chore(deps): bump node-addon-slsa to 0.9.1 #134

Open
vadimpiven wants to merge 1 commit into main from chore/bump-node-addon-slsa-v0.9.1

@vadimpiven
Owner

  • packages/node: dependency 0.8.12 → 0.9.1.
  • packages/node: remove addon.url — the published manifest now drives downloads; see node-addon-slsa v0.9.0 breaking changes.
  • release.yaml: bump reusable-workflow pin to v0.9.1 (000ddac). Rewrite the addons: input to the new {url, bundleUrl} leaf shape; bundleUrl points at the sidecar sigstore bundle co-located with each binary.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the node-addon-slsa dependency to version 0.9.1 and removes the explicit download URL from the addon configuration. A compatibility issue was identified where the project's engines field still supports Node.js 20, which is incompatible with the new dependency's requirement of Node.js >=22.12.0, potentially leading to installation failures.

},
"dependencies": {
"node-addon-slsa": "0.8.12"
"node-addon-slsa": "0.9.1"
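
Review bot: on the `"node-addon-slsa": "0.9.1"` line, the exact pin crosses the 0.9.0 breaking release named in the PR description, yet this hunk shows only the version string changing; the `engines` range and the `addon.url` removal in the same package.json should be reviewed together with it so the manifest stays consistent with what 0.9.1 requires. Suggest also confirming that the pnpm-lock.yaml entry for 0.9.1 was regenerated by the package manager and not edited by hand.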
high

The update to node-addon-slsa@0.9.1 introduces a requirement for Node.js >=22.12.0 (as specified in its package metadata and reflected in the lockfile). However, the engines field in this file (line 93) still includes support for Node.js ^20.19.0. This mismatch will cause installation failures for users on Node.js 20. Please update the engines field to match the requirements of the new dependency version.

@greptile-apps

greptile-apps Bot commented Apr 22, 2026

Greptile Summary

Bumps node-addon-slsa to 0.9.1, removes the now-obsolete addon.url field from package.json, and rewrites the addons workflow input to the new {url, bundleUrl} leaf shape required by v0.9.0 breaking changes. All six platform/arch combinations are consistently updated with matching .node.gz / .node.gz.sigstore URL pairs, and the reusable-workflow pin is updated to the corresponding v0.9.1 commit hash.

Confidence Score: 5/5

Safe to merge — a clean dependency bump with a well-scoped breaking-change adaptation

All changes are consistent and mechanically correct: version pinned in package.json and lockfile, all six platform/arch entries updated with the new leaf shape, and the reusable workflow pinned to a specific commit hash. No logic changes, no security concerns.

No files require special attention

Important Files Changed

| Filename | Overview |
|---|---|
| .github/workflows/release.yaml | Bumps reusable workflow pin to v0.9.1 and rewrites addons input to new {url, bundleUrl} leaf shape; all 6 platform/arch combos are consistently updated |
| packages/node/package.json | Bumps node-addon-slsa from 0.8.12 to 0.9.1 and removes addon.url per v0.9.0 breaking-change guidance |
| pnpm-lock.yaml | Lockfile updated to resolve node-addon-slsa@0.9.1; no other dependency changes |

Reviews (1): Last reviewed commit: "chore(deps): bump node-addon-slsa to 0.9..."
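
The `{url, bundleUrl}` pairing discussed in this PR can be linted before a release runs. The following is an added example, not code from node-addon-slsa or this repository; the platform/arch nesting, the function name `checkAddonLeaves` and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not code from node-addon-slsa or this repository.
// Assumption: leaves are nested under platform/arch keys (hypothetical layout).
function checkAddonLeaves(node, path = []) {
  const where = path.join(".") || "(root)";
  if (node === null || typeof node !== "object") {
    return [`${where}: expected an object`];
  }
  // A leaf is any object that carries either of the two keys named in the PR.
  if (!("url" in node) && !("bundleUrl" in node)) {
    return Object.entries(node).flatMap(([key, child]) =>
      checkAddonLeaves(child, [...path, key]));
  }
  let url, bundle;
  try {
    url = new URL(node.url);
    bundle = new URL(node.bundleUrl);
  } catch {
    return [`${where}: url and bundleUrl must both be absolute URLs`];
  }
  const problems = [];
  if (url.protocol !== "https:" || bundle.protocol !== "https:") {
    problems.push(`${where}: both URLs must use https`);
  }
  // "Co-located sidecar": same origin, same path plus the .sigstore suffix.
  if (bundle.origin !== url.origin ||
      bundle.pathname !== `${url.pathname}.sigstore`) {
    problems.push(`${where}: bundleUrl is not the .sigstore sidecar of url`);
  }
  return problems;
}

// Constructed sample input; hosts and file names are placeholders.
const base = "https://downloads.example.invalid/v1";
const sampleAddons = {
  linux: {
    x64: { url: `${base}/addon-linux-x64.node.gz`,
           bundleUrl: `${base}/addon-linux-x64.node.gz.sigstore` },
    // Copy-paste slip: the bundle belongs to the x64 binary.
    arm64: { url: `${base}/addon-linux-arm64.node.gz`,
             bundleUrl: `${base}/addon-linux-x64.node.gz.sigstore` },
  },
  // Old single-URL shape: bundleUrl is missing.
  darwin: { arm64: { url: `${base}/addon-darwin-arm64.node.gz` } },
};

console.log(checkAddonLeaves(sampleAddons));
```

A mismatched sidecar is worth failing the build on: a bundle that belongs to a different binary will not verify against the one actually downloaded.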

@codecov

codecov Bot commented Apr 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
