
# fix: unblock Dependabot Security Updates (Node 24 Compat + brace-expansion CVE) #1296

Closed. Aryan-Verma-999 wants to merge 2 commits into RocketChat:develop from Aryan-Verma-999:fix/dependabot-node-compat

Conversation

**Aryan-Verma-999** (Contributor) commented May 17, 2026

fix: Unblock Dependabot Security Updates (Node 24 Compat + brace-expansion CVE)

Acceptance Criteria fulfillment

  • `node-check.js` skips the Node.js version enforcement when running inside Dependabot's container (`DEPENDABOT_HOME` is set), preventing YN0009 build failures
  • The `postinstall` build step is skipped in Dependabot and CI environments so `corepack yarn up` can complete without triggering a full monorepo build
  • Dependabot security updates for `handlebars`, `vm2`, `path-to-regexp`, and `node-forge` are unblocked (previously failing because Dependabot runs Node.js v24 while `node-check.js` enforced Node 22)
  • The `brace-expansion` CVE in `/packages/react-native` is addressed by pinning to 1.1.13 via yarn `resolutions`

Video/Screenshots

No UI changes — infrastructure/tooling fix only.

PR Test Details

Root cause: Dependabot's updater container runs Node.js v24.15.0, but `scripts/node-check.js` enforced Node 22 (major version check), causing exit code 1 and `YN0009: embeddedchat@workspace:. couldn't be built successfully` on every Dependabot security update attempt against the root workspace.

Changes:

| File | Change |
| --- | --- |
| `scripts/node-check.js` | Exit early (success) when the `DEPENDABOT_HOME` env var is set |
| `package.json` | Skip `postinstall: yarn build` in Dependabot and CI environments |
| `packages/react-native/package.json` | Add `resolutions` to pin `brace-expansion` to 1.1.13 |

Note: The PR will be ready for live testing at https://rocketchat.github.io/EmbeddedChat/pulls/pr-1296 after approval. Contributors are requested to replace `<pr_number>` with the actual PR number.

**Spiral-Memory** (Collaborator) commented:

Any specific reason why it was working fine with 16.9 node version without any failures?

**Spiral-Memory** (Collaborator) commented:

I suggest we also switch to 24, as it's the LTS version too, with much longer support. Is there any specific reason you chose 22? I hope migrating from 22 to 24 won't be a major task.

**Aryan-Verma-999** (Contributor, Author) commented:

The primary reason for choosing 22 was to align EmbeddedChat with the RC server, as RC 8.4+ requires Node 22.
We can switch to 24 if you'd like.

**Spiral-Memory** (Collaborator) commented:

Got it! But I think we should still move to 24, as Rocket.Chat is constantly maintained by the internal team. Once the support ends, it will probably be migrated. EmbeddedChat, on the other hand, is more of a community-maintained project, so it's difficult to make major changes later on. So let's go with the latest LTS version.

**Aryan-Verma-999** (Contributor, Author) commented:

> Any specific reason why it was working fine with 16.9 node version without any failures?

The old `node-check.js` used a minimum version check;
the new `node-check.js` uses a strict major version check.

That's why Dependabot was failing.
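The two version-check policies described in the PR body and in the reply above, as an added example that is not the EmbeddedChat project's own `scripts/node-check.js`; the function names (`checkNode`, `exitCodeFor`, `shouldSkipPostinstall`) and the explicit `env`/`version` parameters are assumptions made so the policy can be exercised without exiting the process:

```javascript
// Added example, not the EmbeddedChat repository's own scripts/node-check.js.
// It models the two policies discussed in this PR (the old "minimum version"
// check and the new "strict major" check) plus the Dependabot/CI skips.
// Function and parameter names are assumptions made for this example.

// process.version looks like "v24.15.0"; return the major as a number.
function parseMajor(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unrecognised Node.js version string: ${version}`);
  return Number(m[1]);
}

// Decide whether the install may proceed. Returns { ok, reason } instead of
// exiting so the policy can be unit-tested; see exitCodeFor() below.
function checkNode({ version, requiredMajor, mode, env }) {
  // Dependabot's updater container sets DEPENDABOT_HOME and runs whatever
  // Node.js release it ships; enforcing the repo's pin there only produces
  // the YN0009 "couldn't be built successfully" failure on every update.
  if (env.DEPENDABOT_HOME) {
    return { ok: true, reason: 'skipped: running inside Dependabot' };
  }
  const major = parseMajor(version);
  if (mode === 'minimum') {
    // Old behaviour: any release at or above the required major passes,
    // which is why Node 24 never tripped it.
    const ok = major >= requiredMajor;
    return { ok, reason: `Node ${major} ${ok ? '>=' : '<'} required ${requiredMajor}` };
  }
  // Strict behaviour: only the exact major passes, so Node 24 against a pin of 22 fails.
  const ok = major === requiredMajor;
  return { ok, reason: `Node ${major} ${ok ? 'matches' : 'does not match'} required ${requiredMajor}` };
}

// The postinstall build is also skipped under Dependabot and in CI, so
// `yarn up` can complete without a full monorepo build.
function shouldSkipPostinstall(env) {
  return Boolean(env.DEPENDABOT_HOME || env.CI);
}

// Exit status a preinstall hook would use: 0 = continue, 1 = abort the install.
function exitCodeFor(env, version, requiredMajor = 22, mode = 'strict') {
  const result = checkNode({ version, requiredMajor, mode, env });
  if (!result.ok) console.error(`node-check: ${result.reason}`);
  return result.ok ? 0 : 1;
}

// Wire it up as the real guard with:
//   process.exit(exitCodeFor(process.env, process.version));
```

Note that the bypass keys off an environment variable, so it only relaxes a developer convenience check; it does not change which dependency versions get installed.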

**Aryan-Verma-999** (Contributor, Author) commented:

> Got it! But I think we should still move to 24, as Rocket.Chat is constantly maintained by the internal team. Once the support ends, it will probably be migrated. EmbeddedChat, on the other hand, is more of a community-maintained project, so it's difficult to make major changes later on. So let's go with the latest LTS version.

Yeah sure, on it.

**Spiral-Memory** (Collaborator) commented:

> Any specific reason why it was working fine with 16.9 node version without any failures?
>
> The old `node-check.js` used a minimum version check;
> the new `node-check.js` uses a strict major version check.
>
> That's why Dependabot was failing.

Understood!

**Spiral-Memory** (Collaborator) commented:

Closing this PR. If, later, Dependabot fails, we'll think about it.
