Package evidence

@n8n/[email protected]

Obfuscation Density: high encoded/escaped-token density

Trust signals

Why this verdict

PkgRadar discounts a release’s score when public reputation argues against novel malware. The verdict above already reflects these — the panel just explains what was applied.

Weekly downloads: 57,337Mainstream · −50% score
Versions published: 351Mature · −50% score
First published: Sep 2023
Publisher: GitHub ActionsTrusted automation · −70% score

Effective trust discount applied: −70% (max across signals — discounts don’t stack). New install-lifecycle deltas vs the previous release would clear the discount.

Recommended action

Review before promoting

Mixed signals: the package has indicators worth reading before allowing the update in automated dependency flows.

Inspect tarball Add to CI gate

Block this release in CIcurl · GitHub Actions

Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.

curl -fsS https://pkgradar.com/gate/npm \
  -H "Authorization: Bearer $PKGRADAR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"specs":["@n8n/[email protected]"],"fail_on":"review"}'

GitHub Actions step:

- name: PkgRadar gate
  run: |
    curl -fsS https://pkgradar.com/gate/npm \
      -H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
      -H "Content-Type: application/json" \
      -d '{"specs":["@n8n/[email protected]"],"fail_on":"review"}'

PublisherGitHub Actions

Artifact bytes2,604,287

Previous version1.122.34

Published2026-05-28T09:39:06.425Z

SHA-256ca3574d6c22324430eeb0f77d465f6d731e141728a2955968f19eb03af109ef5

Why flagged

What the scanner saw

Obfuscation Density: high encoded/escaped-token density

Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.

Availability ledger

available

review

16d agoLast checked

reviewRisk

3Score

1.122.35Version

Status history (1 event)

new → available16d ago · risk review · score 3 · status changed

Evidence

Static findings

1 static · 0 from release diff · showing high-signal first.

Severity	Kind	Path	Detail	Points
medium	Obfuscation Density	package/dist/utils/tokenizer/cl100k_base.json	high encoded/escaped-token density	12

Manifest

Package metadata

Scripts14

buildtsup --tsconfig tsconfig.build.json && pnpm copy-nodes-json && tsc-alias -p tsconfig.build.json && pnpm copy-tokenizer-json && pnpm n8n-copy-static-files && pnpm n8n-generate-metadata
cleanrimraf dist .turbo
copy-nodes-jsonnode ../../nodes-base/scripts/copy-nodes-json.js .
copy-tokenizer-jsonnode scripts/copy-tokenizer-json.js .
devpnpm run watch
formatbiome format --write .
format:checkbiome ci .
linteslint nodes credentials utils --quiet
lint:fixeslint nodes credentials utils --fix
testjest
test:devjest --watch
test:unitjest
typechecktsc --noEmit
watchtsup --watch nodes --watch credentials --watch utils --watch types --tsconfig tsconfig.build.json --onSuccess "node ./scripts/post-build.js"

Dependencies74

@aws-sdk/client-sso-oidc3.808.0
@azure/identity4.3.0
@azure/search-documents12.1.0
@getzep/zep-cloud1.0.6
@getzep/zep-js0.9.0
@google-cloud/resource-manager5.3.0
@google/genai1.19.0
@google/generative-ai0.21.0
@huggingface/inference4.0.5
@langchain/anthropic1.1.3
@langchain/aws1.0.3
@langchain/classic1.0.5
@langchain/cohere1.0.1
@langchain/community1.1.18
@langchain/core1.1.8
@langchain/google-genai2.0.0
@langchain/google-vertexai2.0.0
@langchain/groq1.0.2
@langchain/mistralai1.0.1
@langchain/mongodb1.0.1
@langchain/ollama1.0.2
@langchain/openai1.1.3
@langchain/pinecone1.0.1
@langchain/qdrant1.0.1
@langchain/redis1.0.1
@langchain/textsplitters1.0.1
@langchain/weaviate1.0.1
@modelcontextprotocol/sdk^1.26.0
@mozilla/readability0.6.0
@n8n/client-oauth20.33.4
…and 44 more.