fix: Fix 10 critical issues in axios, defu, hono and 3 more#28356

Closed
aikido-autofix[bot] wants to merge 1 commit into master from fix/aikido-security-update-packages-22722515-vbst

Conversation

@aikido-autofix aikido-autofix Bot commented Apr 10, 2026

Upgrade dependencies to fix critical proxy bypass/SSRF in Axios and prototype pollution vulnerabilities in defu and other packages.

⚠️ Incomplete breaking changes analysis (4/6 analyzed)

⚠️ Breaking changes analysis not available for: axios, @langchain/community

✅ No breaking changes from either package upgrade affect this codebase:

defu (6.1.4 => 6.1.5): The package is not directly imported or used anywhere in the codebase. While it appears in pnpm.overrides, there are no code references to defu functions, so the change in inherited enumerable properties behavior has no impact.

yaml (2.3.4 => 2.8.3):

  • The dropped Collection.maxFlowStringSingleLineLength property is not used anywhere in the codebase

  • The codebase only uses the parse function from the yaml package in packages/testing/code-health/src/utils/workspace-parser.ts

  • The Node.js version requirement increase to 14.18 is satisfied, as the project requires Node.js >=22.16

All breaking changes by upgrading defu from version 6.1.4 to 6.1.5 (CHANGELOG)

| Version | Description |
| --- | --- |
| v6.1.5 | Inherited enumerable properties are now ignored, which may affect code that previously relied on merging inherited properties from prototype chains |

All breaking changes by upgrading yaml from version 2.3.4 to 2.8.3 (CHANGELOG)

| Version | Description |
| --- | --- |
| 2.5.0 | Drop unused Collection.maxFlowStringSingleLineLength |
| 2.7.0 | Require Node.js 14.18 or later (was 14.6) |

✅ 10 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2025-62718 | 🚨 CRITICAL | [axios] Axios fails to properly normalize hostnames when checking NO_PROXY rules, allowing requests to loopback addresses (localhost., [::1]) to bypass proxy protections and reach internal services. This enables proxy bypass and SSRF attacks against protected loopback or internal endpoints. |
| CVE-2026-35209 | HIGH | [defu] Prototype pollution vulnerability in the defu function allows attackers to override default object properties through crafted __proto__ payloads in unsanitized user input, potentially leading to application logic bypass or information disclosure. |
| CVE-2026-39409 | MEDIUM | [hono] The ipRestriction() middleware fails to canonicalize IPv4-mapped IPv6 addresses before applying IPv4 allow/deny rules, allowing attackers to bypass IP-based access controls in dual-stack environments. |
| CVE-2026-39408 | MEDIUM | [hono] Path traversal vulnerability in toSSG() allows attackers to write files outside the configured output directory during static site generation using specially crafted dynamic route parameters. This enables arbitrary file write attacks that could compromise system integrity. |
| CVE-2026-39407 | MEDIUM | [hono] Path handling inconsistency in serveStatic allows bypassing route-based authorization middleware by using repeated slashes (//) in request paths, enabling unauthorized access to protected static files. |
| GHSA-26pp-8wgv-hjvm | MEDIUM | [hono] Cookie names are not validated in setCookie(), serialize(), or serializeSigned(), allowing invalid characters that can cause malformed Set-Cookie headers and runtime errors when processing untrusted cookie names. |
| CVE-2026-39410 | MEDIUM | [hono] A discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed, enabling attacker-controlled cookies to override legitimate ones through key normalization. |
| CVE-2026-39406 | MEDIUM | [@hono/node-server] Path handling inconsistency in serveStatic allows bypassing route-based authorization middleware by using repeated slashes (//), enabling access to protected static files. This vulnerability permits middleware bypass and unauthorized file access. |
| CVE-2026-33532 | MEDIUM | [yaml] A stack overflow vulnerability in the YAML parser's node resolution phase allows attackers to trigger a RangeError via deeply nested YAML structures (~2-10 KB), potentially causing denial of service or process termination in applications that don't catch non-YAMLParseError exceptions. |
| CVE-2026-27795 | MEDIUM | [@langchain/community] RecursiveUrlLoader in LangChain allows redirect-based Server-Side Request Forgery (SSRF) by validating only the initial URL while automatically following redirects to unvalidated internal endpoints. This bypass undermines SSRF protections and enables attackers to access sensitive internal or metadata services. |

🔗 Related Tasks
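
Two of the findings in the bot's table (the axios NO_PROXY check, CVE-2025-62718, and the hono ipRestriction() check, CVE-2026-39409) share one root cause: the input is compared against an allow/deny rule before it is canonicalised, so "localhost.", "[::1]" and "::ffff:127.0.0.1" fail to match rules written for "localhost", "::1" and "127.0.0.1". The JavaScript below is an added example written for this page; it is not axios, hono or n8n code and does not reproduce either library's matching logic. The NO_PROXY list, the deny list and the probe inputs are constructed samples, and the leading-dot "match this domain and its subdomains" rule is an assumption of the example. It shows the naive exact-match check beside a canonicalising one for both the hostname and the IPv4-mapped-IPv6 case.

```javascript
// Added example for this page (not axios, hono or n8n code): canonicalise before you
// compare. The rule lists below are constructed samples.

// NO_PROXY as an operator would write it: exact hosts plus one ".suffix" domain rule
// (suffix semantics are an assumption of this example).
const NO_PROXY = ['localhost', '127.0.0.1', '::1', '.internal.example'];

// IPv4 addresses an ipRestriction-style deny rule is meant to block.
const DENY_IPV4 = ['127.0.0.1', '169.254.169.254'];

// Vulnerable pattern: exact string match. "localhost.", "LOCALHOST" and "[::1]" all
// miss the rule, so the request is sent via the proxy-exempt path to loopback.
function naiveShouldBypassProxy(host) {
  return NO_PROXY.includes(host);
}

// Vulnerable pattern: an IPv4 deny list compared against the raw peer address, so a
// dual-stack listener sees "::ffff:127.0.0.1" and lets it through.
function naiveIsDenied(remoteAddr) {
  return DENY_IPV4.includes(remoteAddr);
}

// Canonical hostname: lower-case, no IPv6 brackets, no trailing dot(s).
function canonicalHost(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // [::1] -> ::1
  while (h.endsWith('.')) h = h.slice(0, -1);                    // localhost. -> localhost
  return h;
}

// If ip is an IPv4-mapped IPv6 address (::ffff:a.b.c.d, ::ffff:hhhh:hhhh, or the
// fully written 0:0:0:0:0:ffff:... form) return the embedded IPv4 in dotted form,
// otherwise null. Other IPv6 spellings are deliberately not handled here.
function toIPv4IfMapped(ip) {
  const h = canonicalHost(ip);
  const m = /^(?:::|(?:0{1,4}:){5})ffff:([0-9a-f.:]+)$/.exec(h);
  if (!m) return null;
  const tail = m[1];
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(tail)) return tail;       // dotted form
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(tail);     // hex-pair form
  if (!hex) return null;
  const hi = parseInt(hex[1], 16);
  const lo = parseInt(hex[2], 16);
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

// Hardened NO_PROXY check: rule and host are both canonicalised, and a leading-dot
// rule matches the domain itself and any subdomain.
function shouldBypassProxy(host) {
  const h = canonicalHost(host);
  return NO_PROXY.some((rule) => {
    const r = canonicalHost(rule);
    if (r.startsWith('.')) return h === r.slice(1) || h.endsWith(r);
    return h === r;
  });
}

// Hardened deny check: unwrap an IPv4-mapped address first so the IPv4 rule applies.
function isDenied(remoteAddr) {
  const v4 = toIPv4IfMapped(remoteAddr) ?? canonicalHost(remoteAddr);
  return DENY_IPV4.includes(v4);
}

// Constructed probe inputs, naive result beside hardened result.
for (const host of ['localhost', 'localhost.', '[::1]', 'LOCALHOST', 'evil.example']) {
  console.log(`NO_PROXY ${host.padEnd(14)} naive=${naiveShouldBypassProxy(host)} hardened=${shouldBypassProxy(host)}`);
}
for (const addr of ['127.0.0.1', '::ffff:127.0.0.1', '[::ffff:7f00:1]', '10.0.0.5']) {
  console.log(`deny     ${addr.padEnd(18)} naive=${naiveIsDenied(addr)} hardened=${isDenied(addr)}`);
}
```

The regexes are kept small so the example runs without dependencies; in production code the address should be parsed with the platform's own parser (Node's `net.isIP()`, the WHATWG `URL` class) and the canonical form compared, and the hex-pair spelling (`::ffff:7f00:1`) must be covered as well as the dotted one, since both reach the same loopback interface.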

github-actions Bot commented Apr 10, 2026

⚠️ Ownership acknowledgement required

Please add or check the following item in your PR description before this can be merged:

- [x] I have seen this code, I have run this code, and I take responsibility for this code.

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 3 files

Architecture diagram

```mermaid
sequenceDiagram
    participant Attacker as Client / Attacker
    participant Hono as Hono (Middleware)
    participant App as Application Logic (Defu/YAML)
    participant FS as File System / SSG
    participant Outbound as Axios / LangChain
    participant IntSvc as Internal Service (localhost)

    Note over Attacker, IntSvc: Security Boundary Hardening (Inbound & Outbound)

    Note over Attacker, Hono: 1. Inbound Request Handling
    Attacker->>Hono: GET /static//etc/passwd (Repeated slashes)
    Hono->>Hono: CHANGED: Normalize path (serveStatic)
    Hono->>Hono: CHANGED: Validate IP (IPv4-mapped-IPv6)
    alt Unauthorized / Malformed
        Hono-->>Attacker: 403 Forbidden / 404 Not Found
    else Valid Access
        Hono->>FS: Read authorized static file
    end

    Note over Attacker, App: 2. Input Parsing & Object Merging
    Attacker->>App: POST payload with __proto__ or Deep YAML
    App->>App: CHANGED: Parse YAML (Stack depth limit)
    App->>App: CHANGED: Merge objects (Ignore inherited properties)
    Note right of App: Prevents Prototype Pollution & Parser DoS

    Note over App, IntSvc: 3. Outbound Request Security (SSRF/Proxy)
    App->>Outbound: Request external resource
    Outbound->>Outbound: Follow redirect / Check NO_PROXY

    alt Redirect to Internal / Loopback
        Outbound->>Outbound: CHANGED: Normalize host (localhost., [::1])
        Outbound->>Outbound: NEW: Re-validate redirect target
        Outbound-->>App: Blocked (SSRF Prevention)
        App-->>Attacker: Error: Illegal Request
    else Valid External Request
        Outbound->>IntSvc: (Bypass attempt blocked)
        Note right of Outbound: Proxy bypass via hostname normalization fixed
    end

    Note over Hono, FS: 4. Static Site Generation (toSSG)
    App->>FS: Generate static files via dynamic routes
    FS->>FS: CHANGED: Sanitize route parameters
    Note right of FS: Prevents Path Traversal during build phase
```
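
Step 2 of the diagram above ("Merge objects (Ignore inherited properties)") is the behaviour the defu 6.1.5 changelog entry in the PR description refers to, and the "__proto__" payload is the CVE-2026-35209 vector. The JavaScript below is an added example for this page, not defu's, yaml's or n8n's code: a naive defaults merge that is polluted by a JSON body carrying "__proto__", beside a merge that copies own keys only, refuses the prototype-related keys and caps nesting depth. The depth cap is an assumption of this example (a generic guard on the merge, not the yaml parser fix), and the request bodies are constructed.

```javascript
// Added example for this page (not defu, yaml or n8n code): defaults merging with and
// without prototype-pollution protection. Payloads below are constructed.

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive merge: walks with for...in (so it also visits inherited enumerable keys) and
// recurses into whatever target[key] resolves to, which for key "__proto__" is
// Object.prototype. This is the bug class of CVE-2026-35209, reproduced deliberately.
function naiveDefaults(input, target) {
  for (const key in input) {
    const value = input[key];
    if (isObject(value) && isObject(target[key])) {
      naiveDefaults(value, target[key]); // target["__proto__"] === Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects are merged recursively; class instances, Maps, Dates etc. are
// treated as opaque values so their internals cannot be reached from user input.
function isPlainObject(v) {
  if (!isObject(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened merge: own enumerable keys only (Object.keys), prototype keys refused,
// a fresh output object (the caller's defaults are never mutated), and a nesting
// cap. The cap is an assumption of this example, not the yaml library's parser fix.
function safeDefaults(input, defaults, maxDepth = 32, depth = 0) {
  if (depth > maxDepth) throw new RangeError(`merge nesting exceeds ${maxDepth}`);
  const out = {};
  for (const key of Object.keys(defaults)) {
    if (!BLOCKED_KEYS.has(key)) out[key] = defaults[key];
  }
  for (const key of Object.keys(input)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = input[key];
    if (value === undefined) continue; // defaults win over "unset"
    out[key] = isPlainObject(value) && isPlainObject(out[key])
      ? safeDefaults(value, out[key], maxDepth, depth + 1)
      : value;
  }
  return out;
}

// Constructed attacker body, as a JSON request handler would receive it. JSON.parse
// creates an own data property literally named "__proto__".
const POLLUTING_BODY = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// Runs the naive merge, reports whether every object now reads isAdmin === true,
// then removes the pollution so the process is left clean.
function demonstratePollution() {
  naiveDefaults(JSON.parse(POLLUTING_BODY), { role: 'user', theme: 'light' });
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

function demonstrateSafeMerge() {
  const merged = safeDefaults(JSON.parse(POLLUTING_BODY), { role: 'user', theme: 'light' });
  return { merged, polluted: ({}).isAdmin === true };
}

// Builds n levels of {child: {child: ...}} to exercise the depth cap.
function nested(levels) {
  let obj = { leaf: true };
  for (let i = 0; i < levels; i++) obj = { child: obj };
  return obj;
}

console.log('naive merge polluted Object.prototype:', demonstratePollution());
console.log('safe merge result:', demonstrateSafeMerge());
```

Blocking the three key names is the minimum; copying with `Object.keys()` rather than `for...in` is what makes the 6.1.5 changelog's "inherited enumerable properties are now ignored" behaviour hold, and returning a fresh object means a polluted or shared defaults object can never be the merge target.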

codecov Bot commented Apr 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@n8n-assistant n8n-assistant Bot added the labels "community" (Authored by a community member) and "in linear" (DEPRECATED) Apr 10, 2026

n8n-assistant Bot commented Apr 10, 2026

Hey @aikido-autofix[bot],

Thank you for your contribution. We appreciate the time and effort you’ve taken to submit this pull request.

Before we can proceed, please ensure the following:
• Tests are included for any new functionality, logic changes or bug fixes.
• The PR aligns with our contribution guidelines.

Regarding new nodes:
We no longer accept new nodes directly into the core codebase. Instead, we encourage contributors to follow our Community Node Submission Guide to publish nodes independently.

If your node integrates with an AI service that you own or represent, please email nodes@n8n.io and we will be happy to discuss the best approach.

About review timelines:
This PR has been added to our internal tracker as "GHC-7692". While we plan to review it, we are currently unable to provide an exact timeframe. Our goal is to begin reviews within a month, but this may change depending on team priorities. We will reach out when the review begins.

Thank you again for contributing to n8n.

@github-actions

Performance Comparison

Comparing: current vs latest master vs 14-day baseline

docker-stats

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
| --- | --- | --- | --- | --- | --- | --- |
| docker-image-size-runners | 386.00 MB | 386.00 MB | 387.50 MB (σ 3.00) | +0.0% | -0.4% | |
| docker-image-size-n8n | 1269.76 MB | 1269.76 MB | 1269.76 MB (σ 0.00) | +0.0% | +0.0% | |

Idle baseline with Instance AI module loaded

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
| --- | --- | --- | --- | --- | --- | --- |
| instance-ai-heap-used-baseline | 187.01 MB | 186.51 MB | 186.46 MB (< 3 samples) | +0.3% | +0.3% | |
| instance-ai-rss-baseline | 385.46 MB | 394.55 MB | 369.15 MB (< 3 samples) | -2.3% | +4.4% | |

Memory consumption baseline with starter plan resources

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
| --- | --- | --- | --- | --- | --- | --- |
| memory-heap-used-baseline | 114.36 MB | 114.53 MB | 113.09 MB (σ 1.15) | -0.2% | +1.1% | ⚠️ |
| memory-rss-baseline | 284.75 MB | 287.07 MB | 281.78 MB (σ 34.50) | -0.8% | +1.1% | |

How to read this table
  • Current: This PR's value (or latest master if PR perf tests haven't run)
  • Latest Master: Most recent nightly master measurement
  • Baseline: Rolling 14-day average from master
  • vs Master: PR impact (current vs latest master)
  • vs Baseline: Drift from baseline (current vs rolling avg)
  • Status: ✅ within 1σ | ⚠️ 1-2σ | 🔴 >2σ regression

codecov Bot commented Apr 11, 2026

Bundle Report

Changes will increase total bundle size by 1 byte (0.0%) ⬆️. This is within the configured threshold ✅

Detailed changes
| Bundle name | Size | Change |
| --- | --- | --- |
| editor-ui-esm | 45.61MB | 1 byte (0.0%) ⬆️ |

Affected Assets, Files, and Routes:

view changes for bundle: editor-ui-esm

Assets Changed:

| Asset Name | Size Change | Total Size | Change (%) |
| --- | --- | --- | --- |
| assets/src-*.js | 1 byte | 2.43MB | 0.0% |

@aikido-autofix aikido-autofix Bot closed this Apr 11, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/aikido-security-update-packages-22722515-vbst branch April 11, 2026 23:22