chore(deps): update dependency n8n to v1.34.2 #3953

Merged
merged 1 commit into from
Apr 2, 2024

uniget-bot
This PR contains the following updates:

Package | Update | Change
n8n (source) | minor | 1.33.1 -> 1.34.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

n8n-io/n8n (n8n)

v1.34.2

Bug Fixes

v1.34.1

Bug Fixes
  • Anthropic Chat Model Node: Fix detection of chat models in docker build & add support Claude Haiku (#8953) (becc804)
  • core: Ensure the generic OAuth2 API credential uses the OAuth2 credential test (#8941) (578f01a)
  • core: Stringify all Luxon DateTimes in cleanupParameterData (#8959) (58d9983)
  • editor: Fix opening of chat window when executing a child node (#8789) (e695927)
  • editor: Use bracket notation for all invalid identifiers in expressions (#8933) (1316f2d)
  • MySQL Node: Set paired items correctly in single query batch mode (#8940) (5d129ba)
  • Overhaul expression error messages related to paired item (#8765) (09654f9)

v1.34.0

Bug Fixes
  • Chat Trigger exclude summarization node from valid ai nodes (#8875) (4861556)
  • Cohere Model Node: Fix issue with credential test (#8916) (4f0b52c)
  • core: Improve handling of invalid objects in cleanupParameterData (no-changelog) (#8910) (33ab781)
  • core: Remove HTTP body for GET, HEAD, and OPTIONS requests (#3621) (d85d0ec)
  • core: Update follow-redirects to address CVE-2024-28849 (#8902) (a10120f)
  • editor: Add proper scroll to Environments push modal (#8883) (bcbff76)
  • editor: Fix an issue with an empty chat response if not in output property (#8913) (024be62)
  • editor: Fix design system component props (#8923) (7176cd1)
  • editor: Fix source control docs link in add workflow button tooltip (#8891) (a92d8bf)
  • editor: Improve expression editor performance by removing watchers (#8900) (a5261d6)
  • editor: Remove isOwner from IUser interface (#8888) (6955e89)
  • OpenAI Node function to preserve original tools after node execution (#8872) (054a4fc)
  • Validate custom tool names for forbidden chars (#8878) (edce632)
Features

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@nicholasdille-bot nicholasdille-bot left a comment

Auto-approved because label type/renovate is present.

github-actions bot commented Apr 2, 2024

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.34.2

📦 Image Reference: ghcr.io/uniget-org/tools/n8n:1.34.2
digest: sha256:1c8885dd46aefd2acec5816b133a375a61cd732d3bf8227f83471bf2cfe678ee
vulnerabilities: critical: 0 high: 0 medium: 2 low: 0
platform: linux/amd64
size: 133 MB
packages: 1282

critical: 0 high: 0 medium: 1 low: 0 semver 5.3.0 (npm)

pkg:npm/semver@5.3.0

medium 5.3: CVE-2022-25883 Inefficient Regular Expression Complexity

Affected range: <5.7.2
Fixed version: 5.7.2
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

critical: 0 high: 0 medium: 1 low: 0 express 4.18.3 (npm)

pkg:npm/express@4.18.3

medium 6.1: CVE-2024-29041 Improper Validation of Syntactic Correctness of Input

Affected range: <4.19.2
Fixed version: 4.19.2
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL, Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with express@4.19.0; we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

References

expressjs/express#5539
koajs/koa#1800
https://expressjs.com/en/4x/api.html#res.location
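
The workaround described in the advisory above, sketched as an added example that is not part of the original comment or of Express: the user-supplied target is pre-parsed with `new URL`, the allow-list decision is made on the parsed host, and the serialized result is what a handler would pass to `res.redirect`. The names `ALLOWED_HOSTS`, `BASE` and `safeRedirectTarget` and all hosts are assumptions made for illustration.

```javascript
// Added example: pre-parse a user-supplied redirect target with the WHATWG
// URL parser and allow-list the parsed host, never the raw string.
// ALLOWED_HOSTS, BASE and safeRedirectTarget are hypothetical names.
const ALLOWED_HOSTS = new Set(['app.example.test', 'login.example.test']);
const BASE = 'https://app.example.test';

function safeRedirectTarget(input, allowedHosts = ALLOWED_HOSTS, base = BASE) {
  if (typeof input !== 'string' || input.length === 0) return null;
  let url;
  try {
    // Relative inputs resolve against our own origin; absolute ones keep theirs.
    url = new URL(input, base);
  } catch {
    return null; // unparseable input is never forwarded
  }
  if (url.protocol !== 'https:') return null;     // rejects javascript:, data:, http:
  if (url.username || url.password) return null;  // rejects userinfo before the host
  // url.host includes any non-default port, so an unexpected port is rejected too.
  if (!allowedHosts.has(url.host)) return null;
  // Hand back the serialized form so the Location header carries exactly
  // what was validated, not the original string.
  return url.href;
}

// Constructed sample inputs, not taken from the advisory.
const samples = [
  '/dashboard?tab=1',
  'https://login.example.test/callback',
  '//other.example.test/path',
  'https://app.example.test@other.example.test/',
  'https://app.example.test.other.example.test/',
  'javascript:alert(1)',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
}
```

In a handler this would be used as `res.redirect(safeRedirectTarget(req.query.next) ?? '/')`, so a rejected target falls back to a fixed local path.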

github-actions bot commented Apr 2, 2024

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/8526321100.

@github-actions github-actions bot merged commit ca3ea00 into main Apr 2, 2024
9 checks passed
@github-actions github-actions bot deleted the renovate/n8n-1.x branch April 2, 2024 16:35