mirror of https://github.com/n8n-io/n8n.git synced 2026-05-13 00:20:27 +02:00

History

Danny Martini c2ecb4d04b fix(core): Preserve nested arrays in VM expression engine output (#30246 ) Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-05-12 15:25:59 +00:00
..
docs	feat(core): Add ExpressionEvaluator and integration tests (no-changelog) (#26230 )	2026-03-02 22:47:56 +00:00
src	fix(core): Preserve nested arrays in VM expression engine output (#30246 )	2026-05-12 15:25:59 +00:00
ARCHITECTURE.md	feat(core): Add runtime bundle and extension utilities (#26077 )	2026-02-24 17:18:25 +00:00
esbuild.config.js	feat(core): Add runtime bundle and extension utilities (#26077 )	2026-02-24 17:18:25 +00:00
package.json	🚀 Release 2.21.0 (#30283 )	2026-05-12 07:29:34 +00:00
README.md	feat(core): Add ExpressionEvaluator and integration tests (no-changelog) (#26230 )	2026-03-02 22:47:56 +00:00
tsconfig.build.cjs.json	feat(core): Wire expression-runtime behind N8N_EXPRESSION_ENGINE=vm flag (no-changelog) (#26528 )	2026-03-06 13:55:04 +00:00
tsconfig.build.esm.json	feat(core): Wire expression-runtime behind N8N_EXPRESSION_ENGINE=vm flag (no-changelog) (#26528 )	2026-03-06 13:55:04 +00:00
tsconfig.json	feat(core): Add package scaffold with public API types and architecture docs (#26047 )	2026-02-20 16:13:44 +00:00
vitest.config.ts	ci: Improve coverage reports (#27756 )	2026-03-31 05:42:44 +00:00

README.md

@n8n/expression-runtime

Secure, isolated expression evaluation runtime for n8n workflows.

Status

In progress — landing as a series of incremental PRs.

Implemented so far:

✅ TypeScript interfaces and architecture design (PR 1)
✅ Core architecture documentation (PR 1)
✅ Runtime bundle: extension functions, deep lazy proxy system (PR 2)
✅ IsolatedVmBridge: V8 isolate management via isolated-vm (PR 3)
✅ ExpressionEvaluator: tournament integration, expression code caching (PR 4)
✅ Integration tests (PR 4)

Coming in later PRs:

🚧 Workflow integration behind N8N_EXPRESSION_ENGINE=vm flag (PR 5)
🚧 Web Worker support (Phase 2+)
🚧 Performance optimizations (Phase 3)

Overview

This package provides a secure runtime for evaluating expressions in isolated contexts.

Currently supports:

Node.js Backend: Uses isolated-vm for V8 isolate-based isolation with lazy data loading

Future support (Phase 2+):

Browser Frontend: Will use Web Workers for browser-based isolation
Task Runners: Will use IPC for separate process isolation

Features

🔒 Secure: Expressions run in isolated V8 contexts with memory limits (128MB) and timeouts (5s)
🚀 Performant: Lazy data loading via proxies, script compilation caching, and expression code caching
📊 Observable: Built-in metrics, traces, and logs support (interfaces defined; providers coming later)
🌐 Universal: Works in Node.js backend (browsers and task runners in Phase 2+)
🛡️ AST Security: Tournament AST hooks (ThisSanitizer, PrototypeSanitizer, DollarSignValidator) validate expressions before execution

Architecture

The runtime uses a three-layer architecture:

Runtime (Layer 1): Runs inside isolated context, provides expression execution environment
Bridge (Layer 2): Manages communication between host and isolated context
Evaluator (Layer 3): Public API with Tournament integration and observability

See ARCHITECTURE.md for detailed design documentation.

Installation

pnpm add @n8n/expression-runtime

Usage

Basic Example

import { ExpressionEvaluator, IsolatedVmBridge } from '@n8n/expression-runtime';

// Create bridge
const bridge = new IsolatedVmBridge({
  memoryLimit: 128,
  timeout: 5000,
});

// Create evaluator
const evaluator = new ExpressionEvaluator({
  bridge,
});

// Initialize
await evaluator.initialize();

// Evaluate expression using {{ }} template syntax
const result = evaluator.evaluate(
  '{{ $json.user.email }}',
  {
    $json: {
      user: { email: 'test@example.com' }
    }
  }
);

console.log(result); // "test@example.com"

// Clean up
await evaluator.dispose();

With Security Hooks (Production)

Pass AST security hooks from expression-sandboxing.ts to enable full security validation. This is the pattern used by the workflow package:

import { ExpressionEvaluator, IsolatedVmBridge } from '@n8n/expression-runtime';
import {
  ThisSanitizer,
  PrototypeSanitizer,
  DollarSignValidator,
} from 'n8n-workflow/expression-sandboxing';

const bridge = new IsolatedVmBridge({ timeout: 5000 });
const evaluator = new ExpressionEvaluator({
  bridge,
  hooks: {
    before: [ThisSanitizer],
    after: [PrototypeSanitizer, DollarSignValidator],
  },
});

await evaluator.initialize();

When hooks is omitted the evaluator still runs tournament transformation (template parsing, this binding) but without AST security validation — suitable for development and testing.

