Merged
Size: M
Change Breakdown: Bug Fix 60%, Feature 30%, Refactor 10%
#28475 fix(core): Fix public API package update process

Community package updates verified by default

The public API's update endpoint now automatically verifies community packages against the n8n-vetted list, fetching the correct checksum for the requested version and surfacing clear error messages when a version hasn't been verified.

When updating community packages through n8n's public API, the system now automatically verifies each package against the vetted list and retrieves the correct checksum for the specified version. Previously, the update process skipped verification entirely, potentially allowing unverified packages to be installed without proper validation.

The fix ensures that when a version is requested during an update, the corresponding checksum is fetched from the vetted package data. If the requested version isn't in the vetted list, an error message clearly states which version is the latest verified one. Developers can opt out of verification by setting verify: false in the request body.

This change lives in the CLI package's public API handlers and community packages lifecycle service.
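
The version-to-checksum resolution described above, written out as an added example; it is not n8n's code, and the type names, `planUpdate`, the vetted-list shape and the placeholder checksums are assumptions made for illustration. It also assumes that a request without a version resolves to the latest vetted one.

```typescript
// Added example; names and data shapes are hypothetical, not n8n's code.
type VettedPackage = { name: string; versions: Record<string, string> }; // version -> checksum
type UpdateRequest = { name: string; version?: string; verify?: boolean };
type InstallPlan = { name: string; version: string | undefined; checksum: string | undefined; verified: boolean };

// Constructed sample data; checksums are placeholders, not real digests.
const VETTED: VettedPackage[] = [
  { name: 'n8n-nodes-example', versions: { '1.2.0': 'sha512-PLACEHOLDER-A', '1.10.0': 'sha512-PLACEHOLDER-B' } },
];

// Numeric compare of plain x.y.z versions, so 1.10.0 ranks above 1.2.0.
function compareVersions(a: string, b: string): number {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

function planUpdate(req: UpdateRequest, vetted: VettedPackage[] = VETTED): InstallPlan {
  // Verification is the default; only an explicit `verify: false` skips it.
  if (req.verify === false) {
    return { name: req.name, version: req.version, checksum: undefined, verified: false };
  }
  const entry = vetted.find((p) => p.name === req.name);
  if (!entry || Object.keys(entry.versions).length === 0) {
    throw new Error(`Package ${req.name} is not verified`);
  }
  const latest = Object.keys(entry.versions).sort(compareVersions).pop() as string;
  // Assumption: with no version in the request, the latest vetted version is used.
  const version = req.version ?? latest;
  // Take the checksum for this exact version; own-property check keeps
  // inherited keys such as "constructor" from passing as a vetted version.
  const checksum = Object.prototype.hasOwnProperty.call(entry.versions, version)
    ? entry.versions[version]
    : undefined;
  if (checksum === undefined) {
    throw new Error(`Version ${version} of ${req.name} is not verified; latest verified version is ${latest}`);
  }
  return { name: req.name, version, checksum, verified: true };
}
```

The plan fails closed: an unvetted version never yields a checksum, and the checksum handed to the installer always belongs to the version being installed.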

View Original GitHub Description
  • Updated the update method to include verification for community packages. Makes sure to retrieve the checksum for the respective version.
  • Improved error messages to clarify when a package is not verified.

Related Linear tickets, GitHub issues, and Community forum posts

Fixes LIGO-447

Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)