Dead yamljs dependency removed

Matsuuu

·Apr 13, 2026·#28307chore: Remove dependency to yamljs in favor of yaml

n8n is cutting ties with yamljs, an abandoned library last updated in 2017. The CLI's public API now relies on the actively maintained yaml package instead.

The n8n CLI was using yamljs for parsing OpenAPI specifications — a library that has sat untouched for seven years with no maintainers. The yaml package, by contrast, receives regular updates and security patches.

The switch required updating how YAML files are loaded in the public API middleware. The old code imported the default export from yamljs; the new approach imports yaml as a module and reads the file directly before parsing it. This minor API adjustment keeps the functionality intact while using a dependency with active stewardship.

Notably, yamljs will still appear in the dependency tree as a transitive dependency pulled in by curlconverter, but n8n's direct usage has been eliminated. The yaml package version is now centralized in the pnpm workspace catalog, ensuring consistency across all packages.

This change lives in the CLI's public API layer, affecting how OpenAPI documentation is served.

View Original GitHub Description

Summary

As yamljs is abandoned, remove dependency to it in favor of maintained yaml. Centralize on a single version of yaml via pnpm workspace.

Curlconverter uses yamljs for features we are not using, so it's still going to be present as a transient dependency.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/CAT-2648

Review / Merge checklist

I have seen this code, I have run this code, and I take responsibility for this code.
PR title and summary are descriptive. (conventions)
Docs updated or follow-up ticket created.
Tests included.
PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)