theagenticguy · theagenticguy · Jun 13, 2026 · Jun 13, 2026
@@ -50,7 +50,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        node-version: [22, 24]
+        node-version: [24]
     runs-on: ${{ matrix.os }}
     env:
       MISE_NODE_VERSION: ${{ matrix.node-version }}
@@ -92,7 +92,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        node-version: [22]
+        node-version: [24]
     runs-on: ${{ matrix.os }}
     env:
       MISE_NODE_VERSION: ${{ matrix.node-version }}
@@ -146,10 +146,17 @@ jobs:
       - name: license allowlist
         # Root is `private: true` with no runtime deps post-collapse; scan
         # packages/cli (the real third-party runtime deps) via `--start`.
+        # license-checker-rseidelsohn v5 walks the tree via @npmcli/arborist
+        # and reports raw SPDX expressions (e.g. "MIT OR Apache-2.0") instead
+        # of normalizing to a single id, so the compound expressions below are
+        # listed verbatim. Python-2.0 (argparse, via js-yaml) and CC-BY-3.0
+        # (spdx-exceptions data) are both OSI-approved permissive. Keep this
+        # allowlist identical across ci.yml, pre-release-gate.yml, and
+        # scripts/acceptance.sh.
         run: >
           pnpm exec license-checker-rseidelsohn
           --start packages/cli
-          --onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD'
+          --onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD;Python-2.0;CC-BY-3.0;MIT OR Apache-2.0;(Apache-2.0 AND MIT);(BSD-3-Clause AND Apache-2.0);(BSD-2-Clause OR MIT OR Apache-2.0);(MIT OR CC0-1.0)'
           --excludePrivatePackages
           --production
 

@@ -98,10 +98,13 @@ jobs:
       - name: license allowlist
         # Root is `private: true` with no runtime deps post-collapse; scan
         # packages/cli (the real third-party runtime deps) via `--start`.
+        # license-checker-rseidelsohn v5 reports raw SPDX expressions; see the
+        # note in ci.yml. Keep this allowlist identical across ci.yml,
+        # pre-release-gate.yml, and scripts/acceptance.sh.
         run: >
           pnpm exec license-checker-rseidelsohn
           --start packages/cli
-          --onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD'
+          --onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD;Python-2.0;CC-BY-3.0;MIT OR Apache-2.0;(Apache-2.0 AND MIT);(BSD-3-Clause AND Apache-2.0);(BSD-2-Clause OR MIT OR Apache-2.0);(MIT OR CC0-1.0)'
           --excludePrivatePackages
           --production
 

