Isolated-vm blocked by Nexus Policy

Hi everyone,

I am looking to deploy n8n within my organization, but we have run into a significant blocker. Our internal security policy explicitly flags and prohibits the use of the isolated-vm library.

Describe the problem/error/question

Our internal artifact repository (Nexus) blocks the download of isolated-vm entirely. As a result, npm install fails immediately because the dependency cannot be fetched. I also do not have direct access to GitHub to fork the repository.

As I understand it, n8n uses isolated-vm to sandbox the Code Node. Because this dependency is a violation of our security standards, is there a way to install n8n without the isolated-vm dependency?

yeah isolated-vm is pretty locked down from a security perspective, so i get the restriction. honest answer is no direct substitute that gives you the same sandboxing in community edition — the code node is built around it.

couple practical workarounds though:

  1. Push code out of n8n — use a simple webhook trigger that calls your own service (nodejs, python, whatever) for the logic. n8n just orchestrates the workflow. eliminates the isolated-vm dependency entirely. little more ops overhead but totally doable.
  2. Use expression transformations instead — not as flexible as code nodes but covers a lot of cases. JSONata is surprisingly powerful if you need to manipulate data.
  3. Evaluate with the org — if this is production critical stuff, might be worth pushing back on the isolated-vm restriction. most security teams flag it as a potential risk but don’t have hard reasons to block it. depends on your org’s risk tolerance.

which direction were you leaning? the webhook approach usually wins if you’ve got somewhere to host the service.
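
Workaround 1 sketched as an added example (not code from n8n or from the posters): a dependency-free Node.js service that an n8n HTTP Request node could POST to, so the logic is fixed, reviewed code rather than user code needing a sandbox. The `x-shared-secret` header, the `LOGIC_SERVICE_SECRET` variable, port 8080, the `items` payload shape and the `transform` logic are assumptions for illustration.

```javascript
// Added example: fixed, reviewed logic in your own service instead of a Code node.
const http = require('node:http');
const crypto = require('node:crypto');

const MAX_BODY = 64 * 1024; // bytes; larger payloads are rejected

// Compare secrets in constant time (hash first so lengths always match).
function authorized(presented, secret) {
  const digest = (v) => crypto.createHash('sha256').update(String(v)).digest();
  return crypto.timingSafeEqual(digest(presented ?? ''), digest(secret));
}

// Hypothetical business logic: keep only known fields and normalise them.
function transform(item) {
  return { id: Number(item.id), email: String(item.email ?? '').trim().toLowerCase() };
}

// Pure handler: (headers, raw body, secret) -> { status, body }.
function handle(headers, rawBody, secret) {
  if (!authorized(headers['x-shared-secret'], secret)) {
    return { status: 401, body: { error: 'unauthorized' } };
  }
  if (Buffer.byteLength(rawBody) > MAX_BODY) {
    return { status: 413, body: { error: 'payload too large' } };
  }
  let data;
  try { data = JSON.parse(rawBody); } catch { data = null; }
  const items = data && data.items;
  if (!Array.isArray(items) || !items.every((i) => i && typeof i === 'object')) {
    return { status: 400, body: { error: 'expected {"items": [objects]}' } };
  }
  return { status: 200, body: { items: items.map(transform) } };
}

// Start only when a secret is configured; bind to loopback by default.
const SECRET = process.env.LOGIC_SERVICE_SECRET;
if (SECRET) {
  http.createServer((req, res) => {
    let raw = '';
    req.on('data', (chunk) => {
      raw += chunk;
      if (raw.length > MAX_BODY) req.destroy(); // stop reading oversized bodies
    });
    req.on('end', () => {
      const out = req.method === 'POST' ? handle(req.headers, raw, SECRET)
        : { status: 405, body: { error: 'POST only' } };
      res.writeHead(out.status, { 'content-type': 'application/json' });
      res.end(JSON.stringify(out.body));
    });
  }).listen(8080, '127.0.0.1');
}
```

The server does not start unless `LOGIC_SERVICE_SECRET` is set, so an unauthenticated instance cannot be launched by accident.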

If you can run Docker, just use the official n8n Docker image instead of doing npm install. It comes pre-built, so you skip the Nexus registry entirely, and isolated-vm is already compiled in there.