@n8n/chat — Greenflagged

This is an embeddable Chat widget for n8n. It allows the execution of AI-Powered Workflows through a Chat window.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

n8n-matsuuutomin8njan_n8n_iocornelius.suermann

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/node-icons-DDGCDo-0.mjs	AI (source-diff): Long lines are URL-encoded SVG data URIs bundled by Vite; not obfuscated code.	ai	2026/05/30
source-diff	obfuscated-file:dist/node-icons-Dvx0PGtJ.mjs	AI (source-diff): Long lines are URL-encoded SVG data URIs from Vite bundling; not obfuscation. Stable pattern for this package.	ai	2026/05/29
source-diff	obfuscated-file:dist/node-icons-5KeulgLA.mjs	AI (source-diff): Long lines are URL-encoded SVG data URIs in a bundled icon module; not obfuscation.	ai	2026/05/29
source-diff	obfuscated-file:dist/node-icons-CYbnl_VP.mjs	AI (source-diff): Long lines are URL-encoded SVG data URIs in a bundled icon file, not obfuscated executable code.	ai	2026/05/29
source-diff	obfuscated-file:dist/node-icons-ChKUwU1B.mjs	AI (source-diff): Long lines are URL-encoded SVG data URIs from Vite bundling, not obfuscation; stable pattern for this package.	ai	2026/05/29
source-diff	obfuscated-file:dist/node-icons-O5Clj8BC.mjs	AI (source-diff): File contains only URL-encoded SVG icon data; long lines are expected for data URIs, not obfuscated code.	ai	2026/05/29
source-diff	obfuscated-file:dist/node-icons-CGsST0zi.mjs	AI (source-diff): Long lines are URL-encoded SVG data URIs for node icons, not obfuscated executable code.	ai	2026/05/25
source-diff	obfuscated-file:dist/node-icons-BfpANqUU.mjs	AI (source-diff): File contains URL-encoded SVG icon data from n8n's design-system; long lines are a build artifact, not obfuscation.	ai	2026/05/20
source-diff	obfuscated-file:dist/node-icons-CKgMxpAY.mjs	AI (source-diff): File contains URL-encoded SVG icon data URIs; long lines are expected minified build output, not obfuscation.	ai	2026/05/06
source-diff	obfuscated-file:dist/node-icons-Ca5tmG4k.mjs	AI (source-diff): File contains URL-encoded SVG data URIs for node icons — standard build output, not obfuscation.	ai	2026/05/06
source-diff	obfuscated-file:dist/node-icons-B8yj9hZx.mjs	AI (source-diff): Long lines are URL-encoded SVG data URIs for node icons, not obfuscated malicious code; pattern is stable for this package.	ai	2026/05/06
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are n8n org members; consistent with internal team expansion, not a hostile takeover.	ai	2026/05/03
provenance	publisher-changed	AI (provenance): tomin8n is an n8n org account with 10 approved packages; SLSA provenance confirms CI/CD publish from official repo.	ai	2026/05/03
phantom-deps	phantom-dep:@n8n/design-system	AI (phantom-deps): Same-org scoped package; consumed at build time in bundled output.	ai	2026/04/29
phantom-deps	phantom-dep:highlight.js	AI (phantom-deps): Bundled Vue component; deps consumed at build time, not via direct imports in analyzed source.	ai	2026/04/29
phantom-deps	phantom-dep:@vueuse/core	AI (phantom-deps): Bundled Vue component; deps consumed at build time, not via direct imports in analyzed source.	ai	2026/04/29
typosquat	typosquat.levenshtein:chalk	AI (typosquat): @n8n/chat is the official n8n chat widget; no relation to chalk; scoped package name makes typosquatting implausible.	ai	2026/04/29
phantom-deps	phantom-dep:uuid	AI (phantom-deps): Bundled Vue component; deps consumed at build time, not via direct imports in analyzed source.	ai	2026/04/29
phantom-deps	phantom-dep:markdown-it-link-attributes	AI (phantom-deps): Bundled Vue component; deps consumed at build time, not via direct imports in analyzed source.	ai	2026/04/29
phantom-deps	phantom-dep:vue-markdown-render	AI (phantom-deps): Bundled Vue component; deps consumed at build time, not via direct imports in analyzed source.	ai	2026/04/29

Versions (showing 51 of 51)

Version	Deps	Published
1.23.0	7 / 0	2026-05-27
1.21.0	7 / 0	2026-05-12
1.20.1	7 / 0	2026-05-07
1.20.0	7 / 0	2026-05-05
1.19.0	7 / 0	2026-04-28
1.18.3	7 / 0	2026-04-28
1.18.2	7 / 0	2026-04-27
1.18.1	7 / 0	2026-04-22
1.18.0	7 / 0	2026-04-21
1.17.2	7 / 0	2026-04-22
1.17.1	7 / 0	2026-04-15
1.17.0	7 / 0	2026-04-13
1.16.0	7 / 0	2026-04-07
1.15.0	7 / 0	2026-03-30
1.14.0	7 / 0	2026-03-24
1.13.2	7 / 0	2026-03-20
1.13.1	7 / 0	2026-03-18
1.13.0	7 / 0	2026-03-16
1.12.0	7 / 0	2026-03-09
1.11.2	7 / 0	2026-03-11
1.11.1	7 / 0	2026-03-09
1.11.0	7 / 0	2026-03-02
1.10.1	7 / 0	2026-02-27
1.10.0	7 / 0	2026-02-23
1.9.3	7 / 0	2026-02-25
1.9.2	7 / 0	2026-02-23
1.9.1	7 / 0	2026-02-18
1.9.0	7 / 0	2026-02-16
1.8.0	7 / 0	2026-02-10
1.7.1	7 / 0	2026-02-09
1.7.0	7 / 0	2026-02-02
1.6.1	7 / 0	2026-01-28
1.6.0	7 / 0	2026-01-26
1.5.1	7 / 0	2026-01-23
1.5.0	7 / 0	2026-01-20
1.4.0	7 / 0	2026-01-12
1.3.0	7 / 0	2026-01-05
1.2.1	7 / 0	2025-12-23
1.2.0	7 / 0	2025-12-22
1.1.1	7 / 0	2025-12-23
1.1.0	7 / 0	2025-12-15
1.0.0	7 / 0	2025-12-08
0.68.3	7 / 0	2026-04-24
0.68.2	7 / 0	2026-04-23
0.68.1	7 / 0	2025-12-23
0.68.0	7 / 0	2025-12-01
0.67.0	7 / 0	2025-11-24
0.66.1	7 / 0	2025-11-20
0.66.0	7 / 0	2025-11-18
0.65.0	7 / 0	2025-11-10
0.64.0	7 / 0	2025-11-03

v1.23.0

2 findings

HIGH New obfuscated file: dist/node-icons-DDGCDo-0.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.