
fix: Fix 8 security issues in jsonpath, mailparser, mysql2 and 5 more#26314

Open
aikido-autofix[bot] wants to merge 1 commit intomasterfrom
fix/aikido-security-update-packages-17556656-cacn

Conversation

@aikido-autofix
Contributor

Upgrades multiple packages to address critical security vulnerabilities including XSS, SQL injection, prototype pollution, symlink deletion, and regex injection risks.

✅ 8 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue | Severity | Description
CVE-2025-61140 | MEDIUM | [jsonpath] The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
AIKIDO-2026-10127 | HIGH | [jsonpath] A cross-site scripting (XSS) vulnerability exists in plain text to HTML conversion due to improper escaping of URLs and link text in anchor tags. Attackers can inject malicious code through specially crafted URLs containing quotes or HTML content.
AIKIDO-2026-10225 | HIGH | [jsonpath] SQL injection vulnerability in escape functions due to inconsistent type handling, allowing attackers to inject SQL logic and bypass authentication through non-string parameter types in parameterized queries.
CVE-2025-13437 | MEDIUM | [jsonpath] When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup rou...
AIKIDO-2026-10058 | MEDIUM | [jsonpath] A Regular Expression Injection vulnerability allows attackers to break out of string literals via unescaped quotes in crafted payloads, enabling arbitrary JavaScript code execution in eval contexts or inline scripts.
CVE-2026-27795 | MEDIUM | [jsonpath] A redirect-based Server-Side Request Forgery (SSRF) bypass in RecursiveUrlLoader allows attackers to bypass URL validation by following redirects to internal or metadata endpoints without revalidation. This vulnerability enables access to restricted internal resources through automatic redirect following.
CVE-2023-26115 | LOW | [jsonpath] All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
CVE-2026-26996 | LOW | [jsonpath] A Regular Expression Denial of Service (ReDoS) vulnerability exists where glob patterns with many consecutive wildcards followed by a non-matching literal character cause exponential backtracking, enabling attackers to hang applications via user-controlled pattern inputs.
@cubic-dev-ai (Contributor) cubic-dev-ai bot left a comment

No issues found across 6 files

Architecture diagram
sequenceDiagram
    participant User as User / Attacker
    participant FE as Frontend (Editor UI)
    participant BE as Backend (n8n Core / Nodes)
    participant MP as mailparser (nodes-base)
    participant DB as MySQL DB (mysql2)
    participant CLI as CLI Utility (zx)

    Note over User, CLI: Security Hardening: Runtime Protection against CVEs (SQLi, XSS, ReDoS)

    rect rgb(30, 41, 59)
    Note right of User: UI Data Mapping & Expression Flow
    User->>FE: Input JSONPath expression / Data
    FE->>FE: CHANGED: jsonpath.value() validation
    Note over FE: Prevents Prototype Pollution<br/>& Regex Injection
    FE-->>FE: CHANGED: Escape URL/HTML in links
    Note over FE: Prevents XSS in Editor UI
    FE-->>User: Rendered JSON / Preview
    end

    rect rgb(23, 37, 84)
    Note right of User: Workflow Execution (Email/DB)
    User->>BE: Execute Workflow
    BE->>MP: CHANGED: Parse incoming email stream
    MP-->>BE: Sanitized Mail Object
    
    BE->>DB: CHANGED: Execute Parameterized Query
    alt Parameter Validation
        DB->>DB: CHANGED: Strict type-handling
        Note over DB: Fixes SQLi via non-string types
    end
    DB-->>BE: Query Result
    BE-->>User: Workflow Success
    end

    rect rgb(5, 46, 22)
    Note right of CLI: Development & Scripting Flow
    CLI->>CLI: Execute script with --prefer-local
    CLI->>CLI: Create node_modules symlink
    opt Cleanup Phase
        CLI->>CLI: CHANGED: Resolve correct symlink path
        Note over CLI: Prevents accidental symlink<br/>deletion logic error
    end
    end

    Note over FE,BE: Transitive Security: Glob & Word-Wrap
    BE->>BE: CHANGED: Process Glob patterns / String wrapping
    Note over BE: ReDoS mitigation via minimatch/word-wrap upgrades
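The diagram's "Fixes SQLi via non-string types" note, like the escape-function entry in the PR description, names the bug class only. The following is an added example, not code from this PR, from n8n or from mysql2: a constructed model of a sqlstring-style placeholder substituter in which an array becomes a comma list and an object becomes `key` = value pairs, so a JSON body field such as {"password": 1} turns `password = ?` into `` password = `password` = 1 ``, which MySQL evaluates left to right as (password = password) = 1, true for every row with a non-NULL password. Beside it is a binder that accepts scalar types only. The function names, the users table and the login query are assumptions made for the illustration.

```javascript
// Added example, not code from the n8n PR or from the mysql2 package: a
// constructed model of a sqlstring-style "?" substituter, showing why
// inconsistent handling of non-string parameter types is a SQL injection
// vector, beside a hardened binder that enforces a scalar-only allowlist.
// Function names, the users table and the login query are assumptions.

function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Minimal MySQL string-literal escaping; real escapers also handle charset
// specifics, but the point here is the *type* dispatch, not the quoting.
function escapeString(s) {
  return "'" + s.replace(/[\0\n\r\b\t\\'"\x1a]/g, (c) => {
    switch (c) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\x1a': return '\\Z';
      default: return '\\' + c;
    }
  }) + "'";
}

// Model of the permissive behaviour: arrays become comma lists and objects
// become `key` = value pairs. Both change the structure of the statement, not
// just a literal inside it.
function permissiveEscape(val) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number') return String(val);
  if (typeof val === 'boolean') return val ? 'true' : 'false';
  if (typeof val === 'string') return escapeString(val);
  if (Array.isArray(val)) return val.map(permissiveEscape).join(', ');
  if (typeof val === 'object') {
    return Object.keys(val)
      .map((k) => escapeId(k) + ' = ' + permissiveEscape(val[k]))
      .join(', ');
  }
  throw new TypeError('unsupported value');
}

// Substitute each "?" with the escaped parameter, in order.
function format(sql, params, escape) {
  let i = 0;
  return sql.replace(/\?/g, () => {
    if (i >= params.length) throw new Error('too few parameters');
    return escape(params[i++]);
  });
}

// Hardened: only scalars are bindable. Anything structured (the shape a JSON
// request body field takes) is rejected before it can reach the query text.
function strictEscape(val) {
  if (val === null) return 'NULL';
  if (typeof val === 'number' && Number.isFinite(val)) return String(val);
  if (typeof val === 'boolean') return val ? 'true' : 'false';
  if (typeof val === 'string') return escapeString(val);
  throw new TypeError(
    `refusing to bind parameter of type ${Array.isArray(val) ? 'array' : typeof val}`,
  );
}

const LOGIN_SQL = 'SELECT id FROM users WHERE username = ? AND password = ?';

// Constructed attacker input: the JSON body
// {"username":"alice","password":{"password":1}} passed straight to the query.
function demo() {
  const body = { username: 'alice', password: { password: 1 } };
  const injected = format(LOGIN_SQL, [body.username, body.password], permissiveEscape);
  let rejected = null;
  try {
    format(LOGIN_SQL, [body.username, body.password], strictEscape);
  } catch (e) {
    rejected = e.message;
  }
  const honest = format(LOGIN_SQL, ['alice', "s3cret'--"], strictEscape);
  return { injected, rejected, honest };
}
```

The quoting in `escapeString` is not what fails here; an apostrophe in a real password is escaped correctly by both variants. What the strict binder removes is the driver's willingness to turn a JSON object into SQL syntax, which is why validating request bodies to scalar types before they reach any driver is the control that does not depend on the driver version.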

@codecov codecov bot commented Feb 26, 2026

❌ 5 Tests Failed:

Tests completed | Failed | Passed | Skipped
44933 | 5 | 44928 | 2
View the top 3 failed test(s) by shortest run time
InsightsService (Integration) getInsightsByWorkflow compacted data are grouped by workflow correctly with projectId filter
Stack Traces | 0.026s run time
Error: expect(received).toMatchObject(expected)

- Expected  - 2
+ Received  + 2

  Object {
    "failed": 2,
    "projectId": "E85L9n6jNKvLXJxL",
    "projectName": "s6suiua",
    "runTime": 123,
-   "succeeded": 5,
+   "succeeded": 4,
    "timeSaved": 0,
-   "total": 7,
+   "total": 6,
    "workflowId": "ATHm7Bjuq4YUs1z2",
    "workflowName": "test workflow",
  }
    at Object.<anonymous> (.../insights/__tests__/insights.service.integration.test.ts:602:31)
InsightsService (Integration) getInsightsByTime compacted data are are grouped by time correctly with projectId filter
Stack Traces | 0.034s run time
Error: expect(received).toEqual(expected) // deep equality

Expected: ArrayContaining [ObjectContaining {"date": "2026-02-12T00:00:00.000Z", "values": {"averageRunTime": 0, "failed": 1, "failureRate": 0.5, "succeeded": 1, "timeSaved": 0, "total": 2}}, ObjectContaining {"date": "2026-02-16T00:00:00.000Z", "values": {"averageRunTime": 15, "failed": 0, "failureRate": 0, "succeeded": 2, "timeSaved": 0, "total": 2}}, ObjectContaining {"date": "2026-02-24T00:00:00.000Z", "values": {"averageRunTime": 0, "failed": 0, "failureRate": 0, "succeeded": 2, "timeSaved": 0, "total": 2}}, ObjectContaining {"date": "2026-02-26T00:00:00.000Z", "values": {"averageRunTime": 0, "failed": 4, "failureRate": 0.5714285714285714, "succeeded": 3, "timeSaved": 0, "total": 7}}]
Received: [{"date": "2026-02-16T00:00:00.000Z", "values": {"averageRunTime": 15, "failed": 0, "failureRate": 0, "succeeded": 2, "timeSaved": 0, "total": 2}}, {"date": "2026-02-24T00:00:00.000Z", "values": {"averageRunTime": 0, "failed": 0, "failureRate": 0, "succeeded": 2, "timeSaved": 0, "total": 2}}, {"date": "2026-02-26T00:00:00.000Z", "values": {"averageRunTime": 0, "failed": 4, "failureRate": 0.5714285714285714, "succeeded": 3, "timeSaved": 0, "total": 7}}]
    at Object.<anonymous> (.../insights/__tests__/insights.service.integration.test.ts:916:19)
InsightsService (Integration) getInsightsByTime compacted data are are grouped by time correctly
Stack Traces | 0.037s run time
Error: expect(received).toHaveLength(expected)

Expected length: 4
Received length: 3
Received array:  [{"date": "2026-02-16T00:00:00.000Z", "values": {"averageRunTime": 15, "failed": 0, "failureRate": 0, "succeeded": 2, "timeSaved": 0, "total": 2}}, {"date": "2026-02-24T00:00:00.000Z", "values": {"averageRunTime": 0, "failed": 0, "failureRate": 0, "succeeded": 2, "timeSaved": 0, "total": 2}}, {"date": "2026-02-26T00:00:00.000Z", "values": {"averageRunTime": 0, "failed": 4, "failureRate": 0.5714285714285714, "succeeded": 3, "timeSaved": 0, "total": 7}}]
    at Object.<anonymous> (.../insights/__tests__/insights.service.integration.test.ts:758:19)
test/complete.test.ts > SQL completion > completes quoted column names in quoted tables for a specific quoted schema
Stack Traces | 0.0419s run time
TypeError: state.languageDataAt(...)[0] is not a function
 ❯ get test/complete.test.ts:23:78
 ❯ test/complete.test.ts:104:14
test/complete.test.ts > SQL completion > completes quoted table names under quoted schema
Stack Traces | 0.0948s run time
TypeError: state.languageDataAt(...)[0] is not a function
 ❯ get test/complete.test.ts:23:78
 ❯ test/complete.test.ts:67:14


@codecov codecov bot commented Feb 26, 2026

Bundle Report

Changes will increase total bundle size by 3.24kB (0.01%) ⬆️. This is within the configured threshold ✅

Detailed changes
Bundle name | Size | Change
editor-ui-esm | 42.47MB | 3.24kB (0.01%) ⬆️

Affected Assets, Files, and Routes:

view changes for bundle: editor-ui-esm

Assets Changed:

Asset Name | Size Change | Total Size | Change (%)
assets/worker-*.js | -2.91MB | 13.37kB | -99.54%
assets/worker-*.js | 2.91MB | 2.92MB | 21725.55% ⚠️
assets/constants-*.js | 9 bytes | 2.89MB | 0.0%
assets/RunDataJsonActions-*.js | 3.23kB | 181.88kB | 1.81%

n8n-assistant bot added the labels "community" (Authored by a community member) and "in linear" (Issue or PR has been created in Linear for internal review) on Feb 27, 2026

@n8n-assistant (Contributor) n8n-assistant bot commented Feb 27, 2026

Hey @aikido-autofix[bot],

Thank you for your contribution. We appreciate the time and effort you’ve taken to submit this pull request.

Before we can proceed, please ensure the following:
• Tests are included for any new functionality, logic changes or bug fixes.
• The PR aligns with our contribution guidelines.

Regarding new nodes:
We no longer accept new nodes directly into the core codebase. Instead, we encourage contributors to follow our Community Node Submission Guide to publish nodes independently.

If your node integrates with an AI service that you own or represent, please email nodes@n8n.io and we will be happy to discuss the best approach.

About review timelines:
This PR has been added to our internal tracker as "GHC-7029". While we plan to review it, we are currently unable to provide an exact timeframe. Our goal is to begin reviews within a month, but this may change depending on team priorities. We will reach out when the review begins.

Thank you again for contributing to n8n.

@blacksmith-sh blacksmith-sh bot commented Feb 27, 2026

Found 5 test failures on Blacksmith runners:

Failures:
• InsightsService (Integration) getInsightsByTime compacted data are are grouped by time correctly
• InsightsService (Integration) getInsightsByTime compacted data are are grouped by time correctly with projectId filter
• InsightsService (Integration) getInsightsByWorkflow compacted data are grouped by workflow correctly with projectId filter
• test/complete.test.ts / SQL completion > completes quoted column names in quoted tables for a specific quoted schema
• test/complete.test.ts / SQL completion > completes quoted table names under quoted schema

