It's not that the tool itself is inherently insecure - it's more about how users are encouraged to use it.
Nearly all workflows built using N8n that I've seen face some kind of prompt injection vulnerability. This is primarily because, in most cases, you configure the LLM by directly inserting external data into the system prompt. As many of you know, the system prompt has the highest execution priority, meaning instructions placed there can heavily influence how the LLM interacts with its tools.
While this isn't exploitable in every situation, it can often be exploited rather generically: by embedding prompts in your social media bio, website, or other locations from where these workflows pull data. Recently, I've managed to use this technique to prompt a random LinkedIn bot to email me back a list of their functions. That's not overly exciting in itself, but it clearly demonstrates the potential for malicious use.
This issue is not specific to N8n. Other tools do it too. But it seems to me there is little to no awareness that this is in fact a problem.
There is a better, safer way to incorporate external data into LLM prompts without jumping through hoops, but unfortunately, that's not how things are currently done with N8n, at least as of today.
moralestapia · 9h ago
What's the safe alternative?
freeqaz · 8h ago
As somebody working in AI Security: There isn't one currently. If you're feeding untrusted inputs into an LLM (today), you have to treat the entire prompt as radioactive.
That means:
- Limit the potential for a malicious prompt to do anything bad
- Scope permissions to the lowest level you can
There are some other mitigations (moderation APIs using a 2nd LLM), but in general they're not 100% solutions. You really need to design your systems around accepting this limitation today.
A- Limit the capabilities of users.
B- Help users limit the capabilities that they to their sub-users, whether they be per-program capabilities or per dependency capabilities.
I think B is the path forward, if you give a user access to emails and files and ChatGPT, then he can give ChatGPT access to emails and files and do damage that way.
With B you can give the user access to ChatGPT and email and a file system, but help him configure fine grained permissions for their experiments.
jasongill · 17h ago
n8n has been good but not great in our organization (and we pronounce it "Nathan", to answer someone else's question). It's effectively a self-hosted version of Zapier and has quite a few built-in integrations. It's a bit more annoying to use than Zapier (but the price is right), and the AI features are currently about like the AI features of every other product: basically sufficient to tell investors "we do AI!" but not anything you're going to actually use.
The one frustration we have with n8n is trying to create custom "apps" (triggers or destinations for workflows). It's clear that the custom apps are an afterthought and have gone through multiple iterations of "here's the best way to do it", and you end up having to just keep trying until you get it to do what you want. Annoyingly, there's no way to manage custom apps in the interface itself - you have to create a Javascript module and then inject it into a .npm directory somewhere inside of the applications Docker container, which just doesn't feel very "professional".
If n8n would add some kind of admin interface for managing custom apps - especially just supporting basic use cases like specifying a REST API as a reusable custom app - it would be great, but still has a ways to go in terms of features (like better user permissions management as part of the lackluster SSO) before it's truly going to be an enterprise grade solution.
That said, we tried Windmill first and while it was cool for the devs who were able to see the vision, the non-technical users hated it and have heavily praised n8n once we created a custom app to let them integrate with our system.
Overall I would say n8n is worth trying if you need something like this, but expect to do some tinkering if you go beyond what it does out of the box.
rubenfiszel · 12h ago
> That said, we tried Windmill first and while it was cool for the devs who were able to see the vision, the non-technical users hated it
Founder of Windmill here. This is not too surprising although we are working on it by leveraging AI and just better DX/design. Pleasing devs in the most demanding orgs and the ever-changing expectations is challenging by itself. Pleasing both devs AND non-technical user is a monumental task that we are now giving more attention to by focusing on 2 aspects:
- A better DX/UX that does not sacrifice power-user capabilities but has a less step learning-curve and more intuitiveness to it. That is mostly about good design and hard work. We are taking inspiration from the best and on the intuitiveness, we've learned a lot from n8n and other leaders in the space.
- leveraging AI capabilities in a state-of-the-art way to have the best models generate the code for non-technical users. That is basically just adopting the best practices inspired by cursor such as great auto-completion, great inline code-gen, excellent semantic search.
aerhardt · 16h ago
Zapier has fundamental issues in control flow and exception handling in my experience.
Custom apps aside, how do Zapier and n8n compare in your experience?
handfuloflight · 14h ago
Can you give a specific example re: Zapier?
aerhardt · 14h ago
Once you’re down a logical branch, there’s no coming back to the main branch. It’s hacks all the way down from there to do things that are extremely simple in a normal programming language.
zarathustreal · 14h ago
Are you asking for an example of control flow?
bevenky · 16h ago
How would you compare it with activepieces.com? It’s also self hostable but OSS license.
I've just poked at them, but my impression was that Node Red much more capable.
IIRC one of my issues with n8n was the lack of streaming ability, which kills it for large datasets.
Towaway69 · 16h ago
For doing streaming in Node-RED, I created a library[1] - it's been through exacatly one example flow[2] - for that it worked well. I've not had a use case for it, it was just an idea of mine to implement an ETL pipeline using NodeRED.
