Back to Dashboard
100
n8n-monorepo013322 files scannedApril 3, 2026

Do not install this package

We found dangerous patterns that could harm your computer or steal your data. This package runs hidden code automatically when you install it. This package tries to access your SSH keys and credentials. Unless you are 100% sure you trust the author and have reviewed the code yourself, do not install this.

What We Found(350 issues)

Each card explains what was found and what it means in plain English. Click "Technical details" for the full breakdown.

CRITICALCRIT-002

DO NOT INSTALL. This package runs code BEFORE you can even see what it does. Almost no legitimate package needs this. It's like a delivery driver demanding to enter your house before you can check what's in the box.

Technical details

Any preinstall script is suspicious. Legitimate packages almost never need to run code before installation. This hook executes before the user can inspect the package.

"preinstall": "node scripts/block-npm-install.js"
package.json:12
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/agents/src/sdk/agent.ts:202
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval (
packages/@n8n/agents/src/types/sdk/eval.ts:36
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:193
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:198
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:199
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:230
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:231
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:232
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:233
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:234
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:269
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/workflow-sdk/src/ast-interpreter/errors.ts:78
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/workflow-sdk/src/ast-interpreter/index.ts:5
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/workflow-sdk/src/ast-interpreter/interpreter.test.ts:341
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/workflow-sdk/src/ast-interpreter/interpreter.test.ts:342
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/workflow-sdk/src/ast-interpreter/validators.ts:279
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/workflow-sdk/src/ast-interpreter/validators.ts:283
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/@n8n/workflow-sdk/src/codegen/code-generator.test.ts:775
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/cli/src/modules/instance-registry/storage/redis-instance-storage.ts:43
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/cli/src/modules/instance-registry/storage/redis-instance-storage.ts:59
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/cli/src/modules/instance-registry/storage/redis-instance-storage.ts:162
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/cli/src/modules/instance-registry/storage/redis-instance-storage.ts:186
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:47
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:56
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:57
HIGHHIGH-001

Caution. This package can turn any text into running code. A bad actor could trick it into running harmful commands on your computer. Legitimate tools almost never need this.

Technical details

eval() executes arbitrary strings as code. In an MCP context, this could allow prompt injection to escalate into code execution.

eval(
packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:92
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
packages/@n8n/fs-proxy/src/tools/shell/shell-execute.test.ts:2
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
packages/@n8n/fs-proxy/src/tools/shell/shell-execute.ts:3
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

require('child_process'
packages/@n8n/nodes-langchain/scripts/post-build.js:7
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawnSync } from 'child_process'
packages/@n8n/scan-community-package/scanner/scanner.mjs:6
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
packages/cli/src/modules/source-control.ee/source-control-git.service.ee.ts:4
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
packages/node-dev/src/Build.ts:4
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { exec } from 'child_process'
packages/nodes-base/nodes/ExecuteCommand/ExecuteCommand.node.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
packages/testing/containers/network-stabilization.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { exec } from 'child_process'
packages/testing/containers/pull-test-images.ts:10
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { spawn } from 'child_process'
packages/testing/containers/telemetry.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
packages/testing/performance/scripts/save-baseline.mjs:12
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
packages/testing/playwright/global-teardown.ts:1
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
packages/testing/playwright/scripts/build-test-image.mjs:3
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execFileSync } from 'child_process'
packages/testing/playwright/scripts/distribute-tests.mjs:16
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
packages/testing/playwright/scripts/fetch-currents-metrics.mjs:15
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

require('child_process'
packages/testing/playwright/scripts/generate-coverage-report.js:7
HIGHHIGH-002

Caution. This package can open a terminal on your computer and run any command it wants — with YOUR permissions. It could delete files, install malware, or steal your data without you seeing anything happen.

Technical details

Importing child_process gives the package ability to spawn shell commands. MCP servers should not need to execute arbitrary system commands.

