chore: update engine dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update	Pending
@types/node (source)	22.17.2 -> 22.19.0					devDependencies	minor
node (source)	22.20.0 -> 22.21.1						minor
pnpm (source)	10.18.0 -> 10.20.0					packageManager	minor	10.21.0

---

Release Notes

nodejs/node (node)

v22.21.1: 2025-10-28, Version 22.21.1 'Jod' (LTS), @​aduh95

Compare Source

Commits

• [af33e8e668] - benchmark: remove unused variable from util/priority-queue (Bruno Rodrigues) #​59872
• [6764ce8756] - benchmark: update count to n in permission startup (Bruno Rodrigues) #​59872
• [4e8d99f0dc] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #​59872
• [af0a8ba7f8] - benchmark: adjust dgram offset-length len values (Bruno Rodrigues) #​59708
• [78efd1be4a] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #​59708
• [df72dc96e9] - console,util: improve array inspection performance (Ruben Bridgewater) #​60037
• [ef67d09f50] - http: improve writeEarlyHints by avoiding for-of loop (Haram Jeong) #​59958
• [23468fd76b] - http2: fix allowHttp1+Upgrade, broken by shouldUpgradeCallback (Tim Perry) #​59924
• [56abc4ac76] - lib: optimize priority queue (Gürgün Dayıoğlu) #​60039
• [ea5cfd98c5] - lib: implement passive listener behavior per spec (BCD1me) #​59995
• [c2dd6eed2f] - process: fix wrong asyncContext under unhandled-rejections=strict (Shima Ryuhei) #​60103
• [81a3055710] - process: fix default env for process.execve (Richard Lau) #​60029
• [fe492c7ace] - process: fix hrtime fast call signatures (Renegade334) #​59600
• [76b4cab8fc] - src: bring permissions macros in line with general C/C++ standards (Anna Henningsen) #​60053
• [21970970c7] - src: remove AnalyzeTemporaryDtors option from .clang-tidy (iknoom) #​60008
• [609c063e81] - src: remove unused variables from report (Moonki Choi) #​60047
• [987841a773] - src: avoid unnecessary string allocations in SPrintF impl (Anna Henningsen) #​60052
• [6e386c0632] - src: make ToLower/ToUpper input args more flexible (Anna Henningsen) #​60052
• [c3be1226c7] - src: allow std::string_view arguments to SPrintF() and friends (Anna Henningsen) #​60058
• [764d35647d] - src: remove unnecessary std::string error messages (Anna Henningsen) #​60057
• [1289ef89ec] - src: remove unnecessary shadowed functions on Utf8Value & BufferValue (Anna Henningsen) #​60056
• [d1fb8a538d] - src: avoid unnecessary string -> char* -> string round trips (Anna Henningsen) #​60055
• [54b439fb5a] - src: fill options_args, options_env after vectors are finalized (iknoom) #​59945
• [c7c597e2ca] - src: use RAII for uv_process_options_t (iknoom) #​59945
• [b928ea9716] - test: ensure that the message event is fired (Luigi Pinca) #​59952
• [e4b95a5158] - test: replace diagnostics_channel stackframe in output snapshots (Chengzhong Wu) #​60024
• [4206406694] - test: mark test-web-locks skip on IBM i (SRAVANI GUNDEPALLI) #​59996
• [26394cd5bf] - test: expand tls-check-server-identity coverage (Diango Gavidia) #​60002
• [b58df47995] - test: fix typo of test-benchmark-readline.js (Deokjin Kim) #​59993
• [af3a59dba8] - test: verify tracing channel doesn't swallow unhandledRejection (Gerhard Stöbich) #​59974
• [cee362242b] - timers: fix binding fast call signatures (Renegade334) #​59600
• [40fea57fdd] - tools: add message on auto-fixing js lint issues in gh workflow (Dario Piotrowicz) #​59128
• [aac90d351b] - tools: verify signatures when updating nghttp* (Antoine du Hamel) #​60113
• [9fae03c7d9] - tools: use dependabot cooldown and move tools/doc (Rafael Gonzaga) #​59978
• [81548abdf6] - wasi: fix WasiFunction fast call signature (Renegade334) #​59600

v22.21.0: 2025-10-20, Version 22.21.0 'Jod' (LTS), @​aduh95

Compare Source

Notable Changes

• [1486fedea1] - (SEMVER-MINOR) cli: add --use-env-proxy (Joyee Cheung) #​59151
• [bedaaa11fc] - (SEMVER-MINOR) http: support http proxy for fetch under NODE_USE_ENV_PROXY (Joyee Cheung) #​57165
• [af8b5fa29d] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
• [42102594b1] - (SEMVER-MINOR) http,https: add built-in proxy support in http/https.request and Agent (Joyee Cheung) #​58980
• [686ac49b82] - (SEMVER-MINOR) src: add percentage support to --max-old-space-size (Asaf Federman) #​59082

