chore(deps): update node.js to v24.15.0

[renovate]

This PR contains the following updates:

Package	Update	Change
node (source)	minor	24.13.0 → 24.15.0

---

Release Notes

nodejs/node (node)

v24.15.0

Compare Source

v24.14.1

Compare Source

v24.14.0

Compare Source

v24.13.1

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
  • Only on Sunday and Saturday (* * * * 0,6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Jump: Node.js 24.13.0 → 24.15.0 (across 4 intermediate releases: 24.13.1, 24.14.0, 24.14.1, 24.15.0)

Security Fixes in 24.14.1:

• CVE-2026-21710 (High): HTTP header handling vulnerability - null prototype for headersDistinct/trailersDistinct
• CVE-2026-21637 (High): TLS SNICallback exception handling improvements
• CVE-2026-21717 (Medium): Array index hash collision testing
• CVE-2026-21713 (Medium): Web Cryptography timing-safe comparison in HMAC/KMAC
• CVE-2026-21714 (Medium): HTTP/2 flow control error handling
• CVE-2026-21712 (Medium): URL parsing crash prevention
• CVE-2026-21716 (Low): Permission verification for filesystem promises
• CVE-2026-21715 (Low): Permission checks for native realpath operations

Notable Features in 24.14.0:

• AsyncHooks trackPromises option for promise lifecycle monitoring
• New ignore option for fs.watch()
• HTTP setGlobalProxyFromEnv() function
• SQLite defensive mode enabled by default
• Stream enhancements with bytes() method

Notable Features in 24.15.0:

• require(esm) marked as stable
• Module compile cache marked as stable
• SQLite marked as release candidate
• New CLI options: --max-heap-size, --require-module/--no-require-module
• Root certificates updated to NSS 3.121
• Performance optimizations for Buffer operations and WebCrypto

Dependency Updates Across Releases:

• npm: 11.8.0 → 11.12.1
• SQLite: 3.51.2 → 3.52.0
• OpenSSL: 3.5.5 (maintained)
• Multiple security and stability patches

Breaking Changes: None identified. All changes maintain backward compatibility within the Node.js 24.x LTS ("Krypton") line.

🎯 Impact Scope Investigation

Configuration Impact:

• Modified file: mise.toml only (line 3: node = "24.13.0" → node = "24.15.0")
• CI/CD: Uses mise-action for tool installation - will automatically use updated version from mise.toml
• No hardcoded version constraints: CI workflows use mise for version management

Code Usage Analysis:

• Runtime requirement: package.json specifies "engines": { "node": ">=18" } - fully compatible
• TypeScript target: ES2022 with NodeNext module resolution - no Node.js version-specific features
• API usage: Code uses only standard Web APIs (fetch, Response, Request) via globalThis.fetch
• No Node.js built-ins: No imports of Node.js core modules (node:fs, node:path, etc.)
• Test framework: Vitest 4.0.18 - compatible with Node.js 24.x
• Build tool: Bun 1.3.5 - independent of Node.js version for SDK functionality

Dependency Compatibility:
All devDependencies verified compatible with Node.js 24.15.0:

• @biomejs/biome@2.3.13 - supports Node.js 18+
• @types/node@22.19.11 - type definitions (no runtime impact)
• typescript@5.9.3 - supports all Node.js LTS versions
• vitest@4.0.18 - supports Node.js 18+
• husky@9.1.7, lint-staged@16.2.7 - standard tooling, version-agnostic

No Usage of Updated Features:
The codebase does not use any Node.js-specific APIs that were changed or enhanced in these releases (HTTP/2, fs.watch, SQLite, AsyncHooks, etc.). The SDK is runtime-agnostic, relying solely on Web Standard APIs.

💡 Recommended Actions

Immediate Actions:

1. ✅ Merge this PR - The update is safe and provides important security fixes
2. ✅ No code changes required - The SDK uses only standard Web APIs
3. ✅ No migration needed - Full backward compatibility maintained

Post-Merge Verification (automated via CI):

1. Run bun run build - Verify TypeScript compilation succeeds
2. Run bun test - Verify all tests pass with new Node.js version
3. Run bun run lint - Verify Biome linting succeeds

Benefits of Merging:

• Security: Patches 8 CVEs including 2 high-severity vulnerabilities
• Stability: Numerous bug fixes for HTTP keep-alive, streams, and zlib
• Performance: Optimizations for Buffer operations and WebCrypto
• Dependencies: Updated npm, SQLite, and root certificates
• Future-proofing: Stable require(esm) and module compile cache

No Breaking Changes: The update stays within the Node.js 24.x LTS line with full backward compatibility. The project's minimum version requirement (node >= 18) remains satisfied.

🔗 Reference Links

• Node.js v24.15.0 Release
• Node.js v24.14.1 Security Release
• Node.js v24.14.0 Release
• Node.js v24.13.1 Release
• mise Tool Management
• Pull Request #23

Generated by koki-develop/claude-renovate-review