chore(deps): pin node.js to v25.8.1 #24

Open
renovate[bot] wants to merge 1 commit into main from renovate/pin-dependencies


@renovate renovate bot commented Feb 24, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| node (source) | engines | pin | >=18 -> v25.8.1 |

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


github-actions bot commented Feb 24, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Version Change: >=18 -> v25.8.1 (pinning to specific version)

Node.js v25 Major Changes:

  • V8 Engine Upgrade to 14.1: Brings major JSON.stringify performance improvements, built-in Uint8Array base64/hex conversion, and WebAssembly/JIT pipeline optimizations
  • 50+ Deprecated API Removals: Including SlowBuffer class (EOL), deprecated hash options in crypto, fs.rmdir recursive option, and fs constant exports
  • Web Storage Changes: Default behavior changed with localStorage no longer undefined, which broke webpack/jest/html-webpack-plugin chains in initial releases (partially reverted in v25.2.1)
  • Enhanced Security Features: Permission model gains --allow-net for granular network permission control, Web Storage enabled by default, ErrorEvent now global
  • Security Fixes: v25.8.0 addressed CVE-2025-59465 (TLSSocket default error handler) and CVE-2026-21636 (network check on pipe_wrap connect)

Breaking Changes:

  • SlowBuffer removed (affects dependencies like jsonwebtoken → jwa → buffer-equal-constant-time)
  • localStorage/Web Storage behavior changes can break test runners (Jest, Vitest)
  • Experimental require(ESM) support changes
  • Multiple deprecated APIs moved to End-of-Life status

Important Context: Node.js v25 is a Current release (odd-numbered), NOT an LTS version. It will not receive long-term support and is intended for previewing features and testing by library authors, not production applications.

🎯 Impact Scope Investigation

Codebase Analysis:

  • ✅ No usage of removed APIs (SlowBuffer, fs.rmdir recursive, assert.fail multi-arg) found in source code
  • ✅ No localStorage/Web Storage usage detected in the codebase
  • ✅ Simple TypeScript SDK with minimal Node.js API surface - uses only standard fetch API (via globalThis.fetch)
  • ✅ Main dependencies are dev tools (Biome, TypeScript, Vitest, Husky) with no direct Node.js-specific runtime dependencies

Runtime Environment:

  • Uses Bun as primary runtime: CI uses mise-action to install Bun (v1.2.11 detected)
  • Engines field impact: Change from >=18 to v25.8.1 is a significant restriction
    • Previous: Allowed Node.js 18.x, 20.x, 22.x, and newer
    • New: Pins to exactly Node.js v25.8.1
    • Issue: Bun may not respect the engines field strictly, but this creates confusion for users

CI Status: All checks passing on PR #24:

  • ✅ Build: pass (11s)
  • ✅ Lint: pass (14s)
  • ✅ Test: pass (12s)
  • ✅ Typecheck: pass (15s)

Dependency Compatibility:

  • No Node.js-specific packages in dependencies
  • Dev dependencies (@biomejs/biome, typescript, vitest) are actively maintained and should support Node.js 25
  • No known breaking changes affecting this SDK's functionality

💡 Recommended Actions

1. Critical Issue - Overly Restrictive Version Pinning:
The change from >=18 (semver range) to v25.8.1 (exact pin) is too restrictive and not aligned with Renovate's intended purpose. This prevents:

  • Using Node.js LTS versions (18, 20, 22)
  • Using any other Node.js 25.x version
  • Future Node.js versions

2. Node.js v25 is NOT LTS:

  • Node.js v25 is a Current release that will NOT receive long-term support
  • Production applications should use LTS versions (18, 20, or 22)
  • v25 is suitable only for feature preview and testing

3. Recommended Configuration Changes:

Option A (Recommended for Production): Keep LTS compatibility

"engines": {
  "node": ">=18"
}

Add Renovate preset :preserveSemverRanges to prevent future pinning.

Option B (If testing Node.js 25): Use range instead of pin

"engines": {
  "node": ">=18 <26"
}

Option C (Multi-version support): Explicitly support LTS and Current

"engines": {
  "node": "^18.0.0 || ^20.0.0 || ^22.0.0 || ^25.0.0"
}

4. Renovate Configuration:
Add to renovate.json:

{
  "extends": [":preserveSemverRanges"],
  "packageRules": [
    {
      "matchDepTypes": ["engines"],
      "enabled": false
    }
  ]
}

5. Runtime Consideration:
Since this project uses Bun (not Node.js) as the primary runtime:

  • The engines field may not be strictly enforced
  • Consider whether Node.js version constraints are necessary
  • Document that Bun is the recommended runtime

6. Action Items:

  1. Close this PR - The pinned version is not appropriate
  2. Configure Renovate to preserve semver ranges or disable engines updates
  3. Keep existing "node": ">=18" to maintain broad compatibility
  4. Document runtime requirements - Specify Bun version if applicable
  5. Optional: Add CI matrix testing for multiple Node.js versions (18, 20, 22, 25) if Node.js compatibility is important

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
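
To see which Node.js versions each `engines.node` value discussed in the review above admits, the following added example (not part of the PR, Renovate, or the review bot's output) evaluates the four range forms from this thread against a constructed list of versions. The helper names and the sample version list are assumptions, and the evaluator handles only the operators that appear on this page.

```javascript
// Added example: minimal evaluator for the engines.node forms quoted in this thread.
// Not a full semver implementation: handles ">=", "<", "^", exact versions and "||".
const parse = (v) => {
  const [maj = 0, min = 0, pat = 0] = v.replace(/^v/, "").split(".").map(Number);
  return [maj, min, pat];
};
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function comparatorMatches(comp, version) {
  const v = parse(version);
  if (comp.startsWith(">=")) return cmp(v, parse(comp.slice(2))) >= 0;
  if (comp.startsWith("<")) return cmp(v, parse(comp.slice(1))) < 0;
  if (comp.startsWith("^")) {
    const base = parse(comp.slice(1));
    // Caret: same major, at or above the base (valid for major >= 1, as here).
    return v[0] === base[0] && cmp(v, base) >= 0;
  }
  return cmp(v, parse(comp)) === 0; // exact pin such as "v25.8.1"
}

// A range is "||"-separated alternatives; each alternative is an AND of comparators.
function admits(range, version) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((c) => comparatorMatches(c, version)));
}

// True when the value is a single exact version rather than a range.
function isExactPin(range) {
  return /^v?\d+\.\d+\.\d+$/.test(range.trim());
}

// Constructed sample versions, one or two per release line named in the review.
const SAMPLE_VERSIONS = ["18.20.0", "20.11.0", "22.3.0", "25.8.0", "25.8.1", "26.0.0"];

function admitted(range) {
  return SAMPLE_VERSIONS.filter((v) => admits(range, v));
}

const RANGES = ["v25.8.1", ">=18", ">=18 <26", "^18.0.0 || ^20.0.0 || ^22.0.0 || ^25.0.0"];
for (const r of RANGES) {
  console.log(r.padEnd(45), isExactPin(r) ? "PIN  " : "RANGE", admitted(r).join(", "));
}
```

The exact pin excludes even 25.8.0, the release the review credits with the two CVE fixes, and would equally exclude any later 25.x patch release.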

@renovate renovate bot force-pushed the renovate/pin-dependencies branch 2 times, most recently from 1ddef35 to a88de1f Compare February 28, 2026 00:32
@renovate renovate bot changed the title chore(deps): pin node.js to v25.7.0 chore(deps): pin node.js to v25.8.0 Mar 3, 2026
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from a88de1f to d15eaff Compare March 3, 2026 18:15
@renovate renovate bot changed the title chore(deps): pin node.js to v25.8.0 chore(deps): pin node.js to v25.8.1 Mar 11, 2026
@renovate renovate bot force-pushed the renovate/pin-dependencies branch from d15eaff to 09dab0c Compare March 11, 2026 13:01