Skip to content

feat!: Upgrade Node.js dependencies (Actions and Supported versions)#3498

Merged
brandonlenz merged 7 commits into
mainfrom
bl-upgrade-actions
Jul 16, 2026
Merged

feat!: Upgrade Node.js dependencies (Actions and Supported versions)#3498
brandonlenz merged 7 commits into
mainfrom
bl-upgrade-actions

Conversation

@brandonlenz

@brandonlenz brandonlenz commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Breaking change: Drops support for Node 20 (EOL)
  • Updates the development version to Node 26
  • Updates actions to use v5 Node.js actions since v4 actions will be EOL by September.

TODO: Once approved, in order to merge, update repository settings to

  • require Node 26 tests to pass
  • remove the requirement for Node 20 tests to pass

See also: https://nodejs.org/en/about/previous-releases

Related Issues or PRs

closes: #3458

How To Test

  • Install node 26 locally, run tests and storybook locally
  • Verify CI checks using v5 runners pass

Screenshots (optional)

image image

Author & Maintainer checklist

  • Is this is a breaking change?
    • Yes, and I accounted for the breaking changes according to the linked documentation
    • No
  • Once merged, add the PR and Issue author(s) as a contributor(s) via the all-contributors bot

@brandonlenz brandonlenz self-assigned this Jun 9, 2026
@github-actions

github-actions Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor
Warnings
⚠️

Unable to run yarn npm audit — the command did not return JSON (npm has retired the audit endpoint used by Yarn 3). Skipping the dependency audit check.

⚠️

Changes were made to package.json, but not to yarn.lock - Perhaps you need to run yarn install?

Generated by 🚫 dangerJS against 369d461

@brandonlenz

brandonlenz commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

TODO: Once approved, in order to merge, update repository settings to

  • require Node 26 tests to pass
  • remove the requirement for Node 20 tests to pass

@brandonlenz
brandonlenz marked this pull request as ready for review June 9, 2026 17:47
@brandonlenz
brandonlenz requested a review from a team as a code owner June 9, 2026 17:47
@brandonlenz brandonlenz mentioned this pull request Jun 10, 2026
3 tasks
@brandonlenz
brandonlenz requested a review from jsclarridge July 9, 2026 19:28
@brandonlenz

Copy link
Copy Markdown
Contributor Author

@jsclarridge can I tag you in for review on this one?

@jsclarridge

Copy link
Copy Markdown

@jsclarridge can I tag you in for review on this one?

As an incremental update to address the GitHub Actions versions that will be EOL by September, this looks good, although I think the use of actions/cache@v4 in .github/workflows/publish-next.yml also needs to be bumped to at least v5.

@brandonlenz

Copy link
Copy Markdown
Contributor Author

As an incremental update to address the GitHub Actions versions that will be EOL by September, this looks good, although I think the use of actions/cache@v4 in .github/workflows/publish-next.yml also needs to be bumped to at least v5.

On this repo we've not historically pinned by sha, but I'm thinking that we probably should, so I can make that change while addressing this comment too

Comment thread .github/dependabot.yml Outdated
Comment on lines +63 to +76
# Keep the GitHub Actions up to date
- package-ecosystem: "github-actions"
directory: "/"
pull-request-branch-name:
separator: '-'
schedule:
interval: "weekly"
labels:
- 'type: dependencies'
- 'type: automerge'
groups:
github-actions:
patterns:
- '*'

@brandonlenz brandonlenz Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I actually didn't know Dependabot handled sha-style actions dependency management, but it does: https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories#github-actions

Dependabot updates the version documentation of GitHub Actions when the comment is on the same line, such as actions/checkout@<commit> #<tag or link> or actions/checkout@<tag> #<tag or link>.

@jsclarridge jsclarridge Jul 16, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest leaving the Dependabot config as-is for now and create a separate follow-up issue to possibly make this change later. If we want Dependabot to manage the GitHub Actions updates, I'm not sure if we want them to be automerged. And we should probably add a cooldown period so that Dependabot would wait a certain amount of time before opening a PR to update the actions.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough, I'll make the change!

For the cooldown, I opted for a weekly cadence with schedule.interval: weekly.

Or am I misunderstanding what you mean?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was referring to the cooldown option, which can be used in addition to schedule.interval. According to the documentation, there's a default cooldown of 3 days even if cooldown isn't set, but it may still be a good idea to set it to explicitly, and we may want a slightly longer cooldown, e.g., 7 days.

@jsclarridge

jsclarridge commented Jul 16, 2026

Copy link
Copy Markdown

As an incremental update to address the GitHub Actions versions that will be EOL by September, this looks good, although I think the use of actions/cache@v4 in .github/workflows/publish-next.yml also needs to be bumped to at least v5.

On this repo we've not historically pinned by sha, but I'm thinking that we probably should, so I can make that change while addressing this comment too

The version pin changes look good to me, but I left a comment/suggestion about the Dependabot config update.

@brandonlenz

Copy link
Copy Markdown
Contributor Author

Oh fun, the npm endpoint that Yarn 3 relies on is being retired. It now returns a 410 instead of the json that Dangerfile.ts expects to parse:

yarn npm audit
➤ YN0035: This endpoint is being retired. Use the bulk advisory endpoint instead. See the following docs for more info: https://api-docs.npmjs.com/#tag/Audit
➤ YN0035:   Response Code: 410 (Gone)
➤ YN0035:   Request Method: POST
➤ YN0035:   Request URL: https://registry.yarnpkg.com/-/npm/v1/security/audits/quick

➤ Errors happened when preparing the environment required to run this command.
➤ This might be caused by packages being missing from the lockfile, in which case running "yarn install" might help.

I'm going to bandaid it here with some comments pointing to the npm migration PR which will take care of it for good.

@brandonlenz
brandonlenz merged commit 1c8b5b4 into main Jul 16, 2026
9 checks passed
@brandonlenz
brandonlenz deleted the bl-upgrade-actions branch July 16, 2026 20:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[feat]: Update deprecated Actions runners

2 participants