chore(deps): update node.js to v20.19.5

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
node (source)		patch	v20.19.2 -> 20.19.5
node (source)	engines	patch	20.19.2 -> 20.19.5
node (source)		patch	20.19.2 -> 20.19.5

---

Release Notes

nodejs/node (node)

v20.19.5: 2025-09-03, Version 20.19.5 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #​58308
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [3c6206cac9] - doc: add @​geeksilva97 to collaborators (Edy Silva) #​57241

Commits

• [ea20403467] - build: fix uvwasi pkgname (Antoine du Hamel) #​58270
• [c647aa4b30] - build: fix pointer compression builds (Joyee Cheung) #​58171
• [d2c5e609ae] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #​58867
• [84d5c4d244] - build: search for libnode.so in multiple places (Jan Staněk) #​58213
• [068c439552] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #​58942
• [edff105c34] - debugger: fix behavior of plain object exec in debugger repl (Dario Piotrowicz) #​57498
• [0473e35b7f] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #​58628
• [1218dbbea5] - deps: update zlib to 1.3.0.1-motley-780819f (Node.js GitHub Bot) #​57768
• [0e3cd9ec00] - deps: update zlib to 1.3.0.1-motley-788cb3c (Node.js GitHub Bot) #​56655
• [a194dd9bd4] - deps: update archs files for openssl-3.0.16 (Node.js GitHub Bot) #​57335
• [cc9b79ca70] - deps: upgrade openssl sources to quictls/openssl-3.0.16 (Node.js GitHub Bot) #​57335
• [82c46d5358] - deps: update cjs-module-lexer to 2.1.0 (Node.js GitHub Bot) #​57180
• [43e3f9b26b] - deps: update cjs-module-lexer to 2.0.0 (Michael Dawson) #​56855
• [91282ff16b] - deps: update corepack to 0.33.0 (Node.js GitHub Bot) #​58566
• [b76bca6f38] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #​58711
• [ae11481011] - deps: update acorn to 8.14.1 (Node.js GitHub Bot) #​57382
• [142d701201] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #​58712
• [fee082d684] - deps: update llhttp to 9.3.0 (Fedor Indutny) #​58144
• [c06f6f3f05] - dns: remove redundant code using common variable (Deokjin Kim) #​57386
• [cded8e7e77] - dns: fix parse memory leaky (theanarkh) #​58973
• [182ae67233] - dns: fix dns query cache implementation (Ethan Arrowood) #​58404
• [621b66a297] - doc: add review guidelines for collaborator nominations (Antoine du Hamel) #​57449
• [b1009b5b72] - doc: explicit mention arbitrary code execution as a vuln (Rafael Gonzaga) #​57426
• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #​58308
• [530473f479] - doc: add ovflowd back to core collaborators (Claudio W.) #​58911
• [38e8bbc131] - doc: add info on how project manages social media (Michael Dawson) #​57318
• [d06bb4dcc2] - doc: ping nodejs/tsc for each security pull request (Rafael Gonzaga) #​57309
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [8c3bc156ed] - doc: clarify path.isAbsolute is not path traversal mitigation (Eric Fortis) #​57073
• [e688410bda] - doc: fix rendering of DEP0174 description (David Sanders) #​56835
• [e6a0c6a0fa] - doc: add missing assert return types (Colin Ihrig) #​57219
• [026b3cab6a] - doc: add 1ilsang to triage team (1ilsang) #​57183
• [3c6206cac9] - doc: add @​geeksilva97 to collaborators (Edy Silva) #​57241
• [ef3a4675c7] - doc: fix web.libera.chat link in pull-requests.md (Samuel Bronson) #​57076
• [1db42b76f7] - doc: remove buffered flag from performance hooks examples (Pavel Romanov) #​52607
• [b73a1356ce] - doc: add module namespace object links (Dario Piotrowicz) #​57093
• [09368db20f] - doc: disambiguate pseudo-code statement (Dario Piotrowicz) #​57092
• [2c3dc569a1] - doc: fix wrong articles used to address modules (Dario Piotrowicz) #​57090
• [cd8259cb4e] - doc: modules.md: fix distance definition (Alexander “weej” Jones) #​57046
• [7b0ea9ab2d] - doc: fix wrong verb form (Dario Piotrowicz) #​57091
• [14fcfc242b] - doc: add a note about require('../common') in testing documentation (Aditi) #​56953
• [bc7d18b6ea] - doc: recommend writing tests in new files and including comments (Joyee Cheung) #​57028
• [acd4d7f269] - doc: improve documentation on argument validation (Aditi) #​56954
• [4cd6b3ca73] - doc: buffer: fix typo on Buffer.copyBytesFrom( offset option (tpoisseau) #​57015