The library just uses the streaming API[3] of NodeJS - effectively converting lines of CSV (for example) into individual messages that flow through NodeRED.
NodeRED isn't great for handling large messages but perfect for directing many small messages.
Have not used Node Red in production and only played with it briefly, but n8n is more of a Zapier replacement whereas Node Red I believe is more of an IoT automation platform.
n8n is made so that you can set it up and give your staff access and they can manage their own workflows (like "when a customer opens a support ticket, update their Salesforce record to increment the number of tickets they have opened").
It's clearly aimed at non technical users being able to develop their own solutions to problems (for better or for worse), more so than Windmill which is made for developers to solve their own problems or develop solutions that non-technical people can use. Node Red if I remember correctly is more heavily weighted toward real time events for dev (especially hardware/IoT dev) use than "let the support team manage their own workflows for routing customer complaints"
rcarmo · 15h ago
My approach to using Node-RED for AI has been to build re-usable sub flows with high-level functionality (parser, chunker, etc.).
You can go a _long_ way with the split/join nodes and a little ingenuity to work around any issues with streaming.
mbesto · 12h ago
I've used Node Red and n8n both on my homelab and deleted Node Red after awhile. The UI, workflow and 3rd party service support is simply just better on n8n. I could see Node Red having its advantages if you're used to writing code all day (I'm not).
otabdeveloper4 · 15h ago
I evaluated both at one point, and n8n is a "we have NodeRed at home" product. Didn't see the point.
Towaway69 · 15h ago
For me, NodeRED is far more low-level with switch nodes being the equivalent to a case statement. A change node being equivalent to doing assigments of variables.
n8n is far more high level with google sheet nodes communicating with postgres database nodes. There is far less ability to do manipulate the data being passed around - as many said Zapier-like.
NodeRED is used for home automation and talking to devices that are connected to the network and providing nice dashboards of things happening. Another big use case is IIoT. So it less focussed on integration of SaaS services and more on devices integration and inter-communication between devices.
Plus NodeRED has a great collection[1] of third party nodes that can help in connecting to new devices. Installing nodes is based on npm but is completely automated.
As a former user of N8N the tool looked interesting to me but I ended up converting most of my use cases into shell scripts, python scripts executed by cron jobs, and into ci/cd jobs. It gave me more flexibility about the tech stack I need, and a greater ease of debugging and developing robust designed tools.
I guess N8N was not intuitive for simple things and seemed too complicated for me. I'm now happier with cron jobs/GitOps to manage my automations.
On the other hand I also had to replace some IFTTT workflows with my own scripts.
More work for me but I gained quality and control.
photon_garden · 14h ago
We’ve been using n8n in production for the last few months at my startup and are planning on migrating to regular backend code.
Pros:
- Good observability. It’s handy that they track all executions and let you see when workflows run.
- Usable for non-technical people.
- They’ve had all the integrations we needed.
Cons:
- Implementing parallel execution for async parts of the workflow is complicated and flaky.
- Pricing is expensive for the hosted version.
- Version control is bad.
- If you have engineering capacity, it’s faster and simpler to write some more backend code if you already have a backend.
fzysingularity · 13h ago
We (at https://vlm.run) use n8n internally for a lot of automations and it’s been great (Reddit/HN scraping), slack automations, cron jobs for sales etc.
We also made a custom node for popular document/image/video ETL jobs like document-to-markdown, audio/video transcriptions with VLMs (Vision Language Models).
A while back I used it to glue together a bunch of APIs to make a geofence on top of a WiFi location service my company offers. Super easy to prototype external computation without something like severless/lambda (which would be the likely path for production)
Thanks for sharing, Chris! In case it's helpful to other readers, the linked article outlines combining several tools together, including N8n and how it fit into the picture. Decent article, although a bit shallow on details.
preya2k · 17h ago
If you’re looking for an Open Source alternative, give Windmill a try.
hectormalot · 17h ago
Having some experience with both, I think they are quite different. N8n looks quite polished and seems primarily concerned about connecting pre-made blocks. There are custom code blocks (JS and Python only, with limited ability to import libraries), but it’s not something you’d use by default. I thinks it great for less-technical users when compared to windmill.
Windmill OTOH supports a bunch of programming languages for steps (Go, Rust, Python, TS, etc.) and seems to have a much more “code first” approach. Reusable blocks are more like code templates compared to n8n.
Hard to say which is better. I really like the ability in windmill to just write code for each step and it comes across more powerful, but it feels less polished and intuitive when compared to n8n.
rubenfiszel · 12h ago
Founder of windmill.
I'm not ashamed to admit than n8n feels more polished. There are a few reasons:
- Our team was and is still much smaller. We were 5 for the first 2 years, we are now 10 (year 3), and are continuing to hire to follow our growth.
- They have been around for longer and mature for longer, more time to iterate. We have reached some level of maturity recently and are now spending more iterations on polishing rather than new features.
