Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency n8n to v1.50.1 #5993

Merged
merged 1 commit into from
Jul 17, 2024
Merged

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
n8n (source) minor 1.49.0 -> 1.50.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

n8n-io/n8n (n8n)

v1.50.1

Compare Source

Bug Fixes
  • editor: Ensure all static assets are accessible from the server (#​10062) (c673209)
  • editor: Remove push event listeners when migrating away from the canvas (#​10063) (45afe78)

v1.50.0

Compare Source

Bug Fixes
  • core: Aborting manual trigger tests should call closeFunction (#​9980) (6107798)
  • core: Allow owner and admin to edit nodes with credentials that haven't been shared with them explicitly (#​9922) (0f49598)
  • core: Clear active execution on cancellation in scaling mode (#​9979) (7e972c7)
  • core: Disconnect Redis after pausing queue during worker shutdown (#​9928) (c82579b)
  • core: Don't execute 'workflowExecuteBefore' hook on execution continuations (#​9905) (adb8315)
  • core: Prevent multiple values in the execution metadata for the same key and executionId (#​9953) (2e6b03b)
  • Google Sheets Node: Append fails if cells have some default values added by data validation rules (#​9950) (d1821eb)
  • Invoice Ninja Node: Fix assigning an invoice to a payment (#​9590) (7a3c127)
  • Invoice Ninja Node: Fix emailing and marking invoice as paid / sent (#​9589) (908ddd8)
Features
  • Chat Trigger Node: Add support for file uploads & harmonize public and development chat (#​9802) (df78315)
  • Google Cloud Firestore Node: Add support for service account and document creation with id (#​9713) (cb1bbf5)
  • Orbit Node: Deprecate Orbit nicely (#​9962) (9577d9c)
  • Qdrant Vector Store search filter (#​9900) (fbe4bca)
  • Splunk Node: Overhaul (#​9813) (e5c3247)
  • Telegram Node: Add support to Keyboard Button Mini Apps (#​9511) (3a17943)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

Copy link

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.50.1

📦 Image Reference ghcr.io/uniget-org/tools/n8n:1.50.1
digestsha256:ff9e9a1387a8207ef36c03e171e3cf308753b5351d038f7de95a2ebacb993af6
vulnerabilitiescritical: 1 high: 1 medium: 2 low: 0
platformlinux/amd64
size153 MB
packages1374
critical: 1 high: 0 medium: 0 low: 0 protobufjs 7.2.4 (npm)

pkg:npm/protobufjs@7.2.4

critical 9.8: CVE--2023--36665 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Affected range>=7.0.0
<7.2.5
Fixed version7.2.5
CVSS Score9.8
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description

protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about Object.constructor.prototype.<new-property> = ...; whereas CVE-2022-25878 was about Object.__proto__.<new-property> = ...; instead.

critical: 0 high: 1 medium: 0 low: 0 pdfjs-dist 2.16.105 (npm)

pkg:npm/pdfjs-dist@2.16.105

high : CVE--2024--4367

Affected range<=4.1.392
Fixed version4.2.67
Description

Impact

If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

Patches

The patch removes the use of eval:
mozilla/pdf.js#18015

Workarounds

Set the option isEvalSupported to false.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

critical: 0 high: 0 medium: 1 low: 0 identity 3.4.2 (npm)

pkg:npm/%40azure/identity@3.4.2

medium 5.5: CVE--2024--35255 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Affected range<4.2.1
Fixed version4.2.1
CVSS Score5.5
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

critical: 0 high: 0 medium: 1 low: 0 semver 5.3.0 (npm)

pkg:npm/semver@5.3.0

medium 5.3: CVE--2022--25883 Inefficient Regular Expression Complexity

Affected range<5.7.2
Fixed version5.7.2
CVSS Score5.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description

Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Copy link

Copy link

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9980144963.

@github-actions github-actions bot merged commit 439a9bc into main Jul 17, 2024
13 checks passed
@github-actions github-actions bot deleted the renovate/n8n-1.x branch July 17, 2024 19:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants