fix(deps): update node.js to v24.14.1#36

Merged
koki-develop merged 1 commit into main from renovate/node-24.x on Apr 17, 2026

Conversation

@renovate renovate Bot (Contributor) commented Apr 17, 2026

This PR contains the following updates:

  • node (source): patch update, 24.14.0 → 24.14.1 (pending: v24.15.0)
  • @types/node (source): devDependencies, patch update, 24.12.0 → 24.12.2

Release Notes

nodejs/node (node)

v24.14.1

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Node.js v24.14.1 (March 24, 2026 Security Release)

This is a critical security release addressing 9 CVEs with no breaking changes or new features:

High Severity (2 CVEs):

  • CVE-2026-21637: TLS SNICallback crash vulnerability - Fixed incomplete error handling in loadSNI() that could cause remote DoS on TLS servers when SNICallback throws synchronous exceptions
  • CVE-2026-21710: HTTP __proto__ header DoS - Fixed uncaught TypeError when accessing req.headersDistinct with __proto__ header name, preventing server crashes

Medium Severity (5 CVEs):

  • CVE-2026-21712: URL parsing crash - Fixed assertion failures with malformed internationalized domain names (IDN) in url.format()
  • CVE-2026-21713: Timing side-channel in HMAC - Implemented constant-time comparison for Web Cryptography HMAC/KMAC operations to prevent timing oracle attacks
  • CVE-2026-21714: HTTP/2 memory leak - Fixed resource exhaustion from malformed WINDOW_UPDATE frames on stream 0
  • CVE-2026-21717: HashDoS in V8 - Mitigated hash collision attacks by improving V8's string hashing mechanism for integer-like strings

Low Severity (2 CVEs):

  • CVE-2026-21716: Permission Model bypass in fs/promises - Added permission checks to FileHandle.chmod() and FileHandle.chown()
  • CVE-2026-21715: Permission Model bypass in realpath - Added permission verification to fs.realpathSync.native()

Dependency Updates:

  • undici: 7.22.0 → 7.24.4 (security updates)
  • npm: 11.10.1 → 11.11.0

@types/node v24.12.2

Minor patch update to the TypeScript type definitions; it typically includes:

  • Type signature refinements for Node.js APIs
  • Compatibility updates with Node.js v24.14.x
  • No runtime impact (dev dependency only)

🎯 Impact Scope Investigation

1. Node.js Runtime Usage

The codebase uses Node.js in two contexts:

  • Dockerfile (Line 34): Node.js v24.14.0 → v24.14.1 installed via mise for sandbox runtime execution
    • Used for RuntimeNode (node:178-179) - executes user-submitted JavaScript files
    • Used for RuntimeNodeTypeScript (node:547-561) - compiles TypeScript and executes resulting JavaScript

2. TypeScript Compilation

  • package.json/package-lock.json: @types/node v24.12.0 → v24.12.2 for TypeScript runtime
    • Located at internal/sandbox/defaults/node-typescript/
    • Pre-installed in Docker image at /mise/ts-node-modules/ (Dockerfile:38-39)
    • Mounted read-only during TypeScript compilation (runtime.go:567)

3. No Direct Codebase Dependencies

  • The sandbox service is written in Go (not JavaScript/TypeScript)
  • Node.js is only used as a sandboxed runtime for executing user code via nsjail
  • No application code imports or depends on Node.js APIs directly
  • Runtime path references are hardcoded: /mise/installs/node/current/bin/node (runtime.go:179, 549, 561)

4. Security Relevance

The sandbox directly benefits from these security fixes:

  • CVE-2026-21710 (HTTP headers): Prevents malicious user code from crashing the Node.js runtime via __proto__ header exploitation
  • CVE-2026-21712 (URL parsing): Prevents user code from crashing Node.js via malformed URLs
  • CVE-2026-21717 (HashDoS): Mitigates performance degradation attacks via JSON.parse with crafted input
  • CVE-2026-21713 (HMAC timing): Hardens cryptographic operations in user code
  • CVE-2026-21716/21715 (Permission bypass): Strengthens Node.js permission model (though sandbox relies on nsjail, not Node.js permissions)

5. Testing Coverage

E2E test suite covers Node.js runtimes:

  • e2e/tests/runtime/node.yml - Tests RuntimeNode
  • e2e/tests/runtime/node-typescript.yml - Tests RuntimeNodeTypeScript
  • CI runs E2E tests on both ubuntu-latest (x64) and ubuntu-24.04-arm (arm64)

6. Other Dependencies

No impact on:

  • Go runtime (v1.26.2)
  • Ruby, Python, Rust, Bash runtimes
  • nsjail configuration
  • API handlers or middleware

💡 Recommended Actions

✅ Merge Immediately

This PR is safe to merge without any code modifications:

  1. No Breaking Changes: Patch version bump with 100% backward compatibility
  2. Security Critical: Fixes 2 high-severity and 7 medium/low-severity CVEs affecting the sandbox runtime
  3. No API Changes: Node.js CLI interface and runtime behavior unchanged
  4. Type Definitions: @types/node patch update has no runtime impact
  5. Automated Testing: CI will validate the update via:
    • Docker build (ensures Node.js v24.14.1 installs correctly via mise)
    • Unit tests (Go code)
    • E2E tests (validates Node.js and TypeScript runtimes execute correctly)

Post-Merge Verification

After merging, monitor CI results:

  • ✅ Build job completes successfully
  • ✅ E2E tests pass on both amd64 and arm64 architectures
  • ✅ Node.js and TypeScript runtime tests execute without errors

No Manual Migration Required

  • No configuration changes needed
  • No code changes required
  • Docker rebuild will automatically pick up new versions
  • Existing E2E tests provide coverage

Generated by koki-develop/claude-renovate-review
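The review above describes CVE-2026-21710 in one line: a request header literally named `__proto__` makes `req.headersDistinct` throw an uncaught TypeError and the process dies. The following is an added example, not code from this repository, from Node.js, or from the review bot, that reimplements a small "distinct headers" map over `req.rawHeaders` to show the mechanism and the construction that avoids it. The function names, the hand-written header sample and the 400-response handling are assumptions for illustration; Node's actual patch to `headersDistinct` is not reproduced here.

```javascript
// Added example (not code from this repository, from Node.js, or from the
// review bot). It rebuilds a "distinct headers" map over req.rawHeaders to
// show why a header named "__proto__" is hazardous when header names become
// keys of a plain object, and a null-prototype construction that is immune.
// The real fix shipped in Node.js v24.14.1 is not reproduced here.

// Constructed sample in the flat [name, value, name, value, ...] layout that
// Node uses for IncomingMessage.rawHeaders. Hand-written for this example.
const SAMPLE_RAW_HEADERS = [
  'Host', 'sandbox.example',
  'X-Forwarded-For', '10.0.0.1',
  'x-forwarded-for', '10.0.0.2',
  '__proto__', 'polluted',
];

// Naive builder (the "before" picture; do not use): a plain object keyed by
// lower-cased header name. For name === '__proto__', out[name] reads the
// inherited accessor and returns Object.prototype, not undefined, so no array
// is created and .push() is then called on Object.prototype, which throws a
// TypeError. Uncaught inside an http request callback, that kills the process.
function distinctHeadersNaive(rawHeaders) {
  const out = {};
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (out[name] === undefined) out[name] = [];
    out[name].push(value);
  }
  return out;
}

// Hardened builder: Object.create(null) has no prototype chain, so '__proto__'
// is just an ordinary own key. hasOwnProperty is called via Object.prototype
// rather than on `out` because a null-prototype object has no such method and
// a client could send a header named 'hasownproperty' anyway.
function distinctHeadersSafe(rawHeaders) {
  const out = Object.create(null);
  for (let i = 0; i < rawHeaders.length; i += 2) {
    const name = rawHeaders[i].toLowerCase();
    const value = rawHeaders[i + 1];
    if (!Object.prototype.hasOwnProperty.call(out, name)) out[name] = [];
    out[name].push(value);
  }
  return out;
}

// Defensive wrapper for the request handler that would call a builder:
// a TypeError from header processing becomes a 400 outcome instead of escaping
// the request callback. It returns a plain result object so it can be checked
// without a live http.Server (hypothetical helper for this example).
function classifyRequestHeaders(rawHeaders, builder = distinctHeadersSafe) {
  try {
    return { status: 200, headers: builder(rawHeaders), reason: null };
  } catch (err) {
    if (err instanceof TypeError) {
      return { status: 400, headers: null, reason: err.message };
    }
    throw err; // anything else is a programming error; let it surface
  }
}

// Stand-alone demo: the hardened builder keeps all three values, the naive
// builder fails on the hostile header and the wrapper turns that into a 400.
function demo() {
  const safe = distinctHeadersSafe(SAMPLE_RAW_HEADERS);
  console.log('safe x-forwarded-for:', safe['x-forwarded-for']);
  console.log('safe __proto__ (own key):', safe['__proto__']);
  const naive = classifyRequestHeaders(SAMPLE_RAW_HEADERS, distinctHeadersNaive);
  console.log('naive builder via wrapper:', naive.status, naive.reason);
  return { safe, naive };
}

demo();
```

The same hazard applies to any map keyed by attacker-chosen strings (query parameters, JSON keys, form fields): use `Object.create(null)` or a `Map`, and never test membership with `obj[key] === undefined` on a plain object.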

@renovate renovate Bot force-pushed the renovate/node-24.x branch from b7819e0 to bae07ad on April 17, 2026 05:53
@koki-develop koki-develop merged commit 14bda4d into main Apr 17, 2026
7 checks passed
@koki-develop koki-develop deleted the renovate/node-24.x branch April 17, 2026 06:10