Skip to content

chore(deps): update node.js to v24 #285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

chore(deps): update node.js to v24 #285

renovate wants to merge 1 commit into from
+2 −2

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 8, 2026
edited by coderabbitai bot
Loading

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
node (source) major 22.21.124.13.0

Release Notes

nodejs/node (node)

v24.13.0: 2026-01-13, Version 24.13.0 'Krypton' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

Commits

v24.12.0: 2025-12-10, Version 24.12.0 'Krypton' (LTS), @​targos

Compare Source

Notable Changes
  • [1a00b5f68a] - (SEMVER-MINOR) http: add optimizeEmptyRequests server option (Rafael Gonzaga) #​59778
  • [ff5754077d] - (SEMVER-MINOR) lib: add options to util.deprecate (Rafael Gonzaga) #​59982
  • [8987159234] - (SEMVER-MINOR) module: mark type stripping as stable (Marco Ippolito) #​60600
  • [92c484ebf4] - (SEMVER-MINOR) node-api: add napi_create_object_with_properties (Miguel Marcondes Filho) #​59953
  • [b11bc5984e] - (SEMVER-MINOR) sqlite: allow setting defensive flag (Bart Louwers) #​60217
  • [e7da5b4b7d] - (SEMVER-MINOR) src: add watch config namespace (Marco Ippolito) #​60178
  • [a7f7d10c06] - (SEMVER-MINOR) src: add an option to make compile cache portable (Aditi) #​58797
  • [92ea669240] - (SEMVER-MINOR) src,permission: add --allow-inspector ability (Rafael Gonzaga) #​59711
  • [05d7509bd2] - (SEMVER-MINOR) v8: add cpu profile (theanarkh) #​59807
Commits

v24.11.1

Compare Source

v24.11.0

Compare Source

v24.10.0: 2025-10-08, Version 24.10.0 (Current), @​RafaelGSS

Compare Source

Notable Changes
  • [31bb476895] - (SEMVER-MINOR) console: allow per-stream inspectOptions option (Anna Henningsen) #​60082
  • [3b92be2fb8] - (SEMVER-MINOR) lib: remove util.getCallSite (Rafael Gonzaga) #​59980
  • [18c79d9e1c] - (SEMVER-MINOR) sqlite: create authorization api (Guilherme Araújo) #​59928
Commits

v24.9.0: 2025-09-25, Version 24.9.0 (Current), @​targos

Compare Source

Notable Changes
  • [9b043a9096] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
  • [a6456ab90a] - (SEMVER-MINOR) sqlite: cleanup ERM support and export Session class (James M Snell) #​58378
  • [5563361d22] - (SEMVER-MINOR) sqlite: add tagged template (0hm☘️) #​58748
  • [04013ee933] - (SEMVER-MINOR) worker: add heap profile API (theanarkh) #​59846
Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

  • Chores
    • Updated the project Node.js version requirement to 24.13.0, ensuring consistency across configurations and test setups.

✏️ Tip: You can customize this high-level summary in your review settings.

@renovate renovate bot added the renovate label Jan 8, 2026
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 8, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Two .nvmrc files were updated to specify Node.js 24.13.0 (previously 22.21.1): one at the repository root and one at src/test/vscode-notebook-perf/.nvmrc. These edits only change the declared runtime version and do not modify functional code, logic, or control flow.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title accurately describes the main change: updating Node.js from v22 to v24 across .nvmrc files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)
  • CVE-2025: Entity not found: Issue - Could not find referenced Issue.
  • CVE-2026: Entity not found: Issue - Could not find referenced Issue.

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link

codecov bot commented Jan 8, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (a996dfb) to head (ccc075e).
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@     Coverage Diff     @@
##   main   #285   +/-   ##
===========================
===========================
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate bot force-pushed the renovate/node-24.x branch 2 times, most recently from 5f1f9fe to 580252b Compare January 12, 2026 08:24
coderabbitai[bot]
coderabbitai bot requested changes Jan 12, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @.nvmrc:
- Line 1: The Node.js version was bumped to 24.12.0 which is a major jump with
breaking changes; run the full test suite under Node 24, rebuild native modules
(npm rebuild / yarn rebuild), and verify package.json for native dependencies
(node-gyp, sqlite3, bcrypt, etc.), then test crypto/TLS paths and API
usage—search code for deprecated/removed APIs such as url.parse, SlowBuffer,
fs.truncate(fd), tls.createSecurePair and update to supported alternatives;
ensure any native addon is rebuilt and CI uses Node 24 before merging.
📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5f1f9fe and 580252b.