import { execSync } from 'child_process'
scripts/format.mjs:5
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/agents/src/storage/sqlite-memory.ts:327
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/agents/src/workspace/process.ts:6
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/agents/src/workspace/sandbox/base-sandbox.ts:134
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/ai-workflow-builder.ee/src/tools/utils/connection.utils.ts:47
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/chat-hub/src/parser.ts:54
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/chat-hub/src/parser.ts:55
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/codemirror-lang-html/src/html.ts:88
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/codemirror-lang-html/src/html.ts:96
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/codemirror-lang-sql/src/complete.ts:19
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/errors/src/application.error.ts:30
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/expression-runtime/src/extensions/string-extensions.ts:337
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/expression-runtime/src/extensions/string-extensions.ts:346
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/expression-runtime/src/extensions/string-extensions.ts:363
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/fs-proxy/src/tools/shell/shell-execute.ts:59
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/fs-proxy/src/tools/shell/shell-execute.ts:65
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/fs-proxy/src/tools/shell/shell-execute.ts:68
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/instance-ai/src/runtime/background-task-manager.ts:109
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/instance-ai/src/workflow-builder/extract-code.ts:74
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/instance-ai/src/workspace/n8n-sandbox-client.ts:266
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/instance-ai/src/workspace/n8n-sandbox-sandbox.ts:98
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/instance-ai/src/workspace/sandbox-fs.ts:33
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/@n8n/mcp-browser/src/browser-discovery.ts:226
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/@n8n/node-cli/src/commands/dev/utils.ts:169
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/@n8n/node-cli/src/commands/dev/utils.ts:351
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/@n8n/node-cli/src/commands/dev/utils.ts:369
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/@n8n/node-cli/src/commands/dev/utils.ts:453
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/node-cli/src/commands/dev/utils.ts:515
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/node-cli/src/utils/child-process.ts:38
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/@n8n/node-cli/src/utils/child-process.ts:39
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/@n8n/node-cli/src/utils/git.ts:14
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/@n8n/node-cli/src/utils/git.ts:25
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/nodes-langchain/nodes/Guardrails/actions/checks/keywords.ts:73
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/nodes-langchain/nodes/Guardrails/actions/checks/pii.ts:230
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/@n8n/nodes-langchain/scripts/post-build.js:11
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
packages/@n8n/scan-community-package/scanner/scanner.mjs:81
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawnSync(
packages/@n8n/scan-community-package/scanner/scanner.mjs:97
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/stylelint-config/src/rules/css-var-naming.ts:389
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:3289
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/scripts/build.mjs:38
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/scripts/build.mjs:73
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/cli/src/abstract-server.ts:268
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/src/commands/execute-batch.ts:251
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/src/commands/execute-batch.ts:255
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/src/modules/dynamic-credentials.ee/context-establishment-hooks/http-header-extractor.ts:44
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/src/modules/dynamic-credentials.ee/services/dynamic-credential-web.service.ts:22
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/cli/src/modules/instance-ai/instance-ai.service.ts:1986
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/src/modules/instance-ai/web-research/ssrf-guard.ts:51
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/src/modules/instance-ai/web-research/ssrf-guard.ts:54
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/cli/src/modules/source-control.ee/source-control-git.service.ee.ts:59
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/cli/src/modules/source-control.ee/source-control-git.service.ee.ts:68
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/cli/src/services/cache/redis.cache-manager.ts:80
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/cli/src/task-runners/task-runner-process-js.ts:42
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/cli/src/task-runners/task-runner-process-py.ts:38
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/core/src/execution-engine/node-execution-context/utils/extract-value.ts:76
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/@n8n/design-system/src/components/N8nMarkdown/youtube.ts:48
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/stores/ui.store.registration.spec.ts:23
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/coordinator/operations/query.test.ts:195
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/coordinator/operations/query.test.ts:206
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/coordinator/operations/query.test.ts:217
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/coordinator/operations/query.test.ts:229
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/coordinator/operations/query.test.ts:260
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/coordinator/operations/query.ts:18
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/coordinator/worker.ts:79
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/data/operations/loadNodeTypes.ts:112
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/data/operations/query.ts:23
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/data/operations/query.ts:29
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/data/operations/query.ts:139
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/data/operations/query.ts:142
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/data/operations/query.ts:145
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/data/worker.ts:145
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/data/worker.ts:166
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/index.ts:37
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/app/workers/index.ts:39
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/features/ai/assistant/composables/useAIAssistantHelpers.ts:62
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/features/ai/assistant/composables/useBuilderTodos.ts:70
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/frontend/editor-ui/src/features/core/dataTable/utils/typeUtils.ts:16
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/node-dev/src/Build.ts:81
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/BambooHr/v1/actions/companyReport/get/execute.ts:42
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/BambooHr/v1/actions/employeeDocument/download/execute.ts:28
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/BambooHr/v1/actions/file/download/execute.ts:28
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/ExecuteCommand/ExecuteCommand.node.ts:30
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Google/Docs/GenericFunctions.ts:85
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Google/Sheet/v1/GenericFunctions.ts:103
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Google/Sheet/v2/helpers/GoogleSheets.utils.ts:86
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:83
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:86
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Microsoft/SharePoint/helpers/utils.ts:66
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Microsoft/SharePoint/helpers/utils.ts:74
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Microsoft/Storage/descriptions/BlobDescription.ts:147
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Microsoft/Storage/descriptions/BlobDescription.ts:157
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/MySql/v2/helpers/utils.ts:45
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Notion/shared/GenericFunctions.ts:1111
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Oracle/Sql/helpers/utils.ts:212
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/PostBin/GenericFunctions.ts:23
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:93
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/nodes/Venafi/ProtectCloud/VenafiTlsProtectCloud.node.ts:349
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/nodes-base/utils/utilities.ts:332
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/containers/helm-stack.ts:66
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/helm-stack.ts:80
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/containers/helm-stack.ts:85
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/containers/helm-stack.ts:86
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/helm-stack.ts:90
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/helm-stack.ts:101
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/helm-stack.ts:113
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/containers/helm-stack.ts:125
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/containers/helm-stack.ts:339
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/containers/helm-stack.ts:350
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/helm-stack.ts:365
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/containers/helm-stack.ts:422
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/containers/helm-stack.ts:466
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/testing/containers/network-stabilization.ts:38
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/services/gitea.ts:94
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/services/gitea.ts:107
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/services/gitea.ts:129
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/services/gitea.ts:209
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/services/gitea.ts:229
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/services/keycloak.ts:146
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/services/keycloak.ts:218
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/containers/services/keycloak.ts:505
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

spawn(
packages/testing/containers/telemetry.ts:301
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:12
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:26
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:38
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:48
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:57
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:66
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:75
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:145
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:171
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/cli.test.ts:192
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/core/inventory-analyzer.ts:256
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/core/inventory-analyzer.ts:422
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/core/inventory-analyzer.ts:428
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/core/inventory-analyzer.ts:485
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/core/method-usage-analyzer.ts:124
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:21
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:22
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:23
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:83
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:84
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:109
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:164
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:183
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:200
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:203
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:222
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:252
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:280
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:305
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:322
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:348
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:375
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/janitor/src/core/tcr-executor.test.ts:436
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/rules/api-purity.rule.ts:58
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/utils/git-operations.ts:38
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/utils/git-operations.ts:124
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/testing/janitor/src/utils/git-operations.ts:125
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/performance/scripts/save-baseline.mjs:21
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/global-teardown.ts:11
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/global-teardown.ts:15
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/reporters/metrics-reporter.ts:173
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/scripts/build-test-image.mjs:13
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/scripts/fetch-currents-metrics.mjs:69
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/scripts/generate-coverage-report.js:105
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/scripts/generate-coverage-report.js:112
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/scripts/import-victoria-data.mjs:23
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
packages/testing/playwright/scripts/import-victoria-data.mjs:29
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/errors/base/base.error.ts:53
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/extensions/expression-parser.ts:35
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/extensions/string-extensions.ts:376
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/extensions/string-extensions.ts:385
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/extensions/string-extensions.ts:402
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/from-ai-parse-utils.ts:254
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/from-ai-parse-utils.ts:384
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/node-reference-parser-utils.ts:293
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/node-reference-parser-utils.ts:302
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/telemetry-helpers.ts:176
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/telemetry-helpers.ts:247
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/utils.ts:472
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

exec(
packages/workflow/src/workflow-data-proxy.ts:334
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
scripts/ensure-zx.mjs:7
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
scripts/format.mjs:51
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
scripts/format.mjs:63
HIGHHIGH-003

Caution. This package runs system commands on your computer. This is like giving someone the keys to your terminal. They could run anything — download files, change settings, or access your private data.

Technical details

Direct process execution functions (exec, spawn) can run arbitrary commands. Combined with user input, this enables remote code execution.

execSync(
scripts/prepare.mjs:10
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

~/.ssh
packages/@n8n/fs-proxy/src/tools/shell/shell-execute.ts:20
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

known_hosts
packages/cli/src/modules/source-control.ee/source-control-git.service.ee.ts:155
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

known_hosts
packages/cli/src/modules/source-control.ee/source-control-git.service.ee.ts:168
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

known_hosts
packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:189
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

known_hosts
packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:193
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

known_hosts
packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:196
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

known_hosts
packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:198
HIGHHIGH-004

DO NOT INSTALL. This package tries to read your SSH keys — the same keys that unlock your servers, your GitHub account, and your deployments. No Claude skill should ever need to touch these files. This looks like credential theft.

