n8n-nodes-hashi-vault

v1.1.9

Secure N8N node for HashiCorp Vault integration with AppRole authentication - Hardened version

N8N HashiCorp Vault Node

This is a security-hardened version of the N8N HashiCorp Vault integration node. It was created after security vulnerabilities were discovered in the original n8n-nodes-hashicorp-vault package.

⚠️ Security Notice

This package was created as a secure alternative after identifying:

  • Critical vulnerabilities in dependencies (form-data CVE)
  • Missing source repository for original package
  • Potential supply chain attack indicators

🚀 Features

  • AppRole Authentication: Secure authentication using HashiCorp Vault's AppRole method
  • Token Authentication: Direct token-based authentication
  • KV v1 & v2 Support: Works with both Key-Value secret engines
  • Namespace Support: Enterprise Vault namespace functionality
  • SSL Configuration: Flexible SSL certificate validation options
  • Security Hardened: Updated dependencies to resolve CVE vulnerabilities

📦 Installation

# Install from local package (recommended)
npm install file:./path/to/this/package

# Or from npm
npm install n8n-nodes-hashi-vault

🔧 Configuration

Credentials Setup

  1. Vault URL: Your Vault instance URL (e.g., https://vault.example.com:8200)
  2. Authentication Method: Choose between AppRole or Token
  3. AppRole Configuration (if selected):
    • Role ID: Your AppRole Role ID
    • Secret ID: Your AppRole Secret ID
  4. Token Configuration (if selected):
    • Token: Your Vault token
  5. Optional Settings:
    • Namespace: Vault namespace (Enterprise feature)
    • API Version: KV engine version (v1 or v2)
    • Ignore SSL Issues: Skip SSL certificate validation

⚙️ Vault Configuration Examples

Token Authentication

Best for: Development, testing, or when you need simple setup.
Advantages: Quick setup, no additional Vault configuration needed.

# Create a token with KV access policy
vault policy write n8n-kv-policy - <<EOF
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/*" {
  capabilities = ["list"]
}
EOF

# Generate token (expires in 24h)
vault token create -policy=n8n-kv-policy -ttl=24h

AppRole Authentication

Best for: Production, automated workflows, enhanced security.
Advantages: Token rotation, audit trails, granular permissions, no long-lived tokens in N8N.

# Enable AppRole auth method
vault auth enable approle

# Create policy
vault policy write n8n-kv-policy - <<EOF
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/*" {
  capabilities = ["list"]
}
EOF

# Create AppRole
vault write auth/approle/role/n8n-role \
    token_policies="n8n-kv-policy" \
    token_ttl=1h \
    token_max_ttl=4h

# Get Role ID and Secret ID for N8N configuration
vault read auth/approle/role/n8n-role/role-id
vault write -f auth/approle/role/n8n-role/secret-id

Node Operations

Read Secret

{
  "secretEngine": "secret",
  "secretPath": "myapp/database",
  "version": 0
}

Write Secret

{
  "secretEngine": "secret",
  "secretPath": "myapp/database",
  "secretData": "{\"username\": \"myuser\", \"password\": \"mypassword\"}"
}

Delete Secret

{
  "secretEngine": "secret",
  "secretPath": "myapp/database"
}

List Secrets

{
  "secretEngine": "secret",
  "listPath": "myapp/"
}
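How the operation parameters above translate into Vault HTTP API requests for KV v1 and v2, including the AppRole login call. This is an added example, not code from this package: the function names, config field names and sample values are hypothetical, and it assumes AppRole is mounted at the default `approle` path and that version 0 means "latest".

```javascript
// Added illustration: map the node's operation parameters onto Vault HTTP API calls.
// Function and option names are hypothetical, not the package's own API.
function cleanPath(p) {
  const segs = String(p).split('/').filter((s) => s !== '');
  // encodeURIComponent leaves '.' and '..' intact, so reject them explicitly.
  if (segs.some((s) => s === '.' || s === '..')) throw new Error('invalid secret path');
  return segs.map(encodeURIComponent).join('/');
}

function buildAppRoleLogin(cfg) {
  // Assumes AppRole is mounted at the default "approle" path.
  return { method: 'POST', url: `${cfg.url.replace(/\/+$/, '')}/v1/auth/approle/login`,
           headers: cfg.namespace ? { 'X-Vault-Namespace': cfg.namespace } : {},
           body: { role_id: cfg.roleId, secret_id: cfg.secretId } };
}

function buildVaultRequest(cfg, op, p) {
  const v2 = cfg.apiVersion === 'v2';
  const headers = { 'X-Vault-Token': cfg.token };
  if (cfg.namespace) headers['X-Vault-Namespace'] = cfg.namespace;
  const base = `${cfg.url.replace(/\/+$/, '')}/v1/${cleanPath(p.secretEngine)}`;
  const path = cleanPath(op === 'list' ? p.listPath : p.secretPath);
  const dataUrl = `${base}/${v2 ? 'data/' : ''}${path}`; // KV v2 nests secrets under data/
  switch (op) {
    case 'read': {
      // Only KV v2 is versioned; 0 (or no value) asks for the latest version.
      const pinned = v2 && Number.isInteger(p.version) && p.version > 0;
      return { method: 'GET', url: pinned ? `${dataUrl}?version=${p.version}` : dataUrl, headers };
    }
    case 'write': {
      const data = JSON.parse(p.secretData); // secretData arrives as a JSON string
      // KV v2 wraps the payload in {"data": ...}; KV v1 takes the keys directly.
      return { method: 'POST', url: dataUrl, headers, body: v2 ? { data } : data };
    }
    case 'delete':
      return { method: 'DELETE', url: dataUrl, headers };
    case 'list':
      // KV v2 lists under metadata/, hence the "list" grant on secret/metadata/*.
      return { method: 'LIST', url: `${base}/${v2 ? 'metadata/' : ''}${path}`, headers };
    default:
      throw new Error(`unsupported operation: ${op}`);
  }
}

// Constructed sample input: prints "GET https://vault.example.com:8200/v1/secret/data/myapp/database"
const demoRequest = buildVaultRequest(
  { url: 'https://vault.example.com:8200', apiVersion: 'v2', token: 'constructed-token' },
  'read', { secretEngine: 'secret', secretPath: 'myapp/database', version: 0 });
console.log(demoRequest.method, demoRequest.url);
```
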

🔒 Security Changes Made

Dependency Updates

  • axios: Updated to ^1.7.9 (fixes form-data CVE)
  • form-data: Resolved critical vulnerability (CWE-330)
  • Development dependencies: Updated to latest secure versions

Code Integrity

  • Source verification: Full code review completed
  • No external endpoints: Confirmed communication only with configured Vault
  • TypeScript conversion: Improved type safety
  • Clean package: No suspicious dependencies or scripts

🧪 Testing

# Install dependencies
npm install

# Build the project
npm run build

# Run tests
npm test

# Security audit
npm audit

📋 Development

# Development mode
npm run dev

# Format code
npm run format

# Lint code
npm run lint

🚨 Security Audit Results

npm audit
# Expected: 0 vulnerabilities found

🤝 Contributing

This is a security-focused fork. When contributing:

  1. Security first: All changes must maintain or improve security posture
  2. Dependency management: Keep dependencies minimal and up-to-date
  3. Code review: All changes require security review
  4. Testing: Include security tests for new features

📋 TODO - Performance Optimizations

🚀 Token Management

  • [ ] Token Caching: Implement AppRole token caching with TTL to reduce authentication requests
  • [ ] Token Renewal: Add automatic token renewal before expiration
  • [ ] Connection Pooling: Reuse HTTP connections to Vault

🗄️ Secret Caching

  • [ ] Secure Secret Caching: Implement encrypted in-memory or Redis-based secret caching
  • [ ] TTL Management: Configurable TTL for cached secrets with automatic expiration
  • [ ] Cache Invalidation: Manual and automatic cache clearing mechanisms
  • [ ] Memory Security: Implement secure memory handling and cleanup for cached secrets

⚡ Performance Monitoring

  • [ ] Metrics Collection: Track response times, cache hit ratios, and authentication frequency
  • [ ] Memory Usage: Monitor cache memory consumption and implement LRU eviction

📜 License

MIT License - See LICENSE file for details

🛡️ Security

  • Report vulnerabilities: Create an issue with [SECURITY] prefix
  • Response time: Security issues will be addressed within 24 hours
  • Disclosure: Coordinated disclosure preferred

🙏 Acknowledgments

  • Original concept from the n8n-nodes-hashicorp-vault package
  • Security improvements by @luisra51
  • N8N community for the excellent automation platform

⚠️ Always verify package integrity and run security audits before deployment in production environments.