n8n via npm on macOS Monterey (Apple Silicon)

Hi there,

just installed n8n via npm on a development machine, and now I’m getting the following warnings:

npm WARN deprecated [email protected]: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future
npm WARN deprecated [email protected]: This version of tar is no longer supported, and will not receive security updates. Please upgrade asap.
npm WARN deprecated [email protected]: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 832 packages, changed 2 packages, and audited 968 packages in 1m

82 packages are looking for funding
  run `npm fund` for details

14 vulnerabilities (1 moderate, 13 high)

Should I be worried now?

also tried npm install [email protected] -g … down to 8 high severity vulnerabilities

Hi @dickhoning, in general it’s always a good idea to be concerned about possible vulnerabilities.

n8n integrates with several external services, quite a few of which require a very specific set of dependencies. Not all functionalities of the affected libraries are used by n8n, so in many cases the vulnerabilities require methods not used by n8n to be exploited. So one would need to take a closer look at each CVE and the respective n8n code to gather more information.

How problematic a vulnerability is will also depend on the context you run n8n in. Are you exposing your instance via the internet to unknown users or are you the only one with access to it? Do you process user-entered data or your own data?

You can always narrow down the nodes your n8n instance loads by setting the NODES_INCLUDE and NODES_EXCLUDE environment variables to have n8n only load the nodes you really need.

would it be safe to have npm fix these problems via npm audit fix --force or would this affect the working of n8n?

I don’t know. This command will update some dependencies with potentially breaking changes. You could try it out but I can’t predict the outcome I am afraid.

@MutedJam I’ve been thinking about this for some time now, and I’m wondering whether vulnerabilities aren’t something the n8n team should be looking at, since they’re putting together all the node_modules that make n8n work. Don’t get me wrong, I’m very happy to look at this myself as well, but I’m not sure what I might be breaking by removing deprecated code. I’ve started by analysing all the package.json files and found the following list of packages that match one of these criteria: ‘deprecated’, ‘please upgrade’, ‘no longer supported’ and ‘legacy’. This is the list:

At the same time, also some statistical info on the node_modules:

  • 237,5 MB
  • 34.499 items
  • 718 nodes
  • 136 contributors (identified as human names), and some of them are contributing quite a lot, for example Sindre Sorhus … https://sindresorhus.com