Technical details

Accessing SSH keys or known_hosts is a strong indicator of credential theft. No legitimate MCP server needs access to SSH configuration.

known_hosts
packages/cli/src/modules/source-control.ee/source-control.service.ee.ts:194
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.LANGSMITH_API_KEY
packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:150
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.LANGSMITH_API_KEY
packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:142
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.LANGCHAIN_API_KEY
packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:143
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.NGROK_AUTHTOKEN
packages/testing/containers/services/ngrok.ts:48
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.QA_METRICS_WEBHOOK_PASSWORD
packages/testing/containers/telemetry.ts:284
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CURRENTS_RECORD_KEY
packages/testing/playwright/currents.config.ts:4
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CURRENTS_RECORD_KEY
packages/testing/playwright/playwright.config.ts:117
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.QA_METRICS_WEBHOOK_PASSWORD
packages/testing/playwright/reporters/metrics-reporter.ts:42
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CODECOV_API_TOKEN
packages/testing/playwright/scripts/coverage-analysis.mjs:87
HIGHHIGH-005

Caution. This package reads your secret passwords and API tokens from your system. If it also has network access, your credentials could be sent to someone else's server. Check WHY it needs your secrets.

Technical details

Reading sensitive environment variables (tokens, secrets, keys, passwords) suggests data exfiltration. MCP servers should declare required env vars, not silently read secrets.

process.env.CURRENTS_API_KEY
packages/testing/playwright/scripts/fetch-currents-metrics.mjs:86
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
package.json:62
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
package.json:85
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/ai-utilities/package.json:60
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/declarative/custom/template/package.json:39
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/declarative/custom/template/package.json:46
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/declarative/github-issues/template/package.json:42
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/declarative/github-issues/template/package.json:49
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/memory-custom/template/package.json:40
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/memory-custom/template/package.json:47
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/memory-custom/template/package.json:48
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-ai-custom/template/package.json:42
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-ai-custom/template/package.json:49
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-ai-custom/template/package.json:50
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-ai-custom-example/template/package.json:42
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-ai-custom-example/template/package.json:49
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-ai-custom-example/template/package.json:50
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-openai-compatible/template/package.json:42
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-openai-compatible/template/package.json:49
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/ai/model-openai-compatible/template/package.json:50
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/example/template/package.json:39
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/node-cli/src/template/templates/programmatic/example/template/package.json:46
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/@n8n/nodes-langchain/package.json:20
MEDIUMMED-002

Risky. This package doesn't lock its dependency versions. That means if one of its dependencies gets hacked tomorrow, you'd automatically download the hacked version. Good packages always pin their versions.

Technical details

Using '*' or 'latest' as a dependency version means any future version will be installed automatically — including compromised ones.

"*"
packages/frontend/@n8n/design-system/package.json:73
MEDIUMMED-003

Suspicious. This package downloads code from paste sites or raw URLs instead of using normal package managers. This is a common trick to sneak in malicious code that doesn't show up in the package itself.

Technical details

Network requests to paste sites or raw GitHub content may indicate payload downloading. Legitimate dependencies use npm, not pastebins.