- Their surface area is smaller, windmill does A LOT and expose more for the better or worse.
n8n has done a lot of things really well and although we have a different audience, there is a lot to learn from what they did very well and we have the upmost respect for them. We have some overlap, but I think ultimately we strive in different kind of orgs and will cohabit rather than compete.
Reubend · 6h ago
While you're here, may I ask something about Windmill? My impression of n8n is that it's similar to Zapier in the sense that it mainly focuses on linking pre-made integrations, while Windmill is more of a workflow engine like Temporal. But while I see on your landing page that Windmill also boast lots of integrations, clicking on any of them take me to a sort of community script sharing interface, where it's not really clear how fully fleshed out any of the integrations are.
Are these two things being wrongly compared to each other when they're actually meant for different purposes? Or is Windmill indeed a good point of comparison?
rattray · 17h ago
For those curious, it looks like n8n is "fair-code" source available.
I hadn't seen this term before but it looks interesting:
Just to clarify.
The reason why you aren't saying N8n is open source because of its license right? I haven't read its license but it does seem to me to have quite some restrictions.
And whereas Windmill seems to be agpl + apache.
So that is what you are mentioning, right?
tinco · 14h ago
Typically when people say open source they mean that the source code can be used , modified and made public for any purpose. There is an organization called OSI that maintains a ratified list of licenses that are compatible with the ideals of the open source movement. Although the OSI has been compromised by the big cloud providers and no longer serves the public interest, the list can still be relied on as a good sign that the license you're looking at is open source.
preya2k · 11h ago
Yes, n8n is not open source. It’s “source available”.
sneak · 6h ago
Windmill is also not fully open source; there are major sections of it powering central features that are not released as free software.
Also, they require a CLA with copyright assignment so they can reuse your contributions in nonfree software. It’s always shady when companies do this.
The open source parts of Windmill are partially Apache and partially AGPL; there are some of us who additionally regard the AGPL as nonfree (because it’s really a EULA).
filipheremans · 16h ago
Indeed! Big fan..
hypefi · 14h ago
Tried it, but in an age where AI does a lot of the work in coding, I think just using code to automate things is better than using n8n, the visual aspect though of the AI agents nodes, chains and workflows is the one thing that is interesting in n8n
nico · 17h ago
Can someone talk about their experience using n8n? I’ve seen it in passing a lot lately, but I wonder what some good successful use cases are
simple10 · 17h ago
I can highly recommend n8n. I prefer it over Make.com, Pipedream, Zapier, etc. for automations and AI agent tasks. Basically, anything you want to automate but don't want to spin up a custom code server each time.
The main reasons I switched to n8n are it's open source, meaning I can run it locally without limits, and it supports code nodes in javascript and python. Make.com used to drive me bonkers when it took 10+ minutes to create all the nodes in the UI to handle loops, errors, etc. when I could normally just write a few lines of code to handle it.
Only downside to n8n vs other platforms is it's polling based vs instant trigger unlike Zapier's and Make.com's connectors. So if you're processing email, Google Sheets data, etc. you'll have more latency with n8n unless you add some custom middleware to handle instant triggers. But polling is actually a benefit in my case since I mostly run n8n locally through docker. Whenever I spin it up, it auto catches up on new data it hasn't yet processed.
n8n's AI nodes are first rate and more intuitive IMO than others. You can easily extend it with custom LangChain nodes as well if you're self hosting.
If you want to play around with n8n locally, this tool makes it easy: https://github.com/LLemonStack/llemonstack/ I created it to make it easier for me to spin up and down project stacks on the same machine.
True. It's dual licensed. Most of the features are available in the self hosted / local version.
tinco · 14h ago
It's dual licensed in a way, but neither license is open source. The OSI messed up in not coming up with an answer to the SSPL, and now ambitious projects that would have traditionally gone with an open source license like AGPL are now foregoing open source entirely and just slapping a sustainable use license on it.
So yeah, you can use n8n for free, but that doesn't make it open source. It is a source available license.
moralestapia · 9h ago
What's the catch?
You have to pay after some revenue threshold?
XCSme · 16h ago
I recently started using it, and as an experienced developer, I love it.
It's really easy to automate tasks and schedule things.
For example, I connected it to my UXWizz MySQL database, asked the AI in UXWizz to give me a query with the funnel conversions for today (visits/pricing/checkout/sales) compared to last week, copied that into n8n and made it send me an emoji-formatted daily Telegram message.
I am now using it to implement an AI chat-bot/support ticket responder, and I'm planning to migrate a Node.js auto-poster to it, so I can easily change the schedule/model/content of the post without having to edit any code.
I like that it has good documentation for integrations. For example, I was testing Google Ads, and I want to do conversion tracking without adding the Google JS to my page. Again, I used an MySQL connection to my UXWizz analytics dashboard to select the gclid for all visits that lead to a conversion event, then with n8n I upload those daily to a Google Sheet, which is then used by Google Ads to properly track conversions. The Google Sheet integration is not trivial (you need Google Cloud account, create an app, create oauth login, etc.), but the n8n docs were clear enough to follow and up-to-date enough to work.
rkuodys · 15h ago
Can I ask you why so many things with N8N is connected over Telegram it seems versus for example slack? Not a user of Telegram so I honestly am curious about this choice
XCSme · 15h ago
Personally I hate Slack, it never works on my PC because of their organizations/workspace system, where you need a separate account for each community you are in. Also, it's really buggy and login often doesn't work, or switching accounts breaks things.
Telegram has a really good mobile app, and their BotFather makes it easy to create custom integrations. They display nicely a lot of notification formats (text/html/markdown) and it's free.
Slack is too bloated to simply use for notifications.
nik8n · 15h ago
I think many users choose Telegram, as it's really simple. Slack is usually slightly more work to setup, e.g. creating the slack bot for it. I'm using Slack ware more than telegram, but I guess both work.
sally_glance · 13h ago
I can only talk about the Slack integration story since I never worked with the Telegram API, but over the last couple of years it has become an incredible mess. There are various ways to do the same thing, different permission models, deprecated endpoints without clear alternatives... It has become a pain honestly.
gokaygurcan · 17h ago
Before it was moved to GitHub Actions, we had a multiple-step deployment flow created in Node-Red, I believe you can achieve more or less the same thing with n8n. Never tried tho, it wasn't necessary anyway. If I really really simplify it's like, checkout, run some tests, deploy to a preview env, run some more tests, report back to slack.
On a personal level, I use it to automate booking a tennis court. It logs in, selects the date and time (pre-defined), adds a partner/opponent, books the court, pings a service that generates a calendar entry. If I decide to cancel the booking, it again pings the service and removes the calendar entry. I needed to bend some "nodes" to do what I need within the same workflow (such as create event runs once a day but update event runs in every 10 minutes).
In the past, I also used it to detect service interruptions with my ISP. I don't use that ISP anymore, so this workflow is redundant, but it was checking an API and if there's an entry, sending it as a push notification (via ntfy) to my phone.
neoecos · 17h ago
I got to know n8n from HN comments a couple year ago. I tried it and kinda liked it, it was really a tool for making quick PoC, trying remote APIs and building operations.
I was able to hack a MVP of a new product in just one or two days.
Now, the company uses n8n for a lot of stuff, out ops team and finance team is expected to automatize manual work using n8n. From billing to financial conciliation to customer support. Also in product/dev team we implement some parts as flows, for things we expect to change a lot of features that are more internal.
But n8n requires a lot of time and care. It's not intended for high loads, they make a lot of breaking changes (more like new bugs, but is not fun).
We do all this self hosting in a k8s cluster.
In general I like it, but I think is still intended for a personal o early adopter.
Funny, one of my biz co-founder, learned and created a new biz just teaching it.
ibaikov · 17h ago
It is great to make chatbots in my opinion. Personal automations, AI, etc. I have friends who use it to prototype products and it works using n8n as backend for users. I mostly don't do this, only prototypes that only I can access. It has pros and cons vs coding, and you probably have to make something using n8n to see if it works for you.
sharpfuryz · 15h ago
It depends on what you need. For use cases like "export data from HubSpot, transform it (join by id, normalize), and load it into Google Spreadsheets," it works great. I've tested it for marketing automation, but it requires skill to configure properly.
kfogel · 17h ago
Wow. This project was the cause of a very long and intense discussion about mis-use of the term "open source". See https://github.com/n8n-io/n8n/issues/40#issuecomment-5397146... for details (lands mid-thread -- you might want to scroll back to see the start, and if you read the whole thing to the end then you deserve some sort of award!).
TL;DR: The author originally tried to call n8n "open source" but while using a non-open-source license. After much discussion, he kept the license but stopped using the label "open source", to the relief of many people.
That half-decade-old thread is still what I point to when I want to explain to someone why preserving the specificity of the term "open source" matters.
SKILNER · 17h ago
Is the UX of the name any indication of the UX of the product?
lukaslevert · 16h ago
n8n is a unique name that for now I think works to differentiate them. Time will tell if they keep it.
Jefro118 · 13h ago
How do people integrate steps on websites/web scraping into their larger workflows? I’m looking to try and integrate my own browser RPA tool [1] into n8n but I’m not sure how useful it is.
How is the name pronounced? Like nate-n, which is a play on Nathan?
Aside from that, I've been thinking about no/low-code solutions for educational purposes. I'm an incoming professor of a university and most my students have little background in CS or related fields. The university insists on using tools like Alteryx but I want to see if free open-source solutions exist (because that way, students can use the tools after graduation).
So far I've seen Dify, Flowise, Langflow, n8n, Make. The last two seem to be more general while the other ones are tailored to LLMs (which is the focus of my courses—applications of LLMs in management).
c_hastings · 17h ago
From their GitHub:
“ What does n8n mean?
Short answer: It means "nodemation" and is pronounced as n-eight-n.