• [01220607f2] - doc: update cleanup to trust on vuln db automation (Rafael Gonzaga) #​57004
• [77a0505a32] - doc: update post sec release process (Rafael Gonzaga) #​56907
• [77dbcfce5f] - doc: add section about using npx with permission model (Rafael Gonzaga) #​56539
• [73e51407b7] - doc: remove RedYetiDev from triagers team (Aviv Keller) #​55947
• [9a36cbb792] - doc: fix relative path mention in --allow-fs (Rafael Gonzaga) #​55791
• [04d9c5baeb] - doc: add scroll margin to links (Roman Reiss) #​58982
• [959a67f6ff] - doc: make Stability labels not sticky in Stability index (Livia Medeiros) #​58291
• [8757a5532f] - doc: update release key for aduh95 (Antoine du Hamel) #​58877
• [6fa0626327] - doc,src,test: fix typos (Noritaka Kobayashi) #​58477
• [9991788e4a] - http: coerce content-length to number (Marco Ippolito) #​57458
• [ff5cf8a428] - http2: fix check for frame->hd.type (hanguanqiang) #​57644
• [2f333b6c51] - lib: optimize prepareStackTrace on builtin frames (Chengzhong Wu) #​56299
• [cdf985071f] - lib: suppress source map lookup exceptions (Chengzhong Wu) #​56299
• [faa08b14ed] - lib: fixup incorrect argument order in assertEncoding (James M Snell) #​57177
• [a683cd1232] - meta: add IlyasShabi to collaborators (Ilyas Shabi) #​58916
• [b145bb28aa] - meta: bump codecov/codecov-action from 5.4.2 to 5.4.3 (dependabot[bot]) #​58551
• [2c59789001] - meta: bump ossf/scorecard-action from 2.4.1 to 2.4.2 (dependabot[bot]) #​58550
• [4095337e96] - meta: bump rtCamp/action-slack-notify from 2.3.2 to 2.3.3 (dependabot[bot]) #​58108
• [631fed8e39] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​58456
• [7d2f7180b6] - meta: bump codecov/codecov-action from 5.4.0 to 5.4.2 (dependabot[bot]) #​58110
• [1558551ea5] - meta: bump actions/download-artifact from 4.2.1 to 4.3.0 (dependabot[bot]) #​58106
• [e1f12fe737] - meta: ignore mailmap changes in linux ci (Jonas Badalic) #​58356
• [1b78eb1313] - meta: bump actions/setup-node from 4.3.0 to 4.4.0 (dependabot[bot]) #​58111
• [2b8449c39a] - meta: bump actions/setup-python from 5.5.0 to 5.6.0 (dependabot[bot]) #​58107
• [833b70bbc5] - meta: allow penetration testing on live system with prior authorization (Matteo Collina) #​57966
• [c6a88561f5] - meta: bump actions/setup-python from 5.4.0 to 5.5.0 (dependabot[bot]) #​57718
• [9046ef4fb3] - meta: bump peter-evans/create-pull-request from 7.0.7 to 7.0.8 (dependabot[bot]) #​57717
• [46388a4e2a] - meta: bump actions/cache from 4.2.2 to 4.2.3 (dependabot[bot]) #​57715
• [d3970685bd] - meta: bump actions/setup-node from 4.2.0 to 4.3.0 (dependabot[bot]) #​57714
• [47004ef37f] - meta: bump actions/upload-artifact from 4.6.1 to 4.6.2 (dependabot[bot]) #​57713
• [4abe83ec03] - meta: add some clarification to the nomination process (James M Snell) #​57503
• [45e9b88363] - meta: remove collaborator self-nomination (Rich Trott) #​57537
• [d10949b7d8] - meta: edit collaborator nomination process (Antoine du Hamel) #​57483
• [704562fb7a] - meta: move ovflowd to emeritus (Claudio W.) #​57443
• [3f981b8537] - meta: bump codecov/codecov-action from 5.3.1 to 5.4.0 (dependabot[bot]) #​57257
• [7e1ff7b332] - meta: bump ossf/scorecard-action from 2.4.0 to 2.4.1 (dependabot[bot]) #​57253
• [8d4ec412b9] - meta: move RaisinTen back to collaborators, triagers and SEA champion (Darshan Sen) #​57292
• [cc2abb5d17] - meta: bump peter-evans/create-pull-request from 7.0.6 to 7.0.7 (dependabot[bot]) #​57259
• [4fad2b8758] - meta: bump actions/cache from 4.2.0 to 4.2.2 (dependabot[bot]) #​57256
• [5f5bb8b986] - meta: bump actions/upload-artifact from 4.6.0 to 4.6.1 (dependabot[bot]) #​57255
• [e949359a56] - meta: bump actions/setup-python from 5.3.0 to 5.4.0 (dependabot[bot]) #​56867
• [d3c5ad7510] - meta: bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 (dependabot[bot]) #​56866
• [56decfe2d1] - meta: bump codecov/codecov-action from 5.0.7 to 5.3.1 (dependabot[bot]) #​56864
• [52e518444d] - meta: bump actions/cache from 4.1.2 to 4.2.0 (dependabot[bot]) #​56862
• [9cac93d9c3] - meta: bump actions/stale from 9.0.0 to 9.1.0 (dependabot[bot]) #​56860
• [ecf4252f7c] - meta: update last name for jkrems (Jan Martin) #​57006
• [e8beaaaedf] - meta: bump actions/upload-artifact from 4.4.3 to 4.6.0 (dependabot[bot]) #​56861
• [5462c257f8] - meta: bump actions/setup-node from 4.1.0 to 4.2.0 (dependabot[bot]) #​56868
• [89c37891a0] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​56889
• [2a0175c291] - meta: add @​nodejs/url as codeowner (Chengzhong Wu) #​56783
• [c12aae1e78] - meta: bump github/codeql-action from 3.28.18 to 3.29.2 (dependabot[bot]) #​58922
• [4ef09990f1] - meta: bump github/codeql-action from 3.28.16 to 3.28.18 (dependabot[bot]) #​58552
• [889654eb2c] - meta: bump github/codeql-action from 3.28.11 to 3.28.16 (dependabot[bot]) #​58112
• [091e5c1bb9] - meta: bump github/codeql-action from 3.28.10 to 3.28.13 (dependabot[bot]) #​57716
• [01415153de] - meta: bump github/codeql-action from 3.28.8 to 3.28.10 (dependabot[bot]) #​57254
• [72ea8aac34] - meta: bump github/codeql-action from 3.27.5 to 3.28.8 (dependabot[bot]) #​56859
• [99a271e588] - meta: bump step-security/harden-runner from 2.12.0 to 2.12.2 (dependabot[bot]) #​58923
• [b4c4c02490] - meta: bump step-security/harden-runner from 2.11.0 to 2.12.0 (dependabot[bot]) #​58109
• [5361bb9157] - meta: bump step-security/harden-runner from 2.10.4 to 2.11.0 (dependabot[bot]) #​57258
• [28e33acf30] - meta: bump step-security/harden-runner from 2.10.2 to 2.10.4 (dependabot[bot]) #​56863
• [fad773cede] - module: throw error when re-runing errored module jobs (Joyee Cheung) #​58957
• [2531185423] - module: allow cycles in require() in the CJS handling in ESM loader (Joyee Cheung) #​58598
• [ed43b69689] - module: clarify cjs global-like error on ModuleJobSync (Carlos Espa) #​56491
• [6e02db1b12] - module: handle instantiated async module jobs in require(esm) (Joyee Cheung) #​58067
• [badba50d30] - module: fix incorrect formatting in require(esm) cycle error message (haykam821) #​57453
• [939ecf8906] - module: handle cached linked async jobs in require(esm) (Joyee Cheung) #​57187
• [ba7f8a0353] - module: improve error message from asynchronicity in require(esm) (Joyee Cheung) #​57126
• [c1e7fa2586] - module: handle .mjs in .js handler in CommonJS (Joyee Cheung) #​55590
• [41f3dfd21b] - module: fix require.resolve() crash on non-string paths (Aditi) #​56942
• [043dcdd628] - os: fix GetInterfaceAddresses memory lieaky (theanarkh) #​58940
• [9b74e9bfd9] - permission: ignore internalModuleStat on module loading (Rafael Gonzaga) #​55797
• [611a147b45] - readline: fix unresolved promise on abortion (Daniel Venable) #​54030
• [f891ae3421] - repl: avoid deprecated require.extensions in tab completion (baki gul) #​58653
• [7ba44290bf] - repl: fix tab completion not working with computer string properties (Dario Piotrowicz) #​58709
• [eb842048b2] - src: do not format single string argument for THROW_ERR_* (Joyee Cheung) #​57126
• [4f004937ec] - src: fixup errorhandling more in various places (James M Snell) #​57852
• [5daa7fe2e2] - src: fix module buffer allocation (X-BW) #​57738
• [586b1be11b] - src: fix build when using shared simdutf (Antoine du Hamel) #​58407
• [563e61f012] - src: fix possible dereference of null pointer (Eusgor) #​58459
• [cbec07ea0b] - src: fix FIPS init error handling (Tobias Nießen) #​58379
• [80fb80e71b] - src: fix -Wunreachable-code in src/node_api.cc (Shelley Vohr) #​58901
• [5e97719860] - test: skip test-http-imports on macos (Marco Ippolito) #​59745
• [69c43bdfcc] - test: fix internet/test-dns (Michaël Zasso) #​59660
• [6fd58e0338] - tools: update coverage GitHub Actions to fixed version (Rich Trott) #​59512
• [eb7bbce73e] - tools: disable failing coverage jobs (Antoine du Hamel) #​58770
• [65b1669936] - util: fix formatting of objects with built-in Symbol.toPrimitive (Shima Ryuhei) #​57832
• [8a29f13bec] - util: fix parseEnv incorrectly splitting multiple ‘=‘ in value (HEESEUNG) #​57421
• [077d5020c4] - v8: fix missing callback in heap utils destroy (Ruben Bridgewater) #​58846
• [34ae9f8b18] - vm: import call should return a promise in the current context (Chengzhong Wu) #​58309
• [0dd3a8d6d1] - win,build: fix MSVS v17.14 compilation issue (StefanStojanovic) #​58902
• [1b83a2bd2d] - zlib: remove mentions of unexposed Z_TREES constant (Jimmy Leung) #​58371
• [9dc9604502] - zlib: fix pointer alignment (jhofstee) #​57727

