n8n 1.123.60 - Billing Count and Security Fixes


n8n 1.123.60 was published on June 22, 2026 as a focused stable release for the workflow automation project. The most important user-visible change is in core billing: error workflow executions are excluded from billable execution counts, while the rest of the release tightens dependency security.

The full release notes and downloads are on the GitHub release page.

Billable execution counting is corrected

The core fix in this release changes how n8n counts error workflow executions. The release notes say error workflow executions are excluded from the billable execution count, via #32544.

For teams that run n8n in production, this is the change to notice first. Error workflows can be part of normal operations. They catch failed runs, notify owners, push incidents into chat, or move failed payloads into a review path. Counting those executions as billable work makes the usage number harder to reason about.

This release does not describe a new config key, CLI flag, or migration step for the billing fix. Treat it as a behavior correction in the core accounting path. After upgrading, operators who compare execution counts across versions should remember that error workflow runs may no longer appear in the billable side of the number.

Dependency security fixes cover common packages

n8n 1.123.60 also includes two security fix batches for third-party dependencies. The first batch fixes 21 security issues in tmp, protobufjs, ws, and eight more packages, tracked as #32687. The second fixes 5 security issues in tmp, ws, axios, and one more package, tracked as #32706.

The release notes do not list the individual vulnerability IDs, so there is no point pretending this post can rank their risk in detail. The useful signal is simpler: n8n refreshed several dependencies that sit in common Node.js paths for temporary files, WebSocket traffic, protocol buffers, and HTTP requests.

For operators, this kind of release belongs in the normal patch window. It is not a feature release. It is also not just a cosmetic changelog entry. Dependency fixes can remove findings from scanners, reduce noise in image audits, and keep production deployments closer to the supported package set.

Small release with real operator impact

The changelog for this tag is short. That is not a problem. The listed changes are the kind that matter to people who operate n8n instead of only testing it locally.

There are no new workflow nodes in the notes. There are no UI features called out. There are no documented breaking changes, deprecations, or manual migration steps. The release is mostly about correcting accounting behavior and carrying dependency security fixes forward.

The release notes also include generated review badges for Stage Review and cubic. Those links are useful for review flow, but they are not product changes in the release itself. The actionable part of this tag is the three bug fix entries above.

Upgrade notes

Since prerelease is false in the release metadata, this is a stable release rather than a beta, alpha, or release candidate. If your deployment tracks stable n8n tags, this patch should be evaluated as a normal maintenance update.

The main post-upgrade check is billing-related. If your team reports on execution counts, compare the numbers with the billing fix in mind. A drop in billable executions after the update may be expected if error workflow executions were previously included.

Security scanning is the second check. If your build or image scanner was flagging tmp, protobufjs, ws, axios, or related dependencies, rerun the scan after the update and verify which findings remain.
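One way to run that second check, as an added example that is not part of the n8n release or the original post: diff two scanner reports taken before and after the upgrade and keep only the packages the release notes name. It assumes the scanner writes the JSON shape Trivy uses (`Results[].Vulnerabilities[]` with `PkgName`, `VulnerabilityID`, `InstalledVersion`); the function names, finding IDs and versions are constructed for illustration.

```python
import json
import sys

# Packages the release notes name; eight more in the first batch and one more
# in the second are not named, so extend this set from your own scan output.
WATCHED = {"tmp", "protobufjs", "ws", "axios"}

def findings(report, watched=WATCHED):
    """Map (package, finding id) -> installed version for watched packages."""
    out = {}
    for result in report.get("Results") or []:
        # A target with no findings has "Vulnerabilities" missing or null.
        for v in result.get("Vulnerabilities") or []:
            if v.get("PkgName") in watched:
                out[(v["PkgName"], v["VulnerabilityID"])] = v.get("InstalledVersion")
    return out

def compare(before, after, watched=WATCHED):
    """Split watched findings into cleared, remaining and introduced."""
    old, new = findings(before, watched), findings(after, watched)
    return {
        "cleared": sorted(old.keys() - new.keys()),
        "remaining": sorted(old.keys() & new.keys()),
        "introduced": sorted(new.keys() - old.keys()),
    }

def vuln(pkg, vid, ver):
    return {"PkgName": pkg, "VulnerabilityID": vid, "InstalledVersion": ver}

# Constructed sample reports: IDs and versions are placeholders, not real findings.
BEFORE = {"Results": [
    {"Target": "app/package.json", "Vulnerabilities": [
        vuln("ws", "EXAMPLE-0001", "0.0.1"), vuln("tmp", "EXAMPLE-0002", "0.0.1"),
        vuln("axios", "EXAMPLE-0003", "0.0.1"), vuln("unrelated-pkg", "EXAMPLE-0004", "0.0.1")]},
]}
AFTER = {"Results": [
    {"Target": "os-packages", "Vulnerabilities": None},
    {"Target": "app/package.json", "Vulnerabilities": [
        vuln("axios", "EXAMPLE-0003", "0.0.1"), vuln("protobufjs", "EXAMPLE-0005", "0.0.2"),
        vuln("unrelated-pkg", "EXAMPLE-0004", "0.0.1")]},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py before.json after.json
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            BEFORE, AFTER = json.load(a), json.load(b)
    for bucket, items in compare(BEFORE, AFTER).items():
        print(f"{bucket}: {items}")
```

Anything in the "remaining" or "introduced" buckets is what still needs triage after the upgrade; findings for packages outside the watched set are ignored on purpose.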

Where to get it



denis256 at denis256.dev