chore(deps): update dependency n8n to v1.78.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
n8n (source)	minor	1.77.3 -> 1.78.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

n8n-io/n8n (n8n)

v1.78.0

Compare Source

Bug Fixes

• AI Agent Node: Ignore SSL errors option for SQLAgent (#​13052) (a90529f)
• Code Node: Do not validate code within comments (#​12938) (cdfa225)
• core: "Respond to Webhook" should work with workflows with waiting nodes (#​12806) (e8635f2)
• core: Do not emit workflow-post-execute event for waiting executions (#​13065) (1593b6c)
• core: Do not enable strict type validation by default for resource mapper (#​13037) (fdcff90)
• core: Fix empty node execution stack (#​12945) (7031569)
• core: Only use new resource mapper type validation when it is enabled (#​13099) (a37c8e8)
• editor: Actually enforce the version and don't break for old values in local storage (#​13025) (884a7e2)
• editor: Add telemetry to source control feature (#​13016) (18eaa54)
• editor: Allow switch to Fixed for boolean and number parameters with invalid expressions (#​12948) (118be24)
• editor: Allow to re-open sub-connection node creator if already active (#​13041) (16d59e9)
• editor: Code node overwrites code when switching nodes after edits (#​13078) (00e3ebc)
• editor: Fix execution running status listener for chat messages (#​12951) (4d55a29)
• editor: Fix position of connector buttons when the line is straight (#​13034) (3a908ac)
• editor: Fix showing and hiding canvas edge toolbar when hovering (#​13009) (ac7bc4f)
• editor: Make AI transform node read only in executions view (#​12970) (ce1deb8)
• editor: Prevent infinite loop in expressions crashing the browser (#​12732) (8c2dbcf)
• editor: Refine push modal layout (#​12886) (212a5bf)
• editor: SchemaView renders duplicate structures properly (#​12943) (0d8a544)
• editor: Update node issues when opening execution (#​12972) (1a91523)
• editor: Use correct connection index when connecting adjancent nodes after deleting a node (#​12973) (c7a15d5)
• GitHub Node: Don't truncate filenames retrieved from GitHub (#​12923) (7e18447)
• Google Cloud Firestore Node: Fix potential prototype pollution vulnerability (#​13035) (f150f79)
• Increment runIndex in WorkflowToolV2 tool executions to avoid reusing out of date inputs (#​13008) (cc907fb)
• Sync partial execution version of FE and BE, also allow enforcing a specific version (#​12840) (a155043)
• Wise Node: Use ISO formatting for timestamps (#​10288) (1a2d39a)

Features

• Add reusable frontend composables package (#​13077) (ef87da4)
• Add support for client credentials with Azure Log monitor (#​13038) (2c2d631)
• Allow multi API creation via the UI (#​12845) (ad3250c)
• Allow setting API keys expiration (#​12954) (9bcbc2c)
• core: Add sorting to GET /workflows endpoint (#​13029) (b60011a)
• core: Enable usage as a tool for more nodes (#​12930) (9deb759)
• core: Handle Declarative nodes more like regular nodes (#​13007) (a65a9e6)
• Discord Node: New sendAndWait operation (#​12894) (d47bfdd)
• editor: Display schema preview for unexecuted nodes (#​12901) (0063bbb)
• editor: Easy $fromAI Button for AI Tools (#​12587) (2177376)
• editor: Show fixed collection parameter issues in UI (#​12899) (12d686c)
• Facebook Graph API Node: Update node to support API v22.0 (#​13024) (0bc0fc6)
• HTTP Request Tool Node: Relax binary data detection (#​13048) (b67a003)
• Human in the loop section (#​12883) (9590e5d)
• n8n Form Node: Add Hidden Fields (#​12803) (0da1114)
• n8n Form Node: Respond with Text (#​12979) (182fc15)
• OpenAI Chat Model Node, OpenAI Node: Include o3 models in model selection (#​13005) (37d152c)
• Summarize Node: Preserves original field data type (#​13069) (be5e49d)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.78.0

📦 Image Reference ghcr.io/uniget-org/tools/n8n:1.78.0

digest	sha256:8e60c9bdfb053f204883710adc2cfe3ecac7fb2521f328dd87657bafacc4c9c3
vulnerabilities
platform	linux/amd64
size	170 MB
packages	1434

path-to-regexp 0.1.10 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <0.1.12 Fixed version 0.1.12 CVSS Score 7.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P Description Impact The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp, originally reported in CVE-2024-45296 Patches Upgrade to 0.1.12. Workarounds Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking. References GHSA-9wv6-86v2-598j https://blakeembrey.com/posts/2024-09-web-redos/

cross-spawn 4.0.2 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <6.0.6 Fixed version 7.0.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

semver 5.3.0 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <5.7.2 Fixed version 5.7.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

pdfjs-dist 2.16.105 (npm) pkg:npm/[email protected] Affected range <=4.1.392 Fixed version 4.2.67 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval: mozilla/pdf.js#18015 Workarounds Set the option isEvalSupported to false. References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

snowflake-sdk 1.12.0 (npm) pkg:npm/[email protected] Improper Preservation of Permissions Affected range >=1.12.0 <=2.0.1 Fixed version 2.0.2 CVSS Score 4.4 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Description Issue Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2. Vulnerability Details On Linux, when either EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods are used with temporary credential caching enabled, the Snowflake NodeJS Driver will cache temporary credentials in a local file. Due to a bug, the check verifying that the cache file can be accessed only by the user running the Driver always succeeded, but didn’t verify the permissions or the ownership correctly. An attacker with write access to the local cache folder could plant an empty file there and the Driver would use it to store temporary credentials instead of rejecting it due to overly broad permissions. Solution Snowflake released version 2.0.2 of the Snowflake NodeJS Driver, which fixes this issue. We recommend users upgrade to version 2.0.2. Additional Information If you discover a security vulnerability in one of our products or websites, please report the issue to HackerOne. For more information, please see our Vulnerability Disclosure Policy.

identity 3.4.2 (npm) pkg:npm/%40azure/[email protected] Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Affected range <4.2.1 Fixed version 4.2.1 CVSS Score 6.8 CVSS Vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Description Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

cookie 0.4.2 (npm) pkg:npm/[email protected] Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affected range <0.7.0 Fixed version 0.7.0 Description Impact The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Patches Upgrade to 0.7.0, which updates the validation for name, path, and domain. Workarounds Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input. References fix: narrow the validation of cookies to match RFC6265 jshttp/cookie#167

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/13312929369.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/13312929369.