📒 Files selected for processing (2)
  • .nvmrc
  • src/test/vscode-notebook-perf/.nvmrc
🔇 Additional comments (1)
src/test/vscode-notebook-perf/.nvmrc (1)

1-1: Consistent with root .nvmrc.

Both files updated together—ensures test environment matches project runtime.

.nvmrc Outdated
@@ -1 +1 @@
22.21.1
24.12.0
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Node.js 24.12.0 breaking changes migration guide from Node.js 22

💡 Result:

Below is a concise migration checklist and the key breaking/behavior changes to watch for when moving from Node.js 22 → 24.12.0 (LTS). Sources: Node.js v22→v24 migration notes and the v24.12.0 release notes. [1][2]

  1. Quick summary of highest-impact breaking changes
  • OpenSSL 3.5: default security level = 2 — short RSA/DSA/DH (<2048) and ECC (<224) keys and RC4 cipher suites are prohibited; test TLS/crypto usage. [1]
  • V8 → 13.6: new globals/features (Float16Array, RegExp.escape, Error.isError, explicit resource management). Native addons must be rebuilt and may require V8 API updates (NODE-API recommended). [1][2]
  • AsyncLocalStorage now uses AsyncContextFrame by default — verify context propagation. [2]
  • URLPattern is global — adjust imports if you previously imported it. [2]
  • Stricter runtime argument validation / behavioral changes: fetch() compliance, AbortSignal validation, stream/pipe errors now throwing, Buffer behavior changes, Windows path-handling fixes — run tests. [1]
  • Removed/deprecated APIs and runtime deprecations you may rely on: tls.createSecurePair, fs.truncate(fd), dirent.path, SlowBuffer, url.parse() (runtime-deprecated, use WHATWG URL), process.execve on Windows, various undocumented process bindings; file-constants getters (fs.F_OK etc.) warn — replace usages. [1][2]
  • Build/toolchain changes: minimum gcc 12.2 on Linux/AIX, Xcode 16.1 on macOS; MSVC support removed on Windows (ClangCL required to build). [1]
  1. Concrete migration steps (recommended order)
  • Run your test-suite on Node.js 24 (CI job or local): fix failing tests first (argument validation and stream errors are common failure sources). [1]
  • Rebuild native modules: npm rebuild / node-gyp rebuild / reinstall to ensure compatibility with V8 13.6; prefer NODE-API for native addons to reduce churn. [1]
  • Run the Node.js codemods for automated fixes (examples provided by Node.js): e.g., fs-access-mode-constants, crypto-rsa-pss-update, fs-truncate-to-ftruncate, process-assert-to-node-assert (npx codemod run …). [1]
  • Address crypto/TLS: ensure keys/ciphers meet OpenSSL 3.5 requirements; test external connections and certificate handling. [1]
  • Replace deprecated APIs: migrate url.parse → WHATWG URL, stop using SlowBuffer, stop relying on removed internals. [1][2]
  • Inspect async context usage (AsyncLocalStorage), URLPattern usage, and any code that relied on older Buffer behavior or lax argument validation. [1][2]
  • Update build toolchains if you compile Node from source (gcc/Xcode/ClangCL) and CI images accordingly. [1]
  • Upgrade dependent packages (especially native modules and npm-based tools) and check compatibility notes for npm 11 bundled with Node 24. [2]
  • Run security and static-analysis checks, then deploy to a staging environment and smoke-test. [1]
  1. Resources and commands
  • Node.js official migration page (v22→v24) — includes detailed breaking changes and codemod list. [1]
  • Node.js v24.12.0 release notes for specific fixes/semver-minor/commits. [2]
  • Typical commands:
    • npx codemod run @nodejs/ (see migration page). [1]
    • npm rebuild / npm ci (reinstall native modules).
    • Run full test matrix on Node 24 in CI.

If you want, I can:

  • produce a short grep/codemod plan for your repo (list of patterns to search and exact codemods to run), or
  • scan your package.json + native deps and give a prioritized list of likely breakages.

Sources:
[1] Node.js: “v22 to v24” migration notes (Node.js official).
[2] Node.js: “v24.12.0” release notes (Node.js official).

