chore(deps): pin node.js to v25.8.0 #24

Open
renovate[bot] wants to merge 1 commit into main from renovate/pin-dependencies
@renovate renovate bot commented Feb 24, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| node (source) | engines | pin | >=18 → v25.8.0 |

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions bot commented Feb 24, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ❌ Not Safe

🔍 Release Content Analysis

Node.js v25.8.0 (Released: March 3, 2026)

This PR proposes pinning Node.js from a flexible >=18 requirement to an exact v25.8.0 version. Key concerns:

  • Release Status: Node.js v25 is a Current (non-LTS) release that is unsuitable for production use

    • v25 (odd-numbered) will become unsupported after 6 months from its October 2025 release
    • Expected EOL: April 2026 (approximately 1 month from now)
    • Node.js documentation states: "Production applications should only use Active LTS or Maintenance LTS releases"
  • Notable Changes in v25.8.0:

    • SQLite module: Added limits property to DatabaseSync
    • Diagnostics channels: C++ support for native modules
    • Permission system: New --permission-audit flag
    • Test runner: Worker ID exposure during concurrent execution
    • Performance: Buffer.concat() optimizations
    • Security fixes: Multiple CVE patches (CVE-2025-59465, CVE-2026-21636, etc.)
    • Dependencies: Updated npm (11.11.0), undici (7.22.0), acorn (8.16.0)
  • No Breaking Changes: v25.8.0 itself contains no documented breaking API changes

🎯 Impact Scope Investigation

Current Environment:

  • Runtime: Project currently uses Node.js v18.20.8 in CI
  • Build Tool: Bun v1.2.11 (handles actual code execution)
  • TypeScript Target: ES2022 (fully compatible with Node.js v18+)
  • CI Setup: Uses mise-action for tool management, but no .mise.toml or .tool-versions file specifying Node version
  • Code Dependencies: No direct Node.js-specific APIs used (only standard fetch/Response APIs via globalThis)

Critical Issues:

  1. Version Mismatch: CI environment runs Node.js v18.20.8, but package.json would require v25.8.0 exactly

    • This creates an immediate CI/deployment conflict
    • CI workflows (.github/workflows/ci.yml) use setup action without Node version specification
  2. Restrictive Pinning: Changing from >=18 to v25.8.0 eliminates:

    • Compatibility with LTS versions (v22, v24)
    • Flexibility for users on stable releases
    • The current development environment (v18)
  3. Lifecycle Risk: Node.js v25 reaches EOL in ~1 month, requiring another immediate upgrade

  4. CI Passing Status: Tests passed on the PR, but this is because:

    • Bun (not Node.js) executes the actual code
    • The engines field is advisory only (not enforced by npm/bun)
    • The mismatch would only surface in strict environments or production deployments

No Code Changes Required: The SDK itself doesn't use Node.js-specific APIs that would break between v18 and v25. The codebase uses:

  • Standard Web Fetch API (globalThis.fetch)
  • ES2022 JavaScript features (supported in v18+)
  • TypeScript compilation to ES2022 target

💡 Recommended Actions

DO NOT MERGE this PR as-is. The following issues must be addressed:

  1. Reject Version Pinning Approach:

    • Add :preserveSemverRanges preset to Renovate config to prevent similar pinning in future
    • Maintain flexible version range for library compatibility
  2. Recommended Alternative Versions:

    "engines": {
      "node": ">=18.18.0"
    }

    Or if updating to a more recent baseline:

    "engines": {
      "node": ">=20.0.0"
    }

    • Use LTS releases (v20, v22, v24) as minimum baseline
    • Avoid odd-numbered releases (v25) entirely for library projects
  3. Update CI/Development Environment (if upgrading):

    • Create .tool-versions or .mise.toml file:

      # .mise.toml
      [tools]
      node = "22"  # or "24" for latest LTS

    • Update local development to match
    • Ensure consistency across all environments
  4. Configuration Changes:

    // renovate.json or .github/renovate.json
    {
      "extends": [
        "config:recommended",
        ":preserveSemverRanges"
      ]
    }

  5. Testing Strategy:

    • Verify SDK works on Node.js v18, v20, v22, v24 (LTS versions)
    • Document supported Node.js versions in README
    • Add matrix testing in CI for multiple Node versions

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
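
The engines mismatch described in the review above (a v18.20.8 runtime checked against `>=18` and against the pinned `v25.8.0`), written as an explicit CI-style check. This is an added example, not code from the review, Renovate, npm or the repository; the function names are hypothetical, the manifests are constructed from the values in this PR, and only the two range forms seen here (`>=X[.Y[.Z]]` and an exact pin) are supported.

```javascript
// Added example: minimal engines.node check (not the project's or npm's code).
// Assumption: only ">=X[.Y[.Z]]" and an exact pin "[v]X.Y.Z" are supported,
// the two forms that appear in this PR; anything else throws.

function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(text.trim());
  if (!m) throw new Error(`unsupported version: ${text}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Numeric comparison of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns whether `runtime` satisfies pkg.engines.node, plus two review flags:
// exactPin (no range at all) and oddLine (bound is on an odd major, which
// never becomes an LTS line).
function checkEngines(pkg, runtime) {
  const range = pkg.engines && pkg.engines.node;
  if (!range) return { ok: true, exactPin: false, oddLine: false };
  const r = range.trim();
  const isMin = r.startsWith(">=");
  const bound = parseVersion(isMin ? r.slice(2) : r);
  const cmp = compare(parseVersion(runtime), bound);
  return {
    ok: isMin ? cmp >= 0 : cmp === 0,
    exactPin: !isMin,
    oddLine: bound[0] % 2 === 1,
  };
}

// Constructed inputs mirroring this PR: the CI runtime and both manifests.
const ciRuntime = "v18.20.8";
const before = { engines: { node: ">=18" } };
const after = { engines: { node: "v25.8.0" } };

console.log("before:", checkEngines(before, ciRuntime));
console.log("after: ", checkEngines(after, ciRuntime));
```

In a pipeline, pass `process.version` as the runtime and exit non-zero when `ok` is false, so the mismatch fails the build instead of staying advisory.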

renovate bot force-pushed the renovate/pin-dependencies branch 2 times, most recently from 1ddef35 to a88de1f (February 28, 2026 00:32)
renovate bot changed the title from "chore(deps): pin node.js to v25.7.0" to "chore(deps): pin node.js to v25.8.0" (Mar 3, 2026)
renovate bot force-pushed the renovate/pin-dependencies branch from a88de1f to d15eaff (March 3, 2026 18:15)