chore(deps): pin node.js to v25.7.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
node (source)	engines	pin	>=18 → v25.7.0

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ❌ Not Safe

🔍 Release Content Analysis

Node.js v25.7.0 Release (2026-02-24)

This PR proposes changing the Node.js engine requirement from >=18 (flexible range supporting Node 18+) to v25.7.0 (exact pin). Node.js v25.7.0 was released today (2026-02-24) and includes:

New Features in v25.7.0:

• HTTP/2: Added http1Options for HTTP/1 fallback configuration
• SEA (Single Executable Applications): Support for ESM entry points
• Stream API: Renamed Duplex.toWeb() type option to readableType
• Test Runner: Show interrupted test on SIGINT
• SQLite: Marked as release candidate

Major Breaking Changes from Node.js v18 → v25:

• Removed APIs: SlowBuffer, fs.F_OK/R_OK/W_OK/X_OK, fs.rmdir recursive option, assert.CallTracker, multiple deprecated crypto/async/fs APIs
• Web Storage enabled by default: This has caused significant ecosystem breakage (webpack, jest, html-webpack-plugin chains)
• V8 upgraded to 14.1: Major internal changes with performance improvements
• NODE_MODULE_VERSION: Updated from 138 to 141 (requires native module recompilation)
• Security: New --allow-net permission model flag

No security fixes are specifically highlighted in v25.7.0.

🎯 Impact Scope Investigation

Codebase Analysis:

• No direct Node.js API usage: The SDK uses only Web Standard APIs (fetch, globalThis, Response, Request, Promise, JSON)
• TypeScript target: ES2022 with NodeNext module resolution
• Runtime environment: Project uses Bun (1.3.5) as the primary runtime, not Node.js directly
• Build toolchain: Uses Bun for all operations (build, test, lint)

CI/CD Configuration:

• mise.toml: Currently specifies Node.js 24.13.0 (not in sync with package.json)
• GitHub Actions: Uses mise-action to install tools from mise.toml
• All CI checks: ✅ PASSED (Build, Lint, Typecheck, Test all succeeded)

Critical Issues Identified:

1. Unnecessary Pin: This PR pins to an exact version (v25.7.0) rather than preserving the range. For a library package, this is problematic:

   • Libraries should typically use ranges (e.g., >=18) to allow consumers flexibility
   • Exact pins are more appropriate for applications, not SDKs
   • This forces all consumers to use exactly Node.js v25.7.0

2. Version Mismatch: mise.toml specifies Node.js 24.13.0, but package.json would be pinned to v25.7.0. The CI uses mise.toml, so the actual runtime differs from the declared engine requirement.

3. Breaking Changes Risk: Node.js v25 contains 50+ removed/deprecated APIs. While this SDK doesn't directly use them, consumers might:

   • Web Storage enabled by default breaks test environments (localStorage mocks)
   • Native module incompatibility (NODE_MODULE_VERSION changed)
   • Ecosystem tooling issues documented with webpack/jest

4. Production Readiness: Node.js v25 is a Current release (not LTS). It will become unsupported after 6 months. The official guidance states: "Production applications should only use Active LTS or Maintenance LTS releases."

💡 Recommended Actions

Immediate Actions:

1. Close this PR - Do not merge the exact pin to v25.7.0

2. Configure Renovate to preserve semver ranges by adding :preserveSemverRanges preset to renovate.json (as suggested in the PR description)

3. Update package.json engines manually to a more appropriate range:

   "engines": {
     "node": ">=18.0.0"
   }

   Or if Node 18 compatibility needs to be verified:

   "engines": {
     "node": "^18.0.0 || ^20.0.0 || ^22.0.0"
   }

4. Sync mise.toml with package.json philosophy - Either:

   • Keep mise.toml at a stable LTS version (e.g., 22.x LTS)
   • Or update it to match the minimum supported version (18.x)

Testing Recommendations:

1. Test on Node.js LTS versions: 18.x (Hydrogen), 20.x (Iron), 22.x (Jod)
2. Avoid testing on Current releases (v25) unless specifically targeting new features
3. Add matrix testing in CI to verify compatibility across supported Node versions

Configuration Changes:

Add to renovate.json or package.json:

{
  "extends": [":preserveSemverRanges"]
}

🔗 Reference Links

• Node.js v25 Changelog
• Node.js v25.0.0 Release Notes
• Node.js v25 Breaking Changes Analysis
• Node.js Release Schedule
• GitHub PR #24

Generated by koki-develop/claude-renovate-review