Bump @types/node from 25.2.0 to 25.2.1

[dependabot]

Bumps @types/node from 25.2.0 to 25.2.1.

Commits

• See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[fossabot]

[fossabot]

Needs Review

I recommend reviewing this upgrade before merging because the project specifies Node.js 20.19.0 as its runtime but is upgrading to type definitions for Node.js 25.x. This mismatch can introduce type errors for APIs that differ between Node.js versions. The project actively uses Node.js APIs including node:fs, process.platform, process.env, and Buffer types. Type definitions should match the Node.js major version in use. Consider either downgrading to @​types/node@​20.x to match the runtime, or upgrading Node.js to 25.x if new features are needed.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 2 fixable issues in this upgrade.

• Downgrade @​types/node from ^25.2.1 to ^20.x to match the project's Node.js 20.19.0 runtime. In package.json, change '"@​types/node": "^25.2.1"' to '"@​types/node": "^20.17.0"' (or latest 20.x patch), then run 'npm install' or 'yarn install'
  Run: npm install @​types/node@^20.17.0 --save-dev
  Files: package.json
• If Node.js 25.x features are actually needed: Update .nvmrc from 'v20.19.0' to 'v25.x.x', update package.json engines from '>= 20.16.0' to '>= 25.0.0', and update .github/workflows/test.yml node-version from '20.x' to '25.x'. This requires team decision on Node.js version strategy.
  Files: .nvmrc and 2 other files

AI Assistant Prompt

Copy prompt for AI assistant

# Fix @​types/node Version Mismatch

## Context
This project runs on Node.js 20.19.0 but has `@​types/node@^25.2.1` installed. Type definitions should match the Node.js major version to avoid type errors for APIs that differ between versions.

## Current State
- **Runtime**: Node.js 20.19.0 (specified in `.nvmrc`, `package.json` engines, and CI workflows)
- **Type Definitions**: `@​types/node@^25.2.1` (mismatched)
- **Node.js APIs in use**: `node:fs`, `process.platform`, `process.env`, `Buffer`

## Required Fix

Downgrade `@​types/node` to match the Node.js 20.x runtime.

### File: `package.json`

Find the `@​types/node` dependency in `devDependencies` and change:
```json
"@​types/node": "^25.2.1"
```
to:
```json
"@​types/node": "^20.17.0"
```

### After editing:
1. Run `npm install` (or `yarn install`) to update the lockfile
2. Verify TypeScript compilation still works with `npm run build` or equivalent

## Why This Fix
Type definitions for Node.js 25.x may include types for APIs not available in Node.js 20.x, which could:
- Allow code that compiles but fails at runtime
- Show incorrect type signatures for APIs that changed between versions

Matching the types to the runtime ensures type safety accurately reflects available APIs.

What we checked

• Project specifies Node.js v20.19.0 as the target runtime version ^[1]
• Package engines require Node.js >= 20.16.0 ^[2]
• Declares @​types/node at ^25.2.1, which provides type definitions for Node.js 25.x ^[3]
• Imports node:fs module which relies on @​types/node for TypeScript definitions ^[4]
• Uses process.platform API which has type definitions from @​types/node ^[5]
• Uses Buffer type for stream handling, which is defined in @​types/node ^[6]
• CI workflow configures Node.js 20.x for linting and builds ^[7]

Dependency Usage

• Project specifies Node.js v20.19.0 as the target runtime version
  

  fossa-action/.nvmrc

  Line 1 in 941bee4

  v20.19.0

• Imports node:fs module which relies on @​types/node for TypeScript definitions
  

  fossa-action/src/download-cli.ts

  Line 4 in 941bee4

  import * as fs from 'node:fs';

View 3 more usages

• Uses process.platform API which has type definitions from @​types/node
  

  fossa-action/src/download-cli.ts

  Line 10 in 941bee4

  switch (process.platform) {

• Uses Buffer type for stream handling, which is defined in @​types/node
  

  fossa-action/src/index.ts

  Line 63 in 941bee4

  const collectOutput = (data: Buffer) => {

• CI workflow configures Node.js 20.x for linting and builds
  

  fossa-action/.github/workflows/test.yml

  Line 15 in 941bee4

  node-version: 20.x

Changes

The @​types/node package adds TypeScript type definitions for five Web API constructor options interfaces: CloseEventInit, ErrorEventInit, EventSourceInit, MessageEventInit, and WebSocketInit. These additions improve type safety when constructing web standard event and connection objects in Node.js applications.

