step-security · Raj-StepSecurity · Jan 28, 2026
diff --git a/.github/workflows/actions_release.yaml b/.github/workflows/actions_release.yaml
@@ -11,6 +11,11 @@ on:
         required: false
         type: string
         default: "npm run all"
+      node_version:
+        description: "Specify Node.js version"
+        required: false
+        type: string
+        default: "24"
 
 permissions:
   contents: read
@@ -25,3 +30,4 @@ jobs:
     with:
       tag: "${{ github.event.inputs.tag }}"
       script: "${{ github.event.inputs.script }}"
+      node_version: ${{ github.event.inputs.node_version }}
diff --git a/.github/workflows/audit-package.yml b/.github/workflows/audit-package.yml
@@ -14,6 +14,12 @@ on:
       script:
         required: false
         default: "npm run all"
+      node_version:
+        description: "Specify Node.js version"
+        required: false
+        type: string
+        default: "24"
+
   schedule:
     - cron: "0 0 * * 1"
 
@@ -24,6 +30,7 @@ jobs:
       force: ${{ inputs.force || false }}
       base_branch: ${{ inputs.base_branch || 'main' }} 
       script: ${{ inputs.script || 'npm run all'}}
+      node_version: ${{ inputs.node_version || '24' }}
 
 permissions:
   contents: write

diff --git a/.github/workflows/auto_cherry_pick.yml b/.github/workflows/auto_cherry_pick.yml
@@ -10,6 +10,11 @@ on:
       script:
         required: false
         default: "npm run all"
+      node_version:
+        description: "Specify Node.js version (e.g., '18', '20', 'lts/*')"
+        required: false
+        type: string
+        default: "24"
 
 permissions:
   contents: write
@@ -25,3 +30,4 @@ jobs:
       repo-name: "paths-filter"
       base_branch: ${{ inputs.base_branch }}
       script: ${{ inputs.script }}
+      node_version: ${{ inputs.node_version || '24' }}
diff --git a/action.yml b/action.yml
@@ -47,7 +47,7 @@ outputs:
   changes:
     description: JSON array with names of all filters matching any of changed files
 runs:
-  using: 'node20'
+  using: 'node24'
   main: 'dist/index.js'
 branding:
   color: blue

