chore(deps): update dependency n8n to v1.70.2

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
n8n (source)	minor	1.69.2 -> 1.70.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

n8n-io/n8n (n8n)

v1.70.2

Compare Source

Bug Fixes

• core: Opt-out from optimizations if $item is used (#​12036) (dfa1806)
• core: Use the configured timezone in task runner (#​12032) (b0f6c6f)

v1.70.1

Compare Source

Bug Fixes

• editor: Fix bug causing connection lines to disappear when hovering stickies (#​11950) (c018b63)
• editor: Fix pin data showing up in production executions on new canvas (#​11951) (e4e5077)

v1.70.0

Compare Source

Bug Fixes

• AI Agent Node: Add binary message before scratchpad to prevent tool calling loops (#​11845) (5c80cb5)
• CodeNodeEditor walk cannot read properties of null (#​11129) (d99e0a7)
• core: Bring back execution data on the executionFinished push message (#​11821) (0313570)
• core: Correct invalid WS status code on removing connection (#​11901) (1d80225)
• core: Don't use unbound context methods in code sandboxes (#​11914) (f6c0d04)
• core: Fix broken execution query when using projectId (#​11852) (a061dbc)
• core: Fix validation of items returned in the task runner (#​11897) (a535e88)
• editor: Add missing trigger waiting tooltip on new canvas (#​11918) (a8df221)
• editor: Don't re-render input panel after node finishes executing (#​11813) (b3a99a2)
• editor: Fix AI assistant loading message layout (#​11819) (89b4807)
• editor: Fix new canvas discovery tooltip position after adding github stars button (#​11898) (f4ab5c7)
• editor: Fix node position not getting set when dragging selection on new canvas (#​11871) (595de81)
• editor: Restore workers view (#​11876) (3aa72f6)
• editor: Turn NPS survey into a modal and make sure it shows above the Ask AI button (#​11814) (ca169f3)
• editor: Use crypto.randomUUID() to initialize node id if missing on new canvas (#​11873) (bc4857a)
• n8n Form Node: Duplicate popup in manual mode (#​11925) (2c34bf4)
• n8n Form Node: Redirect if completion page to trigger (#​11822) (1a8fb7b)
• OpenAI Node: Remove preview chatInput parameter for Assistant:Messsage operation (#​11825) (4dde287)
• Retain execution data between partial executions (new flow) (#​11828) (3320436)

Features

• Add SharePoint credentials (#​11570) (05c6109)
• Add Zabbix credential only node (#​11489) (fbd1ecf)
• AI Transform Node: Support for drag and drop (#​11276) (2c252b0)
• editor: Drop response wrapper requirement from Subworkflow Tool output (#​11785) (cd3598a)
• editor: Improve node and edge bring-to-front mechanism on new canvas (#​11793) (b89ca9d)
• editor: Make new canvas connections go underneath node when looping backwards (#​11833) (91d1bd8)
• editor: Make the left sidebar in Expressions editor draggable (#​11838) (a713b3e)
• editor: Migrate existing users to new canvas and set new canvas as default (#​11896) (caa7447)
• Slack Node: Update wait for approval to use markdown (#​11754) (40dd02f)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/n8n:1.70.2

📦 Image Reference ghcr.io/uniget-org/tools/n8n:1.70.2

digest	sha256:97ea8602f0fde8474e644c6c48ba3566d7e0cb76a2a111c5918ae13b3c71f657
vulnerabilities
platform	linux/amd64
size	143 MB
packages	1318

cross-spawn 4.0.2 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <6.0.6 Fixed version 7.0.5 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

semver 5.3.0 (npm) pkg:npm/[email protected] Inefficient Regular Expression Complexity Affected range <5.7.2 Fixed version 5.7.2 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Description Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

pdfjs-dist 2.16.105 (npm) pkg:npm/[email protected] Affected range <=4.1.392 Fixed version 4.2.67 Description Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval: mozilla/pdf.js#18015 Workarounds Set the option isEvalSupported to false. References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

identity 3.4.2 (npm) pkg:npm/%40azure/[email protected] Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Affected range <4.2.1 Fixed version 4.2.1 CVSS Score 6.8 CVSS Vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Description Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

cookie 0.4.2 (npm) pkg:npm/[email protected] Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affected range <0.7.0 Fixed version 0.7.0 Description Impact The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Patches Upgrade to 0.7.0, which updates the validation for name, path, and domain. Workarounds Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input. References fix: narrow the validation of cookies to match RFC6265 jshttp/cookie#167

[github-actions]

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12164382180.

[github-actions]

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12164382180.