n8n-nodes-base

Versions: 10
License:
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

jan_n8n_iotomin8n

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): n8n-nodes-base regularly adds new deps with each release; isolated-vm and @thednp/dommatrix are legitimate libraries. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): n8n-nodes-base is continuously published; dormancy flag is an artifact of comparing against a stale approved baseline. | ai |
dependencies | unvetted-dep:js-nacl | AI (dependencies): Established NaCl crypto binding; stable dependency for this package. | ai |
dependencies | unvetted-dep:rfc2047 | AI (dependencies): Email header encoding library; stable utility dep for n8n-nodes-base. | ai |
npm-metadata | url-dep:xlsx | AI (npm-metadata): SheetJS distributes via their CDN after npm removal; stable pattern for this package. | ai |
dependencies | unvetted-dep:promise-ftp | AI (dependencies): FTP client library for n8n FTP node; stable for this package. | ai |
dependencies | unvetted-dep:generate-schema | AI (dependencies): Schema generation utility; stable dep for n8n-nodes-base. | ai |
dependencies | unvetted-dep:minifaker | AI (dependencies): Fake data generator used in n8n nodes; stable for this package. | ai |
dependencies | unvetted-dep:xlsx | AI (dependencies): Known SheetJS library distributed via CDN; stable for n8n-nodes-base. | ai |
phantom-deps | phantom-dep:fast-glob | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:basic-auth | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:rss-parser | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:eventsource | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:isolated-vm | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:pg | AI (phantom-deps): n8n-nodes-base dynamically loads optional integrations; static import analysis produces false positives for this package. | ai |
phantom-deps | phantom-dep:sanitize-html | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:snowflake-sdk | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:xmlhttprequest-ssl | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@mozilla/readability | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@aws-sdk/client-sso-oidc | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:html-to-text | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:cron | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:isbot | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:jsdom | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:redis | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:alasql | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:semver | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:otpauth | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:node-ssh | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |

Versions (showing 10 of 10)

Version   | Deps    | Published
2.20.7    | 75 / 32 |
2.15.1    | 75 / 32 |
1.121.28  | 74 / 28 |
1.121.27  | 74 / 28 |
1.121.26  | 74 / 28 |
1.121.25  | 74 / 28 |
1.121.24  | 74 / 28 |
1.121.23  | 74 / 28 |
1.121.21  | 74 / 28 |
1.121.20  | 74 / 28 |

v2.20.7

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.15.1

20 findings
HIGH  Phantom dependency: pg (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: cron (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: isbot (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: jsdom (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: redis (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: alasql (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: semver (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: otpauth (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: node-ssh (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: fast-glob (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: basic-auth (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: rss-parser (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: eventsource (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: isolated-vm (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: html-to-text (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: sanitize-html (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: snowflake-sdk (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: xmlhttprequest-ssl (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH  Phantom dependency: @mozilla/readability (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.28

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.27

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.26

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.25

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.24

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.23

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.21

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.20

1 finding
INFO  Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.