raw.githubusercontent
packages/frontend/editor-ui/src/app/components/ImportWorkflowUrlModal.test.ts:111
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/@n8n/agents/src/integrations/langsmith.ts:43
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/agents/src/runtime/model-factory.ts:19
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(e
packages/@n8n/agents/src/runtime/model-factory.ts:113
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/ai-workflow-builder.ee/evaluations/support/workflow-executor.ts:57
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(f
packages/@n8n/ai-workflow-builder.ee/evaluations/support/workflow-executor.ts:137
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(p
packages/@n8n/ai-workflow-builder.ee/evaluations/support/workflow-executor.ts:182
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(p
packages/@n8n/ai-workflow-builder.ee/evaluations/support/workflow-executor.ts:186
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(p
packages/@n8n/ai-workflow-builder.ee/evaluations/support/workflow-executor.ts:193
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(p
packages/@n8n/ai-workflow-builder.ee/evaluations/support/workflow-executor.ts:198
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
packages/@n8n/backend-common/src/modules/module-registry.ts:95
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
packages/@n8n/backend-common/src/modules/module-registry.ts:98
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(s
packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:94
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import()
packages/@n8n/eslint-config/src/rules/no-dynamic-import-template.ts:8
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import()
packages/@n8n/eslint-config/src/rules/no-dynamic-import-template.ts:13
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
packages/@n8n/eslint-plugin-community-nodes/src/rules/no-restricted-imports.test.ts:70
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(`
packages/@n8n/eslint-plugin-community-nodes/src/rules/no-restricted-imports.test.ts:73
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
packages/@n8n/eslint-plugin-community-nodes/src/rules/no-restricted-imports.test.ts:79
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(`
packages/@n8n/eslint-plugin-community-nodes/src/rules/no-restricted-imports.test.ts:161
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
packages/@n8n/eslint-plugin-community-nodes/src/rules/no-restricted-imports.test.ts:169
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(f
packages/@n8n/instance-ai/src/workspace/sandbox-setup.ts:60
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(
packages/@n8n/nodes-langchain/nodes/code/Code.node.ts:56
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import (o
packages/@n8n/nodes-langchain/nodes/code/Code.node.ts:98
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(m
packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts:180
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(r
packages/@n8n/task-runner/src/js-task-runner/require-resolver.ts:40
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/task-runner/src/start.ts:12
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/ast-interpreter/errors.ts:78
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/ast-interpreter/interpreter.test.ts:352
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/ast-interpreter/validators.ts:289
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:3564
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:3586
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:2841
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import (n
packages/@n8n/workflow-sdk/src/generate-types/generate-zod-schemas.test.ts:703
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/generate-types/generate-zod-schemas.ts:10
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(s
packages/@n8n/workflow-sdk/src/validation/schema-validator.ts:141
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/validation/schema-validator.ts:161
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require()
packages/@n8n/workflow-sdk/src/workflow-builder/plugins/registry.test.ts:222
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
packages/cli/src/command-registry.ts:40
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(f
packages/cli/src/command-registry.ts:99
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/commands/base-command.ts:190
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/commands/base-command.ts:249
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/commands/base-command.ts:254
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(t
packages/cli/src/controllers/translation.controller.ts:42
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(N
packages/cli/src/controllers/translation.controller.ts:58
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(h
packages/cli/src/external-hooks.ts:126
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/dynamic-credentials.ee/dynamic-credentials.module.ts:44
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/dynamic-credentials.ee/dynamic-credentials.module.ts:55
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/external-secrets.ee/external-secrets.module.ts:30
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:128
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/instance-ai/instance-ai.module.ts:57
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/instance-ai/instance-ai.module.ts:60
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/mcp/mcp.controller.ts:111
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/mcp/mcp.module.ts:33
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:131
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/mcp/tools/workflow-builder/update-workflow.tool.ts:115
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/modules/mcp/tools/workflow-builder/validate-workflow-code.tool.ts:69
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/public-api/index.ts:68
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(f
packages/cli/src/public-api/v1/handlers/discover/discover.service.ts:126
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/scaling/scaling.service.ts:76
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
packages/cli/src/security-audit/security-audit.service.ts:66
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/server.ts:482
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/task-runners/task-runner-module.ts:95
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/cli/src/task-runners/task-runner-module.ts:115
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(c
packages/core/src/nodes-loader/directory-loader.ts:347
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(f
packages/core/src/nodes-loader/load-class-in-isolation.ts:13
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(`
packages/frontend/@n8n/design-system/src/locale/index.ts:38
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

require(`
packages/frontend/@n8n/design-system/src/locale/index.ts:43
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/frontend/editor-ui/src/app/router.ts:41
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/frontend/editor-ui/src/app/router.ts:82
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/frontend/editor-ui/src/app/router.ts:87
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import (a
packages/frontend/editor-ui/src/app/stores/workflowDocument/useWorkflowDocumentNodes.ts:42
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/frontend/editor-ui/src/features/settings/communityNodes/components/nodeCreator/CommunityNodeInfo.test.ts:109
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/frontend/editor-ui/src/features/settings/communityNodes/components/nodeCreator/CommunityNodeInfo.test.ts:152
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/frontend/editor-ui/src/features/settings/communityNodes/components/nodeCreator/CommunityNodeInfo.test.ts:198
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/frontend/editor-ui/src/features/settings/communityNodes/components/nodeCreator/CommunityNodeInfo.test.ts:327
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import (I
packages/nodes-base/nodes/Google/Drive/v1/GoogleDriveV1.node.ts:921
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import (I
packages/nodes-base/nodes/Google/Drive/v2/actions/common.descriptions.ts:538
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(
packages/nodes-base/utils/binary.ts:174
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import(f
packages/testing/janitor/src/cli.ts:85
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import()
packages/testing/janitor/src/core/facade-resolver.ts:109
MEDIUMMED-004

Suspicious. This package loads code from an unknown location decided at runtime. We can't tell what it will actually run because it depends on a variable. This makes it harder to verify the package is safe.

Technical details

Dynamic require/import with variable arguments loads code determined at runtime. This can be used to load payloads that static analysis can't detect.

import (l
packages/testing/janitor/src/utils/ast-helpers.ts:136

Finding Summary

1

Critical

245

High

104

Medium

0

Low

0

Info