Skip to content

chore(deps): update node.js to v24.18.0#86

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/node-24.x
Open

chore(deps): update node.js to v24.18.0#86
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/node-24.x

Conversation

@renovate

@renovate renovate Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change
node (source) engines minor ^24.15.0^24.18.0
node (source) minor 24.15.024.18.0

Release Notes

nodejs/node (node)

v24.18.0: 2026-06-23, Version 24.18.0 'Krypton' (LTS), @​richardlau prepared by @​sxa

Compare Source

Notable Changes
  • [e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
  • [44c8ebcbd6] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #​64004
  • [d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
  • [bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #​62527
  • [b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #​62527
  • [ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
  • [4c9251fc09] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #​63155
  • [8c989ec4a3] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
  • [3f54c8ba32] - Revert "stream: noop pause/resume on destroyed streams" (Stewart X Addison) #​63834
Commits

v24.17.0: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95

Compare Source

This is a security release.

Notable Changes
  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
Commits

v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes
  • [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
  • [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
  • [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
  • [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
  • [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
  • [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
  • [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #​61098
  • [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #​61747
  • [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #​62820
  • [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #​60751
  • [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #​61556
Commits

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 2, 2026
@renovate
renovate Bot force-pushed the renovate/node-24.x branch 3 times, most recently from 9f837af to 825fa46 Compare June 4, 2026 16:04
@renovate

renovate Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
? Verifying lockfile against supply-chain policies (167 entries)...

   ╭─────────────────────────────────────────╮
   │                                         │
   │   Update available! 11.7.0 → 11.8.0.    │
   │   Changelog: https://pnpm.io/v/11.8.0   │
   │    To update, run: pnpm add -g pnpm     │
   │                                         │
   ╰─────────────────────────────────────────╯

✗ Lockfile failed supply-chain policy check (167 entries in 2.6s)
[ERR_PNPM_TARBALL_URL_MISMATCH] 167 lockfile entries failed verification:
  @babel/runtime@7.29.7 has a tarball URL (http://npmproxy.devexpress.devx:4873/@babel/runtime/-/runtime-7.29.7.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.7.tgz)
  @devexpress/utils@2.1.1 has a tarball URL (http://npmproxy.devexpress.devx:4873/@devexpress/utils/-/utils-2.1.1.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@devexpress/utils/-/utils-2.1.1.tgz)
  @fast-csv/format@5.0.7 has a tarball URL (http://npmproxy.devexpress.devx:4873/@fast-csv/format/-/format-5.0.7.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@fast-csv/format/-/format-5.0.7.tgz)
  @fast-csv/parse@5.0.7 has a tarball URL (http://npmproxy.devexpress.devx:4873/@fast-csv/parse/-/parse-5.0.7.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@fast-csv/parse/-/parse-5.0.7.tgz)
  @isaacs/cliui@8.0.2 has a tarball URL (http://npmproxy.devexpress.devx:4873/@isaacs/cliui/-/cliui-8.0.2.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz)
  @jridgewell/gen-mapping@0.3.13 has a tarball URL (http://npmproxy.devexpress.devx:4873/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz)
  @jridgewell/remapping@2.3.5 has a tarball URL (http://npmproxy.devexpress.devx:4873/@jridgewell/remapping/-/remapping-2.3.5.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz)
  @jridgewell/resolve-uri@3.1.2 has a tarball URL (http://npmproxy.devexpress.devx:4873/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz)
  @jridgewell/sourcemap-codec@1.5.5 has a tarball URL (http://npmproxy.devexpress.devx:4873/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz)
  @jridgewell/trace-mapping@0.3.31 has a tarball URL (http://npmproxy.devexpress.devx:4873/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz)
  @pkgjs/parseargs@0.11.0 has a tarball URL (http://npmproxy.devexpress.devx:4873/@pkgjs/parseargs/-/parseargs-0.11.0.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz)
  @preact/signals-core@1.14.2 has a tarball URL (http://npmproxy.devexpress.devx:4873/@preact/signals-core/-/signals-core-1.14.2.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@preact/signals-core/-/signals-core-1.14.2.tgz)
  @types/jquery@3.5.34 has a tarball URL (http://npmproxy.devexpress.devx:4873/@types/jquery/-/jquery-3.5.34.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@types/jquery/-/jquery-3.5.34.tgz)
  @types/pako@2.0.4 has a tarball URL (http://npmproxy.devexpress.devx:4873/@types/pako/-/pako-2.0.4.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@types/pako/-/pako-2.0.4.tgz)
  @types/raf@3.4.3 has a tarball URL (http://npmproxy.devexpress.devx:4873/@types/raf/-/raf-3.4.3.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@types/raf/-/raf-3.4.3.tgz)
  @types/sizzle@2.3.10 has a tarball URL (http://npmproxy.devexpress.devx:4873/@types/sizzle/-/sizzle-2.3.10.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@types/sizzle/-/sizzle-2.3.10.tgz)
  @types/trusted-types@2.0.7 has a tarball URL (http://npmproxy.devexpress.devx:4873/@types/trusted-types/-/trusted-types-2.0.7.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz)
  abort-controller@3.0.0 has a tarball URL (http://npmproxy.devexpress.devx:4873/abort-controller/-/abort-controller-3.0.0.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/abort-controller/-/abort-controller-3.0.0.tgz)
  ansi-regex@5.0.1 has a tarball URL (http://npmproxy.devexpress.devx:4873/ansi-regex/-/ansi-regex-5.0.1.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz)
  ansi-regex@6.2.2 has a tarball URL (http://npmproxy.devexpress.devx:4873/ansi-regex/-/ansi-regex-6.2.2.tgz) that does not match the registry's published metadata (https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz)
  …and 147 more

The lockfile contains entries that the active policies reject. This can mean the lockfile is stale, or that someone committed a lockfile that bypassed the policy locally — inspect recent changes to pnpm-lock.yaml before trusting it. If the changes look expected, run "pnpm clean --lockfile" and then "pnpm install" to rebuild from a fresh resolution. Alternatively, relax the policy that flagged them.

@renovate
renovate Bot force-pushed the renovate/node-24.x branch from 825fa46 to cb5501c Compare June 5, 2026 18:29
@renovate
renovate Bot force-pushed the renovate/node-24.x branch 4 times, most recently from 203d3fd to 79d0b71 Compare June 24, 2026 01:39
@renovate renovate Bot changed the title chore(deps): update node.js to v24.16.0 chore(deps): update node.js to v24.17.0 Jun 24, 2026
@renovate
renovate Bot force-pushed the renovate/node-24.x branch from 79d0b71 to bb20f3f Compare June 30, 2026 03:12
@renovate renovate Bot changed the title chore(deps): update node.js to v24.17.0 chore(deps): update node.js to v24.18.0 Jun 30, 2026
@renovate
renovate Bot force-pushed the renovate/node-24.x branch from bb20f3f to b045941 Compare June 30, 2026 09:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants