151 of the 325 findings came from Repobility's proprietary detections; the ✓ Repobility tag below marks them.
Upstream (GitHub) caused the delay on this scan, not Repobility:
  • GitHub API rate-limited (HTTP 403); preflight skipped, fell back to a direct git clone.
  • Clone from GitHub took 59.9s for a 140.1 MB repo (slow).
  • Repobility's analysis ran in 44.0s after the clone landed.

n8n-io/n8n

https://github.com/n8n-io/n8n · scanned 2026-06-05 04:32 UTC (3 hours, 17 minutes ago) · 10 languages

2791 findings (269 legacy + 2522 scanner) · 11/13 scanners ran · 83rd percentile · TypeScript · huge (>500K LoC) · composite score 90 vs. scanner score 55 (composite higher by 35)


Complete repo analysis

Last scanned 3 hours, 17 minutes ago · v2 · 1530 findings from 2 sources. Findings combine the legacy security pipeline and the multi-layer engine (atlas, wiring, flows, ranked), plus verified AI agent contributions.

Score breakdown · 2026-05-18-v5
Component             Sub-score   Weight   Contribution
structure_score            60.0     0.15           9.00
security_score            100.0     0.25          25.00
testing_score             100.0     0.20          20.00
documentation_score        97.0     0.15          14.55
practices_score            91.0     0.15          13.65
code_quality               78.0     0.10           7.80
Overall                             1.00          90.00
security_score may be inflated — optional security scanners were skipped on this fast scan
Active filters: excluding tests.
Scan summary: the repository scored 55.0/100 with 100.0% coverage. It contains 50,889 nodes across 30 cross-layer flows in a mix of languages. The engine surfaced 1261 findings, concentrated in quality (541), frontend (407) and api (111). Risk profile is high: 33 critical, 76 high, 123 medium. Recommended next step: open the quality layer findings first, since that is where the highest-impact wins are.

Showing 889 of 1530 findings.

critical · Legacy · quality · conf 1.00 · ✓ Repobility · [MINED019] SSTI via Jinja `from_string` (3 locations)
  Rule: `jinja2.Environment().from_string(user_input)` renders attacker-controlled template text in an unsandboxed environment, which is remote code execution. Review and fix per the pattern semantics. See CWE-94 / OWASP A03:2021.
  Locations (tags: quality, legacy):
  • packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/ConversationalAgent/execute.ts:71
  • packages/@n8n/ai-workflow-builder.ee/src/prompts/chains/compact.prompt.ts:4
  • packages/@n8n/ai-workflow-builder.ee/src/prompts/chains/categorization.prompt.ts:76
  Triage note: all three hits are TypeScript files, two of them prompt templates. `jinja2` is a Python library and cannot execute in these files, so confirm whether the match is on template syntax inside a prompt string before treating this as SSTI.
critical · Legacy · quality · conf 1.00 · ✓ Repobility · [MINED024] JS `eval()` usage (3 locations)
  Rule: `eval()` executes arbitrary code; any input that reaches it is a code injection. Review and fix per the pattern semantics. See CWE-95.
  Locations (tags: quality, legacy):
  • packages/@n8n/agents/src/evals/correctness.ts:9
  • packages/@n8n/agents/src/evals/contains-keywords.ts:9
  • packages/@n8n/agents/src/evals/categorization.ts:5
  Triage note: all three files sit in a directory named `evals`, and the reported lines (5 and 9) are near the top of each file where imports usually live. Confirm the match is an actual `eval(` call and not the word inside a module path or identifier.
critical · Legacy · software / dependency · conf 0.90 · ✓ Repobility · [MINED116] Repository secret referenced in a workflow that also declares a `pull_request` trigger (22 locations)
  Scanner rationale: the workflow triggers on `pull_request`, which checks out the pull request's code, and references `${{ secrets.<NAME> }}`, so a PR from any fork could modify a script, log the value and exfiltrate the secret.
  Correction: GitHub does not pass repository secrets to `pull_request` runs initiated from a fork; such runs receive only a read-only `GITHUB_TOKEN`. On that trigger the secret is reachable only from branches pushed to the repository itself, that is, by write collaborators. The exfiltration path the rule describes requires a trigger that runs in the base repository's privileged context (`pull_request_target`, `workflow_run`, `issue_comment`) combined with a checkout or execution of PR-controlled code before the secret is consumed. The original advice to "switch the trigger to `pull_request_target`" is precisely the change that creates that condition and must not be applied as a remediation.
  Fix: keep `pull_request` for anything that builds or tests PR code, and let those jobs run without secrets. Move steps that need a secret (coverage upload, Slack notification, registry login, GitHub App token minting) into a job that runs on `push` to protected branches or on another trusted trigger. Where `pull_request_target` is genuinely required, check out only the base ref, never run PR-supplied scripts, and treat every `github.event.pull_request.*` field as untrusted input.
  Triage: confirm each file's `on:` block and which job actually consumes the secret. The listing shows the two patterns occur in the same file; it does not by itself establish a data flow from fork-controlled code to the secret.
  Locations (tags: dependency, legacy), grouped by workflow:
  • .github/workflows/build-windows.yml:60 `secrets.QBOT_SLACK_TOKEN`
  • .github/workflows/ci-detect-new-packages.yml:34 `secrets.RELEASE_HELPER_SLACK_TOKEN`
  • .github/workflows/ci-pull-requests.yml:17 `secrets.CODECOV_TOKEN`; :18 `secrets.QA_METRICS_WEBHOOK_URL`; :19 `secrets.QA_METRICS_WEBHOOK_USER`; :20 `secrets.QA_METRICS_WEBHOOK_PASSWORD`
  • .github/workflows/docker-build-smoke.yml:41 `secrets.DOCKER_USERNAME`; :42 `secrets.DOCKER_PASSWORD`; :55 `secrets.N8N_ASSISTANT_APP_ID`; :56 `secrets.N8N_ASSISTANT_PRIVATE_KEY`; :77 `secrets.QBOT_SLACK_TOKEN`
  • .github/workflows/release-publish.yml:61 `secrets.SENTRY_AUTH_TOKEN`; :252 `secrets.RELEASE_HELPER_SLACK_TOKEN`
  • .github/workflows/sec-publish-fix.yml:20 `secrets.N8N_ASSISTANT_APP_ID`; :21 `secrets.N8N_ASSISTANT_PRIVATE_KEY`; :57 `secrets.QBOT_SLACK_TOKEN`
  • .github/workflows/util-backport-bundle.yml:33 `secrets.N8N_ASSISTANT_APP_ID`
  • .github/workflows/util-cleanup-abandoned-release-branches.yml:21 `secrets.N8N_ASSISTANT_APP_ID`; :22 `secrets.N8N_ASSISTANT_PRIVATE_KEY`
  • .github/workflows/util-notify-pr-status.yml:18 `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL`; :26 `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_URL`; :28 `secrets.N8N_NOTIFY_PR_STATUS_CHANGED_TOKEN`
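Added example (not Repobility's detector and not n8n's code): a triage script for the MINED116 group above. `parse_triggers` pulls the event names out of a workflow's top-level `on:` block, `assess` collects the `${{ secrets.* }}` references and looks for a checkout of the PR head, and the verdict follows the trust boundary described in the correction: `pull_request` with secrets is informational, `pull_request_target` with secrets but no PR-head checkout is a review item, and `pull_request_target` plus PR-head checkout plus secrets is the critical pwn-request case. The three workflow samples, their step contents and the secret names in them are constructed for illustration and do not come from the n8n repository; the regex-based `on:` parser is a deliberate simplification that handles the scalar, flow-list, mapping and block-sequence forms without a YAML library, and the privileged-trigger set is an assumption limited to the three events named in the correction.

```python
"""Triage GitHub Actions workflow text for the secrets / pull_request trust boundary.
Added example; not Repobility's detector and not n8n's code. Samples are constructed."""
from __future__ import annotations
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# The step that lets fork code into a privileged run: checking out / fetching the PR head
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref|repo\.full_name)|gh\s+pr\s+checkout")
ON_LINE = re.compile(r'^(?:on|"on"):\s*(.*)$')  # top-level `on:` only (column 0)
EVENT_KEY = re.compile(r"^\s*(?:-\s*)?[\"']?([a-z_]+)[\"']?\s*:?\s*(?:#.*)?$")
# Triggers that run with the base repository's secrets even when the PR comes from a fork
PRIVILEGED_PR_TRIGGERS = {"pull_request_target", "workflow_run", "issue_comment"}

def parse_triggers(workflow: str) -> set[str]:
    """Event names from the top-level `on:` block: scalar, flow list, mapping or
    block-sequence form (one event per line; nested keys such as `types:` are skipped)."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = ON_LINE.match(line)
        if not m:
            continue
        inline = m.group(1).split("#", 1)[0].strip()
        if inline.startswith("["):
            return {t.strip().strip("'\"") for t in inline.strip("[]").split(",") if t.strip()}
        if inline:
            return {inline.strip("'\"")}
        events, key_indent = set(), None
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break  # the next top-level key ends the `on:` block
            key_indent = indent if key_indent is None else key_indent
            if indent == key_indent and (k := EVENT_KEY.match(nxt)):
                events.add(k.group(1))
        return events
    return set()

def assess(workflow: str) -> dict:
    """Only privileged trigger + PR-head checkout + secret is the fork-exfiltration case;
    on plain `pull_request`, GitHub withholds repository secrets from fork-initiated runs."""
    triggers = parse_triggers(workflow)
    secrets = set(SECRET_REF.findall(workflow))
    head = bool(HEAD_CHECKOUT.search(workflow))
    privileged = sorted(triggers & PRIVILEGED_PR_TRIGGERS)
    if not secrets:
        verdict, reason = "ok", "no repository secrets referenced"
    elif privileged and head:
        verdict, reason = "critical", (f"{privileged} runs with base-repo secrets and checks out "
                                       f"the PR head; fork code can read {sorted(secrets)}")
    elif privileged:
        verdict, reason = "review", (f"{privileged} has secrets but no PR-head checkout; safe only "
                                     "while no PR-controlled code or event field is used first")
    elif "pull_request" in triggers:
        verdict, reason = "info", ("fork PRs get no repository secrets on pull_request; exposure "
                                   "is limited to branches pushed by write collaborators")
    else:
        verdict, reason = "ok", "no pull-request-driven trigger"
    return {"triggers": triggers, "secrets": secrets, "checks_out_pr_head": head,
            "verdict": verdict, "reason": reason}

# Constructed samples (not from the n8n repository); the secret names are invented.
PWN_REQUEST = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork code in privileged context
      - run: ./scripts/build.sh                           # attacker-editable script
        env:
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
"""
PLAIN_PULL_REQUEST = """\
on: [push, pull_request]
jobs:
  test:
    steps:
      - run: ./scripts/upload-coverage.sh
        env:
          COVERAGE_TOKEN: ${{ secrets.COVERAGE_TOKEN }}  # empty string on fork PRs
"""
METADATA_ONLY_TARGET = """\
on:
  pull_request_target:
jobs:
  label:
    steps:
      - uses: actions/labeler@v5  # reads event metadata, never checks out PR code
        with:
          repo-token: ${{ secrets.LABELER_TOKEN }}
"""
if __name__ == "__main__":
    for name in ("PWN_REQUEST", "PLAIN_PULL_REQUEST", "METADATA_ONLY_TARGET"):
        a = assess(globals()[name])
        print(f"{name}: {a['verdict']} {sorted(a['triggers'])} {a['reason']}")
```

Run against the workflow files in the listing, `assess(open(path).read())` is the call; an `info` verdict is the expected result for the 22 findings above if their trigger really is `pull_request`, while a `critical` verdict marks a genuine pwn-request pattern, which is the condition the scanner's suggested fix would have introduced.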
critical · Legacy · cicd / docker · conf 0.96 · Compose service contains a literal secret environment value (21 locations)
  Fix: rotate the value if it is real. Move it to Docker Compose `secrets:`, a platform secret manager, or an environment file that is not committed.
  Locations (tags: docker, legacy):
  • packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml:8, :36
  • packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml:17, :34, :71, :81, :121, :131
  • packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml:18, :34, :73, :83, :125, :135, :173
  • packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml:8, :25, :57
  • .github/docker-compose.yml:1
  • .devcontainer/docker-compose.yml:4, :13
  Triage note: the benchmark setups and the devcontainer are local, throwaway environments where placeholder database credentials are common. Check that none of the values has ever been reused for a shared system, and prefer `secrets:` or an untracked `.env` file anyway so the pattern is not copied into production compose files. The `.github/docker-compose.yml:1` hit points at the first line of the file, which is rarely an environment entry; confirm it is not a file-level match.
critical · 9-layer security · owasp · conf 1.00 · Insecure pattern `private_key_in_repo` (2 locations)
  Rule: a known-risky pattern was found. Review and replace if possible.
  Locations (tags: owasp, private_key_in_repo):
  • packages/nodes-base/credentials/GoogleApi.credentials.ts:258
  • packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:65
  Triage note: both files are n8n credential-type definitions, which describe the fields a user fills in. Google service-account and Salesforce JWT authentication take a private-key field, so a PEM header such as `-----BEGIN PRIVATE KEY-----` in a placeholder or description string is expected there. Confirm a key body is present, not just the header text, before rotating anything.
critical · 9-layer security · secrets · conf 1.00 · Possible secret matching pattern `password_literal` (22 locations)
  Fix: if the value is a real credential, rotate it and move it to a secret manager.
  Locations (tags: secrets):
  • packages/@n8n/instance-ai/evaluations/credentials/seeder.ts:81
  • packages/cli/src/modules/sso-oidc/oidc.service.ee.ts:352
  • packages/frontend/editor-ui/src/app/constants/navigation.ts:22, :23
  • packages/nodes-base/credentials/ElasticsearchApi.credentials.ts:52
  • packages/nodes-base/credentials/F5BigIpApi.credentials.ts:41
  • packages/nodes-base/credentials/GongApi.credentials.ts:47
  • packages/nodes-base/credentials/JiraSoftwareCloudApi.credentials.ts:44
  • packages/nodes-base/credentials/JiraSoftwareServerApi.credentials.ts:46
  • packages/nodes-base/credentials/KibanaApi.credentials.ts:58
  • packages/nodes-base/credentials/MailgunApi.credentials.ts:53
  • packages/nodes-base/credentials/MailjetEmailApi.credentials.ts:45
  • packages/nodes-base/credentials/MauticApi.credentials.ts:45
  • packages/nodes-base/credentials/QualysApi.credentials.ts:51
  • packages/nodes-base/credentials/ServiceNowBasicApi.credentials.ts:50
  • packages/nodes-base/credentials/SolarWindsIpamApi.credentials.ts:60
  • packages/nodes-base/credentials/TogglApi.credentials.ts:36
  • packages/nodes-base/credentials/TrellixEpoApi.credentials.ts:41
  • packages/nodes-base/credentials/TwilioApi.credentials.ts:84
  • packages/nodes-base/credentials/VerticaApi.credentials.ts:52
  • packages/nodes-base/credentials/WordpressApi.credentials.ts:52
  • packages/nodes-base/credentials/WufooApi.credentials.ts:36
  Triage note: eighteen of the hits are n8n credential-type definitions, where a `password` property declaration (the field's name and its type options) is the normal content; a field declaration is not a literal value. The `navigation.ts` constants and the `seeder.ts` evaluation fixture are likely route names or test data. Inspect the quoted string at each line; only a real credential warrants rotation.
low Legacy quality quality conf 1.00 ✓ Repobility [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
Review and fix per the pattern semantics. See CWE-327 / A02:2021 for context.
packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:127 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
Review and fix per the pattern semantics. See CWE-705 / for context.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py:329 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
packages/@n8n/db/src/services/db-lock.service.ts:191 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
Review and fix per the pattern semantics. See CWE-682 / for context.
packages/@n8n/ai-workflow-builder.ee/src/assistant/assistant-handler.ts:270 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately — assume it is compromised.
packages/@n8n/mcp-browser/src/redaction/patterns.ts:25 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
Move the secret to an environment variable or secret manager. Rotate the exposed credential immediately — assume it is compromised.
packages/@n8n/instance-ai/evaluations/computer-use/graders/security.ts:23 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Attribute` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:103 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Attribute` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:96 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Attribute` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:88 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Call` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:138 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Global` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:184 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Import` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:53 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:72 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:68 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:62 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Name` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:80 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._add_violation` used but never assigned in __init__: Method `visit_Subscript` of class `SecurityValidator` reads `self._add_violation`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._add_violation = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:165 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._check_format_string` used but never assigned in __init__: Method `visit_Constant` of class `SecurityValidator` reads `self._check_format_string`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._check_format_string = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:175 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._filter_out_ignored_errors` used but never assigned in __init__: Method `init` of class `TaskRunnerSentry` reads `self._filter_out_ignored_errors`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._filter_out_ignored_errors = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/sentry.py:50 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._is_from_user_code` used but never assigned in __init__: Method `_filter_out_ignored_errors` of class `TaskRunnerSentry` reads `self._is_from_user_code`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._is_from_user_code = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/sentry.py:86 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._validate_import` used but never assigned in __init__: Method `visit_Call` of class `SecurityValidator` reads `self._validate_import`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._validate_import = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:136 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._validate_import` used but never assigned in __init__: Method `visit_Import` of class `SecurityValidator` reads `self._validate_import`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._validate_import = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:51 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self._validate_import` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self._validate_import`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self._validate_import = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:64 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Attribute` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generic_visit = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:105 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Call` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generic_visit = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:140 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Constant` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generic_visit = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:177 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Global` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generic_visit = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:187 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Import` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generic_visit = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:56 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_ImportFrom` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generic_visit = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:76 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Name` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generic_visit = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:82 quality legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Subscript` of class `SecurityValidator` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no class-level fallback). This raises AttributeError the first time the method runs against an instance.
Initialize `self.generic_visit = <default>` in __init__, or add a class-level default.
packages/@n8n/task-runner-python/src/task_analyzer.py:169 quality legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/publish.yml:76 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/checkout@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/ci.yml:19 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/publish.yml:79 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: actions/setup-node@<40-char-sha> # v4` and let Dependabot bump it on a scheduled cadence.
packages/@n8n/node-cli/src/template/templates/shared/default/.github/workflows/ci.yml:22 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@<40-char-sha> # v2.1.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-push.yml:356 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@<40-char-sha> # v2.1.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-push.yml:337 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED115] Action `slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml` pinned to mutable ref `@v2.1.0`: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions/changed-files compromise (2025) instantly affect ~23K repos. Pin to a 40-char commit SHA + lock with Dependabot or renovate.
Replace with: `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@<40-char-sha> # v2.1.0` and let Dependabot bump it on a scheduled cadence.
.github/workflows/docker-build-push.yml:318 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `alpine:3.22` not pinned by digest: `FROM alpine:3.22` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM alpine:3.22@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/runners/Dockerfile:83 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/runners/Dockerfile.distroless:140 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM debian:bookworm-slim@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/runners/Dockerfile.distroless:107 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `gcr.io/distroless/cc-debian12:latest` not pinned by digest: `FROM gcr.io/distroless/cc-debian12:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM gcr.io/distroless/cc-debian12:latest@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/runners/Dockerfile.distroless:180 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `n8nio/base (no tag)` not pinned by digest: `FROM n8nio/base (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM n8nio/base (no tag)@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
docker/images/n8n/Dockerfile:21 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED118] Dockerfile FROM `node:24.15.0` not pinned by digest: `FROM node:24.15.0` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially different. Production images should pin to `image@sha256:...` for reproducibility + supply-chain integrity.
Replace with: `FROM node:24.15.0@sha256:<digest>`. Get the digest from `docker manifest inspect`. Re-pin via a scheduled bot (Renovate, Dependabot).
packages/@n8n/benchmark/Dockerfile:2 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED122] package.json dep `wa-sqlite` pulled from URL/Git: `dependencies.wa-sqlite` = `github:rhashimoto/wa-sqlite#779219540f66cecaa159da32b3b8936697ba10a7` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
packages/frontend/editor-ui/package.json:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
packages/@n8n/instance-ai/package.json:1 dependency legacy
high Legacy software dependency conf 0.90 ✓ Repobility [MINED122] package.json dep `xlsx` pulled from URL/Git: `dependencies.xlsx` = `https://cdn.sheetjs.com/xlsx-0.20.2/xlsx-0.20.2.tgz` bypasses the npm registry. No integrity hash, no version locking, no registry-side scanning. If the URL or git host is compromised, every `npm install` pulls the new payload.
Publish the dependency to npm (or your private registry) and reference it by `^x.y.z`. If that's not possible, lock by commit SHA: `git+https://...#<full-sha>` AND verify the SHA in CI.
packages/nodes-base/package.json:1 dependency legacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
.github/scripts/github-helpers.mjs:257 xss legacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
.github/scripts/determine-version-info.mjs:78 xss legacy
low Legacy software xss conf 1.00 [SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflected XSS vector. The browser parses the HTML and executes any <script> or event-handler attributes in the data. CWE-79. Especially dangerous when the data comes from a CV parser, profile field, or any user-input pipeline.
For plain text: use el.textContent = data.value (auto-escapes). For HTML you need to render: el.innerHTML = DOMPurify.sanitize(html). For React/Vue/Svelte: stop using innerHTML; use the framework's binding. When data comes from CV/PDF parsers, sanitize at the parser boundary too.
.github/scripts/claude-task/prepare-claude-prompt.mjs:49 xss legacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
packages/@n8n/instance-ai/evaluations/computer-use/graders/trace.ts:57 quality legacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
packages/@n8n/instance-ai/evaluations/computer-use/graders/fs.ts:65 quality legacy
low Legacy quality quality conf 1.00 [SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
Use a literal RegExp or whitelist-validate user input before constructing patterns.
packages/@n8n/computer-use/src/tools/filesystem/search-files.ts:83 quality legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
packages/@n8n/agents/src/runtime/title-generation.ts:195 quality legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
packages/@n8n/agents/src/runtime/observation-log-observer.ts:96 quality legacy
low Legacy quality quality conf 1.00 [SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
Use execFile / spawn with separate args array; never pass shell strings.
.github/scripts/retry.mjs:66 quality legacy
high Legacy cicd docker conf 0.92 Compose service explicitly runs as root
Run as a numeric non-root UID, or if root is needed for startup, drop privileges before starting the app process.
packages/@n8n/benchmark/scripts/n8n-setups/sqlite/docker-compose.yml:8 docker legacy
high Legacy cicd docker conf 0.92 Compose service explicitly runs as root
Run as a numeric non-root UID, or if root is needed for startup, drop privileges before starting the app process.
packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml:131 docker legacy
high Legacy cicd docker conf 0.92 Compose service explicitly runs as root
Run as a numeric non-root UID, or if root is needed for startup, drop privileges before starting the app process.
packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml:81 docker legacy
high Legacy cicd docker conf 0.92 Compose service explicitly runs as root
Run as a numeric non-root UID, or if root is needed for startup, drop privileges before starting the app process.
packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml:34 docker legacy
high Legacy cicd docker conf 0.92 Compose service explicitly runs as root
Run as a numeric non-root UID, or if root is needed for startup, drop privileges before starting the app process.
packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml:17 docker legacy
high Legacy cicd docker conf 0.92 Compose service explicitly runs as root
Run as a numeric non-root UID, or if root is needed for startup, drop privileges before starting the app process.
packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml:25 docker legacy
high Legacy cicd docker conf 0.92 Compose service explicitly runs as root
Run as a numeric non-root UID, or if root is needed for startup, drop privileges before starting the app process.
packages/@n8n/benchmark/scripts/n8n-setups/postgres/docker-compose.yml:8 · docker · legacy
high Legacy security auth conf 0.78 Consent is collected in UI without visible backend audit persistence
Persist consent as a backend record with subject, actor, purpose, scope, legal text version, timestamp, IP address, user agent, and revocation state.
packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:221 · auth · legacy
high Legacy cicd docker conf 0.90 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
.github/docker-compose.yml:1 · docker · legacy
high Legacy cicd docker conf 0.84 Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml:8 · docker · legacy
high Legacy cicd docker conf 0.84 Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml:8 · docker · legacy
high Legacy cicd docker conf 0.84 Database service publishes a host port
Use `expose` for service-to-service access, bind to 127.0.0.1 for local-only access, or protect the port with firewall rules.
.github/docker-compose.yml:1 · docker · legacy
high 9-layer api wiring conf 1.00 Dangling fetch: DELETE /rest/credentials/${id} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:456)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:456` calls `DELETE /rest/credentials/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/credentials/<p>` If this points at an external API, prefix…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: DELETE /rest/instance-ai/threads/${threadId} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:207)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:207` calls `DELETE /rest/instance-ai/threads/${threadId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/threads/<p>` If this points at a…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: DELETE /rest/projects/${projectId}/data-tables/${dataTableId} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:497)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:497` calls `DELETE /rest/projects/${projectId}/data-tables/${dataTableId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/projects/<p>/data-tables/<p…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: DELETE /rest/workflows/${id} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:419)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:419` calls `DELETE /rest/workflows/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows/<p>` If this points at an external API, prefix it …
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /@fs${file}?t=${Date.now()} (packages/frontend/editor-ui/src/app/dev/i18nHmr.ts:36)
`packages/frontend/editor-ui/src/app/dev/i18nHmr.ts:36` calls `GET /@fs${file}?t=${Date.now()}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/@fs/<p>` If this points at an external API, prefix it with `https://` so…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/credentials (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:264)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:264` calls `GET /rest/credentials` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/credentials` If this points at an external API, prefix it with `htt…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/executions${query} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:287)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:287` calls `GET /rest/executions${query}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/executions/<p>` If this points at an external API, prefix it…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/executions/${executionId} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:318)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:318` calls `GET /rest/executions/${executionId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/executions/<p>` If this points at an external API, pr…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/instance-ai/gateway/status (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:229)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:229` calls `GET /rest/instance-ai/gateway/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/gateway/status` If this points at an ext…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/instance-ai/threads/${threadId}/messages (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:196)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:196` calls `GET /rest/instance-ai/threads/${threadId}/messages` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/threads/<p>/messages` If t…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/instance-ai/threads/${threadId}/status (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:188)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:188` calls `GET /rest/instance-ai/threads/${threadId}/status` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/threads/<p>/status` If this …
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/login (packages/@n8n/nodes-langchain/nodes/trigger/ChatTrigger/templates.ts:126)
`packages/@n8n/nodes-langchain/nodes/trigger/ChatTrigger/templates.ts:126` calls `GET /rest/login` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/login` If this points at an external API, prefix it with `https:…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/projects/${projectId}/data-tables (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:480)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:480` calls `GET /rest/projects/${projectId}/data-tables` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/projects/<p>/data-tables` If this points at a…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/projects/personal (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:466)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:466` calls `GET /rest/projects/personal` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/projects/personal` If this points at an external API, prefix …
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/workflows (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:240)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:240` calls `GET /rest/workflows` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows` If this points at an external API, prefix it with `https:/…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET /rest/workflows/${id} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:275)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:275` calls `GET /rest/workflows/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows/<p>` If this points at an external API, prefix it wit…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET http://${container.getHost()}:${hostPort}/quicktunnel (packages/testing/containers/services/cloudflared.ts:83)
`packages/testing/containers/services/cloudflared.ts:83` calls `GET http://${container.getHost()}:${hostPort}/quicktunnel` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/<p>:/<p>/quicktunnel` If this points at…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET http://${host}:${hostPort}/api/tunnels (packages/testing/containers/services/ngrok.ts:85)
`packages/testing/containers/services/ngrok.ts:85` calls `GET http://${host}:${hostPort}/api/tunnels` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/http:/<p>:/<p>/api/tunnels` If this points at an external API, pre…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://api-rs.n8n.io/sourceConfig (packages/cli/src/controllers/telemetry.controller.ts:51)
`packages/cli/src/controllers/telemetry.controller.ts:51` calls `GET https://api-rs.n8n.io/sourceConfig` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api-rs.n8n.io/sourceconfig` If this points at an externa…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://api.example.com (packages/@n8n/eslint-plugin-community-nodes/src/rules/no-deprecated-workflow-functions.test.ts:31)
`packages/@n8n/eslint-plugin-community-nodes/src/rules/no-deprecated-workflow-functions.test.ts:31` calls `GET https://api.example.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/https:/api.example.com`…
wiring · dangling-fetch · helper:request
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://api.example.com/data (packages/cli/src/utils/circuit-breaker.ts:264)
`packages/cli/src/utils/circuit-breaker.ts:264` calls `GET https://api.example.com/data` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.example.com/data` If this points at an external API, prefix it with …
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://api.example.com/data (packages/testing/janitor/src/rules/api-purity.rule.test.ts:70)
`packages/testing/janitor/src/rules/api-purity.rule.test.ts:70` calls `GET https://api.example.com/data` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.example.com/data` If this points at an external API,…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com (packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:306)
`packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:306` calls `GET https://example.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com` If this points at an external API, prefi…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com (packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:339)
`packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:339` calls `GET https://example.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com` If this points at an external API, prefi…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com (packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:365)
`packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:365` calls `GET https://example.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com` If this points at an external API, prefi…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com (packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:387)
`packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:387` calls `GET https://example.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com` If this points at an external API, prefi…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com (packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:408)
`packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:408` calls `GET https://example.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com` If this points at an external API, prefi…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com/1 (packages/@n8n/eslint-plugin-community-nodes/src/rules/no-deprecated-workflow-functions.test.ts:103)
`packages/@n8n/eslint-plugin-community-nodes/src/rules/no-deprecated-workflow-functions.test.ts:103` calls `GET https://example.com/1` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/https:/example.com/<p>` …
wiring · dangling-fetch · helper:request
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com/1 (packages/@n8n/eslint-plugin-community-nodes/src/rules/no-deprecated-workflow-functions.test.ts:57)
`packages/@n8n/eslint-plugin-community-nodes/src/rules/no-deprecated-workflow-functions.test.ts:57` calls `GET https://example.com/1` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/https:/example.com/<p>` I…
wiring · dangling-fetch · helper:request
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com/1 (packages/@n8n/eslint-plugin-community-nodes/src/rules/no-deprecated-workflow-functions.test.ts:89)
`packages/@n8n/eslint-plugin-community-nodes/src/rules/no-deprecated-workflow-functions.test.ts:89` calls `GET https://example.com/1` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: helper:request Normalized path used for matching: `/https:/example.com/<p>` I…
wiring · dangling-fetch · helper:request
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.com/mcp (packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:269)
`packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:269` calls `GET https://example.com/mcp` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.com/mcp` If this points at an external AP…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.test/mcp (packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:196)
`packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:196` calls `GET https://example.test/mcp` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.test/mcp` If this points at a…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.test/mcp (packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:277)
`packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:277` calls `GET https://example.test/mcp` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.test/mcp` If this points at a…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.test/mcp (packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:365)
`packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:365` calls `GET https://example.test/mcp` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.test/mcp` If this points at a…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://example.test/mcp (packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:387)
`packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:387` calls `GET https://example.test/mcp` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/example.test/mcp` If this points at a…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: GET https://webhook.example.com/endpoint (packages/cli/src/utils/circuit-breaker.ts:110)
`packages/cli/src/utils/circuit-breaker.ts:110` calls `GET https://webhook.example.com/endpoint` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/webhook.example.com/endpoint` If this points at an external API,…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: PATCH /rest/workflows/${id} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:329)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:329` calls `PATCH /rest/workflows/${id}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows/<p>` If this points at an external API, prefix it w…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /mcp-server/http (packages/testing/playwright/services/mcp-api-helper.ts:877)
`packages/testing/playwright/services/mcp-api-helper.ts:877` calls `POST /mcp-server/http` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/mcp-server/http` If this points at an external API, prefix it with `https://`…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /mcp-server/http (packages/testing/playwright/services/mcp-api-helper.ts:900)
`packages/testing/playwright/services/mcp-api-helper.ts:900` calls `POST /mcp-server/http` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/mcp-server/http` If this points at an external API, prefix it with `https://`…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/credentials (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:431)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:431` calls `POST /rest/credentials` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/credentials` If this points at an external API, prefix it with `ht…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/instance-ai/chat/${threadId} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:154)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:154` calls `POST /rest/instance-ai/chat/${threadId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/chat/<p>` If this points at an extern…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/instance-ai/chat/${threadId}/cancel (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:178)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:178` calls `POST /rest/instance-ai/chat/${threadId}/cancel` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/chat/<p>/cancel` If this point…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/instance-ai/confirm/${requestId} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:167)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:167` calls `POST /rest/instance-ai/confirm/${requestId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/confirm/<p>` If this points at an…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/instance-ai/eval/execute-with-llm-mock/${workflowId} (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:524)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:524` calls `POST /rest/instance-ai/eval/execute-with-llm-mock/${workflowId}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/eval/execute-…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/instance-ai/gateway/create-link (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:217)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:217` calls `POST /rest/instance-ai/gateway/create-link` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/gateway/create-link` If this point…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/instance-ai/threads (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:143)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:143` calls `POST /rest/instance-ai/threads` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/instance-ai/threads` If this points at an external API, pr…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/login (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:126)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:126` calls `POST /rest/login` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/login` If this points at an external API, prefix it with `https://` so t…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/mcp-registry/test/seed (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:445)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:445` calls `POST /rest/mcp-registry/test/seed` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/mcp-registry/test/seed` If this points at an external A…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/workflows (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:255)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:255` calls `POST /rest/workflows` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows` If this points at an external API, prefix it with `https:…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/workflows/${id}/activate (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:351)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:351` calls `POST /rest/workflows/${id}/activate` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows/<p>/activate` If this points at an external…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/workflows/${id}/archive (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:410)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:410` calls `POST /rest/workflows/${id}/archive` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows/<p>/archive` If this points at an external A…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/workflows/${id}/deactivate (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:366)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:366` calls `POST /rest/workflows/${id}/deactivate` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows/<p>/deactivate` If this points at an exte…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /rest/workflows/${workflowId}/run (packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:306)
`packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:306` calls `POST /rest/workflows/${workflowId}/run` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/rest/workflows/<p>/run` If this points at an external A…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /webhook/app/items/add (packages/@n8n/workflow-sdk/src/prompts/best-practices/guides/web-app.ts:87)
`packages/@n8n/workflow-sdk/src/prompts/best-practices/guides/web-app.ts:87` calls `POST /webhook/app/items/add` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/webhook/app/items/add` If this points at an external AP…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST /webhook/app/items/toggle (packages/@n8n/workflow-sdk/src/prompts/best-practices/guides/web-app.ts:79)
`packages/@n8n/workflow-sdk/src/prompts/best-practices/guides/web-app.ts:79` calls `POST /webhook/app/items/toggle` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/webhook/app/items/toggle` If this points at an exter…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST https://api.${region}.cisco.com/v3/access_tokens (packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:89)
`packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:89` calls `POST https://api.${region}.cisco.com/v3/access_tokens` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios-obj Normalized path used for matching: `/https:/api./<p>.cisco.com/v…
wiring · dangling-fetch · axios-obj
high 9-layer api wiring conf 1.00 Dangling fetch: POST https://api.linear.app/graphql (packages/cli/src/modules/agents/integrations/platforms/linear-integration.ts:164)
`packages/cli/src/modules/agents/integrations/platforms/linear-integration.ts:164` calls `POST https://api.linear.app/graphql` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/api.linear.app/graphql` If this po…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST https://enterprise.n8n.io/enterprise-trial (packages/cli/src/license/license.service.ts:60)
`packages/cli/src/license/license.service.ts:60` calls `POST https://enterprise.n8n.io/enterprise-trial` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios Normalized path used for matching: `/https:/enterprise.n8n.io/enterprise-trial` If this points at an…
wiring · dangling-fetch · axios
high 9-layer api wiring conf 1.00 Dangling fetch: POST https://slack.com/api/${method} (packages/cli/src/modules/agents/integrations/slack-app-setup.service.ts:389)
`packages/cli/src/modules/agents/integrations/slack-app-setup.service.ts:389` calls `POST https://slack.com/api/${method}` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/slack.com/api/<p>` If this points at a…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST https://sts.amazonaws.com (packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:321)
`packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:321` calls `POST https://sts.amazonaws.com` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: fetch Normalized path used for matching: `/https:/sts.amazonaws.com` If this points at an exter…
wiring · dangling-fetch · fetch
high 9-layer api wiring conf 1.00 Dangling fetch: POST https://visibility.${region}.cisco.com/iroh/oauth2/token (packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:73)
`packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:73` calls `POST https://visibility.${region}.cisco.com/iroh/oauth2/token` but no backend route matches that path. This is a runtime 404 waiting to happen. Tool: axios-obj Normalized path used for matching: `/https:/visibility./…
wiring · dangling-fetch · axios-obj
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/@n8n/agents/src/sdk/agent.ts:333
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/@n8n/agents/src/sdk/agent.ts:333 · owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/@n8n/agents/src/types/sdk/agent-builder.ts:31
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/@n8n/agents/src/types/sdk/agent-builder.ts:31 · owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:174
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:174 · owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/cli/src/modules/agents/runtime/agent-secure-runtime.ts:317
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/cli/src/modules/agents/runtime/agent-secure-runtime.ts:317 · owasp · eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/cli/src/modules/instance-registry/storage/redis-instance-storage.ts:50
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/cli/src/modules/instance-registry/storage/redis-instance-storage.ts:50 · tags: owasp, eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/cli/src/scaling/leader-election-client.ts:111
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/cli/src/scaling/leader-election-client.ts:111 · tags: owasp, eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'eval_used' in packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:47
Found a known-risky pattern (eval_used). Review and replace if possible.
packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:47 · tags: owasp, eval_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in packages/@n8n/task-runner-python/src/task_executor.py:262
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/@n8n/task-runner-python/src/task_executor.py:262 · tags: owasp, exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in packages/frontend/editor-ui/src/app/workers/coordinator/worker.ts:79
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/frontend/editor-ui/src/app/workers/coordinator/worker.ts:79 · tags: owasp, exec_used
high 9-layer security owasp conf 1.00 Insecure pattern 'exec_used' in packages/nodes-base/nodes/ExecuteCommand/ExecuteCommand.node.ts:30
Found a known-risky pattern (exec_used). Review and replace if possible.
packages/nodes-base/nodes/ExecuteCommand/ExecuteCommand.node.ts:30 · tags: owasp, exec_used
Triage note for the eval_used / exec_used group: these are name matches, not data-flow findings, and the names cover several unrelated calls. A `.eval(...)` on a Redis client is a server-side Lua EVAL, `RegExp.prototype.exec` runs no code, and a sandbox bridge or task runner whose purpose is to evaluate user-supplied code (the isolated-vm bridge, the Python task executor, the Execute Command node) is a sandbox and authorization review item, not a call to replace. The ones to escalate are a bare `eval(` or `new Function(` over data from outside the process, and a `child_process.exec` whose command string is built from untrusted input.
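An added example (not n8n code, and not a line from any file the findings name) of the two call shapes that both match `exec_used`, so a hit can be judged rather than only counted: `child_process.exec` hands one string to `/bin/sh`, while `execFile` passes an argv array with no shell in between. The input string is constructed; the example assumes a POSIX host with `sh` and `echo` on the PATH.

```typescript
// Added example (not n8n code). Two call shapes that both match an "exec_used"
// pattern but differ in whether a shell parses the input.
import { exec, execFile } from 'node:child_process';
import { promisify } from 'node:util';

const execAsync = promisify(exec);
const execFileAsync = promisify(execFile);

// Flagged shape: the input is concatenated into one command line that /bin/sh
// interprets, so ';', '|', '$(...)' and friends in the input become shell syntax.
export async function echoViaShell(userInput: string): Promise<string> {
  const { stdout } = await execAsync(`echo ${userInput}`);
  return stdout;
}

// Hardened shape: program and argv are separate and no shell is involved, so the
// same input reaches echo as a single literal argument.
export async function echoViaArgv(userInput: string): Promise<string> {
  const { stdout } = await execFileAsync('echo', [userInput]);
  return stdout;
}

// Constructed attacker-controlled value: a second command smuggled in after ';'.
export const INJECTED_INPUT = 'hello; echo INJECTED';

// Runs both shapes on the same input so the difference is observable.
export async function demo(): Promise<{ shell: string; argv: string }> {
  return {
    shell: await echoViaShell(INJECTED_INPUT), // 'hello\nINJECTED\n'
    argv: await echoViaArgv(INJECTED_INPUT),   // 'hello; echo INJECTED\n'
  };
}
```

Where the string form is the feature itself, as with a node that runs operator-supplied commands, escaping is not the control; who may author the command and what the runner process can reach are.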
medium Legacy security auth conf 0.92 [AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
Add .repobility/access.yml mapping routes to anonymous, authenticated, owner, admin, and super_admin. Keep business-specific rules in the repo so CI can enforce them.
tags: auth, legacy
high Legacy security auth conf 0.74 [AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
Review the access matrix and add explicit framework auth declarations or policy-file exceptions for intentionally public routes.
tags: auth, legacy
high Legacy security auth conf 0.68 [AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: GET /${this.restEndpoint}/options/timezones.
Require an explicit admin, maintainer, super_admin, or scoped service role in code and .repobility/access.yml.
packages/cli/src/server.ts:240 · tags: auth, legacy
Check before acting: the flagged path, by its name, lists timezone options and matches none of the categories the rule names (export, invite, role, token, billing, destructive action). Unless the handler at `server.ts:240` does more than return static data, this is a keyword mis-hit rather than missing elevated authorization.
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/@n8n/agents/src/sdk/mcp-client.ts:141 · tags: error_handling, legacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/@n8n/agents/src/runtime/runtime-helpers.ts:40 · tags: error_handling, legacy
medium Legacy quality error_handling conf 1.00 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
Log the error or rethrow it. Use console.error() at minimum.
packages/@n8n/agents/src/runtime/mcp-connection.ts:119 · tags: error_handling, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py:332 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py:293 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py:282 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py:274 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/compare_workflows.py:89 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/src/similarity.py:123 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/task-runner-python/src/task_executor.py:422 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/task-runner-python/src/task_executor.py:325 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/task-runner-python/src/task_executor.py:267 · tags: quality, legacy
high Legacy quality quality conf 1.00 ✓ Repobility [MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
Either narrow the exception type, log the exception with `logger.exception(...)`, or re-raise after handling.
packages/@n8n/task-runner-python/src/pipe_reader.py:41 · tags: quality, legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `export interface RequirementsExtractor<TRequirement> {` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `export interface RequirementsExtractor<TRequirement> {` with `export interface RequirementsExtractor<TRequirement> {==<version>` and manage upgrades through PRs / Dependabot.
packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts:3 · tags: dependency, legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `extract(workflow: WorkflowEntity): TRequirement[];` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `extract(workflow: WorkflowEntity): TRequirement[];` with `extract(workflow: WorkflowEntity): TRequirement[];==<version>` and manage upgrades through PRs / Dependabot.
packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts:4 · tags: dependency, legacy
medium Legacy software dependency conf 0.90 ✓ Repobility [MINED124] requirements.txt: `}` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, account compromises). Reproducible installs need exact pins.
Replace `}` with `}==<version>` and manage upgrades through PRs / Dependabot.
packages/cli/src/modules/n8n-packages/entities/requirements-extractor.ts:5 · tags: dependency, legacy
All three MINED124 entries point at the same TypeScript file; the quoted "requirements" are an interface declaration, a method signature and a closing brace, not pip requirement lines. The rule matched on the file name, so there is no supply-chain signal here; exact pinning applies to an actual `requirements.txt`.
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
packages/@n8n/nodes-langchain/nodes/agents/Agent/V2/AgentV2.node.ts:54 · tags: security, legacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
packages/@n8n/expression-runtime/src/extensions/number-extensions.ts:144 · tags: security, legacy
low Legacy security security conf 1.00 [SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run window.opener.location = 'phishing-site' and the parent tab quietly navigates to attacker-controlled content (reverse tabnabbing). OWASP-classic; modern browsers default rel='noopener' for new windows but explicit attribute is still required for compatibility.
Add rel="noopener noreferrer" to every <a target="_blank">: <a href="..." target="_blank" rel="noopener noreferrer">link</a> For dynamically generated links from JS, set rel on the element before appending. Even safe-looking subdomains should harden — costs nothing.
packages/@n8n/ai-utilities/src/utils/shared-fields.ts:39 · tags: security, legacy
All three SEC041 hits are `.ts` files, so the anchor markup sits in string literals (node descriptions, hints, notices) that are rendered as HTML later. The `rel` attribute has to be added inside those strings; a template-level fix in the front end does not reach them unless the renderer rewrites anchors itself.
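Because the three SEC041 hits are in `.ts` files, the anchors are inside strings that get rendered later. The following added example (not n8n code) hardens such strings in one pass and lists the offenders for an audit or a lint step; the HTML it is exercised on is constructed.

```typescript
// Added example (not n8n code). Anchors flagged in .ts files live inside string
// literals that are rendered as HTML later, so the fix is applied to the string.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const TARGET_BLANK_RE = /\btarget\s*=\s*(["']?)_blank\1/i;
const REL_RE = /\brel\s*=\s*(["'])([^"']*)\1/i;

// Returns the html with rel="noopener noreferrer" merged into every target="_blank" anchor.
export function hardenBlankTargets(html: string): string {
  return html.replace(ANCHOR_RE, (tag: string, attrs: string) => {
    if (!TARGET_BLANK_RE.test(attrs)) return tag; // same-tab link: window.opener is not exposed
    const rel = REL_RE.exec(attrs);
    const tokens = new Set((rel?.[2] ?? '').split(/\s+/).filter(Boolean));
    tokens.add('noopener');
    tokens.add('noreferrer');
    const relAttr = `rel="${Array.from(tokens).join(' ')}"`;
    const merged = rel ? attrs.replace(REL_RE, relAttr) : `${attrs} ${relAttr}`;
    return `<a${merged}>`;
  });
}

// Audit helper: the offending opening tags, unchanged, for a report or a lint failure.
export function findUnsafeBlankTargets(html: string): string[] {
  const offenders: string[] = [];
  const re = new RegExp(ANCHOR_RE.source, 'gi');
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1] ?? '';
    if (!TARGET_BLANK_RE.test(attrs)) continue;
    const rel = REL_RE.exec(attrs);
    const tokens = (rel?.[2] ?? '').toLowerCase().split(/\s+/);
    if (!tokens.includes('noopener')) offenders.push(m[0]);
  }
  return offenders;
}
```

Running `findUnsafeBlankTargets` over the description strings in CI keeps new anchors from regressing; `hardenBlankTargets` is idempotent, so it is safe to apply at render time as well.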
medium Legacy quality quality conf 1.00 [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes concept (Apache-2.0).
Use `crypto.randomBytes(32).toString('hex')` (Node) or `crypto.getRandomValues()` (browser).
packages/@n8n/benchmark/scenarios/data-table-node/data-table-node.script.js:12 · tags: quality, legacy
This file is a k6 load-test script. `Math.random()` used to vary benchmark payloads is not a cryptographic use; confirm the value never becomes a token or identifier that outlives the benchmark run before spending time on it.
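An added example, not taken from the flagged benchmark script, showing the `Math.random()` token shape beside two CSPRNG-backed versions; the alphabet-based one draws with `crypto.randomInt` so the sampling has no modulo bias. Function names are illustrative.

```typescript
// Added example (not n8n code). Token generation: the Math.random() shape the
// finding flags, beside two CSPRNG-backed versions.
import { randomBytes, randomInt } from 'node:crypto';

export const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Flagged shape: V8's Math.random() is a fast xorshift PRNG; a handful of observed
// outputs lets an attacker recover its state and predict every later token.
export function weakToken(length = 32): string {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET.charAt(Math.floor(Math.random() * ALPHABET.length));
  }
  return out;
}

// Hex token from the OS CSPRNG: 32 bytes is 256 bits of entropy.
export function hexToken(bytes = 32): string {
  return randomBytes(bytes).toString('hex');
}

// Alphanumeric token without modulo bias: randomInt(n) is uniform on [0, n),
// unlike randomBytes(1)[0] % 62, which favours the first 8 characters
// (256 = 4 * 62 + 8, so indices 0..7 get one extra byte value each).
export function alnumToken(length = 32): string {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET.charAt(randomInt(ALPHABET.length));
  }
  return out;
}

// Entropy in bits for `length` symbols drawn uniformly from an alphabet of `alphabetSize`.
export function entropyBits(length: number, alphabetSize: number = ALPHABET.length): number {
  return length * Math.log2(alphabetSize);
}
```

For session identifiers or API keys, aim for at least 128 bits; `entropyBits(32)` on the 62-symbol alphabet is about 190 bits, and `hexToken()` gives 256.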
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (Declaration of Catch for Generic Exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
packages/@n8n/nodes-langchain/nodes/mcp/shared/utils.ts:336 · tags: quality, legacy
medium Legacy quality quality conf 1.00 [SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unfamiliar API throws — wrap, swallow, return success. Real bugs are masked, observability is destroyed, and callers think the operation worked. CWE-396 (Declaration of Catch for Generic Exception). Distinct from intentional fallback because there's no log line and the success value is fabricated.
Catch the specific exception type, log at error level with full exception info, and return a failure-shaped result. If the operation is genuinely best-effort, log at warning and document why in a comment so the next reader (or scanner) knows.
packages/@n8n/node-cli/src/utils/json.ts:4 · tags: quality, legacy
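One added example (not n8n code, and not the contents of `json.ts`) for the catch shapes the ERR002, MINED111 and SEC136 findings describe: the swallowed-error form the scanners flag, then a failure-shaped result that narrows to the one expected exception, logs the best-effort case with a reason, and lets everything else propagate. The `Logger` interface is a stand-in for whatever the project uses, and the inputs are constructed.

```typescript
// Added example (not n8n code). The catch shapes behind ERR002 / MINED111 / SEC136,
// applied to JSON parsing, where SyntaxError is the only expected failure.
export type ParseResult<T> =
  | { ok: true; value: T }
  | { ok: false; error: string };

// Minimal logger contract; a stand-in for the project's own logger.
export interface Logger {
  warn(message: string, meta?: Record<string, unknown>): void;
}

// Flagged shape: every error, including bugs, is swallowed and a fabricated
// "success" value comes back. The caller cannot tell bad input from a broken parser.
export function parseJsonSwallow(text: string): unknown {
  try {
    return JSON.parse(text);
  } catch {
    return null;
  }
}

// Failure-shaped result: the expected failure is narrowed, logged (this parse is
// best-effort by design, which is why it is warn and not error), and returned as
// data; anything else propagates because it is a defect, not an input problem.
export function parseJson<T = unknown>(
  text: string,
  log: Logger,
  reviver?: (key: string, value: unknown) => unknown,
): ParseResult<T> {
  try {
    return { ok: true, value: JSON.parse(text, reviver) as T };
  } catch (err) {
    if (!(err instanceof SyntaxError)) throw err;
    log.warn('JSON parse failed', { reason: err.message, preview: text.slice(0, 40) });
    return { ok: false, error: err.message };
  }
}

// In-memory logger so the behaviour can be asserted without console output.
export function memoryLogger(): { log: Logger; entries: string[] } {
  const entries: string[] = [];
  const log: Logger = {
    warn: (message, meta) => {
      entries.push(`${message} ${JSON.stringify(meta ?? {})}`);
    },
  };
  return { log, entries };
}
```

The reviver parameter is there to show why the narrowing matters: a reviver that throws a `TypeError` is a bug in the caller's code, and the swallowing version would report it as "no data".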
medium Legacy cicd docker conf 0.88 Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
.github/docker-compose.yml:1 · tags: docker, legacy
medium Legacy cicd docker conf 0.88 Database service has no healthcheck
Add a database-native healthcheck such as pg_isready, mysqladmin ping, redis-cli ping, or the vendor's readiness command.
.devcontainer/docker-compose.yml:4 · tags: docker, legacy
medium Legacy cicd docker conf 0.74 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
packages/@n8n/benchmark/scripts/n8n-setups/scaling-single-main/docker-compose.yml:8 · tags: docker, legacy
medium Legacy cicd docker conf 0.74 Database service has no persistent data volume
Mount the database data directory to a named Docker volume or managed persistent disk, and document backup and restore testing.
packages/@n8n/benchmark/scripts/n8n-setups/scaling-multi-main/docker-compose.yml:8 · tags: docker, legacy
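An added docker-compose fragment (not any of the four flagged files) showing a database service as the two findings describe it, followed by the corrected form with a database-native healthcheck, a named volume, and a dependent service that waits for health rather than for container start. The password is a placeholder and the n8n service's own environment is omitted.

```yaml
# Added example (not n8n's compose files). Postgres is used because its readiness
# command is pg_isready; for Redis the equivalent test is ["CMD", "redis-cli", "ping"].
services:
  postgres-before:                  # flagged shape: no healthcheck, no persistent volume
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: change-me  # placeholder

  postgres:                         # corrected shape
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: change-me  # placeholder
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 20s

  n8n:                              # consumer waits for readiness, not just "started"
    image: n8nio/n8n
    depends_on:
      postgres:
        condition: service_healthy

volumes:
  pgdata: {}
```

Without the named volume the data directory lives in the container's writable layer and is lost on `docker compose down`; the `start_period` keeps the first slow initialisation from counting against `retries`.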
high Legacy cicd docker conf 0.82 Docker final stage has no non-root USER
Add a non-root USER in the final runtime stage after files and permissions are prepared.
docker/images/n8n-base/Dockerfile:5 · tags: docker, legacy
medium Legacy cicd docker conf 0.94 Dockerfile base image uses the latest tag
Pin to a maintained version tag or digest and update it deliberately through dependency automation.
docker/images/runners/Dockerfile.distroless:180 · tags: docker, legacy
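An added Dockerfile fragment (not `n8n-base/Dockerfile` or `Dockerfile.distroless`) pairing the two flagged shapes with their corrected forms: a tag pinned together with its digest, and a non-root `USER` set in the final stage after files and ownership are in place. The digest is a placeholder to be replaced with the real one, and the port and paths are illustrative.

```dockerfile
# Added example (not n8n's Dockerfiles). Resolve the real digest with
#   docker buildx imagetools inspect node:22-alpine
# and let dependency automation bump it deliberately.

# Flagged shape, kept as a comment for comparison:
#   FROM node:latest
#   COPY . /app
#   CMD ["node", "/app/server.js"]        # runs as root

FROM node:22-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS build
WORKDIR /src
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
COPY . .

FROM node:22-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
WORKDIR /app
# Create the runtime user first so ownership can be fixed in the same COPY.
RUN addgroup -S app && adduser -S -G app -h /app app
COPY --from=build --chown=app:app /src /app
# Everything the image needs is in place and owned; drop privileges last.
USER app
EXPOSE 5678
CMD ["node", "server.js"]
```

Pinning by digest means the image is immutable even if the tag is re-pushed; pinning by tag alone still protects against an unplanned major-version jump but not against a tag being moved.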
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/video/generate.t2v.operation.ts:238 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/video/generate.i2v.operation.ts:300 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/text/message.operation.ts:349 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/text/message.operation.ts:348 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/image/generate.operation.ts:196 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/nodes/vendors/AlibabaCloud/actions/image/analyze.operation.ts:201 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/nodes/llms/LMOllama/description.ts:28 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/credentials/ZepApi.credentials.ts:64 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/credentials/OllamaApi.credentials.ts:46 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/credentials/HuggingFaceApi.credentials.ts:38 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/credentials/ChromaSelfHostedApi.credentials.ts:86 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/nodes-langchain/credentials/ChromaCloudApi.credentials.ts:60 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/cli/src/client.ts:74 · tags: quality, legacy
high Legacy quality quality conf 0.74 Frontend API reference is not matched by discovered backend routes
Add the backend route, update the frontend constant to the implemented endpoint, or document that the route is served by another service and exclude it with .repobilityignore.
packages/@n8n/cli/src/client.ts:32 · tags: quality, legacy
The AlibabaCloud, Ollama, Hugging Face, Chroma and Zep entries in this group are vendor node and credential files that call third-party APIs; this repository is the client, so no backend route is expected and the appropriate action is a `.repobilityignore` entry rather than a new route. The two `packages/@n8n/cli/src/client.ts` entries are the ones worth checking against the server's route table, if that client targets the n8n REST API itself.
high Legacy software dependency conf 0.70 Remote install command pipes network code directly to a shell
Publish a package-manager install path or add checksum/signature verification before execution. For docs, show the inspect-then-run flow and pin the downloaded artifact version.
packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/python/README.md:25 · tags: dependency, legacy
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/agents/src/runtime/model-factory.ts:39
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/agents/src/sdk/catalog.ts:101
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/ai-utilities/src/utils/http-proxy-agent.ts:72
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/ai-utilities/src/web-search/brave-search.ts:63
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/ai-utilities/src/web-search/searxng-search.ts:46
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/ai-workflow-builder.ee/evaluations/cli/webhook.ts:252
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/ai-workflow-builder.ee/src/tools/web/templates.ts:72
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/benchmark/src/test-execution/k6-executor.ts:137
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/computer-use/src/gateway-client.ts:303
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/imap/src/imap-simple.ts:60
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/instance-ai/evaluations/binaryChecks/checks/item-flow-independent-source-execute-once.ts:6
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:126
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/instance-ai/evaluations/clients/sse-client.ts:5
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:91
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/instance-ai/src/types.ts:643
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:29
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/nodes-langchain/nodes/mcp/shared/__test__/utils.test.ts:269
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/@n8n/workflow-sdk/src/prompts/best-practices/guides/web-app.ts:37
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/controllers/telemetry.controller.ts:51
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/agents/integrations/platforms/telegram-integration.ts:136
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/agents/json-config/__tests__/mcp-client-factory.test.ts:196
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/instance-ai/eval/__tests__/credential-rewrite-roundtrip.test.ts:115
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/instance-ai/eval/__tests__/llm-wire-server.test.ts:9
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/instance-ai/eval/__tests__/m3-fixtures.test.ts:80
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/instance-ai/eval/__tests__/mock-handler-integration.test.ts:64
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/instance-ai/instance-ai.service.ts:412
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/instance-ai/web-research/fetch-and-extract.ts:58
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/source-control.ee/source-control-git.service.ee.ts:423
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/source-control.ee/source-control.service.ee.ts:263
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/modules/sso-oidc/oidc.service.ee.ts:705
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
tags: integrity, fragile-runtime, robustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/scaling/__tests__/job-processor.service.test.ts:138
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/cli/src/services/ai-gateway.service.ts:150
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/@n8n/chat/src/api/message.ts:237
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/editor-ui/src/features/ai/assistant/composables/useBuilderTodos.test.ts:89
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/editor-ui/src/features/ai/evaluation.ee/views/TestRunDetailView.test.ts:340
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiSettings.store.ts:397
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/frontend/editor-ui/src/features/shared/editors/plugins/codemirror/typescript/worker/npmTypesLoader.ts:11
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/nodes-base/credentials/common/aws/utils.ts:390
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/nodes-base/nodes/Form/test/utils.test.ts:107
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/nodes-base/nodes/Git/Git.node.ts:598
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/nodes-base/nodes/Merge/test/v3/combineBtSql.test.ts:141
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
medium 9-layer quality integrity conf 1.00 `fetch()` without try/.catch or AbortSignal — packages/nodes-base/nodes/NocoDB/v2/helpers/columns-fetcher.ts:160
Bare `fetch(...)` will throw an unhandled rejection on network failure. Wrap in try/catch, attach a `.catch(...)`, or pass an AbortSignal with a timeout.
integrityfragile-runtimerobustness
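Before triaging the `fetch()` findings above, two checks are worth doing by hand. Several of the flagged paths are `*.test.ts` files, where an unguarded call is usually a mocked fetch rather than a runtime risk. Two others (`source-control-git.service.ee.ts`, `Git.node.ts`) sit in git-handling code, where a call named `fetch` may be a git fetch on a client object rather than the global HTTP `fetch`; the finding title suggests the detector keys on the call name, so confirm which `fetch` is in play before changing anything. For the remaining locations, the fix the finding describes looks like the wrapper below. This is an added example, not n8n's code: `safeFetch`, `FetchOutcome`, the `stubs` object and every stub response are constructed for this page so it runs offline on Node 18+ (or any runtime with `AbortController`).

```typescript
// Added example (not n8n code): a wrapper around fetch() that handles the
// failure modes a bare fetch(...) leaves to its caller. Names (safeFetch,
// FetchOutcome, stubs) and the stub responses are constructed for this example.

// Structural types so the example does not depend on DOM lib typings.
type MinimalResponse = { ok: boolean; status: number; text(): Promise<string> };
type FetchLike = (url: string, init?: { signal?: AbortSignal }) => Promise<MinimalResponse>;

// Every outcome is a value, so a caller cannot forget to handle a failure.
type FetchOutcome =
  | { kind: 'ok'; status: number; body: string }
  | { kind: 'http-error'; status: number; body: string }
  | { kind: 'timeout'; timeoutMs: number }
  | { kind: 'network-error'; message: string };

// The real global fetch (Node 18+ / browsers); injectable so tests run offline.
const globalFetch = (globalThis as unknown as { fetch: FetchLike }).fetch;

async function safeFetch(
  url: string,
  timeoutMs: number,
  fetchImpl: FetchLike = globalFetch,
): Promise<FetchOutcome> {
  // The AbortSignal bounds how long a hung server can hold the caller.
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: controller.signal });
    const body = await res.text();
    // fetch resolves on 4xx/5xx; only res.ok separates success from failure.
    return res.ok
      ? { kind: 'ok', status: res.status, body }
      : { kind: 'http-error', status: res.status, body };
  } catch (err) {
    // Network errors and the abort both land here; tell them apart by name.
    const e = err as { name?: string; message?: string };
    if (e.name === 'AbortError') return { kind: 'timeout', timeoutMs };
    return { kind: 'network-error', message: e.message ?? String(err) };
  } finally {
    clearTimeout(timer); // never leave a pending abort behind after success
  }
}

// Constructed stand-ins for fetch, one per failure mode, so the example runs offline.
const stubs: Record<string, FetchLike> = {
  // Connection-level failure: rejects the way Node's undici-backed fetch does.
  networkDown: async () => { throw new TypeError('fetch failed'); },
  // Hung server: never resolves unless the AbortSignal fires.
  hang: (_url, init) =>
    new Promise<MinimalResponse>((_resolve, reject) => {
      const abort = () =>
        reject(Object.assign(new Error('This operation was aborted'), { name: 'AbortError' }));
      if (init?.signal?.aborted) abort();
      else init?.signal?.addEventListener('abort', abort);
    }),
  // Upstream error: fetch resolves, but ok is false.
  serverError: async () => ({ ok: false, status: 503, text: async () => 'upstream unavailable' }),
  // Healthy response.
  healthy: async () => ({ ok: true, status: 200, text: async () => '{"status":"ok"}' }),
};

// Runs each constructed failure mode through the wrapper.
async function demo(): Promise<void> {
  for (const [name, impl] of Object.entries(stubs)) {
    const outcome = await safeFetch('https://example.invalid/health', 50, impl);
    console.log(`${name}: ${JSON.stringify(outcome)}`);
  }
}
void demo();
```

The design choice is that `safeFetch` never throws: the try/catch, the `.ok` check and the timeout all collapse into one discriminated union, so a call site that forgets a branch fails type-checking instead of leaving a rejection unhandled. `clearTimeout` in `finally` matters too; without it the abort fires after a successful response and keeps the event loop alive for no reason.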

Showing first 300 of 889. Refine filters or use the legacy findings page for deep search.

API access

This page is publicly accessible at: https://repobility.com/scan/7b1f984f-8cdc-41d5-9e24-88be612a5d44/

To check status programmatically (no auth required):

curl -s https://repobility.com/api/v1/public/scan/7b1f984f-8cdc-41d5-9e24-88be612a5d44/

Important — please don't re-submit the same URL repeatedly. The submission endpoint is idempotent: re-submitting the same git URL returns this same scan_token, not a new one. To re-scan this repo, sign up free and use the dashboard.