@n8n/node-cli

Official CLI for developing community nodes for n8n

Versions: 14
License: SEE LICENSE IN LICENSE.md
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

n8n-matsuuutomin8njan_n8n_iocornelius.suermann

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA attestation from n8n-io org; legitimate automation change. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers part of same org transition; not indicative of hostile takeover given SLSA provenance. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are n8n org members; consistent with org-level team transition. | ai | |
| phantom-deps | phantom-dep:@n8n/eslint-plugin-community-nodes | AI (phantom-deps): Same-org dep re-exported via ./eslint export path; not directly imported in source but legitimately bundled. | ai | |
| dependencies | unvetted-dep:eslint-plugin-n8n-nodes-base | AI (dependencies): First-party n8n ESLint plugin; expected dependency for this CLI tool. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Handlebars is a well-established templating library; pinned to 4.7.8 which has no active critical advisories. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Official n8n org CLI; README/keyword signals are false positives for a scoped monorepo package. | ai | |
| phantom-deps | phantom-dep:prompts | AI (phantom-deps): prompts is declared in dependencies; phantom-dep heuristic misfires on CLI tools using it indirectly. | ai | |

Versions (showing 14 of 14)

| Version | Deps | Published |
|---|---|---|
| 0.33.0 | 16 / 8 | |
| 0.31.0 | 16 / 8 | |
| 0.30.1 | 16 / 8 | |
| 0.28.0 | 16 / 8 | |
| 0.25.0 | 16 / 8 | |
| 0.22.0 | 16 / 8 | |
| 0.18.0 | 15 / 8 | |
| 0.17.1 | 15 / 8 | |
| 0.16.0 | 15 / 8 | |
| 0.15.0 | 15 / 8 | |
| 0.10.0 | 15 / 7 | |
| 0.2.0 | 14 / 7 | |
| 0.1.1 | 14 / 7 | |
| 0.1.0 | 7 / 12 | |

v0.33.0

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.31.0

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.30.1

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.28.0

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.25.0

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.22.0

2 findings
HIGH: Publisher changed: jan_n8n_io → GitHub Actions (on 2026-03-02) (category: provenance)

This version was published by a different npm account than previous versions on 2026-03-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.18.0

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.1

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.16.0

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.0

1 finding
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.10.0

2 findings
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO: Publisher changed: ivov.src → jan_n8n_io (on 2025-09-29, known maintainer) (category: provenance)

This version was published by a different npm account (jan_n8n_io) than the most recent previously approved version (ivov.src) on 2025-09-29, but jan_n8n_io is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.2.0

2 findings
INFO: Has SLSA provenance attestation (category: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO: Publisher changed: ivov.src → jan_n8n_io (on 2025-08-25, known maintainer) (category: provenance)

This version was published by a different npm account (jan_n8n_io) than the most recent previously approved version (ivov.src) on 2025-08-25, but jan_n8n_io is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v0.1.1

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
LOW: No provenance attestation (category: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.