Chore/upgrade node 24 rn 79 #14303
Pin Node to v24.10.0 in .nvmrc files, CI workflows, the SDK Dockerfile and engines, and bump mobile to React Native 0.79.5 with matching @react-native/* 0.79.5 and @react-native-community/cli 16.0.0. Add minimum-release-age=10080 (7d) in .npmrc as supply-chain hardening for npm 11. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
npm 11.6.1 doesn't recognize this key (warns "Unknown project config"). The rolling-window minimum-age feature is in pnpm/Bun but not yet in npm — only date-based `before` is supported. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Use the npm key landed in npm/cli#8965 ("feat: add min-release-age"). Value is in days; 7 means installs ignore versions published less than a week ago. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
All alerts resolved (Socket for GitHub). This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
🌐 Web preview ready. Preview URL: https://audius-web-preview-pr-14303.audius.workers.dev (unique preview for this PR, deployed from this branch).
Apply the 0.78 → 0.79 native template deltas the initial bump missed:
- @react-native-community/cli* 16.0.0 → 18.0.0
- Gradle wrapper 8.12-all → 8.13-bin (regenerated jar + gradlew)
- Gemfile: add Ruby 3.4 stdlib gems (bigdecimal, logger, benchmark, mutex_m)
Add an install-time guardrail against the wrong Node/npm:
- root engines: node >=24.10.0, npm >=11.10.0
- .npmrc: engine-strict=true
- bump packageManager to npm@11.10.0 (informational unless Corepack is enabled)
Bump identity-service engines ~14.0.0 → >=18.0.0 to match its Docker base (node:18-alpine) so the new strict gate doesn't refuse installs on Node 24 hosts.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Node 24.10.0 ships with npm 11.6.1, which fails the new engines.npm >=11.10.0 floor and silently ignores the min-release-age supply-chain gate (the option was added in npm 11.10.0 via npm/cli#8965). Add a pinned 'npm install -g npm@11.10.0' step right after each actions/setup-node so CI matches the engines declaration and the supply-chain gate is actually enforced in CI, not just locally. Also pins the existing 'Upgrade npm for OIDC support' step in publish-packages.yml from npm@latest to npm@11.10.0 for reproducibility. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Set min-release-age=7
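The commits above describe three ways the release-age gate can silently do nothing: a key npm does not recognise (`minimum-release-age`), an npm older than 11.10.0 that ignores `min-release-age`, and an `engines` block without `engine-strict`. The following script is an added example, not code from this PR or the Audius repository; it takes the contents of `.npmrc`, the `engines` object and the host's npm version and reports which of those gaps apply. The 11.10.0 floor comes from the commit messages; the `.npmrc` samples are constructed from the before/after states described in the PR.

```python
"""Report whether an npm supply-chain gate (min-release-age + engine-strict)
is actually enforced for a given npm version.  Added example; not from the
repository this PR belongs to.  Only lower-bound engine ranges (>=, ^, ~)
are understood, which is all this PR uses."""
import re
from typing import Dict, List, Tuple

# npm/cli#8965 ("feat: add min-release-age") landed in npm 11.10.0 (per the PR).
MIN_RELEASE_AGE_NPM = (11, 10, 0)


def parse_npmrc(text: str) -> Dict[str, str]:
    """Parse key=value lines of an .npmrc; '#' and ';' begin comment lines."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_version(spec: str) -> Tuple[int, ...]:
    """Extract the numeric x.y.z from a version or a lower-bound range."""
    return tuple(int(p) for p in re.findall(r"\d+", spec)[:3])


def check(npmrc: str, engines: Dict[str, str], npm_version: str) -> List[str]:
    """Return human-readable findings; an empty list means the gate is live."""
    cfg = parse_npmrc(npmrc)
    have = parse_version(npm_version)
    findings: List[str] = []
    if "minimum-release-age" in cfg:
        findings.append("minimum-release-age is not an npm key (Unknown project config); use min-release-age")
    if "min-release-age" in cfg and have < MIN_RELEASE_AGE_NPM:
        findings.append(f"min-release-age is silently ignored by npm {npm_version} (needs >= 11.10.0)")
    if "min-release-age" not in cfg and "minimum-release-age" not in cfg:
        findings.append("no min-release-age gate configured")
    if cfg.get("engine-strict") != "true":
        findings.append("engine-strict is not true: the engines block is advisory only")
    npm_floor = engines.get("npm")
    if npm_floor and have < parse_version(npm_floor):
        findings.append(f"npm {npm_version} fails engines.npm {npm_floor}")
    return findings


# Constructed sample inputs mirroring the PR's first and final .npmrc states.
BEFORE_NPMRC = "minimum-release-age=10080\n"
AFTER_NPMRC = "# supply-chain hardening\nmin-release-age=7\nengine-strict=true\n"
ENGINES = {"node": ">=24.10.0", "npm": ">=11.10.0"}
```

Running `check(AFTER_NPMRC, ENGINES, "11.6.1")` (the npm bundled with Node 24.10.0) shows why the PR adds an explicit `npm install -g npm@11.10.0` step: the gate is configured but ignored until npm is upgraded.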