chore!: baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep #232
Merged
BREAKING CHANGE: minimum Node is now 24.15.0 (was 22.12.0). Node 22 is
no longer supported. 24.15.0 is the floor where the two major bumps below
install under engine-strict.
Node 24 baseline:
- engines.node >=22.12.0 -> >=24.15.0 across the root + all 18 packages
- mise.toml node pin 22 -> 24; .nvmrc / .node-version 22 -> 24
- ci.yml test matrices drop Node 22 (now [24]); verify-global-install
matrix flips its six Node-22 legs to 24 (dropping the now-duplicate
linux-x64-node24-mise leg) and keeps every installer x OS x arch combo
- README requirements: "Node 22 or 24" -> "Node 24+"
Held majors (were blocked only by Node 22, now unblocked):
- license-checker-rseidelsohn 4.4.2 -> 5.0.1 (needs node>=24). v5 walks the
tree via @npmcli/arborist and reports raw SPDX expressions, so it surfaces
permissive licenses v4 normalized away. Allowlist (in all four callers:
ci.yml, pre-release-gate.yml, scripts/acceptance.sh, mise.toml) gains
Python-2.0 (argparse, via js-yaml), CC-BY-3.0 (spdx-exceptions data), and
the compound expressions "MIT OR Apache-2.0", "(Apache-2.0 AND MIT)",
"(BSD-3-Clause AND Apache-2.0)", "(BSD-2-Clause OR MIT OR Apache-2.0)",
"(MIT OR CC0-1.0)" — all permissive or composed of already-allowed ids.
- write-file-atomic 7.0.1 -> 8.0.0 across cli, ingestion, analysis, wiki.
snyk phantom dependency:
- snyk-nodejs-lockfile-parser@2.8.0 does require("debug") without declaring
it. Added a pnpm packageExtensions entry injecting debug@4.4.3 into its
deps so `pnpm install` (workspace + lockfile/CI consumers) resolves it
under pnpm strict layout. NOTE: a bare `pnpm add -g <tarball>` global
install still cannot see it (global installs do not read workspace
packageExtensions, and snyk is not ESM-bundle-safe — it does a dynamic
require("fs")). The documented + CI-tested global path is `npm install -g`,
which flat-hoists debug and works end-to-end.
Validated on Node 24.16.0: build, lint, typecheck, 2169 tests (0 fail),
banned-strings, license allowlist (lcr@5), OSV, pack determinism, and a
full `codehub analyze` of an external repo via npm-global install.
theagenticguy pushed a commit that referenced this pull request (Jun 13, 2026):
🤖 Automated release via release-please

---

<details><summary>root: 0.9.0</summary>

## [0.9.0](root-v0.8.6...root-v0.9.0) (2026-06-13)

### ⚠ BREAKING CHANGES

* baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep ([#232](#232))

### Bug Fixes

* **deps:** refresh dependencies + clear esbuild CVE (GHSA-g7r4-m6w7-qqqr) ([#230](#230)) ([75b687f](75b687f))

### Chores

* baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep ([#232](#232)) ([93c90e9](93c90e9))

</details>

<details><summary>cli: 0.9.0</summary>

## [0.9.0](cli-v0.8.6...cli-v0.9.0) (2026-06-13)

### ⚠ BREAKING CHANGES

* baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep ([#232](#232))

### Bug Fixes

* **deps:** refresh dependencies + clear esbuild CVE (GHSA-g7r4-m6w7-qqqr) ([#230](#230)) ([75b687f](75b687f))

### Chores

* baseline Node 24 + apply held majors (lcr@5, write-file-atomic@8) + fix snyk phantom debug dep ([#232](#232)) ([93c90e9](93c90e9))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
### Summary

Lifts the Node baseline to 24 and applies the two major dependency bumps that were held back in #230 solely because they require Node ≥ 24. Also addresses the `snyk-nodejs-lockfile-parser` phantom `debug` dependency surfaced by the Node 24 global-install smoke test.

BREAKING: minimum Node is now 24.15.0 (was 22.12.0). Node 22 is dropped. 24.15.0 is the floor where both majors below install under `engine-strict=true`.

### Node 24 baseline

- `engines.node` `>=22.12.0` → `>=24.15.0` across the root + all 18 packages
- `mise.toml` node pin `22` → `24`; `.nvmrc` / `.node-version` `22` → `24`
- `ci.yml`: both test matrices drop Node 22 (now `[24]`)
- `verify-global-install.yml`: the six Node-22 legs flip to 24 (dropping the now-duplicate `linux-x64-node24-mise`), keeping every installer × OS × arch combo (mise/nvm/homebrew/volta across linux x64/arm64, macOS arm64/x64)
- README: "Node 22 or 24" → "Node 24+"

### Held majors (unblocked by Node 24)

- node>=24; powers the required `licenses` gate

License allowlist update (required by lcr@5): v5 walks the tree via `@npmcli/arborist` and reports raw SPDX expressions instead of normalizing them, so it surfaces permissive licenses v4 hid. Added to all four callers (`ci.yml`, `pre-release-gate.yml`, `scripts/acceptance.sh`, `mise.toml`):

- `Python-2.0` — argparse (via js-yaml); PSF, OSI-approved permissive
- `CC-BY-3.0` — spdx-exceptions (a data package, not code)
- `MIT OR Apache-2.0`, `(Apache-2.0 AND MIT)`, `(BSD-3-Clause AND Apache-2.0)`, `(BSD-2-Clause OR MIT OR Apache-2.0)`, `(MIT OR CC0-1.0)` — compound expressions of already-allowed licenses

### snyk phantom `debug` dependency

`snyk-nodejs-lockfile-parser@2.8.0` does `require("debug")` without declaring it — it relied on npm's flat hoisting. Added a pnpm `packageExtensions` entry injecting `debug@4.4.3` into snyk's deps, which fixes resolution for `pnpm install` (the dev workspace + anyone installing from our lockfile + CI).

Honest scope note: a bare `pnpm add -g <tarball>` global install still can't see it — global installs don't read workspace `packageExtensions`, and bundling snyk into the dist isn't viable (it does a dynamic `require("fs")` that breaks ESM bundling). The documented and CI-tested global path is `npm install -g`, which flat-hoists `debug` and works end-to-end. I verified `codehub analyze` of an external repo via `npm install -g` on Node 24 (7040 nodes, 17841 edges, clean).

### Validation (Node 24.16.0, mirrors required CI)

- `npm install -g` → `codehub analyze`

🤖 Generated with Bonk — OpenCodeHub maintenance
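The PR body above adds each compound SPDX expression to the allowlist verbatim. As an added example (not code from this PR or the codehub project), here is a small evaluator that checks a raw SPDX expression, the form lcr@5 now reports, against an allowlist of single ids using SPDX semantics: `OR` passes if any branch is allowed, `AND` only if every branch is, so an expression like `MIT AND GPL-3.0-only` is rejected rather than needing a verbatim allowlist entry. The allowlist set and the `parseSpdx`/`isAllowed` names are assumptions of this example.

```javascript
// Added example, not part of the PR: evaluate a raw SPDX license expression
// (what license-checker-rseidelsohn v5 reports) against an allowlist of single
// ids. SPDX semantics: "A OR B" lets the consumer choose, so one allowed
// branch suffices; "A AND B" binds both, so every branch must be allowed.
// AND binds tighter than OR, and "X WITH exception" is one indivisible leaf.

// Assumed allowlist: ids named in this PR's allowlist change plus ISC.
const ALLOWED = new Set([
  "MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "CC0-1.0",
  "Python-2.0", "CC-BY-3.0",
]);

// Recursive descent: or := and ("OR" and)* ; and := primary ("AND" primary)* ;
// primary := "(" or ")" | id ["WITH" exception]
function parseSpdx(expr) {
  const tokens = expr.match(/\(|\)|[^\s()]+/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const fail = (msg) => { throw new Error(`${msg} in SPDX expression: ${expr}`); };
  function primary() {
    const t = tokens[pos++];
    if (t === "(") {
      const node = orExpr();
      if (tokens[pos++] !== ")") fail("missing ')'");
      return node;
    }
    if (t === undefined || t === ")" || t === "AND" || t === "OR") fail(`unexpected token ${t}`);
    if (peek() === "WITH") {            // exception modifier stays part of the leaf
      pos++;
      const exception = tokens[pos++];
      if (!exception) fail("missing exception after WITH");
      return { id: `${t} WITH ${exception}` };
    }
    return { id: t };
  }
  function andExpr() {
    let node = primary();
    while (peek() === "AND") { pos++; node = { op: "AND", left: node, right: primary() }; }
    return node;
  }
  function orExpr() {
    let node = andExpr();
    while (peek() === "OR") { pos++; node = { op: "OR", left: node, right: andExpr() }; }
    return node;
  }
  const tree = orExpr();
  if (pos !== tokens.length) fail(`trailing tokens from '${tokens[pos]}'`);
  return tree;
}

// True only when the whole expression can be satisfied with allowed ids. A bare
// "UNKNOWN" is simply not allowlisted (false); a malformed value such as lcr's
// "Custom: <url>" throws, and a gate should treat that as a failure, not a pass.
function isAllowed(expr, allowed = ALLOWED) {
  const evaluate = (n) => n.id !== undefined ? allowed.has(n.id)
    : n.op === "AND" ? evaluate(n.left) && evaluate(n.right)
    : evaluate(n.left) || evaluate(n.right);
  return evaluate(parseSpdx(expr));
}

// The five compound expressions this PR added to the allowlist verbatim.
const PR_EXPRESSIONS = ["MIT OR Apache-2.0", "(Apache-2.0 AND MIT)",
  "(BSD-3-Clause AND Apache-2.0)", "(BSD-2-Clause OR MIT OR Apache-2.0)", "(MIT OR CC0-1.0)"];
for (const e of PR_EXPRESSIONS) console.log(`${isAllowed(e) ? "allow" : "DENY "}  ${e}`);
```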