v20.19.4: 2025-07-15, Version 20.19.4 'Iron' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

Commits

• [db7b93fcef] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721

v20.19.3: 2025-06-23, Version 20.19.3 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

• [c535a3c483] - crypto: graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable (Filip Skokan) #​56142
• [af1dc63815] - crypto: update root certificates to NSS 3.108 (Node.js GitHub Bot) #​57381
• [01d63a4ddf] - deps: update timezone to 2025b (Node.js GitHub Bot) #​57857
• [b6daa344eb] - doc: add dario-piotrowicz to collaborators (Dario Piotrowicz) #​58102

Commits

• [fc1fa7a357] - build: use FILE_OFFSET_BITS=64 esp. on 32-bit arch (RafaelGSS) #​58090
• [79e0812181] - build: use glob for dependencies of out/Makefile (Richard Lau) #​55789
• [f56e62851a] - crypto: allow length=0 for HKDF and PBKDF2 in SubtleCrypto.deriveBits (Filip Skokan) #​55866
• [c535a3c483] - crypto: graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable (Filip Skokan) #​56142
• [39925de8b1] - crypto: allow non-multiple of 8 in SubtleCrypto.deriveBits (Filip Skokan) #​55296
• [af1dc63815] - crypto: update root certificates to NSS 3.108 (Node.js GitHub Bot) #​57381
• [d09008add3] - deps: V8: cherry-pick 1a3ecc2 (Michaël Zasso) #​58342
• [fd56652425] - deps: V8: cherry-pick 182d9c0 (Andrey Kosyakov) #​58342
• [447481e829] - deps: V8: cherry-pick third_party/zlib@646b7f5 (Hans Wennborg) #​58342
• [eb447168df] - deps: update simdutf to 6.4.2 (Node.js GitHub Bot) #​57855
• [01d63a4ddf] - deps: update timezone to 2025b (Node.js GitHub Bot) #​57857
• [10fb49f2a9] - deps: update icu to 77.1 (Node.js GitHub Bot) #​57455
• [f1dc7d0205] - deps: update corepack to 0.32.0 (Node.js GitHub Bot) #​57265
• [7a2e64bb8a] - deps: update simdutf to 6.4.0 (Node.js GitHub Bot) #​56764
• [e80669be0d] - doc: mention reports should align with Node.js CoC (Rafael Gonzaga) #​57607
• [7b2c0bc92e] - doc: add gurgunday as triager (Gürgün Dayıoğlu) #​57594
• [791e4879de] - doc: document REPL custom eval arguments (Dario Piotrowicz) #​57690
• [2917f09876] - doc: improved fetch docs (Alessandro Miliucci) #​57296
• [d940b15843] - doc: clarify unhandledRejection events behaviors in process doc (Dario Piotrowicz) #​57654
• [71c664fab7] - doc: update position type to integer | null in fs (Yukihiro Hasegawa) #​57745
• [0c0fbfa9c6] - doc: add missing v0.x changelog entries (Antoine du Hamel) #​57779
• [e99462c9fc] - doc: correct deprecation type of assert.CallTracker (René) #​57997
• [c7e92696ef] - doc: add returns for https.get (Eng Zer Jun) #​58025
• [ccc42b69ce] - doc: fix env variable name in util.styleText (Antoine du Hamel) #​58072
• [b6daa344eb] - doc: add dario-piotrowicz to collaborators (Dario Piotrowicz) #​58102
• [e5d6a3df16] - doc: fix AsyncLocalStorage example response changes after node v18 (Naor Tedgi (Abu Emma)) #​57969
• [f006411998] - doc: fix typo of file zlib.md (yusheng chen) #​58093
• [5193735df4] - doc: add missing options.signal to readlinePromises.createInterface() (Jimmy Leung) #​55456
• [fd44af730f] - doc: fix misaligned options in vm.compileFunction() (Jimmy Leung) #​58145
