chore(deps): pin node.js to v25.8.2#24

Open
renovate[bot] wants to merge 1 commit into main from renovate/pin-dependencies

Conversation


@renovate renovate bot commented Feb 24, 2026

This PR contains the following updates:

Package       | Type    | Update | Change
node (source) | engines | pin    | >=18 -> v25.8.2

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.


github-actions bot commented Feb 24, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ❌ Not Safe

🔍 Release Content Analysis

Node.js v25.8.2 (Released: March 24, 2026) is a security release that addresses 8 security vulnerabilities:

Critical Security Fixes:

  • CVE-2026-21637 (High): TLS handshake crash prevention - wraps SNICallback invocation in try/catch
  • CVE-2026-21710 (High): HTTP header handling protection - uses null prototype for headersDistinct/trailersDistinct

Medium Priority Fixes:

  • CVE-2026-21711: Permission check addition to pipe operations
  • CVE-2026-21712: URL parsing crash prevention for various format inputs
  • CVE-2026-21713: Timing-safe comparison in Web Cryptography HMAC and KMAC
  • CVE-2026-21714: HTTP/2 flow control error handling improvements
  • CVE-2026-21717: Array index hash collision testing

Low Priority Fixes:

  • CVE-2026-21715 & CVE-2026-21716: Permission checks for filesystem operations

This release focuses on security hardening across TLS, HTTP, cryptography, and file system modules with no breaking API changes.

🎯 Impact Scope Investigation

Critical Incompatibility Identified:

  1. mise.toml Configuration Conflict

    • Current mise.toml specifies: node = "24.13.0" (mise.toml:3)
    • PR changes package.json to: "node": "v25.8.2"
    • This creates a version mismatch between the CI/CD environment and package.json requirement
  2. CI/CD Environment

    • CI uses mise-action (setup/action.yml:8) which reads mise.toml
    • All CI jobs (Build, Typecheck, Lint, Test) will continue using Node.js 24.13.0
    • The pinned version v25.8.2 in package.json will not be enforced in CI
    • Current CI jobs are passing with Node.js 24.x
  3. Codebase Compatibility

    • SDK uses standard Web APIs: fetch, Response, Request, globalThis.fetch (client.ts:118)
    • TypeScript targets ES2022 with lib: ["ES2022"] (tsconfig.json:4,14)
    • No Node.js-specific APIs detected
    • Code is compatible with both Node.js 24.x and 25.x
  4. Version Range Change Impact

    • Previous: "node": ">=18" (flexible range supporting Node.js 18+)
    • New: "node": "v25.8.2" (hard pin to specific version)
    • This is an extremely restrictive change that breaks semantic versioning flexibility
    • Users on Node.js 18, 20, 22, or 24 will see warnings/errors despite code compatibility

💡 Recommended Actions

This PR should NOT be merged as-is. Required fixes:

  1. Update mise.toml Configuration

    • Change node = "24.13.0" to node = "25.8.2" in mise.toml
    • Ensures CI/CD environment matches package.json requirement
  2. Reconsider Pinning Strategy

    • Recommended: Use range "node": ">=18" with Renovate preset :preserveSemverRanges
    • Alternative: If pinning is required, use "node": ">=25.8.2" instead of exact version
    • Hard pinning to a specific patch version is too restrictive for a library SDK
  3. Test with Node.js 25.x

    • Verify all tests pass with Node.js 25.8.2
    • Ensure build and type checking succeed
    • Confirm no runtime issues with the new version
  4. Security Consideration

    • While v25.8.2 includes important security fixes, this SDK doesn't directly use the affected APIs (TLS, HTTP/2, permissions)
    • The security benefit is minimal for this specific codebase
    • Maintaining broader Node.js compatibility may be more valuable

Recommended Next Steps:

  1. Close this PR
  2. Add :preserveSemverRanges preset to Renovate config
  3. If upgrading Node.js in CI, update mise.toml in a separate PR
  4. Consider whether hard pinning aligns with the SDK's compatibility goals

Generated by koki-develop/claude-renovate-review
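The mismatch the review points out (mise.toml holding the CI runtime at 24.13.0 while the PR pins engines.node to v25.8.2) can be checked mechanically before merge. The code below is an added example, not code from the project or from either bot; it takes the two file contents as strings, assumes the mise entry is a plain `node = "x.y.z"` line, and supports only the exact-pin and comparator range forms that appear in this PR rather than full semver.

```javascript
// Added example: does the Node.js version mise.toml gives CI satisfy
// the engines.node range in package.json? Not a full semver implementation:
// only exact pins and >=, >, <=, <, = comparators (space-separated, AND-ed).

function parseVersion(v) {
  // Accepts "v25.8.2", "25.8.2" or "18"; missing minor/patch become 0.
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [m[1], m[2] ?? '0', m[3] ?? '0'].map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies every comparator in `range`.
function satisfies(version, range) {
  const have = parseVersion(version);
  return range.trim().split(/\s+/).every((part) => {
    const m = /^(>=|<=|>|<|=)?(v?[\d.]+)$/.exec(part);
    if (!m) throw new Error(`unsupported range syntax: ${part}`);
    const cmp = compareVersions(have, parseVersion(m[2]));
    switch (m[1] ?? '=') {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '<': return cmp < 0;
      default: return cmp === 0; // bare version or "=" means exact pin
    }
  });
}

// Compares engines.node (package.json) with the `node = "..."` line in mise.toml.
function checkEngines(packageJsonText, miseTomlText) {
  const engines = JSON.parse(packageJsonText).engines?.node;
  const mise = /^\s*node\s*=\s*"([^"]+)"/m.exec(miseTomlText);
  if (!engines || !mise) throw new Error('engines.node or mise node entry missing');
  return { engines, ciNode: mise[1], ok: satisfies(mise[1], engines) };
}

// Constructed inputs mirroring the versions discussed in this PR.
const before = checkEngines('{"engines":{"node":">=18"}}', '[tools]\nnode = "24.13.0"\n');
const after = checkEngines('{"engines":{"node":"v25.8.2"}}', '[tools]\nnode = "24.13.0"\n');
console.log(before, after); // before.ok is true, after.ok is false
```

Running this as a CI step fails fast when CI would silently test on a runtime the package no longer claims to support.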

@renovate renovate bot force-pushed the renovate/pin-dependencies branch 2 times, most recently from 1ddef35 to a88de1f on February 28, 2026 00:32
@renovate renovate bot changed the title "chore(deps): pin node.js to v25.7.0" to "chore(deps): pin node.js to v25.8.0" on Mar 3, 2026
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from a88de1f to d15eaff on March 3, 2026 18:15
@renovate renovate bot changed the title "chore(deps): pin node.js to v25.8.0" to "chore(deps): pin node.js to v25.8.1" on Mar 11, 2026
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from d15eaff to 09dab0c on March 11, 2026 13:01
@renovate renovate bot changed the title "chore(deps): pin node.js to v25.8.1" to "chore(deps): pin node.js to v25.8.2" on Mar 24, 2026
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from 09dab0c to cf22a8c on March 24, 2026 21:43