Update node to v25, update glob to resolve High Dependabot vulnerability#18927

Closed
timvaillancourt wants to merge 6 commits intovitessio:mainfrom
timvaillancourt:update-node-to-v25
Conversation

@timvaillancourt timvaillancourt commented Nov 20, 2025

Description

This PR updates node to the latest-stable node v25 version

An increased node+npm version was required to resolve this High Dependabot vuln: https://github.com/vitessio/vitess/security/dependabot/435 - the glob version with the fix required a newer npm version

I'm not seeing anything out-of-place in VTAdmin after these changes:
(screenshot: VTAdmin after the change, taken 2025-11-20)

On backporting: I'm torn. On one hand we have a High vulnerability, but changing the required version of node+npm seems like a drastic change that typically we tie with a new major version. So I'm equally on-board with backporting this or not

Related Issue(s)

https://github.com/vitessio/vitess/security/dependabot/435

Checklist

  • "Backport to:" labels have been added if this change should be back-ported to release branches
  • If this change is to be back-ported to previous releases, a justification is included in the PR description
  • Tests were added or are not required
  • Did the new or modified tests pass consistently locally and on CI?
  • Documentation was added or is not required

Deployment Notes

AI Disclosure

Signed-off-by: Tim Vaillancourt <tim@timvaillancourt.com>
vitess-bot bot commented Nov 20, 2025

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

  • Ensure that the Pull Request has a descriptive title.
  • Ensure there is a link to an issue (except for internal cleanup and flaky test fixes), new features should have an RFC that documents use cases and test cases.

Tests

  • Bug fixes should have at least one unit or end-to-end test, enhancement and new features should have a sufficient number of tests.

Documentation

  • Apply the release notes (needs details) label if users need to know about this change.
  • New features should be documented.
  • There should be some code comments as to why things are implemented the way they are.
  • There should be a comment at the top of each new or modified test to explain what the test does.

New flags

  • Is this flag really necessary?
  • Flag names must be clear and intuitive, use dashes (-), and have a clear help text.

If a workflow is added or modified:

  • Each item in Jobs should be named in order to mark it as required.
  • If the workflow needs to be marked as required, the maintainer team must be notified.

Backward compatibility

  • Protobuf changes should be wire-compatible.
  • Changes to _vt tables and RPCs need to be backward compatible.
  • RPC changes should be compatible with vitess-operator
  • If a flag is removed, then it should also be removed from vitess-operator and arewefastyet, if used there.
  • vtctl command output order should be stable and awk-able.

@vitess-bot added the labels NeedsBackportReason (if backport labels have been applied to a PR, a justification is required), NeedsDescriptionUpdate (the description is not clear or comprehensive enough, and needs work), NeedsIssue (a linked issue is missing for this Pull Request) and NeedsWebsiteDocsUpdate on Nov 20, 2025
@github-actions github-actions bot added this to the v24.0.0 milestone Nov 20, 2025
@timvaillancourt added the label Type: Dependencies (dependency updates) and removed the labels NeedsDescriptionUpdate, NeedsWebsiteDocsUpdate, NeedsIssue and NeedsBackportReason on Nov 20, 2025
@timvaillancourt timvaillancourt enabled auto-merge (squash) November 20, 2025 17:53
@mattlord mattlord left a comment

We also need to update the "build on" docs pages: https://vitess.io/docs/contributing/

We need to update and clarify the required node versions there.

@mattlord added the NeedsWebsiteDocsUpdate label on Nov 20, 2025
@timvaillancourt removed the labels Backport to: release-22.0 and Backport to: release-23.0 on Nov 20, 2025
@GrahamCampbell GrahamCampbell left a comment

Node v24 would be more normal. Node odd versions are beta builds, and major stale.

@timvaillancourt (author) commented

> Node v24 would be more normal. Node odd versions are beta builds, and major stale.

@GrahamCampbell I didn't know that, thanks! v24 makes more sense

For now I think we're blocked on the NPM project. The latest NPM 11 still depends on the vulnerable glob version. I'll return to this later ⌛

arthurschreiber commented Nov 21, 2025

> @GrahamCampbell I didn't know that, thanks! v24 makes more sense
>
> For now I think we're blocked on the NPM project. The latest NPM 11 still depends on the vulnerable glob version. I'll return to this later ⌛

I'd also like to add my 2 cents that Node v22 should continue to be the version we target. v22 will be supported till April 2027, and unless we have a real, hard requirement to use a newer version, we should stick to that. As npm is part of the Node.js distribution, whatever security issues found in the npm version used / supported by v22 will end up being fixed.

I also think it's wrong to depend on npm in package.json - I couldn't find anything in vtadmin that would use npm as a library or in any way outside of the scripts in package.json or the build.sh commands. We can just drop that dependency, which will result in dropping a ton of other dependencies, and should reduce the Node.js related security alerts we see massively.
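To make the transitive-dependency point concrete, here is an added example in JavaScript; it is not code from the vitess project, this PR, or any participant in the thread. It walks the `packages` map of an npm lockfileVersion 3 `package-lock.json`, finds every installed copy of a target package below a given cut-off version, and reports which of the root's direct dependencies pulls each copy in, which is exactly the question "do we need to bump node/npm, or just drop npm from package.json?" turns on. The lockfile contents, the package names under `@npmcli/`, and the cut-off version `10.4.0` are all constructed for illustration and are not the real vtadmin lockfile or the fixed version from the Dependabot alert.

```javascript
// Added example, not from the vitess repository or this PR.
// Walks an npm lockfileVersion 3 "packages" map and reports every copy of a
// target package whose version is below a cut-off, together with the root's
// direct dependency that ultimately pulls it in. Answers: "which top-level
// dependency do I have to drop or bump to clear this alert?"

// Constructed sample lockfile (NOT the real vitess/vtadmin lockfile). Paths use
// the lockfileVersion 3 layout: "" is the project root, and a package nested
// under another package's node_modules was installed there for that dependent.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { glob: "^10.0.0", npm: "^11.0.0", react: "^18.0.0" } },
    "node_modules/glob": { version: "10.4.5" },
    "node_modules/react": { version: "18.3.1" },
    "node_modules/npm": {
      version: "11.6.0",
      dependencies: { glob: "^10.0.0", "@npmcli/foo": "^1.0.0" }, // @npmcli/foo is hypothetical
    },
    "node_modules/npm/node_modules/glob": { version: "10.3.7" },
    "node_modules/@npmcli/foo": { version: "1.0.0", dependencies: { glob: "^7.0.0" } },
    "node_modules/@npmcli/foo/node_modules/glob": { version: "7.2.3" },
  },
};

// Package name is everything after the last "node_modules/" (handles @scoped names).
function packageName(pkgPath) {
  const marker = "node_modules/";
  return pkgPath.slice(pkgPath.lastIndexOf(marker) + marker.length);
}

// Numeric compare of "x.y.z" versions; prerelease/build tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Mimic Node's resolution: look for dep under fromPath/node_modules, then walk
// up one node_modules level at a time until the root's node_modules.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Reverse edges: installed path -> paths of the packages that depend on it.
function buildParents(packages) {
  const parents = {};
  for (const [pkgPath, meta] of Object.entries(packages)) {
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    for (const depName of Object.keys(deps)) {
      const target = resolveDep(packages, pkgPath, depName);
      if (target) (parents[target] = parents[target] || []).push(pkgPath);
    }
  }
  return parents;
}

// Names of the root's direct dependencies from which pkgPath is reachable.
function topLevelDependents(parents, pkgPath) {
  const roots = new Set();
  const seen = new Set([pkgPath]);
  const queue = [pkgPath];
  while (queue.length) {
    const cur = queue.shift();
    for (const parent of parents[cur] || []) {
      if (parent === "") roots.add(packageName(cur));
      else if (!seen.has(parent)) { seen.add(parent); queue.push(parent); }
    }
  }
  return [...roots].sort();
}

// Every installed copy of `name` with version < fixedVersion, plus who pulls it in.
function findVulnerableCopies(lock, name, fixedVersion) {
  const parents = buildParents(lock.packages);
  return Object.entries(lock.packages)
    .filter(([p, m]) => p && packageName(p) === name && compareVersions(m.version, fixedVersion) < 0)
    .map(([p, m]) => ({ path: p, version: m.version, via: topLevelDependents(parents, p) }));
}

// Cut-off 10.4.0 is an assumed value for illustration, not the alert's real fixed version.
for (const hit of findVulnerableCopies(SAMPLE_LOCK, "glob", "10.4.0")) {
  console.log(`${hit.path}@${hit.version} pulled in via: ${hit.via.join(", ")}`);
}
```

On the sample lockfile both out-of-range copies of `glob` trace back to the root's `npm` dependency and none to the direct `glob` entry, which is the shape of lockfile where removing `npm` from `package.json` (rather than raising the required Node/npm version) clears the alert. To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`.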

@arthurschreiber commented
See #18931 for a PR that removes the dependency on npm from package.json and bumps the version of glob.

@timvaillancourt (author) commented

> See #18931 for a PR that removes the dependency on npm from package.json and bumps the version of glob.

Oh, we don't need npm? This is great

Closing in favour of #18931

auto-merge was automatically disabled November 21, 2025 14:37

Pull request was closed

@timvaillancourt timvaillancourt deleted the update-node-to-v25 branch November 21, 2025 14:37