Node.js versions bundled in runner v2.331.0 trigger security scanner warnings #4214
Description
Hi team,
Our self-hosted GitHub Actions runner (version v2.331.0) is being flagged by security scanners due to outdated Node.js binaries bundled in the runner’s externals/ directory.
The scanner reports that the Node.js versions included in v2.331.0 are older than the patched versions released in the January 13, 2026 Node.js security advisory.
Examples of detected mismatches:
- Node 20.x → installed: 20.19.x, required: 20.20.0
- Node 24.x → installed: 24.12.x, required: 24.13.0
Relevant CVEs from the official Node.js advisory:
- CVE-2025-55130
- CVE-2025-55131
- CVE-2025-55132
- CVE-2025-59465
- CVE-2025-59466
- (and others included in the Jan 13 security release)
Since these Node.js binaries are part of the runner package itself and not user-installed, we are not able to patch or update them manually.
Could you confirm whether these Node.js components will be updated in an upcoming runner release?
Thank you!