• [0fdcc0ddcd] - doc: add ambassaor message (Brian Muenzenmeyer) #​57600
• [5ca9616bd3] - doc: increase z-index of header element (Dario Piotrowicz) #​57851
• [81342d10f0] - doc: fix deprecation type for DEP0148 (Livia Medeiros) #​57785
• [776becfe01] - doc: remove mention of --require not supporting ES modules (Huáng Jùnliàng) #​57620
• [3140a8f133] - doc: add missing deprecated badges in fs.md (Yukihiro Hasegawa) #​57384
• [441ce24ae3] - doc: deprecate passing invalid types in fs.existsSync (Carlos Espa) #​55892
• [0556f54544] - http: correctly translate HTTP method (Paolo Insogna) #​52701
• [c2c6d2b035] - http: be more generational GC friendly (ywave620) #​56767
• [cdf3fa241c] - http2: skip writeHead if stream is closed (Shima Ryuhei) #​57686
• [bbd5aec785] - http2: fix graceful session close (Kushagra Pandey) #​57808
• [b427ae4f34] - meta: remove build-windows.yml (Aviv Keller) #​54662
• [49e624f554] - os: fix netmask format check condition in getCIDR function (Wiyeong Seo) #​57324
• [d582954434] - src: remove unused variable in crypto_x509.cc (Michaël Zasso) #​57754
• [234a505e96] - src: allow embedder customization of OOMErrorHandler (Shelley Vohr) #​57325
• [c0252cd380] - src: fix -Wunreachable-code-return in node_sea (Shelley Vohr) #​57664
• [fcd1622fc1] - src: fix kill signal 0 on Windows (Stefan Stojanovic) #​57695
• [850192b06b] - test: skip broken sea on rhel8 (Marco Ippolito) #​58761
• [3cf7cfb695] - test: update WPT for WebCryptoAPI to edd42c0 (Node.js GitHub Bot) #​57365
• [f57765bdcf] - test: mark test-without-async-context-frame flaky on windows (James M Snell) #​56753
• [275ea8e7ef] - test: force GC in test-file-write-stream4 (Luigi Pinca) #​57930
• [da6a13c338] - test: deflake test-http2-options-max-headers-block-length (Luigi Pinca) #​57959
• [56fce6691e] - test: prevent extraneous HOSTNAME substitution in test-runner-output (René) #​58076
• [c9c0be5596] - test: update expected error message for macOS (Antoine du Hamel) #​57742
• [3cbf5f93d2] - test: fix missing edge case in test-blob-slice-with-large-size (Joyee Cheung) #​58414
• [bffd4ec379] - test: skip in test-buffer-tostring-rangeerror on allocation failure (Joyee Cheung) #​58415
• [8237346fb7] - test,crypto: update WebCryptoAPI WPT (Filip Skokan) #​54593
• [b90c4ab937] - tools: remove unused osx-pkg-postinstall.sh (Antoine du Hamel) #​57667
• [414013dcfb] - tools: edit create-release-proposal workflow to handle pr body length (Elves Vieira) #​57841
• [7c449ed6b3] - tools: fix tarball testing directory (Marco Ippolito) #​57994
• [d164dc2d38] - tools: update sccache version to v0.10.0 (Marco Ippolito) #​57994
• [debd3c2cc0] - tools: disable failing test envs in test-linux CI (Antoine du Hamel) #​58351
• [152112505a] - typings: fix ImportModuleDynamicallyCallback return type (Chengzhong Wu) #​57160
• [363bf744ab] - worker: flush stdout and stderr on exit (Matteo Collina) #​56428

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[roomote]

I found an issue that needs attention: .nvmrc lost the leading 'v' prefix which can break some nvm-based workflows; please keep the canonical 'vX.Y.Z' format.