• Added CloseEventInit interface type definition for CloseEvent constructor options (v25.2.1, package source)
• Added ErrorEventInit interface type definition for ErrorEvent constructor options (v25.2.1, package source)
• Added EventSourceInit interface type definition for EventSource constructor options (v25.2.1, package source)

View 3 more changes

• Added MessageEventInit interface type definition for MessageEvent constructor options (v25.2.1, package source)
• Added WebSocketInit interface type definition for WebSocket constructor options (v25.2.1, package source)
• Updated package metadata and content hash (v25.2.1, package source)

References (7)

[1]: Project specifies Node.js v20.19.0 as the target runtime version

fossa-action/.nvmrc

Line 1 in 941bee4

v20.19.0

[2]: Package engines require Node.js >= 20.16.0

fossa-action/package.json

Line 10 in 941bee4

"node": ">= 20.16.0"

[3]: Declares @​types/node at ^25.2.1, which provides type definitions for Node.js 25.x

fossa-action/package.json

Line 21 in 941bee4

"@types/node": "^25.2.1",

[4]: Imports node:fs module which relies on @​types/node for TypeScript definitions

fossa-action/src/download-cli.ts

Line 4 in 941bee4

import * as fs from 'node:fs';

[5]: Uses process.platform API which has type definitions from @​types/node

fossa-action/src/download-cli.ts

Line 10 in 941bee4

switch (process.platform) {

[6]: Uses Buffer type for stream handling, which is defined in @​types/node

fossa-action/src/index.ts

Line 63 in 941bee4

const collectOutput = (data: Buffer) => {

[7]: CI workflow configures Node.js 20.x for linting and builds

fossa-action/.github/workflows/test.yml

Line 15 in 941bee4

node-version: 20.x

---

fossabot analyzed this PR using dependency research. View this analysis on the web

[fossabot]

[fossabot]

Needs Review

I recommend reviewing this upgrade before merging because the static analysis flagged a runtime version mismatch — the project's engine constraint targets Node.js >= 20.16.0, while the upgraded @​types/node package covers type definitions for Node.js versions 22, 24, and 25. Although @​types/node is a pure devDependency with no runtime footprint, upgrading to a type-definition set that exposes newer Node.js APIs increases the risk of accidentally referencing APIs unavailable in Node.js 20 at runtime. Positively, the EdgeBit analysis detected no symbol removals, all package source changes are purely additive (new event-related interface types like CloseEventInit, WebSocketInit, etc.), and the actual Node.js globals used in the codebase (process.env, process.platform, Buffer, fs.createWriteStream) are stable APIs present in all relevant Node versions. The typosquat warning for types-node is for an entirely different package and does not apply here. A quick check that CI passes and no Node.js 25-specific APIs have been introduced is sufficient to clear this upgrade.

Tip: Comment @​fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 2 fixable issues in this upgrade.

• Search all .ts and .tsx files under src/ for usage of Node.js 25-specific APIs that are not available in Node.js 20. Specifically, grep for: 'CloseEventInit', 'WebSocketInit', 'navigator', 'WebSocket' (as a global type), 'crypto.subtle' (if newly typed), or any imports from 'node:sqlite', 'node:sea', or other Node.js 22+ modules. If any are found, replace them with Node.js 20-compatible alternatives or remove them. Run: grep -rn 'CloseEventInit|WebSocketInit|node:sqlite|node:sea|navigator.' src/ OR manually inspect each .ts file in src/ for references to these newer APIs.
  Run: grep -rn 'CloseEventInit\|WebSocketInit\|node:sqlite\|node:sea\|navigator\.' src/
  Files: src/index.ts, src/download-cli.ts
• Verify the project builds and tests pass with the new @​types/node version by running the full build and test suite. Run: npm ci && npm run build && npm test. If compilation fails due to new type incompatibilities, the specific errors will indicate which Node.js 25 types are being inadvertently used. Manual alternative: review the TypeScript compiler output for any errors referencing types introduced after Node.js 20.
  Run: cd . && npm ci && npm run build && npm test
  Files: package.json, tsconfig.json

AI Assistant Prompt

Copy prompt for AI assistant

# Dependency Upgrade Review: @​types/node (PR #269)

## Context
The `@​types/node` package has been upgraded and now includes type definitions for Node.js 22/24/25. Our project targets Node.js `>= 20.16.0` (see `package.json` engines field). While `@​types/node` is a devDependency with no runtime footprint, the new version exposes newer Node.js APIs (like `CloseEventInit`, `WebSocketInit`, `EventSourceInit`, etc.) that don't exist in Node.js 20. We need to verify our code doesn't accidentally use any of these newer APIs.