@@ -6,7 +6,7 @@
 # `npm install -g`, run the 5 hard gates plus the 4 smoke commands. The CLI is
 # the only published package — the 14 internal libraries are bundled into its
 # tarball at build time (tsup noExternal), so a single tarball is the entire
-# install graph. The matrix exercises Linux/macOS x Node 20/22/24 x
+# install graph. The matrix exercises Linux/macOS x Node 24 x
 # mise/nvm/Homebrew/Volta installers so a regression in any one of those tool
 # managers cannot land silently.
 #
@@ -49,64 +49,58 @@ jobs:
       matrix:
         include:
           # ---------------------------- Linux x64 -----------------------------
-          # Floor is Node 22 (engines.node >= 22.12.0); the prior node20 row
-          # tested a sub-floor runtime and was dropped.
-          - label: linux-x64-node22-mise
-            runner: ubuntu-24.04
-            os: linux
-            arch: x64
-            node: "22"
-            installer: mise
+          # Floor is Node 24 (engines.node >= 24.15.0); the prior node20/node22
+          # rows tested sub-floor runtimes and were dropped.
           - label: linux-x64-node24-mise
             runner: ubuntu-24.04
             os: linux
             arch: x64
             node: "24"
             installer: mise
-          - label: linux-x64-node22-nvm
+          - label: linux-x64-node24-nvm
             runner: ubuntu-24.04
             os: linux
             arch: x64
-            node: "22"
+            node: "24"
             installer: nvm
           # ---------------------------- Linux arm64 ---------------------------
           # ubuntu-24.04-arm is the public-repo arm64 runner label; it is
           # the closest proxy GitHub offers for Apple Silicon Linux boxes.
-          - label: linux-arm64-node22-mise
+          - label: linux-arm64-node24-mise
             runner: ubuntu-24.04-arm
             os: linux
             arch: arm64
-            node: "22"
+            node: "24"
             installer: mise
           # ---------------------------- macOS arm64 ---------------------------
           # macos-14 / macos-15 are arm64 runners (Apple Silicon).
-          - label: macos-arm64-node22-homebrew
+          - label: macos-arm64-node24-homebrew
             runner: macos-14
             os: macos
             arch: arm64
-            node: "22"
+            node: "24"
             installer: homebrew
-          - label: macos-arm64-node22-nvm
+          - label: macos-arm64-node24-nvm
             runner: macos-14
             os: macos
             arch: arm64
-            node: "22"
+            node: "24"
             installer: nvm
-          - label: macos-arm64-node22-volta
+          - label: macos-arm64-node24-volta
             runner: macos-14
             os: macos
             arch: arm64
-            node: "22"
+            node: "24"
             installer: volta
           # ---------------------------- macOS x64 -----------------------------
           # macos-15-intel is the current Intel-Mac (x86_64) runner label;
           # covers the Intel Mac smoke case the plan calls out. The older
           # `macos-13` label was retired by GitHub.
-          - label: macos-x64-node22-nvm
+          - label: macos-x64-node24-nvm
             runner: macos-15-intel
             os: macos
             arch: x64
-            node: "22"
+            node: "24"
             installer: nvm
     steps:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
@@ -135,7 +129,7 @@ jobs:
           bash /tmp/nvm-install.sh
           export NVM_DIR="$HOME/.nvm"
           # Sourcing nvm.sh runs nvm's auto-use against the repo `.nvmrc`
-          # (node 22). On the macOS runners nvm is freshly cloned and no
+          # (node 24). On the macOS runners nvm is freshly cloned and no
           # node is installed yet, so that auto-use returns exit 3
           # ("version N/A — not installed"). Under `set -e` that aborts the
           # step before `nvm install` ever runs. On the Ubuntu runners nvm +

@@ -1 +1 @@
-22
+24
@@ -1 +1 @@
-22
+24
@@ -108,7 +108,7 @@ for musl / `win32-arm64` coverage.
 
 ### Install from npm (recommended)
 
-**Requirements:** Node 22 or 24.
+**Requirements:** Node 24+.
 
 ```bash
 # global install — puts `codehub` on your PATH
@@ -136,7 +136,7 @@ codehub analyze
 
 ### Build from source
 
-**Requirements:** Node 22 or 24; pnpm 11+; Python 3.12 (only needed for
+**Requirements:** Node 24+; pnpm 11+; Python 3.12 (only needed for
 SCIP indexers on Python-heavy repos); `mise` recommended.
 
 ```bash

@@ -1,5 +1,5 @@
 [tools]
-node = "22"
+node = "24"
 pnpm = "11.1.0"
 python = "3.12"
 uv = "latest"
@@ -149,7 +149,7 @@ run = "bash scripts/check-banned-strings.sh"
 description = "License allowlist check (packages/cli prod deps)"
 # Root is `private: true` with no runtime deps post-collapse, so scan from
 # packages/cli (where the real third-party runtime deps live) via `--start`.
-run = "pnpm exec license-checker-rseidelsohn --start packages/cli --onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD' --excludePrivatePackages --production"
+run = "pnpm exec license-checker-rseidelsohn --start packages/cli --onlyAllow 'Apache-2.0;MIT;BSD-2-Clause;BSD-3-Clause;ISC;CC0-1.0;BlueOak-1.0.0;0BSD;Python-2.0;CC-BY-3.0;MIT OR Apache-2.0;(Apache-2.0 AND MIT);(BSD-3-Clause AND Apache-2.0);(BSD-2-Clause OR MIT OR Apache-2.0);(MIT OR CC0-1.0)' --excludePrivatePackages --production"
 
