chore(core): Add DTOs for workflow create / update validation

[guillaumejacquart]

Summary

This PR implements new DTOs for workflow creation and update, to make sure that user cannot forge a request containing fields that should be updated only internally (like triggerCount, versionCounter, or shared fields)

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/PAY-4382/mass-assignment-in-workflow-creation-allows-tampering-with-internal

Review / Merge checklist

• PR title and summary are descriptive. (conventions)
• Docs updated or follow-up ticket created.
• Tests included.
• PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

[codecov]

Codecov Report

❌ Patch coverage is 89.28571% with 6 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...n/api-types/src/dto/workflows/base-workflow.dto.ts	84.00%	4 Missing ⚠️
packages/@n8n/api-types/src/dto/index.ts	0.00%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

[currents-bot]

✅

E2E Tests: n8n tests passed after 9m 21.7s

🟢 609 · 🔴 0 · ⚪️ 38 · 🟣 2

View Run Details

Run Details

• Project: n8n

• Groups: 2

• Framework: Playwright

• Run Status: Passed

• Commit: 5edcbdd

• Spec files: 142

• Overall tests: 647

• Duration: 9m 21.7s

• Parallelization: 16

Groups

GroupId	Results	Spec Files Progress
multi-main:e2e	🟢 552 · 🔴 0 · ⚪️ 38 · 🟣 1	133 / 133
multi-main:e2e:isolated	🟢 57 · 🔴 0 · ⚪️ 0 · 🟣 1	9 / 9

---

This message was posted automatically by currents.dev | Integration Settings

[cubic-dev-ai]

1 issue found across 7 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/@n8n/api-types/src/dto/workflows/base-workflow.dto.ts">

<violation number="1" location="packages/@n8n/api-types/src/dto/workflows/base-workflow.dto.ts:21">
P2: Validator accepts arrays when it should only accept plain objects. In JavaScript, `typeof [] === 'object'` returns `true`, so arrays will pass this validation despite the message stating 'Connections must be an object'. Add `&& !Array.isArray(val)` to reject arrays.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

No issues found across 9 files

[konstantintieber]

Nit: I think it's good to remind other readers that Object.assign is only safe here because of the Dto schemas. I would consider shorting it to a single line comment like:

Object.assign is safe because the body provided by the user is validated against the UpdateWorkflowDto

in both methods mainly for readibility.

[konstantintieber]

Great job on these unit tests 👍

[konstantintieber]

Nice us of parameterized tests 💅

[n8n-assistant]

Got released with [email protected]