Long answer: "I get that question quite often (more often than I expected) so I decided it is probably best to answer it here. While looking for a good name for the project with a free domain I realized very quickly that all the good ones I could think of were already taken. So, in the end, I chose nodemation. 'node-' in the sense that it uses a Node-View and that it uses Node.js and '-mation' for 'automation' which is what the project is supposed to help with. However, I did not like how long the name was and I could not imagine writing something that long every time in the CLI. That is when I then ended up on 'n8n'." - Jan Oberhauser, Founder and CEO, n8n.io”
senordevnyc · 17h ago
This sounds like excellent evidence that they picked a terrible name and should change it.
pinkmuffinere · 13h ago
It is definitely a bad name, even once you know the real name it feels unnatural to say. It might be too late to change though. Maybe better to ret-con it to just be “Nathan” :/
victorbjorklund · 17h ago
N8N is great. Been self-hosting for years.
k8sToGo · 17h ago
Can you provide a few examples for what you use it for privately?
op00to · 17h ago
I use it to follow subreddits, scrape posts, analyze based on arbitrary criteria, note the findings in a spreadsheet, then send a notification.
victorbjorklund · 17h ago
An example i set up recently was getting a notification on telegram whenever I deploy a vercel site (our build process is slow so can take 20 min). Webhook from Vercel -> filter on the author -> send notification to telegram.
The perfect usecase for n8n is when you got integrations and you dont need to run the workflow so often
MattDaEskimo · 15h ago
I've always found that these no-code workflow builders fail to hit the right abstraction - especially when new paradigms are added.
XCSme · 15h ago
This is not no-code.
It allows you to write custom nodes with arbitrary code, but also connect them to existing integrations. Also, for each connection you can transform/select the data using JavaScript.
Izmaki · 17h ago
Looks like a product you'd end up with if a few years back you thought to yourself "how do I make a business combining AI and pipelines?". I don't hate AI as such, I just don't love how it has to be shoved into every product or tech imaginable these days.
XCSme · 15h ago
Yeah, the title is misleading. I use it to automate non-AI stuff too, and probably n8n was there before all the AI hype too.
bwfan123 · 17h ago
Isnt this just workflow automation thats been around for decades ?
whats ai about it ?
ibaikov · 17h ago
There are lots of AI nodes which are both very convenient and are great for learning how all of this works. Vector storage integrations etc. I'm not affiliated.
Valodim · 17h ago
Simple to self host and use, can recommend.
Can't say I'm a fan of the €55M financing round they took though. I mean, congratulations to them, but the growth they'll need to satisfy those investors is so very likely to lead to chasing numbers and enshittifying the product down the line.
brandonpelfrey · 17h ago
I'm curious, because neither of us knows their financial situation or needs and ambitions. What would you suggest they do?
9dev · 17h ago
Not take as much Money. You can get by with way less, and don’t have to sell as many of your Horcruxes to the VCs.
throwaway7783 · 15h ago
Did something new happen here? Almost feels like an ad for n8n. This product has been there for a while.
XCSme · 15h ago
I just found about it a few weeks ago, and it worked surprisingly well for me, and I'm happy I stumbled upon it.
I submitted it, seeing that it was not discussed recently, maybe it's useful to anyone else.
I using the self-hosted version.
sa-code · 14h ago
Is this an ad? Can you buy upvotes for HN?
XCSme · 13h ago
It's not an ad, the original title I submitted it with was different. I added it because I discovered it a few weeks ago, and I love the self-hosted version, very polished and well documented.
Tadpole9181 · 9h ago
Can someone recommend a self-host alternative for n8n? I'd be fine paying for one of the lower tiers to get access to shared workspaces, so I can work with my small team, but if you want to self-host you have to jump up to the Enterprise version which can easily be 20x more expensive.
This makes it unusable for my purpose.
But in my (limited) research into options like Airflow or Dagster or Windmill, they weren't quite at the same level and it doesn't feel like a significant value-add over writing a simple webhook server.
jlaneve · 8h ago
Where do you think the gap between Airflow and what you need is?
m3kw9 · 14h ago
It would be nice if these sites started off with a usable demo right away, even if it’s on rails. Reading all the technical stuff and having to figure it out that way is very inefficient.
revskill · 17h ago
The funny things about "modern AI workflow builders" is they don't learn anything about n8n, which is universal and having a solid design.
Examples of those failure systems, is SimStudio, just a joke compared to n8n.
greatpostman · 17h ago
I’m suspicious about n8n being able to abstract properly to allow for dynamic agentic workflows. Anyone have actual experience?
scrollinondubs · 15h ago
Can you clarify "dynamic agentic workflows?" I use their agent node and it works great but what are you trying to do with it? FYI they just added native support for MCP in the latest release both for exposing their workflows as a MCP server and consuming MCP servcies easily via their MCP client tool:
https://docs.n8n.io/integrations/builtin/core-nodes/n8n-node...https://docs.n8n.io/integrations/builtin/cluster-nodes/sub-n...