[roomote]

[P2] The leading 'v' was removed (was 'v20.19.2' -> now '20.19.5'). Some tools and scripts expect the canonical 'v' prefix in .nvmrc. Suggest keeping the prefix for consistency with prior file and common nvm conventions.

Suggested change

	20.19.5
	v20.19.5

[roomote]

I found some issues that need attention related to the Node.js version bump; see inline comments.

[roomote]

[P2] Consistency: Other repo files still pin Node 20.19.2 (e.g., .github/actions/setup-node-pnpm/action.yml default, packages/evals/scripts/setup.sh install/check, packages/evals/README.md). Consider updating these to 20.19.5 in this PR so CI/dev environments stay aligned.

[roomote]

No new issues found beyond existing comments; leaving one improvement suggestion inline.

[roomote]

[P3] Consider using a semver range for engines.node (e.g., ">=20.19.5 <21") to reduce churn and avoid blocking contributors on patch updates. Tooling in the repo (.nvmrc/.tool-versions) still pins a concrete version for dev/CI.

Suggested change

	"node": "20.19.5"
	"node": ">=20.19.5 <21"

[roomote]

I found one improvement to keep toolchain versions consistent across environments.

[roomote]

[P3] Consider also pinning pnpm here to mirror packageManager ([email protected]) so asdf-managed environments use the same pnpm version.

Suggested change

	nodejs 20.19.5
	nodejs 20.19.5
	pnpm 10.8.1

[roomote]

I found one additional improvement for engines consistency; see inline.

[roomote]

[P3] Consider using a semver range for engines.node (e.g., ">=20.19.5 <21") to reduce churn and avoid blocking contributors on patch updates. Tooling (.nvmrc/.tool-versions) pins the concrete version for dev/CI, so this remains safe.

[roomote]

No new issues found - all concerns already addressed in existing comments.

[roomote]

I found some issues that need attention related to version pinning; see inline comments.

[roomote]

[P2] Consider using a semver range for engines.node (>=20.19.5 <21) instead of an exact pin. This avoids unnecessary churn with patch releases while still preventing breaking major upgrades. Align with .nvmrc/.tool-versions as needed.

[roomote]

[P2] Mirror the semver range suggestion for engines.node here as well (>=20.19.5 <21) to keep developer environments consistent without forcing exact patch matching.

[roomote]

I found some issues that need attention related to Node engine duplication; see inline comments.

[roomote]

[P2] Avoid duplicating engines.node across root and src/package.json. VS Code extensions run on the extension host's Node bundled with VS Code; pinning engines.node here can block installs unnecessarily. Consider removing engines.node from src/package.json and rely on the root engines plus .nvmrc/.tool-versions for dev/CI pinning.

[roomote]

I found one improvement suggestion; see inline.

[roomote]

[P3] Consider adding engines.pnpm to mirror packageManager and enforce pnpm compatibility. This helps prevent mismatched pnpm versions in environments that respect engines.

Suggested change

	"node": "20.19.5"
	"node": "20.19.5",
	"pnpm": ">=10.8.1 <11"

[roomote]

No new issues found - all concerns already addressed in existing comments.

[roomote]

No new issues found - all concerns already addressed in existing comments.

[roomote]

Review Summary

This PR updates Node.js from v20.19.2 to v20.19.5. However, there are issues that need to be addressed:

Critical Issues

• .nvmrc format change: The 'v' prefix was removed (was v20.19.2, now 20.19.5). Some tools expect the canonical 'v' prefix format.
• Incomplete update: Several files still reference Node 20.19.2:
  • .github/actions/setup-node-pnpm/action.yml (line 9)
  • packages/evals/scripts/setup.sh (lines 217, 218, 226)
  • packages/evals/README.md (line 84)

Suggestions for Improvement

• Consider using semver ranges for engines.node (e.g., >=20.19.5 <21) to reduce maintenance churn
• Consider adding pnpm 10.8.1 to .tool-versions for asdf-managed environments

Please address the critical issues before merging.