CI is green, but we want to be thorough.

## Task 1: Grep for Node.js 22+ API usage

Search all `.ts` and `.tsx` files under `src/` for references to APIs introduced after Node.js 20. Specifically check for:

- `CloseEventInit`
- `ErrorEventInit`
- `EventSourceInit`
- `MessageEventInit`
- `WebSocketInit`
- `WebSocket` (as a global type)
- `navigator.` (global navigator object)
- `node:sqlite`
- `node:sea`
- `crypto.subtle` (if newly typed)

Run:
```bash
grep -rn 'CloseEventInit\|ErrorEventInit\|EventSourceInit\|MessageEventInit\|WebSocketInit\|node:sqlite\|node:sea\|navigator\.' src/
```

Key files to inspect:
- `src/index.ts`
- `src/download-cli.ts`

If any matches are found, replace them with Node.js 20-compatible alternatives or remove them.

## Task 2: Verify build and tests pass

Run the full build and test suite to confirm no type incompatibilities:
```bash
npm ci && npm run build && npm test
```

If compilation fails, check the errors for references to types introduced after Node.js 20 and fix accordingly.

## Task 3: Confirm tsconfig.json setup

Review `tsconfig.json` and confirm:
- `typeRoots` includes `node_modules/@​types/`
- `skipLibCheck` is `true`
- Module resolution is `NodeNext`

No changes should be needed here — just confirm the configuration is consistent.

## Expected Outcome
If the grep in Task 1 returns no results and the build in Task 2 succeeds, the upgrade is safe to merge as-is. The codebase only uses stable Node.js APIs (`process.env`, `process.platform`, `Buffer`, `fs.createWriteStream`) that are present in all relevant Node.js versions.

Please report your findings for each task.

What we checked

• New @​types/node version declared as ^25.2.1 in devDependencies, while engines.node (line 11) is >= 20.16.0. The type definitions cover Node.js 25.x APIs, creating a potential gap where Node.js 25-only types could be used but fail at runtime on Node.js 20. ^[1]
• Project engine constraint >= 20.16.0 confirms the runtime target is Node.js 20, two major versions behind the @​types/node v25 type set. ^[2]
• Buffer used as a callback parameter type — a stable, long-standing Node.js global present since Node.js v0.x; no compatibility concern with this upgrade. ^[3]
• process.env.PATH and process.env spread (also line 75, 140, 142) used for environment variable management — stable APIs unaffected by the version delta between Node.js 20 and 25. ^[4]
• import * as fs from 'node:fs' — node: protocol import and fs.createWriteStream (line 65) are stable APIs available in Node.js 20; no risk from this type upgrade. ^[5]
• process.platform used for platform detection (win32, darwin, default) — a stable Node.js global with no changes across Node.js 20–25. ^[6]
• "skipLibCheck": true is set, which suppresses type-checking inside .d.ts files. This reduces the chance of type-level breakage from the upgraded definitions but also means subtle type regressions could go undetected at compile time. ^[7]
• typeRoots explicitly includes ./node_modules/@​types/, confirming @​types/node is globally ambient-loaded. All new interface types (CloseEventInit, WebSocketInit, etc.) added in this upgrade become globally available without imports. ^[8]

Dependency Usage

@​types/node is a foundational TypeScript type definitions package that provides compile-time type safety for Node.js built-in APIs throughout this GitHub Action codebase — while it shows zero explicit import statements (as expected for a pure type declarations package), its types are actively exercised across core source files like src/index.ts and src/download-cli.ts, which rely on Node.js globals such as Buffer, process.env, and process.platform for environment variable management, platform detection, and CLI output streaming. The tsconfig.json explicitly configures typeRoots to include node_modules/@​types/, confirming that @​types/node is globally ambient-loaded to support the project's NodeNext module resolution strategy. Without this package, the TypeScript compiler would fail to type-check all Node.js runtime interactions that underpin the action's core business logic: downloading the FOSSA CLI binary and orchestrating its execution.

• Buffer used as a callback parameter type — a stable, long-standing Node.js global present since Node.js v0.x; no compatibility concern with this upgrade.
  src/index.ts:63
• process.env.PATH and process.env spread (also line 75, 140, 142) used for environment variable management — stable APIs unaffected by the version delta between Node.js 20 and 25.
  src/index.ts:73

View 2 more usages

• import * as fs from 'node:fs' — node: protocol import and fs.createWriteStream (line 65) are stable APIs available in Node.js 20; no risk from this type upgrade.
  src/download-cli.ts:4
• process.platform used for platform detection (win32, darwin, default) — a stable Node.js global with no changes across Node.js 20–25.
  src/download-cli.ts:10

Changes

@​types/node was updated to add new Init interface type definitions for Web API constructors: CloseEventInit, ErrorEventInit, EventSourceInit, MessageEventInit, and WebSocketInit. These additions improve TypeScript type coverage for browser-compatible APIs available in Node.js.

