[CDX-398] Update Node version and packages

[esezen]

Updated Node version to resolve vulnerabilities. Tests needed some updates because Node 22 handles some things differently than 18

[Copilot]

Pull request overview

Updates the repository’s Node/npm baseline and related dev dependencies to address vulnerabilities and accommodate Node 22 behavior changes in the test suite.

Changes:

• Bump jsdom to v28 and update Volta-pinned Node/npm versions to Node 22 / npm 11.
• Adjust getWindowLocation unit test to rely on JSDOM URL parsing instead of stubbing window.location.
• Remove ReadableStream polyfill wiring from Assistant/Agent streaming tests (relying on Node 22 Web Streams).

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
spec/src/utils/helpers.js	Updates getWindowLocation test to align with modern JSDOM URL/location behavior.
spec/src/modules/assistant.js	Updates streaming tests to drop ReadableStream polyfill setup and modifies global/window SSE setup.
spec/src/modules/agent.js	Same as Assistant: updates streaming tests and global/window SSE setup.
package.json	Bumps jsdom and updates Volta-pinned Node/npm versions.
package-lock.json	Lockfile regeneration reflecting the dependency and engine changes from the jsdom upgrade.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In this test block, global.EventSource is overwritten in beforeEach but never restored. Under Node 22, EventSource may already exist on global, and jsdom-global cleanup will not delete it (it only cleans keys that weren’t present on the first run). This can leak the polyfill into later tests or mask the native implementation. Save the prior value of global.EventSource/window.EventSource and restore it in afterEach (or delete only if it was originally undefined).

[Copilot]

In this test block, global.EventSource is overwritten in beforeEach but never restored. If Node provides a native EventSource (or if another suite sets one), this can leak the polyfill across tests and make later suites depend on ordering. Capture the previous global.EventSource/window.EventSource values and restore them in afterEach (or delete only if they were originally undefined).

[Copilot]

The PR updates Volta to Node 22 / npm 11, but the repo still pins Node 18 elsewhere (e.g., .github/workflows/* matrices and scripts/verify-node-version.sh which hard-codes the active LTS codename to "Hydrogen"). With jsdom@28 requiring Node >=20, CI and the npm run version workflow will fail unless those Node-version checks are updated to match the new baseline.

[Alexey-Pavlov]

Hey @esezen! It looks like tests are failing there 👀

Wanted to ask you, in this PR, do we need to update Node version from 18.13.0 to 22.18.0 in these 6 workflow files:

• .github/workflows/run-tests.yml
• .github/workflows/run-tests-bundled.yml
• .github/workflows/run-lint.yml
• .github/workflows/run-diffend.yml
• .github/workflows/run-license-check.yml
• .github/workflows/spell-check.yml

And update scripts/verify-node-version.sh to use "Jod" (Node 22 LTS codename) instead of "Hydrogen" (Node 18)? WDYT?

[constructor-claude-bedrock]

Code Review: [CDX-398] Update Node version and packages

Files Reviewed: 14 files, +754/-855 lines

---

P1 Critical Issues (0 found)

No critical issues found.

---

P2 Important Issues (2 found)

Pinned Node 18 for Diffend — Needs a Follow-up Ticket or Comment

• File: .github/workflows/run-diffend.yml:14
• Issue: The Diffend workflow is intentionally kept on Node 18 with a comment # Diffend doesn't work with newer versions of Node/NPM. While the comment is appreciated, this means the dependency security scanning tool is running on a Node version that the project is actively moving away from because of vulnerabilities. If Diffend never gains Node 22 support, the workflow becomes a permanent vestigial fixture that can drift from reality.
• Recommendation: Track this as a known limitation in your ticketing system and consider adding a link to the upstream issue (or a TODO with a ticket number) so it doesn't get forgotten. Also verify whether Diffend has a newer release that supports Node 22 — the install command pulls from /releases/npm/stable.tgz dynamically, so it may already work.

Workflow Action Versions Not Updated Alongside Node Bump

• File: .github/workflows/run-tests.yml:18 (and other workflow files)
• Issue: Several workflows still use actions/checkout@v2 and actions/setup-node@v2 while other workflows (e.g. spell-check.yml) already use actions/checkout@v3. Mixing v2 and v3 is inconsistent, and actions/setup-node@v2 is significantly older than the current v4 which has better caching and Node 22 support.
• Recommendation: Standardize all workflows to at minimum actions/checkout@v3 / actions/setup-node@v3 (ideally v4). This is a good hygiene fix to pair with a Node version bump PR.

---

P3 Suggestions (3 found)

• package.json:86-89 — The volta pin was added for Node 22.18.0 / npm 11.0.0, which is great for developer environment consistency. Consider also adding a .nvmrc or .node-version file for developers not using Volta (nvm is still widely used). This is a nice-to-have but makes onboarding easier.

• spec/src/utils/jsdom-global.js:62-63 — Patching window.fetch and window.ReadableStream from Node globals is now required because jsdom 28 no longer bundles these, which is the correct approach for Node 22. However, there is no guard checking whether global.fetch is defined before assigning it. On Node 17 and below, global.fetch is undefined, which would silently set window.fetch = undefined. Since this project now targets Node 22 this is not a problem in practice, but a one-line comment like // Node 18+ provides global fetch; required since jsdom 28 no longer bundles it would help future readers understand why these lines exist.

• spec/src/modules/agent.js / spec/src/modules/assistant.js — Both files are near-identical mirrors of each other (same defaultOptions shape with only the service URL key differing, same test structure). This is pre-existing duplication, not introduced by this PR, but worth noting as a longer-term refactor opportunity.

---

Strengths

The primary goal of this PR — upgrading jsdom from v16 to v28 and Node from 18 to 22 — is well-executed. The dependency removals are correct (deprecated packages like abab, domexception, acorn-globals, escodegen, form-data, and iconv-lite are all removed because jsdom 28 relies on native Node/browser APIs instead). The jsdom-global.js helper was updated cleanly to expose window.fetch and window.ReadableStream from the Node runtime, which is the right fix for the jsdom 28 breaking change. The comment explaining why Diffend is pinned to Node 18 is a thoughtful addition. The volta field in package.json is a good practice for locking developer environments.

---

Overall Assessment: APPROVED

The changes are technically sound and achieve their stated goal. The two P2 items (Diffend follow-up and workflow action version consistency) are housekeeping improvements that can be addressed in a follow-up PR rather than blocking this one.

[esezen]

@Alexey-Pavlov thanks for catching that! I forgot to update the versions in the workflows. I removed check Node version script completely since Volta takes care of that now. I also had to leave Diffend at the existing version since there seems to be a compatibility issue between Diffend and Node 22.

[Alexey-Pavlov]

Thanks so much for the updates, @esezen! Everything's passing now, so it looks great!