That should make things interesting because they have a fairly extensive library of templates which can now easily be converted to MCP servers and be more easily invoked agnatically by LLMs.
EcommerceFlow · 17h ago
I have a friend that uses them, but I took a separate route and just decided to learn programming basics, at least enough to be able to vibe code.
I'm thinking why not just use APIs?
victorbjorklund · 14h ago
I'm a developer but use N8N. One reason is not having to build and maintain integrations with lots of API:s for workflows that are just run once in a while. Like building an integration with Slack that will get data from 5 API:s and save it in google sheets and send you an email.
That would require writing lots of code while here it is much easier with N8N. Anything complicated or needing lots of useage I would go for programming
orliesaurus · 15h ago
I think you did the right choice, but not everyone wants to take the longer route, so this is why n8n exists!
XCSme · 15h ago
I think using this without programming knowledge is hard, you'll hit a lot of errors and data transformation issues that are hard to solve without knowing programming 101 like arrays, objects, data access, etc.
But, if you do know how to code, this makes it easy to quickly integrate stuff without having to write all the connection boilerplate code.
It's not that the tool itself is inherently insecure - it's more about how users are encouraged to use it.
Nearly all workflows built using N8n that I've seen face some kind of prompt injection vulnerability. This is primarily because, in most cases, you configure the LLM by directly inserting external data into the system prompt. As many of you know, the system prompt has the highest execution priority, meaning instructions placed there can heavily influence how the LLM interacts with its tools.
While this isn't exploitable in every situation, it can often be exploited rather generically: by embedding prompts in your social media bio, website, or other locations from where these workflows pull data. Recently, I've managed to use this technique to prompt a random LinkedIn bot to email me back a list of their functions. That's not overly exciting in itself, but it clearly demonstrates the potential for malicious use.
This issue is not specific to N8n. Other tools do it too. But it seems to me there is little to no awareness that this is in fact a problem.
There is a better, safer way to incorporate external data into LLM prompts without jumping through hoops, but unfortunately, that's not how things are currently done with N8n, at least as of today.
That means: - Limit the potential for a malicious prompt to do anything bad - Scope permissions to the lowest level you can
There are some other mitigations (moderation APIs using a 2nd LLM), but in general they're not 100% solutions. You really need to design your systems around accepting this limitation today.
More info on this wiki here: https://github.com/tldrsec/prompt-injection-defenses
A- Limit the capabilities of users. B- Help users limit the capabilities that they to their sub-users, whether they be per-program capabilities or per dependency capabilities.
I think B is the path forward, if you give a user access to emails and files and ChatGPT, then he can give ChatGPT access to emails and files and do damage that way.
With B you can give the user access to ChatGPT and email and a file system, but help him configure fine grained permissions for their experiments.
The one frustration we have with n8n is trying to create custom "apps" (triggers or destinations for workflows). It's clear that the custom apps are an afterthought and have gone through multiple iterations of "here's the best way to do it", and you end up having to just keep trying until you get it to do what you want. Annoyingly, there's no way to manage custom apps in the interface itself - you have to create a Javascript module and then inject it into a .npm directory somewhere inside of the applications Docker container, which just doesn't feel very "professional".
If n8n would add some kind of admin interface for managing custom apps - especially just supporting basic use cases like specifying a REST API as a reusable custom app - it would be great, but still has a ways to go in terms of features (like better user permissions management as part of the lackluster SSO) before it's truly going to be an enterprise grade solution.
That said, we tried Windmill first and while it was cool for the devs who were able to see the vision, the non-technical users hated it and have heavily praised n8n once we created a custom app to let them integrate with our system.
Overall I would say n8n is worth trying if you need something like this, but expect to do some tinkering if you go beyond what it does out of the box.
Founder of Windmill here. This is not too surprising although we are working on it by leveraging AI and just better DX/design. Pleasing devs in the most demanding orgs and the ever-changing expectations is challenging by itself. Pleasing both devs AND non-technical user is a monumental task that we are now giving more attention to by focusing on 2 aspects:
- A better DX/UX that does not sacrifice power-user capabilities but has a less step learning-curve and more intuitiveness to it. That is mostly about good design and hard work. We are taking inspiration from the best and on the intuitiveness, we've learned a lot from n8n and other leaders in the space.
- leveraging AI capabilities in a state-of-the-art way to have the best models generate the code for non-technical users. That is basically just adopting the best practices inspired by cursor such as great auto-completion, great inline code-gen, excellent semantic search.
Custom apps aside, how do Zapier and n8n compare in your experience?
And their Launch HN: https://news.ycombinator.com/item?id=34723989
I've just poked at them, but my impression was that Node Red much more capable.
IIRC one of my issues with n8n was the lack of streaming ability, which kills it for large datasets.
The library just uses the streaming API[3] of NodeJS - effectively converting lines of CSV (for example) into individual messages that flow through NodeRED.
NodeRED isn't great for handling large messages but perfect for directing many small messages.
[1] https://flows.nodered.org/node/@gregoriusrippenstein/node-re...