• Added CloseEventInit interface type definition for CloseEvent constructor options (v25.2.1, package source)
• Added ErrorEventInit interface type definition for ErrorEvent constructor options (v25.2.1, package source)
• Added EventSourceInit interface type definition for EventSource constructor options (v25.2.1, package source)

View 3 more changes

• Added MessageEventInit interface type definition for MessageEvent constructor options (v25.2.1, package source)
• Added WebSocketInit interface type definition for WebSocket constructor options (v25.2.1, package source)
• Updated package metadata and content hash (v25.2.1, package source)

References (8)

[1]: New @​types/node version declared as ^25.2.1 in devDependencies, while engines.node (line 11) is >= 20.16.0. The type definitions cover Node.js 25.x APIs, creating a potential gap where Node.js 25-only types could be used but fail at runtime on Node.js 20.

fossa-action/package.json

Line 22 in 2c97ad1

"@types/node": "^25.2.1",

[2]: Project engine constraint >= 20.16.0 confirms the runtime target is Node.js 20, two major versions behind the @​types/node v25 type set.

fossa-action/package.json

Line 11 in 2c97ad1

"node": ">= 20.16.0"

[3]: Buffer used as a callback parameter type — a stable, long-standing Node.js global present since Node.js v0.x; no compatibility concern with this upgrade.

fossa-action/src/index.ts

Line 63 in 2c97ad1

const collectOutput = (data: Buffer) => {

[4]: process.env.PATH and process.env spread (also line 75, 140, 142) used for environment variable management — stable APIs unaffected by the version delta between Node.js 20 and 25.

fossa-action/src/index.ts

Line 73 in 2c97ad1

const PATH = process.env.PATH || '';

[5]: import * as fs from 'node:fs' — node: protocol import and fs.createWriteStream (line 65) are stable APIs available in Node.js 20; no risk from this type upgrade.

fossa-action/src/download-cli.ts

Line 4 in 2c97ad1

import * as fs from 'node:fs';

[6]: process.platform used for platform detection (win32, darwin, default) — a stable Node.js global with no changes across Node.js 20–25.

fossa-action/src/download-cli.ts

Line 10 in 2c97ad1

switch (process.platform) {

[7]: "skipLibCheck": true is set, which suppresses type-checking inside .d.ts files. This reduces the chance of type-level breakage from the upgraded definitions but also means subtle type regressions could go undetected at compile time.

fossa-action/tsconfig.json

Line 23 in 2c97ad1

"skipLibCheck": true, // Disables typechecking in `*.d.ts` files. TODO(leo): Remove this after `github` upgrade.

[8]: typeRoots explicitly includes ./node_modules/@​types/, confirming @​types/node is globally ambient-loaded. All new interface types (CloseEventInit, WebSocketInit, etc.) added in this upgrade become globally available without imports.

fossa-action/tsconfig.json

Line 39 in 2c97ad1

"typeRoots": [

---

fossabot analyzed this PR using dependency research. View this analysis on the web

[fossabot]

[fossabot]

✓ Safe to upgrade

I recommend merging this upgrade because the changes are entirely additive, introducing only new interface type definitions (CloseEventInit, ErrorEventInit, EventSourceInit, MessageEventInit, WebSocketInit) with no breaking changes detected by static analysis. The codebase relies exclusively on foundational, long-stable Node.js APIs — Buffer, process.env, process.platform, and the fs module — all of which are well-supported in the project's declared Node.js runtime range (>= 20.16.0). The reported runtime version note ('new dependencies require 20') is fully satisfied by the project's current Node versions (20.16.0, 20.19.0). Notably, the malicious package advisory referenced in context targets types-node (an unscoped typosquatting package), which is entirely unrelated to the legitimate @​types/node scoped package being upgraded here.

