chore(ci): bump GitHub Actions to Node 24-native versions #38
Merged
GitHub Actions runners default to Node 24 starting June 2nd, 2026. The previously-pinned versions (checkout@v4, setup-node@v4, wrangler-action@v3) all ran on Node 20 and produced deprecation warnings on every workflow run.

Latest stable versions, all native to Node 24:

- actions/checkout v4 → v6 (v6.0.2, published 2026-01-09)
- actions/setup-node v4 → v6 (v6.4.0, published 2026-04-20)
- cloudflare/wrangler-action v3 → v4 (v4.0.0, published 2026-05-12)

Behavior expected unchanged; this is purely a runtime-version migration. CI on this PR verifies the bumped versions work cleanly before merging.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
MP2EZ added a commit that referenced this pull request May 31, 2026
The @opennextjs/cloudflare 1.19.11 upgrade in this PR pulls a newer transitive wrangler that requires Node.js >= 22. CI's setup-node was pinned to node-version 20, so `wrangler dev` aborted on startup with "Wrangler requires at least Node.js v22.0.0" — the wrangler-smoke job's worker never came up and the readiness probe timed out.

Bumps node-version 20 → 22 in both ci.yml (Lint+Tests, wrangler-smoke) and deploy.yml.

This is distinct from the earlier Actions-runtime bump (PR #38: checkout/setup-node action versions) — that was the action's own Node runtime; this is the Node the action provisions for the project toolchain.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
MP2EZ added a commit that referenced this pull request May 31, 2026
* fix(security): patch SSRF + high-severity CVEs in next + OpenNext

Audit (/m:audit --security) flagged 51 npm vulns, 2 hitting the production runtime:

- @opennextjs/cloudflare 1.14.4 → 1.19.11: SSRF via /cdn-cgi/ path-normalization bypass (GHSA-c7mq-gh6q-6q7c). This is the live Cloudflare Workers server adapter — the built worker ships its runtime shim, so even though it's a devDependency the vuln reaches production. Highest-priority fix.
- next 16.0.10 → 16.2.6: high-severity set (Server-Actions CSRF via null origin, middleware/proxy bypass, RSC cache poisoning, image-optimizer DoS). Several target the middleware GPC/AB surface.

Also bumped eslint-config-next to match (16.2.6) and ran npm audit fix for transitive criticals (fast-xml-parser, serialize-javascript, minimatch, etc.). Result: 51 → 4 vulns.

The remaining 4 are all moderate build-chain transitives (postcss XSS via next, @opennextjs/aws) whose only "fix" npm offers is a catastrophic downgrade — next→9.3.3 (destroys the app) or @opennextjs→1.14.1 (reintroduces the SSRF just fixed). They are build-time only (PostCSS never serves user content) with no real runtime exposure and no forward fix available, so they are left intentionally. Do NOT run `npm audit fix --force`.

Verified: lint + typecheck clean, 80 tests pass, `next build` + `opennextjs-cloudflare build` both succeed (worker.js produced).

Note: 16.3.x is canary-only; 16.2.6 is the latest stable 16.x.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: bump runner Node 20 → 22 (required by upgraded wrangler)

The @opennextjs/cloudflare 1.19.11 upgrade in this PR pulls a newer transitive wrangler that requires Node.js >= 22. CI's setup-node was pinned to node-version 20, so `wrangler dev` aborted on startup with "Wrangler requires at least Node.js v22.0.0" — the wrangler-smoke job's worker never came up and the readiness probe timed out.

Bumps node-version 20 → 22 in both ci.yml (Lint+Tests, wrangler-smoke) and deploy.yml.

This is distinct from the earlier Actions-runtime bump (PR #38: checkout/setup-node action versions) — that was the action's own Node runtime; this is the Node the action provisions for the project toolchain.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
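The commit message above leaves four findings in place because the only offered fix is a downgrade. As an added example (not code from this PR or repository), the triage below sorts `npm audit --json` findings by what the offered fix would install, so a CI gate can refuse `--force` when a pin would move backwards. The report, the installed versions, the `example-unfixed` package and the reading of "@opennextjs→1.14.1" as `@opennextjs/cloudflare` are constructed assumptions.

```javascript
// Added example (not code from this PR): triage `npm audit --json` findings by
// what applying the offered fix would do. Report and versions are constructed.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    postcss: { severity: "moderate",
      fixAvailable: { name: "next", version: "9.3.3", isSemVerMajor: true } },
    "@opennextjs/aws": { severity: "moderate",
      fixAvailable: { name: "@opennextjs/cloudflare", version: "1.14.1", isSemVerMajor: true } },
    minimatch: { severity: "high", fixAvailable: true },
    "example-unfixed": { severity: "low", fixAvailable: false }, // hypothetical package
  },
};
const sampleInstalled = { next: "16.2.6", "@opennextjs/cloudflare": "1.19.11" };

// Compare plain x.y.z versions; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// fixAvailable is true (plain `npm audit fix`), false (no fix), or an object
// naming the direct dependency and version that `--force` would install.
function triage(report, installed) {
  const out = { safeFix: [], forceUpgrade: [], forceDowngrade: [], noFix: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    if (fix === true) { out.safeFix.push(name); continue; }
    if (!fix) { out.noFix.push(name); continue; }
    const current = installed[fix.name];
    const entry = { name, severity: vuln.severity, installs: `${fix.name}@${fix.version}` };
    const down = current !== undefined && compareVersions(fix.version, current) < 0;
    (down ? out.forceDowngrade : out.forceUpgrade).push(entry);
  }
  return out;
}

// A CI gate can refuse `--force` whenever any offered fix moves a pin backwards.
function forceIsUnsafe(report, installed) {
  return triage(report, installed).forceDowngrade.length > 0;
}

console.log(JSON.stringify(triage(sampleReport, sampleInstalled), null, 2));
```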
Summary
Pure runtime-version migration. GitHub Actions runners default to Node 24 on June 2nd, 2026. The previously pinned versions (`checkout@v4`, `setup-node@v4`, `wrangler-action@v3`) ran on Node 20 and produced deprecation warnings on every workflow run.
Bumps
All 10 action references across `.github/workflows/ci.yml` and `.github/workflows/deploy.yml` updated via sed.
Verification
CI on this PR runs under the new action versions, so a green build IS the verification:
If CI is green, the Node 24 migration is done.
🤖 Generated with Claude Code
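
A static check that complements the green-CI verification and keeps the two Node pins discussed in this PR apart: the action's own runtime (the `uses:` ref) and the toolchain Node it provisions (`node-version`). This is an added example, not code from the PR; the minimum versions are the ones named in the commit messages, and the workflow text is constructed.

```javascript
// Added example: flag stale action refs and toolchain Node pins in workflow YAML.
// Minimum majors are the versions named in this PR's commit messages.
const MIN_ACTION_MAJOR = {
  "actions/checkout": 6,
  "actions/setup-node": 6,
  "cloudflare/wrangler-action": 4,
};
const MIN_TOOLCHAIN_NODE = 22; // wrangler's requirement quoted on this page

// Constructed sample workflow, not a file from this repository.
const sampleWorkflow = `
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: cloudflare/wrangler-action@v4
`;

// Line-based scan; refs pinned to a commit SHA or branch do not match and are skipped.
function scanWorkflow(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    if (/^\s*#/.test(line)) return; // skip comment lines
    const uses = line.match(/^\s*-?\s*uses:\s*["']?([\w.-]+\/[\w.-]+)@v(\d+)/);
    if (uses && MIN_ACTION_MAJOR[uses[1]] > Number(uses[2])) {
      findings.push({ line: i + 1, kind: "action-runtime", ref: `${uses[1]}@v${uses[2]}` });
    }
    const node = line.match(/^\s*node-version:\s*["']?(\d+)/);
    if (node && Number(node[1]) < MIN_TOOLCHAIN_NODE) {
      findings.push({ line: i + 1, kind: "toolchain-node", ref: `node ${node[1]}` });
    }
  });
  return findings;
}

console.log(scanWorkflow(sampleWorkflow));
```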