chore(deps): pin node.js to v25.9.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
node (source)	engines	pin	>=18 → v25.9.0

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

Node.js v25.9.0 (Released April 1, 2026) - Notable Changes:

• Test Runner Module Mocking API Consolidation: MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been consolidated into a single MockModuleOptions.exports option. Migration tool available: npx codemod @nodejs/mock-module-exports

• Security Fixes: Multiple CVEs addressed including CVE-2026-21716 (permission check on lib/fs/promises), CVE-2026-21715 (permission check to realpath.native), CVE-2026-21714 (NGHTTP2_ERR_FLOW_CONTROL error handling), CVE-2026-21712 (URL crash handling), and CVE-2026-21637 (SNICallback invocation)

• New Features (SEMVER-MINOR):

  • AsyncLocalStorage: Added using scope support for enhanced async context management
  • CLI: New --max-heap-size option for memory control
  • Cryptography: Added TurboSHAKE and KangarooTwelve Web Cryptography algorithms
  • REPL: Removed node:domain dependency
  • SEA: Code cache support for ESM entrypoints
  • Streams: New experimental stream/iter implementation

• Dependency Updates: ada to 3.4.4, timezone to 2026a, simdjson to 4.5.0, ngtcp2 to 1.21.0, npm to 11.12.1, SQLite to 3.51.3

• Notable Deprecations: CryptoKey use in node:crypto, module.register() (DEP0205)

Major Compatibility Concern:

• Node.js 18 reached End-of-Life in April 2025 and is no longer supported
• Node.js v25 is a Current release (not LTS) - suitable for experimentation but requires thorough testing for production
• The recommended production path is Node.js 22 LTS (supported until April 2027)

🎯 Impact Scope Investigation

1. Package.json Changes:

• Changes engines.node from >=18 (flexible range) to v25.9.0 (exact pin)
• This is a breaking change for the package distribution strategy

2. Codebase Usage Analysis:

• ✅ No usage of deprecated Node.js APIs found:

  • No node:domain usage
  • No CryptoKey usage
  • No module.register() usage
  • No test runner module mocking APIs (MockModule)

• ✅ Core APIs used are stable:

  • globalThis.fetch (stable in Node.js since v18)
  • Standard Response, Request objects
  • TypeScript with ES2022 target

3. CI/Build Environment:

• Uses Bun (v1.2.11) as the primary runtime for build/test, not Node.js directly
• Bun has ~98% Node.js API compatibility in 2026
• CI workflows use mise-action for tool management but no explicit Node.js version pinning detected
• All CI checks (Build, Lint, Test, Typecheck) currently passing

4. Dependency Compatibility:

• @types/node: 22.19.11 (mismatched with Node.js v25.9.0 pin)
• TypeScript: 5.9.3 (compatible with all Node versions)
• Other dev dependencies (Biome, Vitest, Husky) are runtime-agnostic

5. Consumer Impact:

• This SDK is published to npm as @codize/piston
• Pinning to exact Node.js version (v25.9.0) means:
  • ❌ Consumers on Node.js 18, 20, 22 will see warnings/errors
  • ❌ Blocks adoption for users on stable LTS versions
  • ❌ Incompatible with Renovate's typical semver range preservation

💡 Recommended Actions

CRITICAL - Do NOT merge as-is. This PR requires significant modifications:

1. Reject the exact version pin strategy:

   • The change from >=18 to v25.9.0 is inappropriate for a library package
   • Exact pins make sense for applications, not SDKs
   • Add :preserveSemverRanges to Renovate config as suggested in the PR description

2. Update to a more appropriate range:

   • Recommended: "node": ">=18" (keep current) or "node": ">=22" (upgrade to LTS minimum)
   • Node.js 22 is the current LTS and supported until April 2027
   • Node.js v25 is Current (not LTS) and changes every month

3. Sync @types/node version:

   • If targeting Node.js v25, update @types/node from 22.19.11 to 25.x
   • If keeping >=18 range, current @types/node: 22.x is appropriate (covers v18-22)

4. CI Configuration:

   • Add explicit Node.js version matrix testing if upgrading minimum (test 18, 20, 22)
   • Verify Bun compatibility continues with any Node.js API changes

5. Alternative approach - Stay on current strategy:

   • Keep "node": ">=18" as-is (most flexible for consumers)
   • Configure Renovate with :preserveSemverRanges preset to prevent future pin attempts
   • This SDK uses only stable, widely-supported Node.js APIs (fetch, standard library)

Migration Checklist if proceeding with v25:

• Update @types/node to 25.x
• Test with actual Node.js v25.9.0 (not just Bun)
• Update Renovate config with :preserveSemverRanges
• Change pin to appropriate range (>=22 or >=25)
• Verify no breaking changes affect fetch API or other used APIs
• Document Node.js version requirements in README.md

🔗 Reference Links

• Node.js v25.9.0 Release Notes
• Node.js v25 Changelog
• Node.js Releases Overview
• Node.js End of Life Information
• Node.js 18 End of Life Announcement
• Bun Node.js Compatibility Documentation
• Bun vs Node.js 2026 Comparison

Generated by koki-develop/claude-renovate-review