Commits

• [a71dd592e3] - benchmark: calibrate config dgram multi-buffer (Bruno Rodrigues) #​59696
• [16c4b466f4] - benchmark: calibrate config cluster/echo.js (Nam Yooseong) #​59836
• [53cb9f3b6c] - build: add the missing macro definitions for OpenHarmony (hqzing) #​59804
• [ec5290fe01] - build: do not include custom ESLint rules testing in tarball (Antoine du Hamel) #​59809
• [1486fedea1] - (SEMVER-MINOR) cli: add --use-env-proxy (Joyee Cheung) #​59151
• [1f93913446] - crypto: use return await when returning Promises from async functions (Renegade334) #​59841
• [f488b2ff73] - crypto: use async functions for non-stub Promise-returning functions (Renegade334) #​59841
• [aed9fd5ac4] - crypto: avoid calls to promise.catch() (Renegade334) #​59841
• [37c2d186f0] - deps: update amaro to 1.1.4 (pmarchini) #​60044
• [28aea13419] - deps: update archs files for openssl-3.5.4 (Node.js GitHub Bot) #​60101
• [ddbc1aa0bb] - deps: upgrade openssl sources to openssl-3.5.4 (Node.js GitHub Bot) #​60101
• [badbba2da9] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #​59955
• [48aaf98a08] - deps: update archs files for openssl-3.5.3 (Node.js GitHub Bot) #​59901
• [e02a562ea6] - deps: upgrade openssl sources to openssl-3.5.3 (Node.js GitHub Bot) #​59901
• [7e0e86cb92] - deps: upgrade npm to 10.9.4 (npm team) #​60074
• [91dda5facf] - deps: update undici to 6.22.0 (Matteo Collina) #​60112
• [3a3220a2f0] - dgram: restore buffer optimization in fixBufferList (Yoo) #​59934
• [09bdcce6b8] - diagnostics_channel: fix race condition with diagnostics_channel and GC (Ugaitz Urien) #​59910
• [b3eeb3bd13] - doc: provide alternative to url.parse() using WHATWG URL (Steven) #​59736
• [1ddaab1904] - doc: mention reverse proxy and include simple example (Steven) #​59736
• [3b3b71e99c] - doc: mark .env files support as stable (Santeri Hiltunen) #​59925
• [d37f67d1bd] - doc: remove optional title prefixes (Aviv Keller) #​60087
• [ca2dff63f9] - doc: fix typo on child_process.md (Angelo Gazzola) #​60114
• [3fca564a05] - doc: add automated migration info to deprecations (Augustin Mauroy) #​60022
• [4bc366fc16] - doc: use "WebAssembly" instead of "Web Assembly" (Tobias Nießen) #​59954
• [4808dbdd9a] - doc: fix typo in section on microtask order (Tobias Nießen) #​59932
• [d6e303d645] - doc: update V8 fast API guidance (René) #​58999
• [0a3a3f729e] - doc: add security escalation policy (Ulises Gascón) #​59806
• [8fd669c70d] - doc: type improvement of file http.md (yusheng chen) #​58189
• [9833dc6060] - doc: rephrase dynamic import() description (Nam Yooseong) #​59224
• [2870a73681] - doc,crypto: update subtle.generateKey and subtle.importKey (Filip Skokan) #​59851
• [85818db93c] - fs,win: do not add a second trailing slash in readdir (Gerhard Stöbich) #​59847
• [bedaaa11fc] - (SEMVER-MINOR) http: support http proxy for fetch under NODE_USE_ENV_PROXY (Joyee Cheung) #​57165
• [af8b5fa29d] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
• [758271ae66] - http: optimize checkIsHttpToken for short strings (방진혁) #​59832
• [42102594b1] - (SEMVER-MINOR) http,https: add built-in proxy support in http/https.request and Agent (Joyee Cheung) #​58980
• [a33ed9bf96] - inspector: ensure adequate memory allocation for Binary::toBase64 (René) #​59870
• [34c686be2b] - lib: update inspect output format for subclasses (Miguel Marcondes Filho) #​59687
• [12e553529c] - lib: add source map support for assert messages (Chengzhong Wu) #​59751
• [d2a70571f8] - lib,src: refactor assert to load error source from memory (Chengzhong Wu) #​59751
• [20a9e86b5d] - meta: move Michael to emeritus (Michael Dawson) #​60070
• [c591cca15c] - meta: bump github/codeql-action from 3.30.0 to 3.30.5 (dependabot[bot]) #​60089
• [090ba141b1] - meta: bump codecov/codecov-action from 5.5.0 to 5.5.1 (dependabot[bot]) #​60091
• [a0ba6884a5] - meta: bump actions/stale from 9.1.0 to 10.0.0 (dependabot[bot]) #​60092
• [0feca0c541] - meta: bump actions/setup-node from 4.4.0 to 5.0.0 (dependabot[bot]) #​60093