[2] https://flowhub.org/f/c520d9da20ad7f1d
[3] https://nodejs.org/dist/latest-v18.x/docs/api/stream.html
n8n is made so that you can set it up and give your staff access and they can manage their own workflows (like "when a customer opens a support ticket, update their Salesforce record to increment the number of tickets they have opened").
It's clearly aimed at non technical users being able to develop their own solutions to problems (for better or for worse), more so than Windmill which is made for developers to solve their own problems or develop solutions that non-technical people can use. Node Red if I remember correctly is more heavily weighted toward real time events for dev (especially hardware/IoT dev) use than "let the support team manage their own workflows for routing customer complaints"
You can go a _long_ way with the split/join nodes and a little ingenuity to work around any issues with streaming.
n8n is far more high level with google sheet nodes communicating with postgres database nodes. There is far less ability to do manipulate the data being passed around - as many said Zapier-like.
NodeRED is used for home automation and talking to devices that are connected to the network and providing nice dashboards of things happening. Another big use case is IIoT. So it less focussed on integration of SaaS services and more on devices integration and inter-communication between devices.
Plus NodeRED has a great collection[1] of third party nodes that can help in connecting to new devices. Installing nodes is based on npm but is completely automated.
[1] https://flows.nodered.org/search?type=node
I guess N8N was not intuitive for simple things and seemed too complicated for me. I'm now happier with cron jobs/GitOps to manage my automations. On the other hand I also had to replace some IFTTT workflows with my own scripts.
More work for me but I gained quality and control.
Pros:
- Good observability. It’s handy that they track all executions and let you see when workflows run.
- Usable for non-technical people.
- They’ve had all the integrations we needed.
Cons:
- Implementing parallel execution for async parts of the workflow is complicated and flaky.
- Pricing is expensive for the hosted version.
- Version control is bad.
- If you have engineering capacity, it’s faster and simpler to write some more backend code if you already have a backend.
We also made a custom node for popular document/image/video ETL jobs like document-to-markdown, audio/video transcriptions with VLMs (Vision Language Models).
https://github.com/vlm-run/n8n-nodes-vlmrun
https://www.npmjs.com/package/@vlm-run/n8n-nodes-vlmrun/v/0....
https://blog.golioth.io/a-2-geofence-wi-fi-location-here-com...
Windmill OTOH supports a bunch of programming languages for steps (Go, Rust, Python, TS, etc.) and seems to have a much more “code first” approach. Reusable blocks are more like code templates compared to n8n.
Hard to say which is better. I really like the ability in windmill to just write code for each step and it comes across more powerful, but it feels less polished and intuitive when compared to n8n.
I'm not ashamed to admit than n8n feels more polished. There are a few reasons:
- Our team was and is still much smaller. We were 5 for the first 2 years, we are now 10 (year 3), and are continuing to hire to follow our growth.
- They have been around for longer and mature for longer, more time to iterate. We have reached some level of maturity recently and are now spending more iterations on polishing rather than new features.
- Their surface area is smaller, windmill does A LOT and expose more for the better or worse.
n8n has done a lot of things really well and although we have a different audience, there is a lot to learn from what they did very well and we have the upmost respect for them. We have some overlap, but I think ultimately we strive in different kind of orgs and will cohabit rather than compete.
Are these two things being wrongly compared to each other when they're actually meant for different purposes? Or is Windmill indeed a good point of comparison?
I hadn't seen this term before but it looks interesting:
https://faircode.io/
And whereas Windmill seems to be agpl + apache.
So that is what you are mentioning, right?
Also, they require a CLA with copyright assignment so they can reuse your contributions in nonfree software. It’s always shady when companies do this.
The open source parts of Windmill are partially Apache and partially AGPL; there are some of us who additionally regard the AGPL as nonfree (because it’s really a EULA).
The main reasons I switched to n8n are it's open source, meaning I can run it locally without limits, and it supports code nodes in javascript and python. Make.com used to drive me bonkers when it took 10+ minutes to create all the nodes in the UI to handle loops, errors, etc. when I could normally just write a few lines of code to handle it.
Only downside to n8n vs other platforms is it's polling based vs instant trigger unlike Zapier's and Make.com's connectors. So if you're processing email, Google Sheets data, etc. you'll have more latency with n8n unless you add some custom middleware to handle instant triggers. But polling is actually a benefit in my case since I mostly run n8n locally through docker. Whenever I spin it up, it auto catches up on new data it hasn't yet processed.
n8n's AI nodes are first rate and more intuitive IMO than others. You can easily extend it with custom LangChain nodes as well if you're self hosting.
If you want to play around with n8n locally, this tool makes it easy: https://github.com/LLemonStack/llemonstack/ I created it to make it easier for me to spin up and down project stacks on the same machine.
Or see n8n's official repo for instructions on running locally: https://github.com/n8n-io/n8n
> Content of branches other than the main branch (i.e. "master") are not licensed
How the fuck do pull requests work in that setup? Or presumably tags aren't licensed?! Holy shit
Anyway, seems to be some rando made up license https://github.com/n8n-io/n8n/blob/master/LICENSE.md#sustain...