What we checked

• Dependency declared as "@​types/node": "^25.2.1" in devDependencies, confirming it is a type-only development dependency with no runtime impact ^[1]
• Lock file resolves @​types/node@^25.2.1 to exactly version 25.2.1, confirming the pinned upgrade target ^[2]
• Buffer used as a type annotation for subprocess output callbacks — a stable core Node.js global available in all Node 20.x versions, unaffected by this upgrade ^[3]
• process.env.PATH and process.env spread used for environment variable injection — fundamental Node.js globals available in all Node 20.x versions, no type changes expected ^[4]
• import * as fs from 'node:fs' uses the fs module for createWriteStream — a stable API available across all Node 20.x versions, fully covered by existing type definitions ^[5]
• process.platform used for OS-specific binary selection — a stable, long-standing Node.js API, not affected by this type definition upgrade ^[6]
• engines field declares ">= 20.16.0". The type definitions target Node 25 APIs, but no Node 25-specific APIs are used in the codebase, making the version gap between type definitions and runtime benign ^[7]

Dependency Usage

@​types/node is a TypeScript type definition package with no direct runtime imports, but it provides essential type support actively used across the codebase. In src/index.ts and src/download-cli.ts, the application relies on core Node.js globals and APIs — including Buffer for streaming subprocess output, process.env for environment variable access (such as injecting FOSSA_API_KEY and PATH), process.platform for OS-specific binary selection, and the fs module for file system operations during CLI download. Without @​types/node, TypeScript compilation would fail for these foundational Node.js interactions that underpin the action's CLI orchestration and environment configuration logic.

• Buffer used as a type annotation for subprocess output callbacks — a stable core Node.js global available in all Node 20.x versions, unaffected by this upgrade
  src/index.ts:63
• process.env.PATH and process.env spread used for environment variable injection — fundamental Node.js globals available in all Node 20.x versions, no type changes expected
  src/index.ts:73

View 2 more usages

• import * as fs from 'node:fs' uses the fs module for createWriteStream — a stable API available across all Node 20.x versions, fully covered by existing type definitions
  src/download-cli.ts:4
• process.platform used for OS-specific binary selection — a stable, long-standing Node.js API, not affected by this type definition upgrade
  src/download-cli.ts:10

Changes

@​types/node was updated to add new Init interface type definitions for Web API constructors — CloseEventInit, ErrorEventInit, EventSourceInit, MessageEventInit, and WebSocketInit — providing proper TypeScript typing for options passed to these constructors.

• Added CloseEventInit interface type definition for CloseEvent constructor options (v25.2.1, package source)
• Added ErrorEventInit interface type definition for ErrorEvent constructor options (v25.2.1, package source)
• Added EventSourceInit interface type definition for EventSource constructor options (v25.2.1, package source)

View 3 more changes

• Added MessageEventInit interface type definition for MessageEvent constructor options (v25.2.1, package source)
• Added WebSocketInit interface type definition for WebSocket constructor options (v25.2.1, package source)
• Updated package metadata and content hash (v25.2.1, package source)

References (7)

[1]: Dependency declared as "@​types/node": "^25.2.1" in devDependencies, confirming it is a type-only development dependency with no runtime impact

fossa-action/package.json

Line 22 in 2a743ae

"@types/node": "^25.2.1",

[2]: Lock file resolves @​types/node@^25.2.1 to exactly version 25.2.1, confirming the pinned upgrade target

fossa-action/yarn.lock

Line 169 in 2a743ae

"@types/node@^25.2.1":

[3]: Buffer used as a type annotation for subprocess output callbacks — a stable core Node.js global available in all Node 20.x versions, unaffected by this upgrade

fossa-action/src/index.ts

Line 63 in 2a743ae

const collectOutput = (data: Buffer) => {

[4]: process.env.PATH and process.env spread used for environment variable injection — fundamental Node.js globals available in all Node 20.x versions, no type changes expected

fossa-action/src/index.ts

Line 73 in 2a743ae

const PATH = process.env.PATH || '';

[5]: import * as fs from 'node:fs' uses the fs module for createWriteStream — a stable API available across all Node 20.x versions, fully covered by existing type definitions

fossa-action/src/download-cli.ts

Line 4 in 2a743ae

import * as fs from 'node:fs';

[6]: process.platform used for OS-specific binary selection — a stable, long-standing Node.js API, not affected by this type definition upgrade

fossa-action/src/download-cli.ts

Line 10 in 2a743ae

switch (process.platform) {

[7]: engines field declares ">= 20.16.0". The type definitions target Node 25 APIs, but no Node 25-specific APIs are used in the codebase, making the version gap between type definitions and runtime benign

fossa-action/package.json

Line 11 in 2a743ae

"node": ">= 20.16.0"

---

fossabot analyzed this PR using dependency research. View this analysis on the web