• [7cd2b42d18] - meta: bump step-security/harden-runner from 2.12.2 to 2.13.1 (dependabot[bot]) #​60094
• [1f3b9d66ac] - meta: bump actions/cache from 4.2.4 to 4.3.0 (dependabot[bot]) #​60095
• [0fedbb3de7] - meta: bump ossf/scorecard-action from 2.4.2 to 2.4.3 (dependabot[bot]) #​60096
• [04590b8267] - meta: bump actions/setup-python from 5.6.0 to 6.0.0 (dependabot[bot]) #​60090
• [2bf0a9318f] - meta: add .npmrc with ignore-scripts=true (Joyee Cheung) #​59914
• [e10dc7b81c] - module: allow overriding linked requests for a ModuleWrap (Chengzhong Wu) #​59527
• [2237142369] - module: link module with a module request record (Chengzhong Wu) #​58886
• [6d24b88fbc] - node-api: added SharedArrayBuffer api (Mert Can Altin) #​59071
• [4cc84c96f4] - node-api: make napi_delete_reference use node_api_basic_env (Jeetu Suthar) #​59684
• [e790eb6b50] - repl: fix cpu overhead pasting big strings to the REPL (Ruben Bridgewater) #​59857
• [99ea08dc43] - repl: add isValidParentheses check before wrap input (Xuguang Mei) #​59607
• [e4a4f63019] - sqlite: fix crash session extension callbacks with workers (Bart Louwers) #​59848
• [42c5544b97] - src: assert memory calc for max-old-space-size-percentage (Asaf Federman) #​59460
• [686ac49b82] - (SEMVER-MINOR) src: add percentage support to --max-old-space-size (Asaf Federman) #​59082
• [84701ff668] - src: clear all linked module caches once instantiated (Chengzhong Wu) #​59117
• [8e182e561f] - src: remove unnecessary Environment::GetCurrent() calls (Moonki Choi) #​59814
• [c9cde35c4d] - src: simplify is_callable by making it a concept (Tobias Nießen) #​58169
• [892b425ee1] - src: rename private fields to follow naming convention (Moonki Choi) #​59923
• [36b68db7f5] - src: reduce the nearest parent package JSON cache size (Michael Smith) #​59888
• [26b40bad02] - src: replace FIXED_ONE_BYTE_STRING with Environment-cached strings (Moonki Choi) #​59891
• [34dcb7dc32] - src: create strings in FIXED_ONE_BYTE_STRING as internalized (Anna Henningsen) #​59826
• [4d748add05] - src: remove std::array overload of FIXED_ONE_BYTE_STRING (Anna Henningsen) #​59826
• [bb6fd7c2d1] - src: ensure v8::Eternal is empty before setting it (Anna Henningsen) #​59825
• [7a91282bf9] - src: use simdjson::pad (0hm☘️) #​59391
• [ba00875f01] - stream: use new AsyncResource instead of bind (Matteo Collina) #​59867
• [ebec3ef68b] - (SEMVER-MINOR) test: move http proxy tests to test/client-proxy (Joyee Cheung) #​58980
• [7067d79fb3] - test: mark sea tests flaky on macOS x64 (Richard Lau) #​60068
• [ca1942c9d5] - test: testcase demonstrating issue 59541 (Eric Rannaud) #​59801
• [660d57355e] - test,doc: skip --max-old-space-size-percentage on 32-bit platforms (Asaf Federman) #​60144
• [19a7b1ef26] - tls: load bundled and extra certificates off-thread (Joyee Cheung) #​59856
• [095e7a81fc] - tls: only do off-thread certificate loading on loading tls (Joyee Cheung) #​59856
• [c42c1204c7] - tools: fix tools/make-v8.sh for clang (Richard Lau) #​59893
• [b632a1d98d] - tools: skip test-internet workflow for draft PRs (Michaël Zasso) #​59817
• [6021c3ac76] - tools: copyedit build-tarball.yml (Antoine du Hamel) #​59808
• [ef005d0c9b] - typings: update 'types' binding (René) #​59692
• [28ef564ecd] - typings: remove unused imports (Nam Yooseong) #​59880
• [f88752ddb6] - url: replaced slice with at (Mikhail) #​59181
• [24c224960c] - url: add type checking to urlToHttpOptions() (simon-id) #​59753
• [f2fbcc576d] - util: fix debuglog.enabled not being present with callback logger (Ruben Bridgewater) #​59858
• [6277058e43] - vm: sync-ify SourceTextModule linkage (Chengzhong Wu) #​59000
• [5bf21a4309] - vm: explain how to share promises between contexts w/ afterEvaluate (Eric Rannaud) #​59801
• [312b33a083] - vm: "afterEvaluate", evaluate() return a promise from the outer context (Eric Rannaud) #​59801
• [1eadab863c] - win,tools: add description to signature (Martin Costello) #​59877
• [816e1befb1] - zlib: reduce code duplication (jhofstee) #​57810

