1C2H Vulnerabilities in the Docker image

Describe the problem/error/question

Docker Desktop detected that there are multiple vulnerabilities in the Docker images. It suggests upgrading the version.

What is the error message (if any)?

Protobufjs 7.2.4: 1C
xlsx 0.19.3: 1H
pdfjs-dist 2.16.105: 1H

CVE-2023-36665

Information on your n8n setup

  • n8n version: n8n:next: 1.42.0
  • Operating system: Windows 11

It looks like your topic is missing some important information. Could you provide the following, if applicable?

  • n8n version:
  • Database (default: SQLite):
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app):
  • Operating system:

Hi @N8Wolf! Thanks for reaching out and sharing that. If you’re interested in reporting any vulnerabilities, you can do so via [email protected] as per our security policy.

  1. protobufjs is a transitive dependency that’s pulled in via @google-ai/generativelanguage. If we upgrade @google-ai/generativelanguage, this could be “addressed”, but then that’ll break langchain since it uses a year-old version of this package as a peer dependency. We are looking into fixing this in langchain and sending them a PR. But if we don’t manage to do that, we’ll consider removing support for any nodes that need these dependencies, since we can’t granularly upgrade each transitive dependency in our stack. If this is a blocker for you, please do not use any of the AI nodes. Since n8n uses lazy-loading for nodes, if a node isn’t used, its dependencies are never loaded into memory.
  2. xlsx is being upgraded here
  3. The pdfjs-dist alert is a false positive since we already disabled evaluations 2 weeks ago. At some point we’d like to upgrade pdfjs, but we haven’t so far because [email protected] pulls in a lot of unnecessary dependencies that are used for rendering, while all we use is the parser.

Thanks for pointing these out. That said, we have Snyk, Aikido, and GitHub Dependabot already configured to keep us informed about vulnerable dependencies. Users creating posts about these here or on GitHub issues doesn’t really do much but create additional work for support folks who now need to answer these posts.

If you see a vulnerable NPM or operating-system dependency in any of your scans, rest assured that we at n8n are already aware and doing our best to address these in a timely manner, even if we are not actually vulnerable to any of these vulnerabilities.
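Point 1 above hinges on knowing which direct dependency drags a vulnerable transitive package in. The following added example (not code from n8n or from this thread) walks the nested tree that `npm ls --json --all` prints and lists every path ending at an affected protobufjs version; the sample tree, the package name `example-ai-nodes` and the `0.0.0-constructed` versions are constructed placeholders, and 7.2.5 is the assumed fixed threshold for CVE-2023-36665.

```javascript
// Returns every root-to-leaf path ending at `name` with a version for which
// `isAffected(version)` is true. Each path is a list of "name@version" strings,
// so the direct dependency responsible for the pull-in is visible at a glance.
function findDependencyPaths(tree, name, isAffected) {
  const hits = [];
  const walk = (pkgName, node, path) => {
    const here = [...path, `${pkgName}@${node.version}`];
    if (pkgName === name && isAffected(node.version)) hits.push(here);
    // Deduplicated entries in npm's output have no `dependencies`, so the
    // recursion stops there on its own.
    for (const [child, childNode] of Object.entries(node.dependencies || {})) {
      walk(child, childNode, here);
    }
  };
  walk(tree.name, tree, []);
  return hits;
}

// Minimal numeric x.y.z comparison (no pre-release tags): is `version`
// strictly older than `fixed`?
function isOlderThan(version, fixed) {
  const a = version.split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] ?? 0, y = b[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Assumed fixed threshold for CVE-2023-36665; confirm against the advisory
// your scanner cites before relying on it.
const PROTOBUFJS_FIXED = "7.2.5";
function affectedProtobufjsPaths(tree) {
  return findDependencyPaths(tree, "protobufjs", (v) => isOlderThan(v, PROTOBUFJS_FIXED))
    .map((path) => path.join(" > "));
}

// Constructed sample tree mirroring the chain described in the thread; the
// "0.0.0-constructed" versions and "example-ai-nodes"/"other-lib" are placeholders.
const constructedTree = {
  name: "n8n", version: "1.42.0",
  dependencies: {
    "example-ai-nodes": { version: "0.0.0-constructed", dependencies: {
      langchain: { version: "0.0.0-constructed", dependencies: {
        "@google-ai/generativelanguage": { version: "0.0.0-constructed",
          dependencies: { protobufjs: { version: "7.2.4" } } } } },
      "@google-ai/generativelanguage": { version: "0.0.0-constructed",
        dependencies: { protobufjs: { version: "7.2.4" } } } } },
    "other-lib": { version: "0.0.0-constructed",
      dependencies: { protobufjs: { version: "7.2.5" } } }, // at the fixed version
  },
};

console.log(affectedProtobufjsPaths(constructedTree).join("\n"));
```

On a real checkout, replace `constructedTree` with `JSON.parse` of the `npm ls --json --all` output; the two paths printed for the sample both run through @google-ai/generativelanguage, while the protobufjs 7.2.5 copy is filtered out.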


A new version, [email protected], has been released which includes GitHub PR 9498.
