Describe the bug
The community-hub security-scan n8n workflow runs its Claude AI analysis with zero package source code. The Fetch Package Code step returns no files, so the AI receives only package metadata. The stored ai_analysis result shows files_scanned: 0 / files_available: 0, and the model itself flags "Zero source files available for review despite npm package being published." As a result the AI security review is metadata-only and cannot assess the actual code (it returns a risk_level/recommendation based purely on registry metadata).
To reproduce
- Trigger a security scan on a package (e.g.
@strapi-community/plugin-redis) via the moderation admin → Run security scan.
- Open the resulting
security-review record (or the n8n execution for security-scan).
- Inspect the
ai_analysis stage result.
Expected behavior
Fetch Package Code fetches the package source (npm tarball and/or the declared GitHub repo) and passes the relevant files to the model, so the AI performs a real code-level review (files_scanned > 0, scan_source set).
Actual behavior
Fetch Package Code yields no source → the AI receives 0 files → the analysis is shallow. Example stored ai_analysis payload:
{
"files_scanned": 0,
"files_available": 0,
"scan_source": null,
"parsed": {
"risk_level": "medium",
"recommendation": "request_changes",
"red_flags": ["Zero source files available for review despite npm package being published"]
}
}
Environment
- n8n: staging community-hub workflow set,
security-scan workflow (Fetch Package Code → Claude Haiku Security Analysis).
- Surfaced during the staging bring-up of the moderation automation.
Additional context
The dependency-scan and AI-analysis stages otherwise run fine — only the source fetch feeding the AI is empty. Filed to track fixing the source fetch so the AI review is meaningful. (Separately, the dependency scan flags the @strapi/strapi peer dependency itself as vulnerable, which is likely noise for a plugin scan — worth a look while in this area.)
Describe the bug
The community-hub
security-scann8n workflow runs its Claude AI analysis with zero package source code. TheFetch Package Codestep returns no files, so the AI receives only package metadata. The storedai_analysisresult showsfiles_scanned: 0/files_available: 0, and the model itself flags "Zero source files available for review despite npm package being published." As a result the AI security review is metadata-only and cannot assess the actual code (it returns arisk_level/recommendationbased purely on registry metadata).To reproduce
@strapi-community/plugin-redis) via the moderation admin → Run security scan.security-reviewrecord (or the n8n execution forsecurity-scan).ai_analysisstage result.Expected behavior
Fetch Package Codefetches the package source (npm tarball and/or the declared GitHub repo) and passes the relevant files to the model, so the AI performs a real code-level review (files_scanned > 0,scan_sourceset).Actual behavior
Fetch Package Codeyields no source → the AI receives 0 files → the analysis is shallow. Example storedai_analysispayload:{ "files_scanned": 0, "files_available": 0, "scan_source": null, "parsed": { "risk_level": "medium", "recommendation": "request_changes", "red_flags": ["Zero source files available for review despite npm package being published"] } }Environment
security-scanworkflow (Fetch Package Code→Claude Haiku Security Analysis).Additional context
The dependency-scan and AI-analysis stages otherwise run fine — only the source fetch feeding the AI is empty. Filed to track fixing the source fetch so the AI review is meaningful. (Separately, the dependency scan flags the
@strapi/strapipeer dependency itself as vulnerable, which is likely noise for a plugin scan — worth a look while in this area.)