fix: Fix security issue in @rudderstack/rudder-sdk-node via major version upgrade from 2.1.4 to 3.0.0 (#24303)

Co-authored-by: aikido-autofix[bot] <119856028+aikido-autofix[bot]@users.noreply.github.com> Co-authored-by: Nikhil Kuriakose <nikhil.kuriakose@n8n.io>
2026-04-21 15:47:20 +00:00 · 2026-01-14 16:22:06 +01:00 · 2026-01-14 16:22:06 +01:00 · bad85bbe61
commit bad85bbe61
parent 959c5d251d
3 changed files with 37 additions and 22 deletions
--- a/package.json
+++ b/package.json
@ -128,7 +128,8 @@
      "jws@3": "3.2.2",
      "jws@4": "4.0.1",
      "qs@6": "6.14.1",
-      "@smithy/config-resolver": ">=4.4.0"
+      "@smithy/config-resolver": ">=4.4.0",
+      "@rudderstack/rudder-sdk-node@<=3.0.0": "3.0.0"
    },
    "patchedDependencies": {
      "bull@4.16.4": "patches/bull@4.16.4.patch",
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@ -114,7 +114,7 @@
    "@n8n_io/ai-assistant-sdk": "catalog:",
    "@n8n_io/license-sdk": "2.24.1",
    "@parcel/watcher": "^2.5.1",
-    "@rudderstack/rudder-sdk-node": "2.1.4",
+    "@rudderstack/rudder-sdk-node": "3.0.0",
    "@sentry/node": "catalog:",
    "aws4": "1.11.0",
    "axios": "catalog:",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -312,6 +312,7 @@ overrides:
  jws@4: 4.0.1
  qs@6: 6.14.1
  '@smithy/config-resolver': '>=4.4.0'
+  '@rudderstack/rudder-sdk-node@<=3.0.0': 3.0.0

 patchedDependencies:
  '@lezer/highlight':
@ -1685,8 +1686,8 @@ importers:
        specifier: ^2.5.1
        version: 2.5.1
      '@rudderstack/rudder-sdk-node':
-        specifier: 2.1.4
-        version: 2.1.4(tslib@2.8.1)
+        specifier: 3.0.0
+        version: 3.0.0
      '@sentry/node':
        specifier: 'catalog:'
        version: 9.42.1
@ -6898,12 +6899,15 @@ packages:

  '@otplib/plugin-crypto@12.0.1':
    resolution: {integrity: sha512-qPuhN3QrT7ZZLcLCyKOSNhuijUi9G5guMRVrxq63r9YNOxxQjPm59gVxLM+7xGnHnM6cimY57tuKsjK7y9LM1g==}
+    deprecated: Please upgrade to v13 of otplib. Refer to otplib docs for migration paths

  '@otplib/plugin-thirty-two@12.0.1':
    resolution: {integrity: sha512-MtT+uqRso909UkbrrYpJ6XFjj9D+x2Py7KjTO9JDPhL0bJUYVu5kFP4TFZW4NFAywrAtFRxOVY261u0qwb93gA==}
+    deprecated: Please upgrade to v13 of otplib. Refer to otplib docs for migration paths

  '@otplib/preset-default@12.0.1':
    resolution: {integrity: sha512-xf1v9oOJRyXfluBhMdpOkr+bsE+Irt+0D5uHtvg6x1eosfmHCsCC6ej/m7FXiWqdo0+ZUI6xSKDhJwc8yfiOPQ==}
+    deprecated: Please upgrade to v13 of otplib. Refer to otplib docs for migration paths

  '@otplib/preset-v11@12.0.1':
    resolution: {integrity: sha512-9hSetMI7ECqbFiKICrNa4w70deTUfArtwXykPUvSHWOdzOlfa9ajglu7mNCntlvxycTiOAXkQGwjQCzzDEMRMg==}
@ -7464,10 +7468,8 @@ packages:
  '@rtsao/scc@1.1.0':
    resolution: {integrity: sha512-zt6OdqaDoOnJ1ZYsCYGt9YmWzDXl4vQdKTyJev62gFhRGKdx7mcT54V9KIjg+d2wi9EXsPvAPKe7i7WjfVWB8g==}

-  '@rudderstack/rudder-sdk-node@2.1.4':
-    resolution: {integrity: sha512-Y/WJRcIYss+gCipzCMYcbJ3WPkj4SxsqNcb/HYjKhaLjdfjCmuWVSsJFEajfpA8EpkKRh3OamerBO5kftwXLxQ==}
-    peerDependencies:
-      tslib: ^2.6.2
+  '@rudderstack/rudder-sdk-node@3.0.0':
+    resolution: {integrity: sha512-zWdyYzpuUG/sa6cMr8FspYZtxdxee7G5SXYPkAYWwqd72lVO8MKXf+CX9eoIkix7Mc3qzgTFdyKleZN9QYvwQg==}

  '@rushstack/node-core-library@5.12.0':
    resolution: {integrity: sha512-QSwwzgzWoil1SCQse+yCHwlhRxNv2dX9siPnAb9zR/UmMhac4mjMrlMZpk64BlCeOFi1kJKgXRkihSwRMbboAQ==}
@ -10155,6 +10157,10 @@ packages:
    resolution: {integrity: sha512-CF+nGsJyfsCC9MJL8hFxqXzbwq+jGBXhaz1j15G+5N/XtKIPFUUy5O1mfWWKbKunfuH/x+UV4NYRQDHSkjCOgA==}
    engines: {node: '>=12'}

