chore(config): Upgrade Node.js to 24.14.0 and add npm min-release-age #1191

Merged
yamadashy merged 1 commit into main from chore/add-npm-min-release-age
Mar 3, 2026

Conversation

@yamadashy (Owner) commented Mar 3, 2026

Upgrade Node.js from 24.0.1 to 24.14.0 and npm to 11.10.0 in .tool-versions, and add .npmrc with min-release-age=7 to reduce supply chain attack risk.

The min-release-age setting (added in npm v11.10.0) prevents installation of packages published less than 7 days ago, matching Renovate's existing minimumReleaseAge: "7 days" configuration.

Checklist

  • Run npm run test
  • Run npm run lint


Upgrade Node.js from 24.0.1 to 24.14.0 and npm to 11.10.0 in .tool-versions
to enable the min-release-age security feature.

Add .npmrc with min-release-age=7 to match Renovate's minimumReleaseAge of
7 days, reducing supply chain attack risk by preventing installation of
newly published packages.

@gemini-code-assist (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's development environment and security posture. It updates core JavaScript runtime and package manager versions to their latest stable releases, ensuring access to the newest features and security patches. Concurrently, it introduces a critical security measure to prevent the use of very recently published npm packages, thereby reducing exposure to potential supply chain vulnerabilities.

Highlights

  • Dependency Upgrades: Node.js has been upgraded from version 24.0.1 to 24.14.0, and npm has been updated to version 11.10.0 in the .tool-versions file.
  • Supply Chain Security: A new .npmrc file has been added with min-release-age=7. This setting, introduced in npm v11.10.0, prevents the installation of packages published less than 7 days ago, aligning with existing Renovate configurations and mitigating supply chain attack risks.


Changelog

  • .npmrc
    • Added min-release-age=7 to enforce a minimum age for package releases, enhancing supply chain security.
  • .tool-versions
    • Updated Node.js version from 24.0.1 to 24.14.0.
    • Added npm version 11.10.0.

Activity

  • No review comments or activity have been recorded on this pull request yet.

@coderabbitai (Contributor) commented Mar 3, 2026

No actionable comments were generated in the recent review. 🎉

Recent review info

Configuration used: .coderabbit.yaml

Reviewing files that changed from the base of the PR and between 712eb7b and f7af05e.

Files selected for processing (2):
  • .npmrc
  • .tool-versions

Walkthrough

Two configuration files are updated: .npmrc receives a new min-release-age=7 setting, and .tool-versions is modified to update Node.js from 24.0.1 to 24.14.0 and add an npm entry at version 11.10.0.

Changes

Cohort / File(s)                      Summary
npm Configuration: .npmrc             Added min-release-age=7 setting for npm release management.
Version Management: .tool-versions    Updated Node.js version from 24.0.1 to 24.14.0 and added npm version 11.10.0.

Estimated code review effort: 1 (Trivial), ~3 minutes

Pre-merge checks: 3 passed

Check name          Status   Explanation
Title check         Passed   The title clearly and accurately summarizes the main changes: upgrading Node.js and adding npm min-release-age configuration.
Description check   Passed   The description covers the changes comprehensively, includes rationale for the min-release-age setting, and completes all checklist items.
Docstring Coverage  Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@codecov commented Mar 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.14%. Comparing base (712eb7b) to head (f7af05e).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1191   +/-   ##
=======================================
  Coverage   87.14%   87.14%           
=======================================
  Files         115      115           
  Lines        4310     4310           
  Branches      998      998           
=======================================
  Hits         3756     3756           
  Misses        554      554           


@gemini-code-assist (Contributor) left a comment

Code Review

This pull request updates the project's tool versions, upgrading Node.js to 24.14.0 and pinning npm to 11.10.0 in .tool-versions. It also introduces a .npmrc file to set min-release-age=7, a security measure to mitigate supply chain risks. The changes are straightforward configuration updates and appear to be correctly implemented as described.

@cloudflare-workers-and-pages commented

Deploying repomix with Cloudflare Pages

Latest commit: f7af05e
Status: Deploy successful
Preview URL: https://a7e7bebb.repomix.pages.dev
Branch Preview URL: https://chore-add-npm-min-release-ag.repomix.pages.dev

@devin-ai-integration (Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 3 additional findings.


@claude (Contributor) commented Mar 3, 2026

Code Review

Overall: Approve - Clean, focused PR with a well-motivated security improvement.

Summary

This PR upgrades Node.js from 24.0.1 to 24.14.0 and adds npm 11.10.0 in .tool-versions, then introduces a .npmrc with min-release-age=7 to enforce a 7-day quarantine on package installations. This aligns with the existing Renovate minimumReleaseAge: "7 days" in .github/renovate.json5:65, providing defense-in-depth against supply chain attacks.

Analysis

Code quality: The changes are minimal and well-scoped. The .npmrc file contains a single, clear setting. The .tool-versions format is correct with one tool per line.

CI compatibility: The actions/setup-node action reads node-version-file: .tool-versions and parses the nodejs line — the added npm line does not interfere. The CI matrix runs tests across Node 20.x, 22.x, 24.x, and 25.x, and all completed checks are passing. Older npm versions (shipped with Node 20/22) silently ignore the unrecognized min-release-age config, so there's no breakage.

Security: This is a positive security addition. The min-release-age setting provides a local enforcement layer (at npm install/npm ci time) that complements Renovate's server-side minimumReleaseAge. Even if a developer manually adds a dependency, npm will refuse to install versions published less than 7 days ago.

Minor Considerations

  • Developer experience: If a developer needs to install a very recently published package (e.g., for urgent testing), they'll need to temporarily override this with --min-release-age=0 or modify .npmrc. This is the intended behavior and a reasonable tradeoff, but worth noting for the team.
  • Subdirectory packages: The root .npmrc applies to all npm commands run within the repo tree (including browser/, website/, scripts/), which is the desired behavior for consistent security enforcement.

LGTM.


Reviewed by Claude
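The quarantine described in the PR description and in the review above, as an added example that is not repomix's or npm's own code: it models how a client honouring min-release-age=7 filters registry versions by the publish timestamps in a packument's "time" map, using a constructed packument for a hypothetical package `example-lib` and a fixed clock. The exact-pin behaviour (refusing a too-young version rather than substituting an older one) is modelled here and is not stated on the page.

```javascript
// Added example, not repomix's or npm's code: a model of how an npm client
// configured with min-release-age=7 filters candidate versions by publish time.

const MIN_RELEASE_AGE_DAYS = 7; // the value this PR sets in .npmrc

// Constructed packument for a hypothetical package "example-lib". Real
// packuments also carry non-version keys in "time" such as "created".
const PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '2.1.0' },
  time: {
    created: '2026-01-10T12:00:00.000Z',
    '1.0.0': '2026-01-10T12:00:00.000Z',
    '2.0.0': '2026-02-01T09:30:00.000Z',
    '2.0.1': '2026-02-20T18:00:00.000Z',
    '2.1.0': '2026-03-02T08:00:00.000Z', // one day before the sample clock
  },
};

// Numeric x.y.z comparison (assumption: no prerelease tags in the sample).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Versions published at least minAgeDays before `now`, sorted ascending;
// non-version keys in the time map are skipped.
function eligibleVersions(packument, minAgeDays, now) {
  const cutoff = now.getTime() - minAgeDays * 24 * 60 * 60 * 1000;
  return Object.entries(packument.time)
    .filter(([v, published]) => /^\d+\.\d+\.\d+$/.test(v) && Date.parse(published) <= cutoff)
    .map(([v]) => v)
    .sort(compareVersions);
}

// "latest" under quarantine: the newest eligible version, which may be
// older than dist-tags.latest. Returns null when nothing qualifies.
function resolveLatest(packument, minAgeDays, now) {
  const ok = eligibleVersions(packument, minAgeDays, now);
  return ok.length ? ok[ok.length - 1] : null;
}

// Exact pin under quarantine (modelled behaviour): a too-young version is
// refused (null) rather than silently replaced by an older one.
function resolveExact(packument, version, minAgeDays, now) {
  return eligibleVersions(packument, minAgeDays, now).includes(version) ? version : null;
}
```

With the clock set to the PR's merge date, `resolveLatest` returns 2.0.1 even though dist-tags.latest is 2.1.0, and `resolveExact` for 2.1.0 returns null.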

@yamadashy yamadashy merged commit 64969ca into main Mar 3, 2026
58 checks passed
@yamadashy yamadashy deleted the chore/add-npm-min-release-age branch March 3, 2026 14:07