Pinned data size validation added to backend
Backend validation now prevents AI agents from bypassing frontend limits to create oversized workflows with large pinned datasets.
AI agents creating workflows through the API could bypass size checks that were only enforced in the browser. By embedding limits directly in the workflow service, pinned data is validated before any workflow is created or updated — regardless of how the request arrives.
Two limits are now enforced server-side: pinned data alone cannot exceed 12 MB, and a workflow including pinned data cannot exceed approximately 16 MB. These constraints prevent the storage and performance issues that accompany oversized workflows.
Size limit constants have been consolidated into the shared @n8n/api-types package, eliminating the risk of frontend and backend drift. The same values now protect both client-side and server-side operations.
View Original GitHub Description
Summary
It turned out we're validating pinned data only on frontend. Not validating it on backend might lead to large workflows being created by AI agents. This PR adds this validation to backend.
Related Linear tickets, Github issues, and Community forum posts
Closes ADO-4995
Review / Merge checklist
- PR title and summary are descriptive. (conventions) <!-- **Remember, the title automatically goes into the changelog. Use `(no-changelog)` otherwise.** -->
- Docs updated or follow-up ticket created.
- Tests included. <!-- A bug is not considered fixed, unless a test is added to prevent it from happening again. A feature is not complete without tests. -->
- PR Labeled with
Backport to Beta,Backport to Stable, orBackport to v1(if the PR is an urgent fix that needs to be backported)