 [tasks.osv]
 description = "OSV vulnerability scan against pnpm-lock.yaml"

@@ -5,7 +5,7 @@
   "description": "OpenCodeHub — Apache-2.0 code intelligence graph + MCP server for AI coding agents",
   "license": "Apache-2.0",
   "engines": {
-    "node": ">=22.12.0",
+    "node": ">=24.15.0",
     "pnpm": ">=11.0.0"
   },
   "packageManager": "pnpm@11.1.0",
@@ -31,7 +31,7 @@
     "commitizen": "4.3.2",
     "cz-conventional-changelog": "3.3.0",
     "lefthook": "2.1.9",
-    "license-checker-rseidelsohn": "4.4.2",
+    "license-checker-rseidelsohn": "5.0.1",
     "tsx": "4.22.4",
     "typescript": "6.0.3"
   },

@@ -43,7 +43,7 @@
     "@opencodehub/sarif": "workspace:*",
     "@opencodehub/storage": "workspace:*",
     "@opencodehub/wiki": "workspace:*",
-    "write-file-atomic": "7.0.1"
+    "write-file-atomic": "8.0.0"
   },
   "devDependencies": {
     "@types/node": "25.9.3",
@@ -66,6 +66,6 @@
     "detect-changes"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -61,7 +61,7 @@
     "piscina": "5.2.0",
     "snyk-nodejs-lockfile-parser": "2.8.0",
     "web-tree-sitter": "0.26.9",
-    "write-file-atomic": "7.0.1",
+    "write-file-atomic": "8.0.0",
     "yaml": "2.9.0",
     "zod": "4.4.3"
   },
@@ -104,6 +104,6 @@
     "code-analysis"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -62,6 +62,6 @@
     "legacy-code"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -57,6 +57,6 @@
     "typescript"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -6,7 +6,7 @@
   "license": "Apache-2.0",
   "type": "module",
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   },
   "scripts": {
     "dev": "astro dev",

@@ -67,6 +67,6 @@
     "semantic-search"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -61,6 +61,6 @@
     "language-detection"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -58,7 +58,7 @@
     "snyk-nodejs-lockfile-parser": "2.8.0",
     "spdx-correct": "^3.2.0",
     "web-tree-sitter": "0.26.9",
-    "write-file-atomic": "7.0.1"
+    "write-file-atomic": "8.0.0"
   },
   "devDependencies": {
     "@types/node": "25.9.3",
@@ -90,6 +90,6 @@
     "pipeline"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -72,6 +72,6 @@
     "coding-agent"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -65,6 +65,6 @@
     "context-window"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -61,6 +61,6 @@
     "allowlist"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -65,6 +65,6 @@
     "findings"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -63,6 +63,6 @@
     "sast"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -68,6 +68,6 @@
     "java"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -62,6 +62,6 @@
     "rrf"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -66,6 +66,6 @@
     "storage"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -62,6 +62,6 @@
     "code-summaries"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }
@@ -42,7 +42,7 @@
     "@opencodehub/core-types": "workspace:*",
     "@opencodehub/storage": "workspace:*",
     "@opencodehub/summarizer": "workspace:*",
-    "write-file-atomic": "7.0.1"
+    "write-file-atomic": "8.0.0"
   },
   "devDependencies": {
     "@types/node": "25.9.3",
@@ -66,6 +66,6 @@
     "markdown"
   ],
   "engines": {
-    "node": ">=22.12.0"
+    "node": ">=24.15.0"
   }
 }