Dependencies bumped across the n8n monorepo

shortstacked

·Apr 2, 2026·#27880fix: Bump dependencies

A batch of Node.js packages including node-forge, fast-xml-parser, and undici are updated to their latest stable versions, bringing security patches and bug fixes to the n8n automation platform.

Dependency updates rarely make headlines, but they are the backbone of a secure codebase. This PR refreshes multiple packages across the n8n monorepo, including critical libraries like node-forge for cryptographic operations, fast-xml-parser for data parsing, and the HTTP client undici. The update also introduces newer major versions of path-to-regexp and picomatch via monorepo overrides, ensuring the workspace pulls consistent versions throughout.

Keeping dependencies current reduces exposure to known vulnerabilities and ensures access to the latest improvements. For users, this means a more robust automation platform running on well-maintained foundations. The changes span three packages — the main CLI, the node CLI, and the workspace catalog — suggesting a coordinated effort to keep the entire stack aligned.

No new features or behavior changes are introduced. This is plumbing: boring, essential, and done right.

View Original GitHub Description

Summary

Updates several key dependencies across the codebase, including Node.js packages and the Docker image launcher. This refresh incorporates the latest security patches, critical bug fixes, and performance enhancements to improve overall application robustness and maintainability.

Related Linear tickets, Github issues, and Community forum posts

Review / Merge checklist

PR title and summary are descriptive. (conventions)
Docs updated or follow-up ticket created.
Tests included.
PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)