addgroup -g 1000 -S runner \
 && adduser  -u 1000 -S -G runner -h /home/runner -D runner
--- a/package.json
+++ b/package.json
@ -116,8 +116,8 @@
      "date-fns-tz": "2.0.0",
      "form-data": "4.0.4",
      "tmp": "0.2.4",
-      "nodemailer": "7.0.10",
-      "validator": "13.15.20",
+      "nodemailer": "7.0.11",
+      "validator": "13.15.22",
      "zod": "3.25.67",
      "js-yaml": "4.1.1",
      "node-forge": "1.3.2",
--- a/packages/cli/BREAKING-CHANGES.md
+++ b/packages/cli/BREAKING-CHANGES.md
@ -2,6 +2,16 @@

 This list shows all the versions which include breaking changes and how to upgrade.

+# 2.0.0
+
+### What changed?
+
+The `npm` command is no longer available in the `n8nio/runners` image. Only `pnpm` is available for package management.
+
+### When is action necessary?
+
+If you are extending the `n8nio/runners` image and using `npm` to install dependencies. Replace any `npm install` commands with `pnpm install` in your Dockerfile or scripts.
+
 # 1.122.0

 ### What changed?
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@ -183,7 +183,7 @@
    "syslog-client": "1.1.1",
    "undici": "^7.16.0",
    "uuid": "catalog:",
-    "validator": "13.15.20",
+    "validator": "13.15.22",
    "ws": "8.17.1",
    "xml2js": "catalog:",
    "xmllint-wasm": "3.0.1",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -220,8 +220,8 @@ overrides:
  date-fns-tz: 2.0.0
  form-data: 4.0.4
  tmp: 0.2.4
-  nodemailer: 7.0.10
-  validator: 13.15.20
+  nodemailer: 7.0.11
+  validator: 13.15.22
  zod: 3.25.67
  js-yaml: 4.1.1
  node-forge: 1.3.2
@ -1099,7 +1099,7 @@ importers:
        version: 1.0.1(@langchain/core@1.1.0(@opentelemetry/api@1.9.0)(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67)))(encoding@0.1.13)
      '@langchain/community':
        specifier: 'catalog:'
-        version: 1.0.5(e0c14078fc79d0957987f04ba80f836a)
+        version: 1.0.5(98d49f2e32edc045c97e45bba7d1d36c)
      '@langchain/core':
        specifier: 'catalog:'
        version: 1.1.0(@opentelemetry/api@1.9.0)(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))
@ -1668,8 +1668,8 @@ importers:
        specifier: 'catalog:'
        version: 3.3.8
      nodemailer:
-        specifier: 7.0.10
-        version: 7.0.10
+        specifier: 7.0.11
+        version: 7.0.11
      oauth-1.0a:
        specifier: 2.2.6
        version: 2.2.6
@ -1749,8 +1749,8 @@ importers:
        specifier: 'catalog:'
        version: 10.0.0
      validator:
-        specifier: 13.15.20
-        version: 13.15.20
+        specifier: 13.15.22
+        version: 13.15.22
      ws:
        specifier: '>=8.17.1'
        version: 8.17.1(bufferutil@4.0.9)(utf-8-validate@5.0.10)
@ -3052,8 +3052,8 @@ importers:
        specifier: 13.2.0
        version: 13.2.0
      nodemailer:
-        specifier: 7.0.10
-        version: 7.0.10
+        specifier: 7.0.11
+        version: 7.0.11
      oracledb:
        specifier: 6.9.0
        version: 6.9.0
@ -14650,8 +14650,8 @@ packages:
    resolution: {integrity: sha512-X75ZN8DCLftGM5iKwoYLA3rjnrAEs97MkzvSd4q2746Tgpg8b8XWiBGiBG4ZpgcAqBgtgPHTiAc8ZMCvZuikDw==}
    engines: {node: '>=10'}

-  nodemailer@7.0.10:
-    resolution: {integrity: sha512-Us/Se1WtT0ylXgNFfyFSx4LElllVLJXQjWi2Xz17xWw7amDKO2MLtFnVp1WACy7GkVGs+oBlRopVNUzlrGSw1w==}
+  nodemailer@7.0.11:
+    resolution: {integrity: sha512-gnXhNRE0FNhD7wPSCGhdNh46Hs6nm+uTyg+Kq0cZukNQiYdnCsoQjodNP9BQVG9XrcK/v6/MgpAPBUFyzh9pvw==}
    engines: {node: '>=6.0.0'}

  nodemon@3.0.1:
@ -17708,8 +17708,8 @@ packages:
  validate-npm-package-license@3.0.4:
    resolution: {integrity: sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==}