So yeah, you can use n8n for free, but that doesn't make it open source. It is a source available license.
You have to pay after some revenue threshold?
It's really easy to automate tasks and schedule things.
For example, I connected it to my UXWizz MySQL database, asked the AI in UXWizz to give me a query with the funnel conversions for today (visits/pricing/checkout/sales) compared to last week, copied that into n8n and made it send me an emoji-formatted daily Telegram message.
I am now using it to implement an AI chat-bot/support ticket responder, and I'm planning to migrate a Node.js auto-poster to it, so I can easily change the schedule/model/content of the post without having to edit any code.
I like that it has good documentation for integrations. For example, I was testing Google Ads, and I want to do conversion tracking without adding the Google JS to my page. Again, I used an MySQL connection to my UXWizz analytics dashboard to select the gclid for all visits that lead to a conversion event, then with n8n I upload those daily to a Google Sheet, which is then used by Google Ads to properly track conversions. The Google Sheet integration is not trivial (you need Google Cloud account, create an app, create oauth login, etc.), but the n8n docs were clear enough to follow and up-to-date enough to work.
Telegram has a really good mobile app, and their BotFather makes it easy to create custom integrations. They display nicely a lot of notification formats (text/html/markdown) and it's free.
Slack is too bloated to simply use for notifications.
On a personal level, I use it to automate booking a tennis court. It logs in, selects the date and time (pre-defined), adds a partner/opponent, books the court, pings a service that generates a calendar entry. If I decide to cancel the booking, it again pings the service and removes the calendar entry. I needed to bend some "nodes" to do what I need within the same workflow (such as create event runs once a day but update event runs in every 10 minutes).
In the past, I also used it to detect service interruptions with my ISP. I don't use that ISP anymore, so this workflow is redundant, but it was checking an API and if there's an entry, sending it as a push notification (via ntfy) to my phone.
I was able to hack a MVP of a new product in just one or two days.
Now, the company uses n8n for a lot of stuff, out ops team and finance team is expected to automatize manual work using n8n. From billing to financial conciliation to customer support. Also in product/dev team we implement some parts as flows, for things we expect to change a lot of features that are more internal.
But n8n requires a lot of time and care. It's not intended for high loads, they make a lot of breaking changes (more like new bugs, but is not fun).
We do all this self hosting in a k8s cluster.
In general I like it, but I think is still intended for a personal o early adopter.
Funny, one of my biz co-founder, learned and created a new biz just teaching it.
TL;DR: The author originally tried to call n8n "open source" but while using a non-open-source license. After much discussion, he kept the license but stopped using the label "open source", to the relief of many people.
That half-decade-old thread is still what I point to when I want to explain to someone why preserving the specificity of the term "open source" matters.
[1] - https://browsable.app
Aside from that, I've been thinking about no/low-code solutions for educational purposes. I'm an incoming professor of a university and most my students have little background in CS or related fields. The university insists on using tools like Alteryx but I want to see if free open-source solutions exist (because that way, students can use the tools after graduation).
So far I've seen Dify, Flowise, Langflow, n8n, Make. The last two seem to be more general while the other ones are tailored to LLMs (which is the focus of my courses—applications of LLMs in management).
“ What does n8n mean?
Short answer: It means "nodemation" and is pronounced as n-eight-n.
Long answer: "I get that question quite often (more often than I expected) so I decided it is probably best to answer it here. While looking for a good name for the project with a free domain I realized very quickly that all the good ones I could think of were already taken. So, in the end, I chose nodemation. 'node-' in the sense that it uses a Node-View and that it uses Node.js and '-mation' for 'automation' which is what the project is supposed to help with. However, I did not like how long the name was and I could not imagine writing something that long every time in the CLI. That is when I then ended up on 'n8n'." - Jan Oberhauser, Founder and CEO, n8n.io”
The perfect usecase for n8n is when you got integrations and you dont need to run the workflow so often
It allows you to write custom nodes with arbitrary code, but also connect them to existing integrations. Also, for each connection you can transform/select the data using JavaScript.
Can't say I'm a fan of the €55M financing round they took though. I mean, congratulations to them, but the growth they'll need to satisfy those investors is so very likely to lead to chasing numbers and enshittifying the product down the line.
I submitted it, seeing that it was not discussed recently, maybe it's useful to anyone else.
I using the self-hosted version.
This makes it unusable for my purpose.
But in my (limited) research into options like Airflow or Dagster or Windmill, they weren't quite at the same level and it doesn't feel like a significant value-add over writing a simple webhook server.
Examples of those failure systems, is SimStudio, just a joke compared to n8n.
I'm thinking why not just use APIs?
That would require writing lots of code while here it is much easier with N8N. Anything complicated or needing lots of useage I would go for programming
But, if you do know how to code, this makes it easy to quickly integrate stuff without having to write all the connection boilerplate code.