n8n-nodes-base

Versions: 22
License:
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; no source commit.

Maintainers

jan_n8n_iotomin8n

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file:dist/nodes/Microsoft/Entra/test/mocks.js | AI (source-diff): File contains plain-text mock API response fixtures with long lines, not obfuscated/minified code. | ai |
source-diff | large-new-source-files | AI (source-diff): Large monorepo node package; file count growth reflects legitimate new node definitions across major version bump. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): n8n-nodes-base regularly adds new deps with each release; isolated-vm and @thednp/dommatrix are legitimate libraries. | ai |
publish-pattern | dormant-publish | AI (publish-pattern): n8n-nodes-base is continuously published; dormancy flag is an artifact of comparing against a stale approved baseline. | ai |
dependencies | unvetted-dep:minifaker | AI (dependencies): Fake data generator used in n8n nodes; stable for this package. | ai |
npm-metadata | url-dep:xlsx | AI (npm-metadata): SheetJS distributes via their CDN after npm removal; stable pattern for this package. | ai |
dependencies | unvetted-dep:generate-schema | AI (dependencies): Schema generation utility; stable dep for n8n-nodes-base. | ai |
dependencies | unvetted-dep:promise-ftp | AI (dependencies): FTP client library for n8n FTP node; stable for this package. | ai |
dependencies | unvetted-dep:xlsx | AI (dependencies): Known SheetJS library distributed via CDN; stable for n8n-nodes-base. | ai |
dependencies | unvetted-dep:js-nacl | AI (dependencies): Established NaCl crypto binding; stable dependency for this package. | ai |
dependencies | unvetted-dep:rfc2047 | AI (dependencies): Email header encoding library; stable utility dep for n8n-nodes-base. | ai |
phantom-deps | phantom-dep:rss-parser | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:eventsource | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:isolated-vm | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:html-to-text | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:pg | AI (phantom-deps): n8n-nodes-base dynamically loads optional integrations; static import analysis produces false positives for this package. | ai |
phantom-deps | phantom-dep:snowflake-sdk | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:xmlhttprequest-ssl | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@mozilla/readability | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:@aws-sdk/client-sso-oidc | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:sanitize-html | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:cron | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:isbot | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:jsdom | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:redis | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:alasql | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:semver | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:otpauth | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:node-ssh | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:fast-glob | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |
phantom-deps | phantom-dep:basic-auth | AI (phantom-deps): Same dynamic-load architecture; stable false positive for this package. | ai |

Versions (showing 22 of 22)

Version | Deps | Published
2.25.1 | 76 / 33 |
2.24.0 | 76 / 33 |
2.22.3 | 75 / 32 |
2.22.2 | 75 / 32 |
2.22.0 | 75 / 32 |
2.20.7 | 75 / 32 |
2.15.1 | 75 / 32 |
1.121.35 | 74 / 28 |
1.121.33 | 74 / 28 |
1.121.32 | 74 / 28 |
1.121.31 | 74 / 28 |
1.121.30 | 74 / 28 |
1.121.29 | 74 / 28 |
1.121.28 | 74 / 28 |
1.121.27 | 74 / 28 |
1.121.26 | 74 / 28 |
1.121.25 | 74 / 28 |
1.121.24 | 74 / 28 |
1.121.23 | 74 / 28 |
1.121.22 | 74 / 28 |
1.121.21 | 74 / 28 |
1.121.20 | 74 / 28 |

v2.25.1

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.24.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.22.3

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.22.2

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.22.0

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.20.7

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.15.1

20 findings
HIGH: Phantom dependency: pg (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: cron (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: isbot (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: jsdom (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: redis (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: alasql (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: semver (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: otpauth (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: node-ssh (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: fast-glob (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: basic-auth (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: rss-parser (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: eventsource (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: isolated-vm (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: html-to-text (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: sanitize-html (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: snowflake-sdk (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: xmlhttprequest-ssl (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

HIGH: Phantom dependency: @mozilla/readability (phantom-deps)

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.35

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.33

2 findings
HIGH: New obfuscated file: dist/nodes/Microsoft/Entra/test/mocks.js (source-diff)

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.32

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.31

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.30

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.29

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.28

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.27

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.26

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.25

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.24

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.23

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.22

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.21

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.121.20

1 finding
INFO: Has SLSA provenance attestation (provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.