+  bull@4.16.5:
+    resolution: {integrity: sha512-lDsx2BzkKe7gkCYiT5Acj02DpTwDznl/VNN7Psn7M3USPG7Vs/BaClZJJTAG+ufAR9++N1/NiUTdaFBWDIl5TQ==}
+    engines: {node: '>=12'}
+
  bundle-name@4.1.0:
    resolution: {integrity: sha512-tjwM5exMg6BGRI+kNmTntNsvdZS1X8BFYS6tnJ2hdH0kVxM6/eVZ2xy+FqStSWvYmtfFMDLIxurorHwDKfDz5Q==}
    engines: {node: '>=18'}
@ -15909,6 +15915,7 @@ packages:
    resolution: {integrity: sha512-gv6vLGcmAOg96/fgo3d9tvA4dJNZL3fMyBqVRrGxQ+Q/o4k9QzbJ3NQF9cOO/71wRodoXhaPgphvMFU68qVAJQ==}
    deprecated: |-
      You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
+
      (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)

  qrcode.vue@3.3.4:
@ -17925,10 +17932,6 @@ packages:
    resolution: {integrity: sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==}
    hasBin: true

-  uuid@11.0.2:
-    resolution: {integrity: sha512-14FfcOJmqdjbBPdDjFQyk/SdT4NySW4eM0zcG+HqbHP5jzuH56xO3J1DGhgs/cEMCfwYi3HQI1gnTO62iaG+tQ==}
-    hasBin: true
-
  uuid@11.1.0:
    resolution: {integrity: sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==}
    hasBin: true
@ -18366,10 +18369,12 @@ packages:
  whatwg-encoding@2.0.0:
    resolution: {integrity: sha512-p41ogyeMUrw3jWclHWTQg1k05DSVXPLcVxRTYsXUk+ZooOCZLcoYgPZ/HL/D/N+uQPOtcp1me1WhBEaX02mhWg==}
    engines: {node: '>=12'}
+    deprecated: Use @exodus/bytes instead for a more spec-conformant and faster implementation

  whatwg-encoding@3.1.1:
    resolution: {integrity: sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==}
    engines: {node: '>=18'}
+    deprecated: Use @exodus/bytes instead for a more spec-conformant and faster implementation

  whatwg-fetch@3.6.20:
    resolution: {integrity: sha512-EqhiFU6daOA8kpjOWTL0olhVOF3i7OrFzSYiGsEMB8GcXS+RrzauAERX65xMeNWVqxA6HXH2m69Z9LaKKdisfg==}
@ -23921,7 +23926,7 @@ snapshots:

  '@rtsao/scc@1.1.0': {}

-  '@rudderstack/rudder-sdk-node@2.1.4(tslib@2.8.1)':
+  '@rudderstack/rudder-sdk-node@3.0.0':
    dependencies:
      axios: 1.12.0
      axios-retry: 4.5.0(axios@1.12.0)
@ -23932,11 +23937,9 @@ snapshots:
      md5: 2.3.0
      ms: 2.1.3
      remove-trailing-slash: 0.1.1
-      serialize-javascript: 6.0.2
-      tslib: 2.8.1
-      uuid: 11.0.2
+      uuid: 11.1.0
    optionalDependencies:
-      bull: 4.16.4(patch_hash=a4b6d56db16fe5870646929938466d6a5c668435fd1551bed6a93fffb597ba42)
+      bull: 4.16.5
    transitivePeerDependencies:
      - debug
      - supports-color
@ -27501,6 +27504,19 @@ snapshots:
    transitivePeerDependencies:
      - supports-color

+  bull@4.16.5:
+    dependencies:
+      cron-parser: 4.9.0
+      get-port: 5.1.1
+      ioredis: 5.3.2
+      lodash: 4.17.21
+      msgpackr: 1.11.2
+      semver: 7.7.3
+      uuid: 8.3.2
+    transitivePeerDependencies:
+      - supports-color
+    optional: true
+
  bundle-name@4.1.0:
    dependencies:
      run-applescript: 7.1.0
@ -30585,7 +30601,7 @@ snapshots:
      '@types/debug': 4.1.12
      '@types/node': 20.19.21
      '@types/tough-cookie': 4.0.5
-      axios: 1.12.0
+      axios: 1.12.0(debug@4.4.3)
      camelcase: 6.3.0
      debug: 4.4.3(supports-color@8.1.1)
      dotenv: 16.6.1
@ -30595,7 +30611,7 @@ snapshots:
      isstream: 0.1.2
      jsonwebtoken: 9.0.3
      mime-types: 2.1.35
-      retry-axios: 2.6.0(axios@1.12.0(debug@4.4.3))
+      retry-axios: 2.6.0(axios@1.12.0)
      tough-cookie: 4.1.4
    transitivePeerDependencies:
      - supports-color
@ -35026,7 +35042,7 @@ snapshots:
      onetime: 5.1.2
      signal-exit: 3.0.7

-  retry-axios@2.6.0(axios@1.12.0(debug@4.4.3)):
+  retry-axios@2.6.0(axios@1.12.0):
    dependencies:
      axios: 1.12.0

@ -37143,8 +37159,6 @@ snapshots:

  uuid@10.0.0: {}

-  uuid@11.0.2: {}
-
  uuid@11.1.0: {}

  uuid@8.3.2: {}