…PACKAGES_AUTH_TOKEN is enough
3 issues found across 5 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/cli/src/modules/community-packages/npm-utils.ts">
<violation number="1" location="packages/cli/src/modules/community-packages/npm-utils.ts:86">
P1: Custom agent: **Security Review**
The `fullArgs` array logged here includes the raw `_authToken=<secret>` value when authentication is configured. Even at `debug` level, this exposes the npm registry credential to log sinks. Redact or omit the auth-related arguments before logging.</violation>
<violation number="2" location="packages/cli/src/modules/community-packages/npm-utils.ts:148">
P1: Custom agent: **Security Review**
The `headers` object logged here contains the `Authorization: Bearer <token>` value when authentication is configured. Even at `debug` level, this exposes the npm registry credential to log sinks. Omit or redact the `Authorization` header before logging.</violation>
</file>
<file name="packages/cli/src/modules/community-packages/community-packages.service.ts">
<violation number="1" location="packages/cli/src/modules/community-packages/community-packages.service.ts:515">
P1: Passing `authToken` into npm helpers causes registry credentials to be logged in plaintext debug logs (CLI args and Authorization headers).</violation>
</file>
Architecture diagram
sequenceDiagram
participant Svc as CommunityPackagesService
participant Config as CommunityPackagesConfig
participant Utils as npm-utils
participant API as NPM Registry (HTTP)
participant CLI as NPM CLI (Process)
Note over Svc,CLI: Community Package Installation / Update Flow
Svc->>Config: NEW: Fetch N8N_COMMUNITY_PACKAGES_AUTH_TOKEN
Config-->>Svc: Auth Token (if set)
rect rgb(240, 240, 240)
Note over Svc,API: Step 1: Metadata Verification (Integrity & Version)
Svc->>Utils: verifyIntegrity(packageName, version, registry, token)
Utils->>API: CHANGED: executeNpmRequest() with "Bearer <token>" header
alt Request Successful
API-->>Utils: Package Metadata (dist.integrity)
else Request Failed (Fallback)
Utils->>CLI: CHANGED: executeNpmCommand("view") with "--//registry/:_authToken=<token>"
CLI-->>Utils: JSON Metadata
end
Utils-->>Svc: Verification Result
end
rect rgb(240, 240, 240)
Note over Svc,CLI: Step 2: Download Package
Svc->>Utils: downloadPackage(packageName, version, token)
Utils->>CLI: CHANGED: npm pack --registry=<url> --//<host>/:_authToken=<token>
CLI-->>Utils: .tgz file
Utils-->>Svc: Tarball path
end
rect rgb(240, 240, 240)
Note over Svc,CLI: Step 3: Local Dependency Installation
Svc->>Utils: executeNpmCommand("install", { registry, token })
Utils->>CLI: CHANGED: npm install [args] --registry=<url> --//<host>/:_authToken=<token>
CLI-->>Utils: Success/Failure
Utils-->>Svc: Done
end
Svc->>Svc: Load nodes into n8n runtime
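Added example in TypeScript (not n8n's own code) that builds the two credential carriers the review above flags, the `--//<host>/:_authToken=<token>` CLI argument and the `Authorization: Bearer <token>` header, the way the diagram describes, and shows the redaction that should run before any debug log call. The registry URL, token value and all function names are constructed assumptions.

```typescript
// Added example, not n8n's code. Builds npm CLI args / registry headers with
// an auth token and redacts the token before anything is logged.
// Function names and sample values below are assumptions, not the project's API.

const REGISTRY = 'https://npm.example.com/'; // constructed sample
const TOKEN = 'npm_constructedSampleToken123'; // constructed sample

export interface NpmAuthOptions {
  registry?: string;
  authToken?: string;
}

/** Build `npm <cmd> ... --registry=<url> --//<host>/<path>:_authToken=<token>`. */
export function buildNpmArgs(cmd: string, args: string[], opts: NpmAuthOptions): string[] {
  const full = [cmd, ...args];
  if (opts.registry) {
    full.push(`--registry=${opts.registry}`);
    if (opts.authToken) {
      // npm scopes per-registry auth to the registry URL without its scheme.
      const { host, pathname } = new URL(opts.registry);
      const path = pathname.endsWith('/') ? pathname : `${pathname}/`;
      full.push(`--//${host}${path}:_authToken=${opts.authToken}`);
    }
  }
  return full;
}

/** Headers for a direct registry request (the executeNpmRequest path). */
export function buildRegistryHeaders(opts: NpmAuthOptions): Record<string, string> {
  const headers: Record<string, string> = { Accept: 'application/json' };
  if (opts.authToken) headers.Authorization = `Bearer ${opts.authToken}`;
  return headers;
}

/** Mask the `_authToken=` value in CLI args before they reach a log sink. */
export function redactArgs(args: string[]): string[] {
  return args.map((a) => a.replace(/(_authToken=).+$/, '$1<redacted>'));
}

/** Mask the credential part of any Authorization header before logging. */
export function redactHeaders(h: Record<string, string>): Record<string, string> {
  return Object.fromEntries(
    Object.entries(h).map(([k, v]) =>
      [k, k.toLowerCase() === 'authorization' ? v.replace(/^(\S+\s).+$/, '$1<redacted>') : v]),
  );
}

/** Demo: the raw args still carry the token; only the redacted forms may be logged. */
export function demo() {
  const opts = { registry: REGISTRY, authToken: TOKEN };
  const args = buildNpmArgs('pack', ['n8n-nodes-example@1.0.0', '--quiet'], opts);
  return { args, safeArgs: redactArgs(args), safeHeaders: redactHeaders(buildRegistryHeaders(opts)) };
}
```

A quick check in tests is to assert that the joined `safeArgs` and the redacted headers never contain the token string, so a future logging change cannot silently reintroduce the leak.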
P1: Passing authToken into npm helpers causes registry credentials to be logged in plaintext debug logs (CLI args and Authorization headers).
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/cli/src/modules/community-packages/community-packages.service.ts, line 515:
<comment>Passing `authToken` into npm helpers causes registry credentials to be logged in plaintext debug logs (CLI args and Authorization headers).</comment>
<file context>
@@ -500,8 +511,8 @@ export class CommunityPackagesService {
- ['pack', `${packageName}@${packageVersion}`, `--registry=${registry}`, '--quiet'],
- { cwd: this.downloadFolder },
+ ['pack', `${packageName}@${packageVersion}`, '--quiet'],
+ { cwd: this.downloadFolder, registry, authToken },
);
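Review bot: the `+ { cwd: this.downloadFolder, registry, authToken },` line hands the registry credential to the npm helper, which (per the flow diagram above) turns it into a `--//<host>/:_authToken=<token>` CLI argument that is then logged at debug level; the token must be masked in any logged argument list and in error output before this is merged, e.g. by replacing the value after `_authToken=` with a placeholder in the log statement. Also confirm that the removed `--registry=${registry}` argument is re-added by the helper from the `registry` option, so `npm pack` still targets the configured registry rather than the default one.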
</file context>
This has been addressed
Thanks for the update!
Testing done
Manually verified that installing packages from an authenticated registry works with the auth token.
Setup
Test execution
Results
…ate community node packages (n8n-io#28228) Co-authored-by: Sandra Zollner <sandra.zollner@n8n.io>
Summary
Adds an env config N8N_COMMUNITY_PACKAGES_AUTH_TOKEN to install community nodes from authenticated npm registry accounts. Usage in combination with N8N_COMMUNITY_PACKAGES_REGISTRY enables enterprises and OEM partners to build secure custom node publishing pipelines.
This PR is critical for an OEM partner launch. Compared to our alternative "load nodes from filesystem" strategy, our community package installer supports remote API management and node upgrades without restart that are distributed across main and worker instances.