@mewuto/n8ncheck

v1.0.3

Security vulnerability checker for n8n workflows

Downloads

200

Readme

n8ncheck

License: MIT

Security vulnerability checker for n8n workflows.

Features

  • Node-level Security Checks: Validates individual node configurations for security issues
  • Workflow-level Scenario Checks: Analyzes node relationships and workflow patterns
  • Multiple Output Formats: Console, JSON, and GitHub PR comment formats

Installation

Prerequisites

  • Node.js >= 18.0.0
  • npm

Setup

npm install
npm run build

Usage

Basic Commands

# Basic security analysis (console output)
npm run dev analyze workflow.json

# PR comment format for GitHub integration
npm run dev analyze workflow.json -- -f pr-comment

Production Usage

# Build and run analysis
npm run build
n8ncheck analyze workflow.json

# Or using node directly
node dist/index.js analyze workflow.json

Options

| Option | Description | Default |
|--------|-------------|---------|
| -f, --format <type> | Output format: console, pr-comment | console |
| -o, --output <file> | Save output to file | stdout |
| -g, --graph | Show detailed graph information | false |

Security Checks

This tool performs two types of security analysis: individual node validation and workflow-level scenario checks that analyze node relationships and dependencies.

Node Checks

The following are examples of individual node security checks.

HTTP Request Node

  • Production URL Detection: Detects hardcoded production environment URLs
  • Dynamic URL/Body Construction: Identifies dynamically constructed URLs and request bodies

BigQuery Node

  • Production Project Access: Detects production project and dataset/table references
  • Dynamic SQL Construction: Warns about dynamically constructed SQL queries

The JavaScript Code, Slack, Google Sheets, and Google Drive nodes are also supported, with various security checks.
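
The sketch below is an added example, not n8ncheck's own code, showing how node-level checks of this kind can be run over a workflow export. The rule table, the parameter names (url, body, jsonBody, bodyParameters, sqlQuery), the production host list, the severity values and the sample workflow are all assumptions made for illustration.

```javascript
// Added example: rule tables are assumptions, not n8ncheck's own rules.
// n8n stores an expression as a string starting with "=" that embeds {{ ... }}.
const isExpression = (v) => typeof v === "string" && v.startsWith("=") && v.includes("{{");
const hostOf = (u) => { try { return new URL(u).hostname; } catch { return null; } };

// Dotted paths of every expression-valued parameter, at any nesting depth.
function expressionPaths(value, path = "") {
  if (isExpression(value)) return [path];
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([k, v]) =>
    expressionPaths(v, path ? `${path}.${k}` : k));
}

// Hypothetical rule table: top-level parameters to watch per node type.
const DYNAMIC_RULES = {
  "n8n-nodes-base.httpRequest": { fields: ["url", "body", "jsonBody", "bodyParameters"], check: "dynamic-url-or-body" },
  "n8n-nodes-base.googleBigQuery": { fields: ["sqlQuery"], check: "dynamic-sql" },
};
// Hypothetical production hosts; a real deployment would configure its own.
const PROD_HOSTS = ["api.example.com"];

function checkNodes(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    const rule = DYNAMIC_RULES[node.type];
    if (!rule) continue;
    const params = node.parameters ?? {};
    for (const parameter of expressionPaths(params)) {
      if (rule.fields.includes(parameter.split(".")[0])) {
        findings.push({ node: node.name, severity: "warning", check: rule.check, parameter });
      }
    }
    // A static URL is compared by hostname against the production list.
    const host = isExpression(params.url) ? null : hostOf(params.url);
    if (host && PROD_HOSTS.some((h) => host === h || host.endsWith(`.${h}`))) {
      findings.push({ node: node.name, severity: "warning", check: "production-url", parameter: "url" });
    }
  }
  return findings;
}
// Constructed sample workflow (not from a real export).
const SAMPLE_NODES = { nodes: [
  { name: "Call API", type: "n8n-nodes-base.httpRequest", parameters: {
    url: "=https://internal.example.net/users/{{ $json.id }}",
    bodyParameters: { parameters: [{ name: "q", value: "={{ $json.query }}" }] } } },
  { name: "Prod Ping", type: "n8n-nodes-base.httpRequest", parameters: { url: "https://billing.api.example.com/health" } },
  { name: "Report", type: "n8n-nodes-base.googleBigQuery", parameters: { sqlQuery: "=SELECT * FROM t WHERE id = {{ $json.id }}" } },
  { name: "Static", type: "n8n-nodes-base.googleBigQuery", parameters: { sqlQuery: "SELECT 1" } },
] };
```

Calling checkNodes(SAMPLE_NODES) reports the expression inside the nested body parameter as well as the one in the URL, which is why the walk recurses instead of inspecting only top-level strings.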

Scenario Checks

The following are examples of workflow-level scenario checks.

Google Sheets Scope Scenario

Detects Google Sheets creation without subsequent permission configuration (Google Drive Share or HTTP Request setup).
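
A scenario check of this kind has to follow the workflow graph, because a share node that exists elsewhere in the workflow does not cover a sheet created on another branch. The following is an added example, not n8ncheck's implementation; the node types and operations matched, the reading of "HTTP Request setup" as a call to a Drive permissions endpoint, the severity value and the sample workflow are assumptions.

```javascript
// Added example: node types, operations and the rule are assumptions, not n8ncheck's code.
const createsSheet = (n) => n.type === "n8n-nodes-base.googleSheets" &&
  n.parameters?.resource === "spreadsheet" && n.parameters?.operation === "create";
// Either follow-up named in the scenario counts: a Drive share, or an HTTP Request
// to a ".../permissions" endpoint (assumed meaning of "HTTP Request setup").
const setsPermission = (n) =>
  (n.type === "n8n-nodes-base.googleDrive" && n.parameters?.operation === "share") ||
  (n.type === "n8n-nodes-base.httpRequest" && /\/permissions\b/.test(String(n.parameters?.url ?? "")));

// Names of all nodes reachable from `start` over "main" connections (cycle-safe BFS).
function downstream(workflow, start) {
  const seen = new Set();
  const queue = [start];
  while (queue.length > 0) {
    const outputs = workflow.connections?.[queue.shift()]?.main ?? [];
    for (const link of outputs.flat()) {
      if (link && !seen.has(link.node)) { seen.add(link.node); queue.push(link.node); }
    }
  }
  return seen;
}

function checkSheetsScope(workflow) {
  const byName = new Map((workflow.nodes ?? []).map((n) => [n.name, n]));
  const findings = [];
  for (const node of byName.values()) {
    if (!createsSheet(node)) continue;
    const covered = [...downstream(workflow, node.name)]
      .some((name) => byName.has(name) && setsPermission(byName.get(name)));
    if (!covered) findings.push({ node: node.name, severity: "warning", check: "sheets-scope" });
  }
  return findings;
}

// Constructed sample in n8n's export shape: nodes plus connections keyed by node name.
const sheet = { resource: "spreadsheet", operation: "create" };
const edge = (node) => ({ main: [[{ node, type: "main", index: 0 }]] });
const SAMPLE_SCENARIO = {
  nodes: [
    { name: "New Report", type: "n8n-nodes-base.googleSheets", parameters: sheet },
    { name: "Format", type: "n8n-nodes-base.set", parameters: {} },
    { name: "Share Report", type: "n8n-nodes-base.googleDrive", parameters: { resource: "file", operation: "share" } },
    { name: "New Export", type: "n8n-nodes-base.googleSheets", parameters: sheet },
    { name: "Notify", type: "n8n-nodes-base.slack", parameters: {} },
  ],
  connections: { "New Report": edge("Format"), Format: edge("Share Report"), "New Export": edge("Notify") },
};
```

In the sample, "New Report" reaches "Share Report" through an intermediate node and passes, while "New Export" only reaches a Slack node and is reported.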

Slack User Validation Scenario

Validates proper user authentication in Slack-triggered workflows using AST-based JavaScript code analysis.

Additional workflow-level security scenarios are supported.

Severity Levels

  • 🚨 Error: Critical issues that prevent secure operation
  • ⚠️ Warning: Security concerns requiring review
  • 💡 Note: Configuration notices for administrators
  • ✅ None: No security issues detected (safe)

Development

Available Commands

| Command | Description |
|---------|-------------|
| npm run build | Build TypeScript to JavaScript |
| npm run dev | Run in development mode with ts-node |
| npm run analyze | Build and run analysis |
| npm test | Run test suite |
| npm run lint | Run Biome lint |
| npm run typecheck | Run TypeScript type checking |
| npm run fmt | Format code with Biome |
| npm run fmt:check | Check formatting without modifying files |
| npm run fix | Auto-fix formatting and linting issues |

Testing & Code Quality

# Run all tests
npm test

# Run linting
npm run lint

# Type checking
npm run typecheck

Contributing

We welcome bug fixes and documentation improvements. If you find issues, please submit an issue first.

If you want to submit a PR for bug fixes or documentation, please read the CONTRIBUTING.md and follow the instructions beforehand.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Copyright (c) 2025 mewuto