pnpm/pnpm (pnpm)

v10.20.0

Compare Source

Minor Changes

• Support --all option in pnpm --help to list all commands #​8628.

Patch Changes

• When the latest version doesn't satisfy the maturity requirement configured by minimumReleaseAge, pick the highest version that is mature enough, even if it has a different major version #​10100.
• create command should not verify patch info.
• Set managePackageManagerVersions to false, when switching to a different version of pnpm CLI, in order to avoid subsequent switches #​10063.

v10.19.0

Compare Source

Minor Changes

• You can now allow specific versions of dependencies to run postinstall scripts. onlyBuiltDependencies now accepts package names with lists of trusted versions. For example:

  onlyBuiltDependencies:
    - nx@21.6.4 || 21.6.5
    - esbuild@0.25.1

  Related PR: #​10104.

• Added support for exact versions in minimumReleaseAgeExclude #​9985.

  You can now list one or more specific versions that pnpm should allow to install, even if those versions don’t satisfy the maturity requirement set by minimumReleaseAge. For example:

  minimumReleaseAge: 1440
  minimumReleaseAgeExclude:
    - nx@21.6.5
    - webpack@4.47.0 || 5.102.1

v10.18.3

Compare Source

Patch Changes

• Fix a bug where pnpm would infinitely recurse when using verifyDepsBeforeInstall: install and pre/post install scripts that called other pnpm scripts #​10060.
• Fixed scoped registry keys (e.g., @scope:registry) being parsed as property paths in pnpm config get when --location=project is used #​9362.
• Remove pnpm-specific CLI options before passing to npm publish to prevent "Unknown cli config" warnings #​9646.
• Fixed EISDIR error when bin field points to a directory #​9441.
• Preserve version and hasBin for variations packages #​10022.
• Fixed pnpm config set --location=project incorrectly handling keys with slashes (auth tokens, registry settings) #​9884.
• When both pnpm-workspace.yaml and .npmrc exist, pnpm config set --location=project now writes to pnpm-workspace.yaml (matching read priority) #​10072.
• Prevent a table width error in pnpm outdated --long #​10040.
• Sync bin links after injected dependencies are updated by build scripts. This ensures that binaries created during build processes are properly linked and accessible to consuming projects #​10057.

v10.18.2

Compare Source

Patch Changes

• pnpm outdated --long should work #​10040.
• Replace ndjson with split2. Reduce the bundle size of pnpm CLI #​10054.
• pnpm dlx should request the full metadata of packages, when minimumReleaseAge is set #​9963.
• pnpm version switching should work when the pnpm home directory is in a symlinked directory #​9715.
• Fix EPIPE errors when piping output to other commands #​10027.

v10.18.1

Compare Source

Patch Changes

• Don't print a warning, when --lockfile-only is used #​8320.
• pnpm setup creates a command shim to the pnpm executable. This is needed to be able to run pnpm self-update on Windows #​5700.
• When using pnpm catalogs and running a normal pnpm install, pnpm produced false positive warnings for "skip adding to the default catalog because it already exists". This warning now only prints when using pnpm add --save-catalog as originally intended.

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

🦋 Changeset detected

Latest commit: fffbcfb

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@adbayb/stack	Minor
@adbayb/create	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR