@n8n/n8n-nodes-langchain
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:mysql2 | AI (phantom-deps): mysql2 is a declared optional/peer dep for MySQL vector store support; phantom-dep heuristic is a false positive here. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): n8n uses automated CI/CD releases; rapid successive publishes are normal for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are feature-driven integrations for a large LangChain node package; consistent with its expansion pattern across 351 versions. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are tokenizer JSON data and node implementations consistent with package scope. | ai | |
| dependencies | unvetted-dep:@n8n/typeorm | AI (dependencies): n8n-scoped TypeORM fork; expected stable dep for this package. | ai | |
| dependencies | unvetted-dep:@getzep/zep-js | AI (dependencies): Zep memory integration; legitimate dep for LangChain nodes package. | ai | |
| dependencies | unvetted-dep:@langchain/groq | AI (dependencies): Official LangChain Groq integration; expected dep. | ai | |
| dependencies | unvetted-dep:@xata.io/client | AI (dependencies): Xata vector store integration; expected dep for this package. | ai | |
| dependencies | unvetted-dep:generate-schema | AI (dependencies): Utility dep for schema generation; stable for this package. | ai | |
| dependencies | unvetted-dep:@getzep/zep-cloud | AI (dependencies): Zep Cloud memory integration; expected dep. | ai | |
| dependencies | unvetted-dep:@n8n/typescript-config | AI (dependencies): n8n-scoped TS config; same org, expected dev dep. | ai | |
| dependencies | unvetted-dep:@microsoft/agents-a365-notifications | AI (dependencies): Microsoft Agents SDK integration; expected dep for MicrosoftAgent365 node. | ai | |
| dependencies | unvetted-dep:@microsoft/agents-a365-observability | AI (dependencies): Microsoft Agents SDK integration; expected dep for MicrosoftAgent365 node. | ai | |
| phantom-deps | phantom-dep:tmp-promise | AI (phantom-deps): Utility dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@microsoft/agents-a365-runtime | AI (phantom-deps): New Microsoft Agent365 integration dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@microsoft/agents-a365-notifications | AI (phantom-deps): New Microsoft Agent365 integration dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:@microsoft/agents-a365-tooling-extensions-langchain | AI (phantom-deps): New Microsoft Agent365 integration dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:pg | AI (phantom-deps): pg is a transitive/optional dep used by MemoryPostgresChat; phantom-dep heuristic fires but it's legitimately declared. | ai | |
| phantom-deps | phantom-dep:langchain | AI (phantom-deps): Core langchain dep; declared correctly, phantom-dep heuristic is a false positive. | ai | |
| phantom-deps | phantom-dep:mime-types | AI (phantom-deps): Stable false positive; used in document loaders. | ai | |
| phantom-deps | phantom-dep:@getzep/zep-js | AI (phantom-deps): Zep memory integration; declared correctly. | ai | |
| phantom-deps | phantom-dep:@getzep/zep-cloud | AI (phantom-deps): Zep cloud integration; declared correctly. | ai | |
| phantom-deps | phantom-dep:@google/generative-ai | AI (phantom-deps): Google AI integration dep; declared correctly. | ai | |
| phantom-deps | phantom-dep:@n8n/typescript-config | AI (phantom-deps): Same-org build config package; phantom-dep is expected and benign. | ai | |
| phantom-deps | phantom-dep:@aws-sdk/client-sso-oidc | AI (phantom-deps): AWS SDK transitive dep loaded by convention; stable false positive. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Official n8n package; short README and no keywords are expected for a monorepo sub-package. | ai | |
| phantom-deps | phantom-dep:ignore | AI (phantom-deps): Stable false positive for this package; used in config/build tooling. | ai | |
| phantom-deps | phantom-dep:d3-dsv | AI (phantom-deps): Used by document loaders; declared correctly, phantom-dep is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:cohere-ai | AI (phantom-deps): Cohere integration dep; declared correctly, phantom-dep heuristic is a false positive. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 2.23.0 | 81 / 15 | |
| 2.22.3 | 81 / 15 | |
| 2.22.2 | 81 / 15 | |
| 2.21.5 | 80 / 15 | |
| 2.21.0 | 80 / 15 | |
| 2.20.6 | 80 / 12 | |
| 2.19.0 | 80 / 12 | |
| 2.18.0 | 80 / 12 | |
| 2.15.1 | 80 / 12 | |
| 1.122.34 | 74 / 13 | |
| 1.122.32 | 74 / 13 | |
| 1.122.31 | 74 / 13 | |
| 1.122.30 | 74 / 13 | |
| 1.122.26 | 74 / 13 | |
| 1.122.24 | 74 / 13 | |
| 1.122.23 | 74 / 13 | |
| 1.122.22 | 74 / 13 | |
| 1.122.21 | 74 / 13 | |
v2.23.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.22.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.22.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.21.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.20.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.19.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.18.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.15.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.34
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.32
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.31
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.30
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.26
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.24
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.23
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.22
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.122.21
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.