chore(deps): update dependency n8n to v1.95.2

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
n8n (source)	minor	1.94.1 -> 1.95.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

n8n-io/n8n (n8n)

v1.95.2

Compare Source

Bug Fixes

• editor: Handle Insights calculations to prevent Infinity numbers (#​15727) (8b76694)
• Microsoft SharePoint Node: Add back the support for cred only node (#​15806) (e16fbaa)

v1.95.1

Compare Source

Bug Fixes

• Community packages update check (#​15684) (5ed1306)

v1.95.0

Compare Source

Bug Fixes

• Chat Trigger Node: Don't continue when action is load previous session and option is not set (#​15438) (8fd0738)
• core: Add support for proxy using forward headers (#​15006) (b1687c6)
• core: Fix community package installation on windows (#​15685) (647cb85)
• core: Fix license reloading flow in scaling mode (#​15650) (c2449ee)
• core: Use destination node to select the correct pinned trigger to start from (#​15633) (dc0802b)
• editor: Add type definition for $getWorkflowStaticData to code node (#​15544) (bca03ca)
• editor: Don't mark node as dirty when NDV is opened (#​15222) (8d1170e)
• editor: Fix how deviation percentage is calculated in Insights summary (#​15526) (26de979)
• editor: Fix notification toast offset outside of NodeView if chat/logs were opened (#​15622) (70ea7a8)
• editor: Fix schema view showing incorrect data on loop node done branch (#​15635) (f762c59)
• editor: Fix update panel icon display. Fix title on insights dashboard (#​15593) (075b035)
• editor: Handle Loop node execution data preview correctly when inserting a node (#​15351) (5967c13)
• editor: Make deleting Call n8n Workflow Tool fromAI workflow input descriptions work (#​15459) (0e708dd)
• Fix jobs for secrets inherit (#​15532) (cf29b5f)
• Google Drive Node: Incorrect MIME type when uploading files on cloud (#​15478) (2060498)
• HTTP Request Node: Fix prototype pollution vulnerability (#​15463) (1ffc33d)
• Information Extractor Node: Improve error handling for empty inputs (#​15590) (bb2f675)
• Jira Software Node: Use old endpoints to get all issues on self-hosted instances (#​15591) (e23ffcc)
• MongoDB Node: Stop overwriting nested values on update (#​15543) (3ee15a8)
• Summarize Node: Convert v1 split by values to string (#​15525) (4d037ca)
• Telegram Node: Include error message in output when continueOnFail is set (#​15540) (b8ee275)

Features

• Airtop Node: Add File operations and scroll micro-interaction (#​15089) (86885a7)
• Anthropic Chat Model Node: Set the new Claude 4 Sonnet model to be the default (#​15609) (cf8b611)
• core: Add logs for insights flushing and compaction (#​15519) (3743a8c)
• core: Invalidate all sessions when MFA is enabled/disabled (#​15524) (2a35c19)
• core: Scope getStatus for environments for project admin role (#​15404) (f9f9597)
• editor: "Executing" state in the output panel (#​15470) (7e3bcd3)
• editor: Add an option to sync canvas with log view (#​15391) (9938e63)
• editor: Distinguish official verified nodes from community built nodes (#​15630) (7f0c6d6)
• editor: Save new project on Enter in name field (#​15535) (fbf7083)
• editor: Show informative message in NDV when AI tools have no parameters (#​15515) (a426ecd)
• editor: Use resource locator at Simple Vector Store memory key, allow cross workflow use (#​15421) (e5c2aea)
• Merge Node: Option in combineBySql operation to return either confirmation of succes or empty result (#​15509) (a86bc43)
• Migrate Test Workflows to Main Repo (#​15504) (867842d)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.95.2

📦 Image Reference ghcr.io/uniget-org/tools/n8n:1.95.2

digest	sha256:64dcf47ff6c2b3d4e81c1cf928fc2f0a2cdbff9c682d6e2c2da9df9af448ef75
vulnerabilities
platform	linux/amd64
size	172 MB
packages	1409

semver 5.3.0 (npm) pkg:npm/semver@5.3.0 Inefficient Regular Expression Complexity Affected range <5.7.2 Fixed version 5.7.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

multer 1.4.5-lts.2 (npm) pkg:npm/multer@1.4.5-lts.2 Missing Release of Memory after Effective Lifetime Affected range <2.0.0 Fixed version 2.0.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Impact Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Patches Users should upgrade to 2.0.0 Workarounds None References fix: MEMORY LEAK expressjs/multer#1120 expressjs/multer@2c8505f

pdfjs-dist 2.16.105 (npm) pkg:npm/pdfjs-dist@2.16.105 Improper Check for Unusual or Exceptional Conditions Affected range <=4.1.392 Fixed version 4.2.67 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Description Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval: mozilla/pdf.js#18015 Workarounds Set the option isEvalSupported to false. References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

identity 3.4.2 (npm) pkg:npm/%40azure/identity@3.4.2 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Affected range <4.2.1 Fixed version 4.2.1 CVSS Score 6.8 CVSS Vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Description Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

auth-js 2.65.0 (npm) pkg:npm/%40supabase/auth-js@2.65.0 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <2.69.1 Fixed version 2.69.1 CVSS Score 1.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U Description Impact The library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. Patches Strict value checks have been added to all affected functions. These functions now require that the userId and factorId parameters MUST be valid UUID (v4). Patched version: >= 2.69.1 Workarounds Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. It is recommended that users of the auth-js library always follow security best practice and validate all inputs, before passing these to other functions or libraries. References supabase/auth-js#1063

undici 5.28.5 (npm) pkg:npm/undici@5.28.5 Missing Release of Memory after Effective Lifetime Affected range <5.29.0 Fixed version 5.29.0 CVSS Score 3.1 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L Description Impact Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. Patches This has been patched in nodejs/undici#4088. Workarounds If a webhook fails, avoid keep calling it repeatedly. References Reported as: nodejs/undici#3895

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/15398110493.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/15398110493.