
Upgrade to Node.js 24 #448

Open
kdenhartog wants to merge 5 commits into main from kdh/strict-engine

Conversation

@kdenhartog
Member

Summary

  • Updates Node.js engine requirement to >=24.11.1 <25.0.0 in package.json
  • Updates CI workflows (build.yml, unit-tests.yml) to use Node.js 24
  • Updates Dockerfile.ci base image from node:lts-bookworm to node:24-bookworm
  • Cleans up package-lock.json with engine metadata

Test plan

  • Verify CI builds pass with Node.js 24
  • Verify unit tests pass
  • Verify integration tests pass with updated Docker image
  • Confirm no compatibility issues with dependencies

🤖 Generated with Claude Code

@kdenhartog kdenhartog requested review from a team, mihaiplesa, remusao and yshym as code owners February 9, 2026 11:25
mihaiplesa
mihaiplesa previously approved these changes Feb 9, 2026
@socket-security

socket-security bot commented Feb 9, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High | Alert: High CVE: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() in npm serialize-javascript

CVE: GHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() (HIGH)

Affected versions: < 7.0.3

Patched version: 7.0.3

From: package-lock.json → npm/webpack@5.104.1 → npm/serialize-javascript@6.0.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/serialize-javascript@6.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn | Severity: Medium | Alert: Medium CVE: Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects in npm serialize-javascript

CVE: GHSA-qj8w-gfj5-8c6v Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects (MODERATE)

Affected versions: < 7.0.5

Patched version: 7.0.5

From: package-lock.json → npm/webpack@5.104.1 → npm/serialize-javascript@6.0.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/serialize-javascript@6.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

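The lockfile check and the dependency override that the Socket comment above suggests, as an added example that is not part of this PR or the project. The lockfile object below is constructed for the example; the terser-webpack-plugin version in it is made up, while the nested serialize-javascript path, the 6.0.2 version and the 7.0.5 patched version come from the alerts above.

```javascript
// Added example (not code from this PR or the project): scan a lockfile v2/v3
// "packages" map for every installed copy of a package below an advisory's
// patched version, then build the package.json "overrides" to pin it.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", engines: { node: ">=24.11.1 <25.0.0" } },
    "node_modules/webpack": { version: "5.104.1" },
    "node_modules/terser-webpack-plugin": { version: "5.0.0" }, // constructed version
    "node_modules/terser-webpack-plugin/node_modules/serialize-javascript": { version: "6.0.2" },
    "node_modules/serialize-javascript": { version: "7.0.5" },
  },
};

// Numeric "major.minor.patch" comparison: -1, 0 or 1 (no prerelease handling).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lockfile path where pkgName is installed below patchedVersion. Nested
// copies count: a patched top-level copy does not clear a stale nested one.
function findVulnerableCopies(lock, pkgName, patchedVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + pkgName) || !entry.version) continue;
    if (compareSemver(entry.version, patchedVersion) < 0) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Build an "overrides" object for package.json. Nested copies are scoped to
// their parent package so the override does not touch other dependents.
function suggestOverrides(hits, pkgName, range) {
  const overrides = {};
  for (const { path } of hits) {
    const segs = path.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
    const parent = segs.length >= 2 ? segs[segs.length - 2] : null;
    if (parent) overrides[parent] = { ...(overrides[parent] || {}), [pkgName]: range };
    else overrides[pkgName] = range;
  }
  return overrides;
}
```

Running `findVulnerableCopies(sampleLock, "serialize-javascript", "7.0.5")` reports only the nested copy under terser-webpack-plugin, and `suggestOverrides` turns that into a parent-scoped override rather than a global one.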

@kdenhartog kdenhartog enabled auto-merge (squash) February 9, 2026 12:38
@mihaiplesa
Contributor

Needs a rebase.

Collaborator


Was it necessary to refresh the whole lock?

Member Author

@kdenhartog kdenhartog Mar 31, 2026


Yes, because the lockfile will now specify the engine per dep due to enabling the strict engine setting, so we get fewer of those `peer: true` inconsistencies we got before.

- Replace https.get + manual Promise with native fetch
- Extract fetchIgnoredAdvisories and runNpmAudit from main
- Simplify extractVulnerabilities to a functional chain with dedup
- Drop npm 6 advisories format support (Node 20+ only)
- Update tests: remove npm 6 cases, add deduplication case
@@ -12956,18 +11460,25 @@
}
}
},
"node_modules/terser-webpack-plugin/node_modules/serialize-javascript": {
"version": "6.0.2",
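Review bot: the nested serialize-javascript entry in this hunk stays at 6.0.2, which is below both patched versions named in the Socket alerts on this PR (7.0.3 for GHSA-5c6j-r48x-rmvq and 7.0.5 for GHSA-qj8w-gfj5-8c6v), so regenerating the whole lockfile did not clear the advisory. Since the lock is already being refreshed here, consider adding a package.json override, e.g. `"overrides": { "serialize-javascript": "^7.0.5" }`, and re-running the lockfile update so the terser-webpack-plugin copy resolves to a patched release, or state in the summary that the advisory is being tracked separately.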


reported by reviewdog 🐶
[npm-audit] Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()

See GHSA-5c6j-r48x-rmvq
Cc @thypon @kdenhartog

Updates Node.js engine requirement to >=24.11.1 <25.0.0 and updates
all CI workflows and Docker configuration to use Node.js 24.