🌐 Web query:

Node.js 24.12.0 security advisories known issues LTS

💡 Result:

Short summary — Node.js v24.12.0 (LTS) — security advisories & known issues

  • Official v24.12.0 release notes (v24.12.0 published 2025-12-10) — normal LTS changes and minor features; no new single‑version emergency security advisory called out in the tag. [1]

  • Recent security advisories affecting the 24.x line you should track (examples patched on 24.x or relevant to 24.x):

    • Multiple CVEs and security releases published in 2025 (May / July) addressing DoS, HTTP/2 crashes, ReadFileUtf8 memory leak, HashDoS (V8 rapidhash), request‑smuggling / Content‑Length handling, privilege/capability environment handling (CVE-2024-21892 and related), and other issues — these affect 24.x and were fixed in the 24.x security/patch releases. See the Node.js security release posts. [2][3]

  • Known issue history relevant to 24.x LTS:

    • Buffer.allocUnsafe returned zero‑filled buffers in 24.11.0; restored behavior in the next LTS patch. (Noted in Node.js releases). [1]
    • V8/rapidhash HashDoS and other CVEs (July 2025 security release) were announced for the 24.x line. [3]

  • Practical recommendations:

    • Run the latest 24.x LTS patch (v24.12.0 is LTS as of 2025‑12‑10) and apply any subsequent security patch releases from nodejs.org immediately.
    • Subscribe to Node.js security release posts and monitor CVE trackers (NVD/Snyk) for new advisories affecting 24.x. [2][4]

Sources

  1. Node.js v24.12.0 release tag / notes (GitHub releases). [GitHub nodejs/node — v24.12.0]. [1]
  2. Node.js Project security release posts (May / July 2025 security releases listing CVEs affecting 24.x). [Node.js security blog]. [2]
  3. Summaries / trackers referencing CVEs affecting v24.x (HashDoS / ReadFileUtf8 / CVE listings). [stack.watch / HKCERT / Node.js CN vulnerability posts]. [3]
  4. Snyk package security page for [email protected] (vulnerability scanning/status). [Snyk]. [4]

If you want, I can: (a) list the specific CVE IDs and which 24.x patch fixed each, or (b) fetch the latest security patches released after v24.12.0 and produce a one‑line remediation checklist. Which would you prefer?

🏁 Script executed:

#!/bin/bash
# Search for Node.js API calls that might be affected by breaking changes
rg -n --type=ts --type=js 'process\.(version|versions|release)' --max-count=10
rg -n --type=ts --type=js 'require\(["\']node:' --max-count=10
rg -n --type=ts --type=js 'require\(["\']v8' --max-count=10

Repository: deepnote/vscode-deepnote

Length of output: 373

🏁 Script executed:

# Check for Node.js/npm related config files
git ls-files | grep -E '(package\.json|\.npmrc|engines)'

Repository: deepnote/vscode-deepnote

Length of output: 172

Major version jump confirmed—breaking changes require testing.

Node.js 22 → 24 introduces significant breaking changes (OpenSSL 3.5 stricter crypto validation, V8 13.6 requiring native module rebuilds, removed APIs like tls.createSecurePair, stricter argument validation). v24.12.0 is stable LTS, but run your test suite and check package.json for native dependencies. Rebuild any native modules (npm rebuild); prioritize testing crypto/TLS and API deprecations (check for url.parse(), SlowBuffer, fs.truncate(fd) usage).

🤖 Prompt for AI Agents 
In @.nvmrc at line 1, The Node.js version was bumped to 24.12.0 which is a major
jump with breaking changes; run the full test suite under Node 24, rebuild
native modules (npm rebuild / yarn rebuild), and verify package.json for native
dependencies (node-gyp, sqlite3, bcrypt, etc.), then test crypto/TLS paths and
API usage—search code for deprecated/removed APIs such as url.parse, SlowBuffer,
fs.truncate(fd), tls.createSecurePair and update to supported alternatives;
ensure any native addon is rebuilt and CI uses Node 24 before merging.

@renovate renovate bot force-pushed the renovate/node-24.x branch 3 times, most recently from 6709a85 to fe87eca Compare January 13, 2026 14:00
coderabbitai[bot]
coderabbitai bot requested changes Jan 13, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @.nvmrc:
- Line 1: Replace the invalid Node version in .nvmrc from "24.13.0" to the
actual latest "24.12.0", then update package.json to ensure @types/node aligns
(change any pinned or careted node types version to ^22.15.1 if you want Node 24
compatibility) and edit CONTRIBUTING.md to replace any references to "22.15.1"
so all files (.nvmrc, package.json, CONTRIBUTING.md) consistently reference the
corrected versions; update the version strings exactly where they appear (look
for the literal "24.13.0" in .nvmrc, "@types/node" dependency entry in
package.json, and the node version mention in CONTRIBUTING.md).
📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 6709a85 and fe87eca.

📒 Files selected for processing (2)
  • .nvmrc
  • src/test/vscode-notebook-perf/.nvmrc
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build & Test
🔇 Additional comments (1)
src/test/vscode-notebook-perf/.nvmrc (1)

1-1: Consistent with root .nvmrc update.

