From cb9fd78f2ce8683b0e21cedf3d0faf010017af9d Mon Sep 17 00:00:00 2001
From: capJavert
Date: Thu, 15 Jan 2026 11:22:01 +0100
Subject: [PATCH 1/2] chore: upgrade Node.js to 22.22.0 (CVE-2025-59466)

Update Node.js version from 22.16 to 22.22.0 to mitigate CVE-2025-59466 affecting async_hooks / AsyncLocalStorage.
Updated files:
- .nvmrc
- package.json (volta)
- Dockerfile
- Dockerfile.dev
- .circleci/config.yml
- .infra/.nvmrc
- .infra/package.json (volta)
- AGENTS.md (version + upgrade checklist)
Co-Authored-By: Claude Opus 4.5
---
 .circleci/config.yml | 4 ++--
 .infra/.nvmrc | 2 +-
 .infra/package.json | 2 +-
 .nvmrc | 2 +-
 AGENTS.md | 16 ++++++++++++++--
 Dockerfile | 2 +-
 Dockerfile.dev | 2 +-
 package.json | 2 +-
 8 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index f72e032cdb..136894269a 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -5,7 +5,7 @@ jobs:
 build-app:
 executor:
 name: common/node
- tag: "22.16"
+ tag: "22.22"
 steps:
 - common/setup-node
 - run:
@@ -23,7 +23,7 @@ jobs:
 test:
 resource_class: large
 docker:
- - image: cimg/node:22.16
+ - image: cimg/node:22.22
 - image: postgres:18-alpine
 environment:
 POSTGRES_DB: api_test
diff --git a/.infra/.nvmrc b/.infra/.nvmrc
index f2a2bc6165..f766ee84dd 100644
--- a/.infra/.nvmrc
+++ b/.infra/.nvmrc
@@ -1 +1 @@
-22.16
+22.22
diff --git a/.infra/package.json b/.infra/package.json
index aef56a3750..ef92836d71 100644
--- a/.infra/package.json
+++ b/.infra/package.json
@@ -14,6 +14,6 @@
 },
 "packageManager": "pnpm@9.14.4+sha256.26a726b633b629a3fabda006f696ae4260954a3632c8054112d7ae89779e5f9a",
 "volta": {
- "node": "22.16.0"
+ "node": "22.22.0"
 }
 }
diff --git a/.nvmrc b/.nvmrc
index f2a2bc6165..f766ee84dd 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-22.16
+22.22
diff --git a/AGENTS.md b/AGENTS.md
index e557183c90..65721840bf 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -4,7 +4,7 @@ This file provides guidance to coding agents when working with code in this repo
 ## Prerequisites
-- **Node.js**: 22.16.0 (managed via Volta)
+- **Node.js**: 22.22.0 (managed via Volta)
 - **Package Manager**: pnpm 9.14.4
 ## Essential Commands
@@ -25,7 +25,7 @@ This file provides guidance to coding agents when working with code in this repo
 **Migration Generation:** When adding or modifying entity columns, **always generate a migration** using:
 ```bash
-# IMPORTANT: Run nvm use from within daily-api directory (uses .nvmrc with node 22.16)
+# IMPORTANT: Run nvm use from within daily-api directory (uses .nvmrc with node 22.22)
 cd /path/to/daily-api
 nvm use
 pnpm run db:migrate:make src/migration/DescriptiveMigrationName
@@ -161,3 +161,15 @@ Hooks are configured in `.claude/settings.json`:
 - **File Protection** (PreToolUse): Blocks edits to `pnpm-lock.yaml`, `src/migration/`, `.infra/Pulumi.*`, `.env`, `.git/`
 - **Prevent Force Push** (PreToolUse): Blocks `git push --force` and `git push -f`
 - **Auto-Lint** (PostToolUse): Runs `eslint --fix` on TypeScript files after edits
+
+## Node.js Version Upgrade Checklist
+
+When upgrading Node.js version, update these files:
+- `.nvmrc`
+- `package.json` (volta section)
+- `Dockerfile`
+- `Dockerfile.dev`
+- `.circleci/config.yml` (2 places: executor tag and docker image)
+- `.infra/.nvmrc`
+- `.infra/package.json` (volta section)
+- This file (`AGENTS.md` - Prerequisites section)
diff --git a/Dockerfile b/Dockerfile
index d63e49a22f..f95c88f713 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM node:22.16-bookworm-slim
+FROM node:22.22-bookworm-slim
 ADD https://www.apple.com/appleca/AppleIncRootCertificate.cer /usr/local/share/ca-certificates/AppleIncRootCertificate.cer
 ADD https://www.apple.com/certificateauthority/AppleRootCA-G2.cer /usr/local/share/ca-certificates/AppleRootCA-G2.cer
diff --git a/Dockerfile.dev b/Dockerfile.dev
index eafe05eec2..b447eaf551 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,4 +1,4 @@
-FROM node:22.16-bookworm-slim
+FROM node:22.22-bookworm-slim
 ADD https://www.apple.com/appleca/AppleIncRootCertificate.cer /usr/local/share/ca-certificates/AppleIncRootCertificate.cer
 ADD https://www.apple.com/certificateauthority/AppleRootCA-G2.cer /usr/local/share/ca-certificates/AppleRootCA-G2.cer
diff --git a/package.json b/package.json
index 30de090951..1edf7203e7 100644
--- a/package.json
+++ b/package.json
@@ -191,7 +191,7 @@
 }
 },
 "volta": {
- "node": "22.16.0"
+ "node": "22.22.0"
 },
 "packageManager": "pnpm@9.14.4+sha256.26a726b633b629a3fabda006f696ae4260954a3632c8054112d7ae89779e5f9a",
 "pnpm": {
From bb544cbf45fe3f1e00754f9202e7a32832452083 Mon Sep 17 00:00:00 2001
From: capJavert
Date: Thu, 15 Jan 2026 11:54:10 +0100
Subject: [PATCH 2/2] feat: adjust install

---
 AGENTS.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/AGENTS.md b/AGENTS.md
index 65721840bf..4e7b53ada4 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -173,3 +173,5 @@ When upgrading Node.js version, update these files:
 - `.infra/.nvmrc`
 - `.infra/package.json` (volta section)
 - This file (`AGENTS.md` - Prerequisites section)
+
+After updating, run `pnpm install` to check if lock file needs updating and commit any changes.