chore: clear dependency advisories and bump CI to Node 24#15
Merged
Conversation
Security: - Bump @xmldom/xmldom to 0.9.10 (the only affected runtime dependency; resolves high-severity XML injection + serialization DoS advisories). - npm audit fix clears the critical handlebars and high basic-ftp/ws advisories across the dev/test toolchain. - Add overrides for esbuild (^0.28.1) and js-yaml (^4.2.0) to clear the remaining dev-only advisories that the parents pin to vulnerable ranges. - npm audit now reports 0 vulnerabilities. CI: - Bump GitHub Actions Node from 20 to 24 in ci.yml and release.yml. Verified: format:check, build, 154 unit/integration tests, and 37 browser tests all pass with the updated dependency tree.
actions/checkout@v4 and actions/setup-node@v4 declare the node20 runtime, which GitHub now force-runs on node24 and is deprecating. v5 is the first major of each that natively targets node24, resolving the warning without pulling in the additional breaking changes from v6/v7.
actions/create-release@v1 is archived and runs on the node12 runtime. Replace it with `gh release create`, which ships pre-installed on the runner and runs as a shell step, so there is no action runtime to deprecate. Behavior is preserved: a non-draft, non-prerelease release on the pushed tag with notes from the extracted release_notes.md.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release-prep chores: clear all GitHub-reported dependency vulnerabilities and move CI to Node 24.
Security —
npm auditnow reports 0 vulnerabilities (was 30: 1 critical, 4 high, 23 moderate, 2 low)Cross-checked against the repo's actual Dependabot alerts, not just
npm audit.@xmldom/xmldom→ 0.9.10 — the only affected runtime dependency. Resolves the high-severity XML injection + serialization DoS advisories. Within the existing^0.9.8range.npm audit fix(non-force) cleared the critical (handlebars) and remaining high (basic-ftp, ws) advisories across the dev/test toolchain.overridesfor the two stragglers whose parents pin vulnerable ranges — both dev-only:esbuild→^0.28.1(from web-test-runner / rollup-plugin-esbuild / tsx; advisory was dev-server-on-Windows arbitrary file read, CI runs Ubuntu; esbuild has no deps so the pin is safe)js-yaml→^4.2.0(buried under jest's coverage tooling viababel-plugin-istanbul → @istanbuljs/load-nyc-config; no fixed 3.x release exists; only reachable via Babel coverage-config loading, never attacker input)CI — Node 20 → 24
.github/workflows/ci.ymland the verify job (plus the commented publish job) inrelease.yml.Verification
All green locally with the updated dependency tree:
npm run format:checknpm run buildnpm test— 154 unit/integration tests pass (coverage runs, confirming the js-yaml 4.x override doesn't break Babel coverage tooling)npm run test:browser— 37 browser tests pass (confirming the esbuild 0.28 override doesn't break@web/dev-server-esbuildbundling)npm audit— 0 vulnerabilitiesNotes
This bumps CI to Node 24 but does not change the package's declared engine support. Let me know if you'd also like an
enginesfield / matrix change.