chore(deps): update dependency n8n to v1.59.3

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
n8n (source)	minor	1.58.2 -> 1.59.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

n8n-io/n8n (n8n)

v1.59.3

Compare Source

Bug Fixes

• core: Upgrade uuid (#​10860) (5657b6a)

v1.59.2

Compare Source

Bug Fixes

• core: Restore queue listeners for webhook process (#​10781) (9831dbc)

v1.59.1

Compare Source

Bug Fixes

• Fix telemetry causing console error (#​10828) (7a778c6)
• Prevent copying workflow when copying outside of canvas (#​10813) (35fa3a5)

v1.59.0

Compare Source

Bug Fixes

• Chat Trigger Node: Fix auth in "Embedded Chat" mode (#​10734) (96db501)
• core: Allow license:clear command to be used for licenses that failed renewal (#​10665) (a422c5a)
• core: Update subworkflow execution status correctly (#​10764) (4f94319)
• editor: Add arrow end to connection line (#​10704) (43713dc)
• editor: Add sticky note readonly state in new canvas (#​10678) (c5bc8e6)
• editor: Auto-focus expression input when switching from "fixed" mode (#​10686) (54ab2b1)
• editor: Don't render pinned icon for disabled nodes (#​10712) (879b837)
• editor: Fix error rendering and indexing of LLM sub-node outputs (#​10688) (50459ba)
• editor: Fix xss issues in toast usages (#​10733) (6df6f5f)
• editor: Follow up fixes and improvements to viewer role (#​10684) (63548e6)
• editor: Increase connector snap radius (#​10757) (297b668)
• editor: Plus node button should not be visible on readonly mode (#​10692) (62cb189)
• editor: Prevent action's panel flickering while dragging a node (#​10739) (efa5573)
• editor: Restrict when the collision avoidance algorithm is used (#​10755) (bf43d67)
• editor: Show docs link in credential modal when docs sidebar is hidden (#​10750) (87333cb)
• Email Trigger (IMAP) Node: Ensure connection close does not block deactivation (#​10689) (156eb72)
• Fix the issue in Trigger Nodes where poll time was not loaded (#​10695) (1dea8f4)
• Gmail Trigger Node: Change Gmail Trigger dedupe logic (#​10717) (9f3e03d)
• Google Contacts node warm up request, Google Calendar node events>getAll fields option (#​10700) (22c70d5)
• If Node: Update copy for type conversion parameter (#​10769) (ee5fbc5)
• n8n Form Trigger Node: Do not rerun trigger when it has run data (#​10687) (3adbcab)
• OpenAI Chat Model Node: Prevent filtering of fine-tuned models in model selector (#​10662) (4e89912)
• Prevent AI assistant session reset when workflow is saved (#​10707) (91d9be2)
• Show a more user friendly error message if initial Db connection times out (#​10682) (4efcbc5)
• Webflow Node: Update scopes to include forms (#​10554) (d3861b3)
• YouTube Node: Fix Date filters (#​10725) (21936c8)

Features

• Code Tool Node: Option to specify input schema (#​10693) (421aa71)
• editor: Add lint for $('Node').item in runOnceForAllItems mode (#​10743) (1b04be1)
• editor: Logs markdown block improvements (#​10681) (db6e832)
• Filter parameter: Improve loose type validation for booleans (#​10702) (e9b8d99)
• Lemlist Node: Add V2 to support more API operations (#​10615) (20b1cf2)
• OpenAI Node: Add Max Tools Iteration parameter and prevent tool calling after execution is aborted (#​10735) (5c47a5f)

Performance Improvements

• editor: Fix WorkflowDetails excessive re-rendering (#​10767) (00013a2)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.59.3

📦 Image Reference ghcr.io/uniget-org/tools/n8n:1.59.3

digest	sha256:0b7820c5f971fe443188c27a81381e484f24846c98936a19206a95c3af000531
vulnerabilities
platform	linux/amd64
size	143 MB
packages	1305

axios 1.6.7 (npm) pkg:npm/[email protected] Server-Side Request Forgery (SSRF) Affected range >=1.3.2 <=1.7.3 Fixed version 1.7.4 Description axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

path-to-regexp 0.1.7 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <0.1.10 Fixed version 0.1.10 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b. Patches For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0. These versions add backtrack protection when a custom regex pattern is not provided: 0.1.10 1.9.0 3.3.0 6.3.0 They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability. Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad. Version 8.0.0 removes the features that can cause a ReDoS. Workarounds All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+). If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster. Details Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is the /a at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the :a-:b on the repeated 8,000 -a. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms. References OWASP Detailed blog post

semver 5.3.0 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <5.7.2 Fixed version 5.7.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

body-parser 1.20.2 (npm) pkg:npm/[email protected] Asymmetric Resource Consumption (Amplification) Affected range <1.20.3 Fixed version 1.20.3 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. Patches this issue is patched in 1.20.3 References

pdfjs-dist 2.16.105 (npm) pkg:npm/[email protected] Affected range <=4.1.392 Fixed version 4.2.67 Description Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval: mozilla/pdf.js#18015 Workarounds Set the option isEvalSupported to false. References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

identity 3.4.2 (npm) pkg:npm/%40azure/[email protected] Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Affected range <4.2.1 Fixed version 4.2.1 CVSS Score 5.5 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Description Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

express 4.19.2 (npm) pkg:npm/[email protected] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <4.20.0 Fixed version 4.20.0 CVSS Score 5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L Description Impact In express <4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code Patches this issue is patched in express 4.20.0 Workarounds users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist Details successful exploitation of this vector requires the following: The attacker MUST control the input to response.redirect() express MUST NOT redirect before the template appears the browser MUST NOT complete redirection before: the user MUST click on the link in the template

serve-static 1.15.0 (npm) pkg:npm/[email protected] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.16.0 Fixed version 1.16.0 CVSS Score 5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L Description Impact passing untrusted user input - even after sanitizing it - to redirect() may execute untrusted code Patches this issue is patched in serve-static 1.16.0 Workarounds users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist Details successful exploitation of this vector requires the following: The attacker MUST control the input to response.redirect() express MUST NOT redirect before the template appears the browser MUST NOT complete redirection before: the user MUST click on the link in the template

send 0.18.0 (npm) pkg:npm/[email protected] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <0.19.0 Fixed version 0.19.0 CVSS Score 5 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L Description Impact passing untrusted user input - even after sanitizing it - to SendStream.redirect() may execute untrusted code Patches this issue is patched in send 0.19.0 Workarounds users are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist Details successful exploitation of this vector requires the following: The attacker MUST control the input to response.redirect() express MUST NOT redirect before the template appears the browser MUST NOT complete redirection before: the user MUST click on the link in the template

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/10926486660.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/10926486660.