Skip to content

chore(deps): update node.js to v24.13.1#23

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/node-24.x
Open

chore(deps): update node.js to v24.13.1#23
renovate[bot] wants to merge 1 commit intomainfrom
renovate/node-24.x

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 14, 2026
edited
Loading

This PR contains the following updates:

Package Update Change Pending
node (source) patch 24.13.024.13.1 v24.14.0

Release Notes

nodejs/node (node)

v24.13.1

Compare Source

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link

github-actions bot commented Feb 14, 2026
edited
Loading

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Node.js v24.13.1 (LTS) "Krypton" was released on February 10, 2026, as a patch release with the following key changes:

Security Fixes:

  • CVE-2025-59465 (High): Fixed TLS socket default error handler vulnerability that could cause process crashes when HTTP/2 servers receive malformed HEADERS frames with oversized HPACK data
  • CVE-2026-21637 (Medium): Fixed TLS error handling issue where exceptions in pskCallback or ALPNCallback bypass standard error handling, potentially causing process termination or resource exhaustion

Major Updates:

  • Crypto: Updated root certificates to NSS 3.119 and OpenSSL to 3.5.5
  • CLI Stability: Marked --heapsnapshot-near-heap-limit, --build-snapshot, and --build-snapshot-config flags as stable
  • Build: Added Python 3.14 support
  • Unicode: Updated ada library to v3.4.2 with Unicode 17 support

Dependency Updates:

  • npm 11.8.0, corepack 0.34.6, sqlite 3.51.2, ICU 78.2, zlib 1.3.1, nghttp2 1.68.0, brotli 1.2.0, simdjson 4.2.4

Bug Fixes:

  • HTTP: Fixed rawHeaders exceeding maxHeadersCount limit, double ERR_PROXY_TUNNEL emission
  • File System: Fixed ENOTDIR in globSync, rmSync non-ASCII character handling
  • Node-API: Added napi_set_prototype, fixed data race in napi_threadsafe_function, added Float16Array support
  • Module System: Fixed sync resolve hooks for require with node: prefixes
  • Test Runner: Fixed memory leaks, coverage report issues

Breaking Changes: None identified - this is a standard patch release maintaining full backward compatibility.

🎯 Impact Scope Investigation

Node.js Usage in Project:

  • Version Specification: Only in mise.toml (line 3: node = "24.13.0"node = "24.13.1")
  • Package Requirements: package.json specifies "engines": { "node": ">=18" } - v24.13.1 satisfies this constraint
  • CI/CD Configuration: Uses mise-action in .github/actions/setup/action.yml which reads from mise.toml

Direct Node.js API Usage:

  • Zero Direct Dependencies: The SDK does not import any node:* modules
  • Runtime: Project uses Bun (v1.3.5) for development commands (build, test, lint)
  • TypeScript Compilation: Targets ES2022 with NodeNext module resolution
  • API Surface: SDK only uses standard Web APIs (fetch, Response, JSON operations)

Dependencies Analysis:

  • No runtime dependencies (pure TypeScript SDK)
  • Dev dependencies are Node.js-agnostic build tools (@biomejs/biome, vitest, typescript)
  • The SDK is designed for browser and Node.js environments using standard Web APIs

Configuration Files Impact:

  • mise.toml - Updated (only file changed in PR)
  • package.json - No changes needed (engine constraint already satisfied)
  • .github/workflows/ci.yml - No changes needed (uses mise-action)
  • tsconfig.json - No changes needed (configuration independent of Node.js patch version)

💡 Recommended Actions

Immediate Actions:

  1. Merge PR - This is a safe patch update with security fixes
  2. No Code Changes Required - The SDK has zero direct Node.js API dependencies
  3. No Migration Work - Full backward compatibility maintained

Post-Merge Verification:

  1. Verify CI pipeline passes (build, typecheck, lint, test)
  2. Confirm mise correctly installs Node.js v24.13.1

Benefits of This Update:

  • Patches two TLS-related vulnerabilities (CVE-2025-59465, CVE-2026-21637)
  • Updates crypto root certificates to NSS 3.119 for improved security
  • Updates OpenSSL to 3.5.5 with latest security patches
  • Receives all bug fixes for HTTP, file system, and Node-API

Risk Assessment:

  • Risk Level: Minimal - patch release with no breaking changes
  • API Compatibility: 100% - no API changes that affect this codebase
  • Security Impact: Positive - addresses two TLS vulnerabilities
  • Testing Required: Standard CI pipeline verification only

🔗 Reference Links

Generated by koki-develop/claude-renovate-review

@renovate renovate bot force-pushed the renovate/node-24.x branch from b9629c8 to 52296eb Compare February 16, 2026 13:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants