Upgrade Node.js to v20.19.2 for security enhancements

[PeterDaveHello]

Related GitHub Issue

Upgrading Node.js to v20.19.2 for security enhancements.

Submitted directly without opening an issue first, due to the security nature of the update, an issue can precede similar future updates if preferred.

Description

Upgrade Node.js from v20.18.1 to v20.19.2.

This version includes security patches for known vulnerabilities, enhancing overall project security.

Changes involve updating relevant project configuration files (e.g., .nvmrc, package.json engines, CI/CD workflow files) to specify Node.js v20.19.2.

Test Procedure

Install dependencies with Node.js v20.19.2, run the test and build process without error.

Type of Change

• 🐛 Bug Fix: Non-breaking change that fixes an issue.
• ✨ New Feature: Non-breaking change that adds functionality.
• 💥 Breaking Change: Fix or feature that would cause existing functionality to not work as expected.
• ♻️ Refactor: Code change that neither fixes a bug nor adds a feature. - [ ] 💅 Style: Changes that do not affect the meaning of the code (white-space, formatting, etc.).
• 📚 Documentation: Updates to documentation files.
• ⚙️ Build/CI: Changes to the build process or CI configuration. - [x] 🧹 Chore: Other changes that don't modify src or test files.

Pre-Submission Checklist

• Issue Linked: Direct submission for security (see "Related GitHub Issue").
• Scope: Changes focused on Node.js upgrade.
• Self-Review: Code self-reviewed.
• Code Quality:
  • Adheres to project style guidelines.
  • No new linting errors or warnings.
  • Debug code (e.g., console.log) removed.
• Testing:
  • New and/or updated tests have been added to cover my changes.
  • All tests pass locally (npm test).
  • The application builds successfully with my changes.
• Branch Hygiene: My branch is up-to-date (rebased) with the main branch.
• Documentation Impact: I have considered if my changes require documentation updates (see "Documentation Updates" section below).
• Changeset: A changeset has been created using npm run changeset if this PR includes user-facing changes or dependency updates.
• Contribution Guidelines: I have read and agree to the Contributor Guidelines.

Documentation Updates

• No documentation updates are required.

Additional Notes

Aligns the project with a more secure Node.js version. Feedback on the direct PR approach for future security-driven updates is welcome.

Get in Touch

Discord: peterdavehello

---

Important

Upgrade Node.js to v20.19.2 across configuration files and CI/CD workflows for security enhancements.

• Node.js Upgrade:
  • Upgrade Node.js from v20.18.1 to v20.19.2 for security enhancements.
  • Update Node.js version in .nvmrc, .tool-versions, evals/.tool-versions, and evals/scripts/setup.sh.
  • Update Node.js version in package.json and src/package.json under engines.
• CI/CD Workflows:
  • Update Node.js version to v20.19.2 in changeset-release.yml, code-qa.yml, marketplace-publish.yml, nightly-publish.yml, and update-contributors.yml.

^{This description was created by for 9d0ae59. You can customize this summary. It will automatically update as commits are pushed.}

[daniel-lxs]

Hey @PeterDaveHello, Thank you for the contribution.

This looks good to me, I'll leave the release page for version for reference 20.19.2

Notable Changes

(CVE-2025-23166) fix error handling on async crypto operation
(CVE-2025-23167) (SEMVER-MAJOR) update llhttp to 9.2.0
(CVE-2025-23165) add missing call to uv_fs_req_cleanup

We might want to look out for that update to llhttp

[mrubens]

Ah, we usually use Renovate for this but it got disabled when we moved to the RooCodeInc organization. I just turned it back on - let's see if that version bump comes through in there as well.

[mrubens]

This just came through from Renovate #4159

[daniel-lxs]

Thank you @PeterDaveHello !

[PeterDaveHello]

It seems PR #4159 is not as comprehensive as this one. The workflows under https://github.com/RooCodeInc/Roo-Code/tree/main/.github/workflows are still using the older version. It feels especially questionable to replace an existing, more complete PR with a newer one that does the same thing but is less thorough.

With all due respect, Roo Code is a fantastic project. However, if the maintainers currently have limited bandwidth and tend to prioritize PRs that appear more appealing at first glance, such as automated dependency updates from bots (which often lack thorough validation), bots copying commits from downstream, or adding new LLM models, contributors might feel discouraged from investing effort into carefully addressing bug fixes (e.g., #2303, #3958) or improving dependency security.

I fully understand that not all my PRs will or should be accepted. I'm open to further discussion and would appreciate any feedback on how I can better align my contributions with the project's goals.

[mrubens]

It seems PR #4159 is not as comprehensive as this one. The workflows under https://github.com/RooCodeInc/Roo-Code/tree/main/.github/workflows are still using the older version. It feels especially questionable to replace an existing, more complete PR with a newer one that does the same thing but is less thorough.

Sorry about that! I do think that we should have an automated dependency checker like Renovate since it's hard to count on people to be on top of all of the important changes, but this is a great example of why there's no substitute for human judgement. Really appreciate your contribution and your keeping us honest. I just included your commit in #4212.

With all due respect, Roo Code is a fantastic project. However, if the maintainers currently have limited bandwidth and tend to prioritize PRs that appear more appealing at first glance, such as automated dependency updates from bots (which often lack thorough validation), bots copying commits from downstream, or adding new LLM models, contributors might feel discouraged from investing effort into carefully addressing bug fixes (e.g., #2303, #3958) or improving dependency security.

I fully understand that not all my PRs will or should be accepted. I'm open to further discussion and would appreciate any feedback on how I can better align my contributions with the project's goals.

We've been moving toward an Issue-First model in hopes that it helps with alignment of PRs with project goals. Would love to discuss if you have any feedback on that approach. Thank you for all of your contributions!

[daniel-lxs]

I apologize as well, I assumed that renovate would also update what this PR did.

Thank you for letting us know about the mistake.

I'll pay more attention to the contributions.

[PeterDaveHello]

Thank you @mrubens and @daniel-lxs for the thoughtful handling and explanation!

I appreciate that the more comprehensive solution was ultimately adopted through #4212. I completely understand the complexities of project maintenance and the challenge of balancing automated tools with human review.

Regarding the Issue-First approach, that's a good direction. For future security updates like this, I'll consider opening an issue first to discuss scope and approach. I initially submitted this directly due to the security nature, similar to how automated tools like Renovate typically handle security patches, but I'm happy to adapt to the project's preferred workflow.

Thanks again for your time and patience. I'm happy to continue contributing to this fantastic project and will work to better align with the project goals going forward.