Bundled punycode DEP0040 warning persists in v5 — @actions/artifact ^2.1.8 needs upgrade

[michailidouservices]

Summary

actions/deploy-pages@v5.0.0 (released 2026-03-25, latest) still emits a DEP0040 punycode DeprecationWarning in every "Deploy to GitHub Pages" step. This persists even with FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true, because the warning isn't from the Node version mismatch — it's from a transitive dependency in the bundled action that loads Node's deprecated punycode module at startup.

This is the "won't go away though" warning that @jaredthivener noted in #410 (the Node 24 support issue, which is essentially solved by v5).

Root cause

actions/deploy-pages/package.json pins:

"dependencies": {
  "@actions/artifact": "^2.1.8",
  ...
}

@actions/artifact v2.x predates the punycode fix. The punycode fix was shipped in @actions/artifact v6.0.0 (December 2025), and actions/upload-artifact itself moved to it in actions/upload-artifact#744.

The package.json line for @actions/artifact hasn't been touched since 2024-07-15 (commit 479a2d95).

Trace

A diagnose run with NODE_OPTIONS=--trace-deprecation:

(node:6488) [DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.
    at node:punycode:7:10
    at BuiltinModule.compileForInternalLoader (node:internal/bootstrap/realm:398:7)
    at BuiltinModule.compileForPublicLoader (node:internal/bootstrap/realm:337:10)
    at loadBuiltinModule (node:internal/modules/helpers:125:7)
    at loadBuiltinWithHooks (node:internal/modules/cjs/loader:1202:15)
    at Module._load (node:internal/modules/cjs/loader:1293:48)
    at wrapModuleLoad (node:internal/modules/cjs/loader:255:19)
    at Module.require (node:internal/modules/cjs/loader:1556:12)
    at require (node:internal/modules/helpers:152:16)
    at Object.85477 (/home/runner/work/_actions/actions/deploy-pages/v5/external node-commonjs "punycode":1:1)

The bundled module ID 85477 resolves to a node-commonjs "punycode" external in the ncc-built dist/index.js of actions/deploy-pages@v5.

Ask

Bump @actions/artifact from ^2.1.8 to ^6.x (or whatever current major has the punycode fix). After the bump, rebuild the dist/ bundle with ncc and tag a v5.0.1 / v5.1.0.

This would silence the warning for every consumer of actions/deploy-pages@v5 without requiring them to wait for upstream Node version migrations or pin SHAs.

Related

• Support Node.js 24 #410 — "Support Node.js 24" (the parent thread; the Node 24 part was solved in v5, but the punycode subwarning is a different transitive-dep issue)
• fix: update @actions/artifact for Node.js 24 punycode deprecation upload-artifact#744 — the original @actions/artifact v6.0.0 punycode fix
• Please publish a new release tag with current main (includes upload-artifact@v7 + punycode fix) upload-pages-artifact#142 — same root cause, different action — sister issue I just filed for the upload side

Workaround

There is no clean workaround. FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true doesn't help (the warning isn't about Node version). SHA-pinning to current main doesn't help either, because main is cd2ce8fc from 2026-03-24, which is exactly what v5.0.0 was tagged from on 2026-03-25 — there's no newer commit to pin to. The fix must come from a maintainer-side @actions/artifact bump.