Test environment matches the root configuration. Ensure this version is validated (see root .nvmrc verification).

@renovate renovate bot force-pushed the renovate/node-24.x branch from fe87eca to ccc075e Compare January 15, 2026 09:50
@renovate renovate bot force-pushed the renovate/node-24.x branch from ccc075e to a492c6c Compare January 15, 2026 16:18
coderabbitai[bot]
coderabbitai bot requested changes Jan 15, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @.nvmrc:
- Line 1: Update the `@types/node` versions to match Node.js 24: change the root
package.json dependency "@types/node" from "^22.15.1" to "^24.x" and update the
test package's "@types/node" from "^18.15.0" to "^24.x"; run npm install (or
yarn) and then rebuild/typecheck to ensure no type errors, and update any
lockfile (package-lock.json / yarn.lock) accordingly.
📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ccc075e and a492c6c.

📒 Files selected for processing (2)
  • .nvmrc
  • src/test/vscode-notebook-perf/.nvmrc
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Audit - Production
  • GitHub Check: Build & Test
🔇 Additional comments (1)
src/test/vscode-notebook-perf/.nvmrc (1)

1-1: Consistent with root .nvmrc.

Test fixture aligned correctly.

✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.

.nvmrc
@@ -1 +1 @@
22.21.1
24.13.0
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for Node version references across the repository

echo "=== package.json engines field ==="
fd -t f 'package\.json$' --exec jq -r '{file: input_filename, engines: .engines}' {} \; 2>/dev/null | head -50

echo -e "\n=== GitHub Actions workflows (node-version references) ==="
rg 'node-version' -g '*.yml' -g '*.yaml' --max-count 10 2>/dev/null

echo -e "\n=== .nvmrc files ==="
fd -t f '\.nvmrc$' --exec cat {} + | wc -l
fd -t f '\.nvmrc$' -exec sh -c 'echo "File: {}"; cat {}' \;

echo -e "\n=== package.json with `@types/node` versions ==="
fd -t f 'package\.json$' --exec jq -r 'select(.devDependencies."@types/node" != null or .dependencies."@types/node" != null) | {file: input_filename, types_node: (.devDependencies."@types/node" // .dependencies."@types/node")}' {} \; 2>/dev/null

echo -e "\n=== Node version mentions in docs ==="
rg 'node.*24|24.*node' -i -g '*.md' 2>/dev/null | head -20

Repository: deepnote/vscode-deepnote

Length of output: 891

🌐 Web query:

Node.js 24.13.0 release security CVE 2026

💡 Result:

Yes — Node.js 24.13.0 (LTS) is a security release published on January 13, 2026. It fixes multiple CVEs (notably CVE-2025-55131, CVE-2025-55130 and CVE-2025-59465 among others) and the Node.js project recommends upgrading to 24.13.0 (or later) to address these issues. [1][2]

Sources:

  • Node.js 24.13.0 release notes (Jan 13, 2026). [1]
  • Node.js security releases advisory (Jan 13, 2026) — list of addressed CVEs and upgrade guidance. [2]

🌐 Web query:

@types/node 24 TypeScript types Node.js compatibility

💡 Result:

Short answer: @types/node v24 = type definitions for Node.js 24 (match major versions). Use the @types major that matches your Node major (e.g., install @types/node@24 for Node 24). For runtime TypeScript in Node 24, Node's docs recommend TypeScript 5.8+ for the built‑in type‑stripping workflow. [1][2][3]

Sources:

  • DefinitelyTyped/@types versioning and guidance. [1]
  • Explanation that @types/node major aligns with Node major. [2]
  • Node.js TypeScript (type‑stripping) guidance recommending TS 5.8+ (Node 24 docs). [3]

Update @types/node to match Node.js 24—version mismatch detected.

Node.js 24.13.0 is valid and addresses multiple CVEs (recommended upgrade). However, package.json still has @types/node ^22.15.1. Update to @types/node ^24.x to match the Node 24.13.0 runtime, preventing TypeScript compilation issues.

Also update the test package's @types/node ^18.15.0 to ^24.x for consistency.

🤖 Prompt for AI Agents 
In @.nvmrc at line 1, Update the `@types/node` versions to match Node.js 24:
change the root package.json dependency "@types/node" from "^22.15.1" to "^24.x"
and update the test package's "@types/node" from "^18.15.0" to "^24.x"; run npm
install (or yarn) and then rebuild/typecheck to ensure no type errors, and
update any lockfile (package-lock.json / yarn.lock) accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant