Hey there everyone!
We wanted to give a quick update about the ongoing Shai Hulud Supply chain attack that impacts a lot of packages on NPM and also clarify how that affects n8n.
We performed a detailed analysis and confirmed none of the NPM packages used in n8n are currently affected. Some packages are indeed on the compromised list, but the versions we use are safe for now.
We found 2 impacted (unverified) community nodes and we urge all of you to not install them. If you have been using them, you need to take immediate action.
Impacted nodes:
- @hapheus/n8n-nodes-pgp
- n8n-nodes-tmdb
We continue keeping a close eye on the situation and will update this post and drop a comment if anything changes.