-  validator@13.15.20:
-    resolution: {integrity: sha512-KxPOq3V2LmfQPP4eqf3Mq/zrT0Dqp2Vmx2Bn285LwVahLc+CsxOM0crBHczm8ijlcjZ0Q5Xd6LW3z3odTPnlrw==}
+  validator@13.15.22:
+    resolution: {integrity: sha512-uT/YQjiyLJP7HSrv/dPZqK9L28xf8hsNca01HSz1dfmI0DgMfjopp1rO/z13NeGF1tVystF0Ejx3y4rUKPw+bQ==}
    engines: {node: '>= 0.10'}

  vary@1.1.2:
@ -21076,13 +21076,13 @@ snapshots:
    transitivePeerDependencies:
      - encoding

-  '@browserbasehq/stagehand@1.9.0(@playwright/test@1.56.0)(bufferutil@4.0.9)(deepmerge@4.3.1)(dotenv@16.6.1)(encoding@0.1.13)(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))(utf-8-validate@5.0.10)(zod@3.25.67)':
+  '@browserbasehq/stagehand@1.9.0(@playwright/test@1.56.0)(bufferutil@4.0.9)(deepmerge@4.3.1)(dotenv@17.2.3)(encoding@0.1.13)(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))(utf-8-validate@5.0.10)(zod@3.25.67)':
    dependencies:
      '@anthropic-ai/sdk': 0.27.3(encoding@0.1.13)
      '@browserbasehq/sdk': 2.6.0(encoding@0.1.13)
      '@playwright/test': 1.56.0
      deepmerge: 4.3.1
-      dotenv: 16.6.1
+      dotenv: 17.2.3
      openai: 6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67)
      sharp: 0.33.5
      ws: 8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10)
@ -22303,9 +22303,9 @@ snapshots:
      - aws-crt
      - encoding

-  '@langchain/community@1.0.5(e0c14078fc79d0957987f04ba80f836a)':
+  '@langchain/community@1.0.5(98d49f2e32edc045c97e45bba7d1d36c)':
    dependencies:
-      '@browserbasehq/stagehand': 1.9.0(@playwright/test@1.56.0)(bufferutil@4.0.9)(deepmerge@4.3.1)(dotenv@16.6.1)(encoding@0.1.13)(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))(utf-8-validate@5.0.10)(zod@3.25.67)
+      '@browserbasehq/stagehand': 1.9.0(@playwright/test@1.56.0)(bufferutil@4.0.9)(deepmerge@4.3.1)(dotenv@17.2.3)(encoding@0.1.13)(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))(utf-8-validate@5.0.10)(zod@3.25.67)
      '@ibm-cloud/watsonx-ai': 1.1.2
      '@langchain/classic': 1.0.5(@langchain/core@1.1.0(@opentelemetry/api@1.9.0)(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67)))(@opentelemetry/api@1.9.0)(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(cheerio@1.0.0)(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))
      '@langchain/core': 1.1.0(@opentelemetry/api@1.9.0)(@opentelemetry/sdk-trace-base@1.30.1(@opentelemetry/api@1.9.0))(openai@6.9.1(ws@8.18.3(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.25.67))
@ -27377,7 +27377,7 @@ snapshots:
    dependencies:
      '@types/validator': 13.7.10
      libphonenumber-js: 1.10.14
-      validator: 13.15.20
+      validator: 13.15.22

  classnames@2.5.1: {}

@ -32064,7 +32064,7 @@ snapshots:
      libmime: 5.2.1
      linkify-it: 5.0.0
      mailsplit: 5.4.0
-      nodemailer: 7.0.10
+      nodemailer: 7.0.11
      tlds: 1.248.0

  mailsplit@5.4.0:
@ -33025,7 +33025,7 @@ snapshots:
      util: 0.12.5
      vm-browserify: 1.1.2

-  nodemailer@7.0.10: {}
+  nodemailer@7.0.11: {}

  nodemon@3.0.1:
    dependencies:
@ -36712,7 +36712,7 @@ snapshots:
      spdx-correct: 3.2.0
      spdx-expression-parse: 3.0.1

-  validator@13.15.20: {}
+  validator@13.15.22: {}

  vary@1.1.2: {}

--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@ -41,7 +41,7 @@ catalog:
  mime-types: 3.0.1
  mysql2: 3.15.0
  nanoid: 3.3.8
-  nodemailer: 7.0.10
+  nodemailer: 7.0.11
  picocolors: 1.0.1
  reflect-metadata: 0.2.2
  rimraf: 6.0.1