fix: upgrade GitHub Actions and patch dependency vulnerabilities (v2.44.1) (#690 )

2026-04-01 23:23:12 +00:00 · 2026-04-01 21:17:59 +02:00
10 changed files with 1275 additions and 1079 deletions
--- a/.github/workflows/docker-build-fast.yml
+++ b/.github/workflows/docker-build-fast.yml
@@ -36,11 +36,11 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Log in to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -48,7 +48,7 @@ jobs:
          
      - name: Extract metadata
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -56,7 +56,7 @@ jobs:
            type=raw,value=test-amd64
            
      - name: Build and push Docker image (AMD64 only)
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64
--- a/.github/workflows/docker-build-n8n.yml
+++ b/.github/workflows/docker-build-n8n.yml
@@ -53,7 +53,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
@@ -62,11 +62,11 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Log in to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -74,7 +74,7 @@ jobs:

      - name: Extract metadata
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -85,7 +85,7 @@ jobs:
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile
@@ -109,7 +109,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -167,7 +167,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
          body: |
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -78,15 +78,15 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Log in to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -94,7 +94,7 @@ jobs:

      - name: Extract metadata
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -107,7 +107,7 @@ jobs:
            type=raw,value=latest,enable={{is_default_branch}}
            
      - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
        with:
          context: .
          no-cache: false
@@ -186,15 +186,15 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Log in to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -202,7 +202,7 @@ jobs:
          
      - name: Extract metadata for Railway
        id: meta-railway
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-railway
          tags: |
@@ -215,7 +215,7 @@ jobs:
            type=raw,value=latest,enable={{is_default_branch}}
            
      - name: Build and push Railway Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile.railway
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -389,7 +389,7 @@ jobs:
          echo "Version: $(node -e "console.log(require('./package.json').version)")"
      
      - name: Publish to NPM with retry
-        uses: nick-invision/retry@v2
+        uses: nick-invision/retry@v4
        with:
          timeout_minutes: 5
          max_attempts: 3
@@ -448,13 +448,13 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -462,7 +462,7 @@ jobs:
      
      - name: Extract metadata for standard image
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -472,7 +472,7 @@ jobs:
            type=raw,value=latest,enable={{is_default_branch}}
      
      - name: Build and push standard Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
        with:
          context: .
          platforms: linux/amd64,linux/arm64
@@ -553,7 +553,7 @@ jobs:

      - name: Extract metadata for Railway image
        id: meta-railway
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-railway
          tags: |
@@ -563,7 +563,7 @@ jobs:
            type=raw,value=latest,enable={{is_default_branch}}
      
      - name: Build and push Railway Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile.railway
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -116,7 +116,7 @@ jobs:
      # Upload coverage to Codecov
      - name: Upload coverage to Codecov
        if: always()
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage/lcov.info
@@ -250,7 +250,7 @@ jobs:
          path: artifacts

      - name: Publish test results
-        uses: dorny/test-reporter@v1
+        uses: dorny/test-reporter@v3
        if: always()
        continue-on-error: true
        with:
--- a/.github/workflows/update-n8n-deps.yml
+++ b/.github/workflows/update-n8n-deps.yml
@@ -129,7 +129,7 @@ jobs:
      
      - name: Create Pull Request
        if: steps.branch.outputs.branch_name != ''
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v8
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: ${{ steps.branch.outputs.branch_name }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+## [2.44.1] - 2026-04-01
+
+### Security
+
+- **Bump axios** from `^1.11.0` to `^1.14.0` to patch known vulnerability
+- **Bump nodemon** from `^3.1.10` to `^3.1.14` to patch transitive dependency vulnerabilities
+
+### Changed
+
+- **Upgrade GitHub Actions** to latest versions across all CI/CD workflows (docker, release, test, update-n8n-deps) — contributed by @salmanmkc in #663
+
+Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en
+
 ## [2.44.0] - 2026-04-01

 ### Added
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "n8n-mcp",
-  "version": "2.44.0",
+  "version": "2.44.1",
  "description": "Integration between n8n workflow automation and Model Context Protocol (MCP)",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
@@ -140,11 +140,11 @@
    "@vitest/coverage-v8": "^3.2.4",
    "@vitest/runner": "^3.2.4",
    "@vitest/ui": "^3.2.4",
-    "axios": "^1.11.0",
+    "axios": "^1.14.0",
    "axios-mock-adapter": "^2.1.0",
    "fishery": "^2.3.1",
    "msw": "^2.10.4",
-    "nodemon": "^3.1.10",
+    "nodemon": "^3.1.14",
    "ts-node": "^10.9.2",
    "typescript": "^5.8.3",
    "vitest": "^3.2.4"
--- a/package.runtime.json
+++ b/package.runtime.json
@@ -1,6 +1,6 @@
 {
  "name": "n8n-mcp-runtime",
-  "version": "2.33.2",
+  "version": "2.44.1",
  "description": "n8n MCP Server Runtime Dependencies Only",
  "private": true,
  "dependencies": {