chore(deps): update dependency n8n to v1.66.0

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
n8n (source)	minor	1.65.2 -> 1.66.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

n8n-io/n8n (n8n)

v1.66.0

Compare Source

Bug Fixes

• Asana Node: Fix issue with pagination (#​11415) (04c075a)
• core: Add 'user_id' to license-community-plus-registered telemetry event (#​11430) (7a8dafe)
• core: Add safeguard for command publishing (#​11337) (656439e)
• core: Ensure LoggerProxy is not scoped (#​11379) (f4ea943)
• core: Ensure remove-triggers-and-pollers command is not debounced (#​11486) (529d4fc)
• core: Ensure job processor does not reprocess amended executions (#​11438) (c152a3a)
• core: Fix Message Event Bus Metrics not counting up for labeled metrics (#​11396) (7fc3b25)
• core: Fix resolving of $fromAI expression via evaluateExpression (#​11397) (2e64464)
• core: Make execution and its data creation atomic (#​11392) (ed30d43)
• core: On unhandled rejections, extract the original exception correctly (#​11389) (8608bae)
• editor: Fix TypeError: Cannot read properties of undefined (reading '0') (#​11399) (ae37c52)
• editor: Add Retry button for AI Assistant errors (#​11345) (7699240)
• editor: Change tooltip for workflow with execute workflow trigger (#​11374) (dcd6038)
• editor: Ensure toasts show above modal overlays (#​11410) (351134f)
• editor: Fit view consistently after nodes are initialized on new canvas (#​11457) (497d637)
• editor: Fix adding connections when initializing workspace in templates view on new canvas (#​11451) (ea47b02)
• editor: Fix rendering of AI logs (#​11450) (73b0a80)
• editor: Hide data mapping tooltip in credential edit modal (#​11356) (ff14dcb)
• editor: Prevent running workflow that has issues if listening to webhook (#​11402) (8b0a48f)
• editor: Run external hooks after settings have been initialized (#​11423) (0ab24c8)
• editor: Support middle click to scroll when using a mouse on new canvas (#​11384) (46f3b4a)
• HTTP Request Tool Node: Fix HTML response optimization issue (#​11439) (cf37e94)
• n8n Form Node: Form Trigger does not wait in multi-form mode (#​11404) (151f4dd)
• Update required node js version in CONTRIBUTING.md (#​11437) (4f511aa)

Features

• Anthropic Chat Model Node: Add model claude-3-5-sonnet-20241022 (#​11465) (f6c8890)
• core: Handle nodes with multiple inputs and connections during partial executions (#​11376) (cb7c4d2)
• editor: Add descriptive header to projects /workflow (#​11203) (5d19e8f)
• editor: Improve placeholder for vector store tool (#​11483) (629e092)
• editor: Remove edge execution animation on new canvas (#​11446) (a701d87)
• editor: Update ownership pills (#​11155) (8147038)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.66.0

📦 Image Reference ghcr.io/uniget-org/tools/n8n:1.66.0

digest	sha256:7919d66757844cefa9794610431cb629de74d466b5cc0415dc5eef9bc656245e
vulnerabilities
platform	linux/amd64
size	142 MB
packages	1305

semver 5.3.0 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <5.7.2 Fixed version 5.7.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

pdfjs-dist 2.16.105 (npm) pkg:npm/[email protected] Affected range <=4.1.392 Fixed version 4.2.67 Description Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval: mozilla/pdf.js#18015 Workarounds Set the option isEvalSupported to false. References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

identity 3.4.2 (npm) pkg:npm/%40azure/[email protected] Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Affected range <4.2.1 Fixed version 4.2.1 CVSS Score 5.5 CVSS Vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Description Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

cookie 0.4.2 (npm) pkg:npm/[email protected] Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affected range <0.7.0 Fixed version 0.7.0 Description Impact The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Patches Upgrade to 0.7.0, which updates the validation for name, path, and domain. Workarounds Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input. References fix: narrow the validation of cookies to match RFC6265 jshttp/cookie#167

community 0.3.2 (npm) pkg:npm/%40langchain/[email protected] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Affected range <0.3.3 Fixed version 0.3.3 CVSS Score 4.9 CVSS Vector CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Description A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/11708032166.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/11708032166.