With Observability (Not Yet Implemented)

import { OpenTelemetryProvider } from '@n8n/expression-runtime/observability';

const observability = new OpenTelemetryProvider({
  serviceName: 'n8n-expressions',
});

const evaluator = new ExpressionEvaluator({
  bridge,
  observability,
});

Note: Observability providers are not yet implemented. The ObservabilityProvider interface exists but no implementations are available yet.

API

ExpressionEvaluator

Main class for expression evaluation.

class ExpressionEvaluator {
  constructor(config: EvaluatorConfig);
  initialize(): Promise<void>;
  evaluate(expression: string, data: WorkflowData, options?: EvaluateOptions): unknown;
  dispose(): Promise<void>;
  isDisposed(): boolean;
}

RuntimeBridge

Abstract interface for bridge implementations.

interface RuntimeBridge {
  initialize(): Promise<void>;
  execute(code: string, data: Record<string, unknown>): unknown;
  dispose(): Promise<void>;
  isDisposed(): boolean;
}

Bridge Implementations

IsolatedVmBridge: ✅ For Node.js backend (isolated-vm with V8 isolates)
- Memory isolation with hard 128MB limit
- Timeout enforcement (5s default)
- Deep lazy proxy system for workflow data
- Synchronous callbacks via ivm.Reference
- Security wrappers (SafeObject, SafeError)
- E() error handler for tournament-generated try-catch code
WebWorkerBridge: 🚧 For browser frontend (Web Workers) - Phase 2+
Task Runner Integration: 🚧 TBD - May use IsolatedVmBridge locally or direct evaluation - Phase 2+

Configuration

interface EvaluatorConfig {
  bridge: RuntimeBridge;                   // required
  observability?: ObservabilityProvider;   // optional - interfaces defined, providers not yet implemented
  hooks?: TournamentHooks;                 // optional - AST security hooks for tournament
}

interface BridgeConfig {
  memoryLimit?: number;        // Default: 128 MB
  timeout?: number;            // Default: 5000 ms
  debug?: boolean;             // Default: false
}

Environment Variables (Not Yet Implemented)

# Bridge configuration (not yet implemented)
N8N_EXPRESSION_MEMORY_LIMIT_MB=128
N8N_EXPRESSION_TIMEOUT_MS=5000
N8N_EXPRESSION_DEBUG=false

# Code cache (not yet implemented - caches transformed code, not results)
N8N_EXPRESSION_CODE_CACHE_ENABLED=true
N8N_EXPRESSION_CODE_CACHE_MAX_SIZE=1000

# Observability (not yet implemented)
N8N_EXPRESSION_OBSERVABILITY_ENABLED=true
N8N_EXPRESSION_METRICS_ENABLED=true
N8N_EXPRESSION_TRACES_ENABLED=true
N8N_EXPRESSION_TRACE_SAMPLE_RATE=0.01

Note: Currently, configuration is passed via constructor options. Environment variable support will be added in future phases.

Development

# Install dependencies
pnpm install

# Build package
pnpm build

# Run tests
pnpm test

# Run tests in watch mode
pnpm test:watch

# Type check
pnpm typecheck

# Lint
pnpm lint

Testing

The package uses vitest for fast, isolated testing:

import { ExpressionEvaluator, IsolatedVmBridge } from '@n8n/expression-runtime';

describe('ExpressionEvaluator', () => {
  it('evaluates simple expression', async () => {
    const bridge = new IsolatedVmBridge({ timeout: 5000 });
    const evaluator = new ExpressionEvaluator({ bridge });

    await evaluator.initialize();

    const result = evaluator.evaluate('{{ $json.value }}', { $json: { value: 42 } });
    expect(result).toBe(42);

    await evaluator.dispose();
  });
});

Run tests:

pnpm test                # Run all tests
pnpm test integration    # Run integration tests only

Performance

The runtime uses several optimizations (implemented in PRs 2–4):

Lazy Loading: Only fetch data fields that expressions actually access via proxy traps
Script Compilation Caching: Compiled scripts are cached to avoid recompilation
Metadata-Driven: Only structure (keys, lengths) transferred across isolate boundary, not full data
Expression Code Caching: Tournament-transformed code is cached per evaluator instance (same expressions repeat within a workflow, so cache hit rate is high in practice)

Performance characteristics:

Arrays: Always lazy-loaded — only length transferred, elements fetched on demand
Objects: Always lazy-loaded — only keys transferred, values fetched on demand

Security

The runtime enforces strict security at multiple layers (implemented in PRs 2–4):

Memory limits: Hard 128MB limit via isolated-vm (configurable)
Execution timeouts: 5s default timeout (configurable)
Complete isolation: No access to Node.js APIs (require, fs, process, etc.)
Security wrappers: SafeObject and SafeError prevent dangerous method access
Native function blocking: Prevents access to native code
AST transforms: ThisSanitizer rewrites $json → this.$json; PrototypeSanitizer wraps computed property access in this.__sanitize(key) to block prototype chain attacks; DollarSignValidator enforces correct $-variable usage
Runtime sanitizer: __sanitize() inside the isolate blocks access to __proto__, constructor, prototype, and other dangerous properties at runtime

Future security features (Phase 2+):

🚧 Additional sandboxing for browser environments

Contributing

See the main n8n repository for contribution guidelines.

License

See LICENSE.md in the n8n repository root.

README.md Unescape Escape