@jonathanprozzi
Member

Updates Node.js runtime pins and engine constraints to patched minors for the January 2026 async_hooks DoS vulnerability.

Notes:

  • Uses the repo's existing major version to infer the patched minor.
  • For EOL majors (<20), bumps to Node 20.20.0.

Changes:

  • .node-version: runtime -> 24.13.0
  • package.json: engine -> >=24.13.0 <25.0.0 || >=25.3.0 <26.0.0

Why this fixes the issue:

  • engines.node is a guard rail only; it does not change the runtime.
  • Runtime pins (.nvmrc, Dockerfile, CI node-version, hosting config) control what Node actually runs.
  • Deploy/rebuild is required to apply the patched runtime in production.
  • Dependency updates (react/next/etc.) are for compatibility only; they do not patch Node itself.

Extra notes:

  • If the existing engines range is wide (e.g., >=20 <25), we prefer the highest patched major within that range.
  • The engines upper bound always matches the target major (e.g., >=24.13.0 <25.0.0).
  • Floating Docker tags (e.g., node:20-alpine) require a rebuild or pin to the patched minor.
  • Dependency bumps (React/Next/etc.) are for compatibility only; they do not fix the runtime vulnerability.
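As the description says, engines.node is only a guard rail: npm warns but does not stop an install on an unpatched Node. The script below is an added example, not part of this PR or the repository, that turns the same range into a fail-closed check a CI step or preinstall hook can run against the actual runtime. It assumes the range is in the simple comparator form used here (">=a.b.c <d.0.0 || ...") and does not need the semver package.

```javascript
// Added example: hard check of process.version against the engines.node range
// from this PR, so an unpatched runtime fails instead of merely warning.
const ENGINES_NODE = '>=24.13.0 <25.0.0 || >=25.3.0 <26.0.0';

// "v24.13.0" or "24.13.0" -> [24, 13, 0]
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Supports the semver subset this PR uses: comparators separated by
// whitespace are AND-ed, alternatives separated by '||' are OR-ed.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(v?\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compare(v, parseVersion(m[2]));
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>':  return c > 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    }),
  );
}

// Returns true when the running Node is inside the patched range.
function checkRuntime(version = process.version, range = ENGINES_NODE) {
  const ok = satisfies(version, range);
  console.log(`${ok ? 'OK' : 'FAIL'}: Node ${version} vs engines.node "${range}"`);
  return ok;
}

// When run directly, report on the current runtime (exit code is left to the caller).
if (typeof require !== 'undefined' && require.main === module) checkRuntime();
```

To gate CI on the result, call checkRuntime() and set process.exitCode to 1 when it returns false; that turns the warning npm gives into a failed job.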

@claude

claude bot commented Jan 15, 2026

PR Review: Node.js async_hooks DoS Patch (January 2026)

Summary

This PR appropriately addresses the January 2026 Node.js async_hooks DoS vulnerability by updating runtime pins and engine constraints to patched versions. The changes are minimal, focused, and correctly implemented.

✅ What's Done Well

  1. Correct Runtime Pin Update

    • .node-version updated from 24.4.0 → 24.13.0
    • All CI workflows reference .node-version via node-version-file, so they'll automatically use the patched version
    • No hardcoded versions in workflows to update
  2. Proper Engine Constraints

    • engines.node updated to >=24.13.0 <25.0.0 || >=25.3.0 <26.0.0
    • Correctly allows both patched Node 24.13+ and Node 25.3+ ranges
    • Upper bounds prevent accidental use of unpatched majors
  3. Minimal Scope

    • Only changes what's necessary (3 files, 3 additions, 3 deletions)
    • No unnecessary refactoring or feature additions
    • Follows the repository's convention of committing package-lock.json
  4. Documentation

    • PR description clearly explains the vulnerability and fix rationale
    • Notes about deployment requirements are accurate

🔍 Observations & Considerations

Action Runtime Compatibility

The action.yml specifies using: node24 at action.yml:54, which means GitHub Actions will run this action using Node.js 24.x. According to GitHub Actions documentation, node24 refers to the latest Node 24.x version available in the Actions runner environment.

Important: GitHub's Actions runners update their Node versions independently of your repository. When they roll out Node 24.13.0 to their runner images, your action will automatically use it. You don't control the exact Node version for node24 - GitHub does. This is actually a good thing in this case, as it means the vulnerability will be patched when GitHub updates their runners.

Engine Constraint Enforcement

The PR description correctly notes that engines.node is a "guard rail only" - it doesn't control the runtime. However, it's worth noting:

  • npm install will warn (but not fail) if run on incompatible Node versions
  • This protects local development and ensures contributors use patched versions
  • The constraint correctly matches the security advisory ranges

No Code Changes Required

Since this is a Node.js runtime vulnerability patch (not a code vulnerability), no source code changes are needed. The dist/index.js will be regenerated on the next code change via the normal npm run bundle workflow.

📋 Checklist Review

  • Code Quality: N/A (no code changes, only configuration)
  • Best Practices: Follows semver constraints, minimal changes
  • Potential Bugs: None identified
  • Performance: No performance impact
  • Security: Addresses the async_hooks DoS vulnerability correctly
  • Test Coverage: No test changes needed (runtime-only change)

🎯 Recommendations

Required: None - the PR is correct as-is.

Optional Considerations:

  1. Verify CI Workflow Behavior: Once merged, confirm that CI workflows pick up Node 24.13.0 from the updated .node-version file
  2. Monitor GitHub Runner Updates: Keep track of when GitHub Actions runners are updated to Node 24.13.0, as that's when the action runtime itself will be patched
  3. Communication: If this action is used by external users, consider a release note mentioning the security update

✅ Approval Status

Approved - This PR correctly addresses the security vulnerability with minimal, focused changes. The implementation follows the repository's conventions and includes proper engine constraints to guard against running on vulnerable Node versions.

The changes are safe to merge.


Review generated with attention to CLAUDE.md conventions and GitHub Actions architecture
