Risks when using community nodes
Installing community nodes from npm means you are installing unverified code from a public source into your n8n instance. This has some risks.
Risks when using community nodes
Installing community nodes from npm means you are installing unverified code from a public source into your n8n instance. This has some risks.
Risks include:
- System security: community nodes have full access to the machine that n8n runs on, and can do anything, including malicious actions.
- Data security: any community node that you use has access to data in your workflows.
- Breaking changes: node developers may introduce breaking changes in new versions of their nodes. A breaking change is an update that breaks previous functionality. Depending on the node versioning approach that a node developer chooses, upgrading to a version with a breaking change could cause all workflows using the node to break. Be careful when upgrading your nodes.
n8n vets verified community nodes
In addition to publicly available community nodes from npm, n8n inspects some nodes and makes them available as verified community node inside the nodes panel. These nodes have to meet a set of data and system security requirements for approval.
Report bad community nodes
You can report bad community nodes to [security@n8n.io](mailto: security@n8n.io)
Disable community nodes
If you are self-hosting n8n, you can disable community nodes by setting N8N_COMMUNITY_PACKAGES_ENABLED to false. On n8n cloud, visit the Cloud Admin Panel and disable community nodes from there. See troubleshooting for more information.
Last updated on
Install verified community nodes in the n8n app
Limited to n8n instance owners Only the n8n instance owner can install and manage verified community nodes. The instance owner is the person who sets up and manages user management. All mem
n8n community node blocklist
n8n maintains a blocklist of community nodes. You can't install any node on this list.