fix(deps): set engines.node to >=20.19.0 and clear prod audit high/criticals

DavertMik · claude · DavertMik · commit 9b3cdc6a17d8 · 2026-06-13T14:19:28.000+03:00
The 4.x dependency set already requires Node 20.19+ at runtime (chokidar@5
declares `engines.node &gt;= 20.19.0`, commander/glob require &gt;=20), but
package.json still advertised `node: &gt;=16.0` — so Node 16-18 users got a clean
install and then broke inside dependencies. Raise the floor to match what CI
actually tests, and sync the documented minimum.

Audit hygiene (npm audit --omit=dev, no --force):
- multer ^2.0.2 -&gt; ^2.1.1 (out of the &lt;=2.1.0 advisory range; only consumer is
  a comment in lib/test-server.js)
- uuid 11.1.0 -&gt; 11.1.1 (patch, clears the buffer-bounds advisory)
- tmp override 0.2.5 -&gt; 0.2.6 (advisory wants &lt;0.2.6 gone)
- npm audit fix (within ranges) for the rest

Result: prod npm audit goes from 38 vulnerabilities (2 critical, 16 high) to 3
(0 critical, 1 high). The remaining 3 all route through mocha@11.7.5's pinned
transitive deps (diff@7.0.0 via `^7.0.0`, serialize-javascript@6.0.2 via
`^6.0.2`); the patched versions cross mocha's declared ranges and npm's only
offered fix is `--force` to mocha@11.3.0 (a breaking change), deferred as a
deliberate major-bump decision. They are DoS-class issues in a test runner's
diff/serialization, low exploitability in normal use.

Docs: state Node 20.19+ in migration-4.md and mcp.md.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/docs/mcp.md b/docs/mcp.md
@@ -441,7 +441,7 @@ Storage capture is **enabled** for `run_code`, `snapshot`, `run_step_by_step` fa
 
 ### Server doesn't start
 
-- Node 18+ recommended.
+- Node 20.19+ required.
 - Verify the path / `npx` resolution in your client config.
 
 ### Config not found
diff --git a/docs/migration-4.md b/docs/migration-4.md
@@ -35,7 +35,7 @@ The rest of this guide documents every change the skill makes — read it if you
 
 ## 1. Update Node and Package
 
-CodeceptJS 4.x supports Node 16+, but Node 20 or newer is recommended.
+CodeceptJS 4.x requires Node 20.19 or newer.
 
 ```bash
 npm install codeceptjs@4
@@ -764,4 +764,4 @@ You don't need these to upgrade, but they unlock new workflows:
 4. TypeScript users: run with `tsx` installed and confirm error stack traces point at `.ts` files.
 5. If you removed `autoLogin`: confirm sessions restore under the `auth` plugin.
 6. If you used `tryTo` / `retryTo` / `eachElement` plugins: grep your tests for the old globals and switch to subpath imports.
-7. CI: bump the Node version to 20+ if you were on 18 or below.
+7. CI: bump the Node version to 20.19+ if you were on a lower version.
diff --git a/package.json b/package.json
@@ -127,13 +127,13 @@
     "mocha": "11.7.5",
     "monocart-coverage-reports": "2.12.9",
     "ms": "2.1.3",
-    "multer": "^2.0.2",
+    "multer": "^2.1.1",
     "ora-classic": "5.4.2",
     "parse-function": "5.6.10",
     "parse5": "7.3.0",
     "promise-retry": "1.1.1",
     "sprintf-js": "1.1.3",
-    "uuid": "11.1.0",
+    "uuid": "11.1.1",
     "xpath": "0.0.34",
     "zod": "^4.1.11"
   },
@@ -206,7 +206,7 @@
     }
   },
   "engines": {
-    "node": ">=16.0",
+    "node": ">=20.19.0",
     "npm": ">=5.6.0"
   },
   "es6": true,
@@ -217,7 +217,7 @@
     }
   },
   "overrides": {
-    "tmp": "0.2.5",
+    "tmp": "0.2.6",
     "js-yaml": "^4.1.1"
   }
 }
