← Home

n8n

npm Repository Homepage

n8n Workflow Automation Tool

6
Versions
SEE LICENSE IN LICENSE.md
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

jan_n8n_ion8n-matsuuutomin8n

Keywords

automateautomationIaaSiPaaSn8nworkflow

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:fastest-levenshtein AI (phantom-deps): Config-referenced dependency; stable pattern for n8n's monorepo structure. ai
source-diff large-new-source-files AI (source-diff): n8n is a large, actively developed monorepo; adding 100+ files per release is normal for this package. ai
publish-pattern rapid-publish AI (publish-pattern): n8n uses automated CI/CD releases; rapid publishes are normal and backed by SLSA provenance attestation. ai
phantom-deps phantom-dep:@opentelemetry/sdk-trace-base AI (phantom-deps): Peer/optional telemetry dep; used via config rather than direct import in this monorepo package. ai
phantom-deps phantom-dep:langsmith AI (phantom-deps): Referenced in config/optional integration paths; stable false positive for this package. ai
phantom-deps phantom-dep:prettier AI (phantom-deps): Used as a config/tooling dep in large monorepo; not directly imported in runtime code. ai
publish-pattern new-deps-added AI (publish-pattern): New dep is first-party @n8n/ scoped package from the same monorepo; not a third-party supply chain risk. ai
dependencies unvetted-dep:@n8n/typeorm AI (dependencies): n8n's own fork of TypeORM; first-party dependency. ai
dependencies unvetted-dep:p-lazy AI (dependencies): Established n8n package; dep is a well-known utility, no malware signal. ai
dependencies unvetted-dep:samlify AI (dependencies): Used for SAML SSO in n8n; legitimate enterprise auth dependency. ai
dependencies unvetted-dep:handlebars AI (dependencies): Standard templating library; stable dep for n8n across versions. ai
dependencies unvetted-dep:infisical-node AI (dependencies): Secrets manager integration; legitimate external service SDK. ai
dependencies unvetted-dep:@1password/connect AI (dependencies): 1Password Connect SDK; legitimate secrets integration. ai
dependencies unvetted-dep:@n8n_io/license-sdk AI (dependencies): n8n's own license SDK; first-party dependency. ai
dependencies unvetted-dep:@azure/keyvault-secrets AI (dependencies): Official Azure SDK; legitimate secrets integration. ai
dependencies unvetted-dep:@n8n/n8n-nodes-langchain AI (dependencies): n8n's own LangChain nodes package; first-party dependency. ai
dependencies unvetted-dep:@n8n_io/ai-assistant-sdk AI (dependencies): n8n's own AI assistant SDK; first-party dependency. ai
dependencies unvetted-dep:@rudderstack/rudder-sdk-node AI (dependencies): RudderStack analytics SDK; legitimate telemetry dependency. ai
phantom-deps phantom-dep:p-lazy AI (phantom-deps): Monorepo config reference; stable false positive. ai
phantom-deps phantom-dep:dotenv AI (phantom-deps): Config-driven env loading; stable false positive for this package. ai
phantom-deps phantom-dep:yargs-parser AI (phantom-deps): CLI arg parsing via config; stable false positive. ai
phantom-deps phantom-dep:@n8n/ai-node-sdk AI (phantom-deps): First-party scoped package referenced via config; stable false positive. ai
phantom-deps phantom-dep:source-map-support AI (phantom-deps): Dev/runtime tooling loaded via config; stable false positive. ai
phantom-deps phantom-dep:@opentelemetry/instrumentation AI (phantom-deps): OTel instrumentation loaded via SDK config, not direct import; stable false positive. ai
phantom-deps phantom-dep:flat AI (phantom-deps): Utility referenced via config in monorepo, not direct import. ai
phantom-deps phantom-dep:aws4 AI (phantom-deps): AWS signing helper referenced via config, stable false positive for this package. ai
phantom-deps phantom-dep:xss AI (phantom-deps): Used via config/template references in monorepo build, not direct import. ai
phantom-deps phantom-dep:pg AI (phantom-deps): Large monorepo; pg used via config-driven DB adapter, not direct import. ai
phantom-deps phantom-dep:sqlite3 AI (phantom-deps): DB adapter loaded via config, not direct import; stable false positive. ai
phantom-deps phantom-dep:shelljs AI (phantom-deps): Build tooling reference; stable false positive for this package. ai

Versions (showing 6 of 6)

Version Deps Published
2.27.0 136 / 36
2.25.7 136 / 36
2.25.3 136 / 36
2.25.2 136 / 36
2.22.6 131 / 34
2.20.12 117 / 33

v2.27.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.25.7

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.25.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.25.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.22.6

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.20.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.