diff --git a/dist/index.js b/dist/index.js
@@ -97,10 +97,11 @@ function isPredicateQuantifier(x) {
 }
 exports.isPredicateQuantifier = isPredicateQuantifier;
 class Filter {
+    filterConfig;
+    rules = {};
     // Creates instance of Filter and load rules from YAML if it's provided
     constructor(yaml, filterConfig) {
         this.filterConfig = filterConfig;
-        this.rules = {};
         if (yaml) {
             this.load(yaml);
         }
@@ -126,11 +127,10 @@ class Filter {
         return result;
     }
     isMatch(file, patterns) {
-        var _a;
         const aPredicate = (rule) => {
             return (rule.status === undefined || rule.status.includes(file.status)) && rule.isMatch(file.filename);
         };
-        if (((_a = this.filterConfig) === null || _a === void 0 ? void 0 : _a.predicateQuantifier) === 'every') {
+        if (this.filterConfig?.predicateQuantifier === 'every') {
             return patterns.every(aPredicate);
         }
         else {
@@ -272,14 +272,14 @@ async function getChangesSinceMergeBase(base, head, initialFetchDepth) {
         if (!(await hasMergeBase())) {
             await (0, exec_1.getExecOutput)('git', ['fetch', '--no-tags', `--depth=${initialFetchDepth}`, 'origin', base, head]);
             if (baseRef === undefined || headRef === undefined) {
-                baseRef = baseRef !== null && baseRef !== void 0 ? baseRef : (await getLocalRef(base));
-                headRef = headRef !== null && headRef !== void 0 ? headRef : (await getLocalRef(head));
+                baseRef = baseRef ?? (await getLocalRef(base));
+                headRef = headRef ?? (await getLocalRef(head));
                 if (baseRef === undefined || headRef === undefined) {
                     await (0, exec_1.getExecOutput)('git', ['fetch', '--tags', '--depth=1', 'origin', base, head], {
                         ignoreReturnCode: true // returns exit code 1 if tags on remote were updated - we can safely ignore it
                     });
-                    baseRef = baseRef !== null && baseRef !== void 0 ? baseRef : (await getLocalRef(base));
-                    headRef = headRef !== null && headRef !== void 0 ? headRef : (await getLocalRef(head));
+                    baseRef = baseRef ?? (await getLocalRef(base));
+                    headRef = headRef ?? (await getLocalRef(head));
                     if (baseRef === undefined) {
                         throw new Error(`Could not determine what is ${base} - fetch works but it's not a branch, tag or commit SHA`);
                     }
@@ -411,7 +411,7 @@ async function getLocalRef(shortName) {
         .split(/\r?\n/g)
         .map(l => l.match(/refs\/(?:(?:heads)|(?:tags)|(?:remotes\/origin))\/(.*)$/))
         .filter(match => match !== null && match[1] === shortName)
-        .map(match => { var _a; return (_a = match === null || match === void 0 ? void 0 : match[0]) !== null && _a !== void 0 ? _a : ''; }); // match can't be null here but compiler doesn't understand that
+        .map(match => match?.[0] ?? ''); // match can't be null here but compiler doesn't understand that
     if (refs.length === 0) {
         return undefined;
     }
@@ -563,13 +563,12 @@ const git = __importStar(__nccwpck_require__(3374));
 const shell_escape_1 = __nccwpck_require__(4613);
 const csv_escape_1 = __nccwpck_require__(7402);
 async function validateSubscription() {
-    var _a;
     const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`;
     try {
         await axios_1.default.get(API_URL, { timeout: 3000 });
     }
     catch (error) {
-        if ((0, axios_1.isAxiosError)(error) && ((_a = error.response) === null || _a === void 0 ? void 0 : _a.status) === 403) {
+        if ((0, axios_1.isAxiosError)(error) && error.response?.status === 403) {
             core.error('Subscription is not valid. Reach out to support@stepsecurity.io');
             process.exit(1);
         }
@@ -626,7 +625,6 @@ function getConfigFileContent(configPath) {
     return fs.readFileSync(configPath, { encoding: 'utf8' });
 }
 async function getChangedFiles(token, base, ref, initialFetchDepth) {
-    var _a, _b;
     // if base is 'HEAD' only local uncommitted changes will be detected
     // This is the simplest case as we don't need to fetch more commits or evaluate current/before refs
     if (base === git.HEAD) {
@@ -654,8 +652,8 @@ async function getChangedFiles(token, base, ref, initialFetchDepth) {
             throw new Error(`'token' input parameter is required if action is triggered by 'pull_request_target' event`);
         }
         core.info('Github token is not available - changes will be detected using git diff');
-        const baseSha = (_a = github.context.payload.pull_request) === null || _a === void 0 ? void 0 : _a.base.sha;
-        const defaultBranch = (_b = github.context.payload.repository) === null || _b === void 0 ? void 0 : _b.default_branch;
+        const baseSha = github.context.payload.pull_request?.base.sha;
+        const defaultBranch = github.context.payload.repository?.default_branch;
         const currentRef = await git.getCurrentRef();
         return await git.getChanges(base || baseSha || defaultBranch, currentRef);
     }
@@ -664,8 +662,7 @@ async function getChangedFiles(token, base, ref, initialFetchDepth) {
     }
 }
 async function getChangedFilesFromGit(base, head, initialFetchDepth) {
-    var _a;
-    const defaultBranch = (_a = github.context.payload.repository) === null || _a === void 0 ? void 0 : _a.default_branch;
+    const defaultBranch = github.context.payload.repository?.default_branch;
     const beforeSha = github.context.eventName === 'push' ? github.context.payload.before : null;
     const currentRef = await git.getCurrentRef();
     head = git.getShortName(head || github.context.ref || currentRef);

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -2,7 +2,7 @@
   "name": "paths-filter",
   "version": "1.0.0",
   "engines": {
-    "node": ">= 20"
+    "node": ">= 24"
   },
   "private": true,
   "description": "Execute your workflow steps only if relevant files are modified.",
@@ -38,7 +38,7 @@
     "@octokit/webhooks-types": "^7.3.1",
     "@types/jest": "^29.5.11",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "^20.11.6",
+    "@types/node": "^24.0.0",
     "@types/picomatch": "^2.3.3",
     "@typescript-eslint/eslint-plugin": "^6.19.1",
     "@typescript-eslint/parser": "^6.19.1",

diff --git a/tsconfig.json b/tsconfig.json
@@ -1,6 +1,6 @@
 {
   "compilerOptions": {
-    "target": "es2019",                          /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
+    "target": "ES2022",                          /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019', 'ES2020', 'ES2021', 'ES2022' or 'ESNEXT'. */
     "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
     "outDir": "./lib",                        /* Redirect output structure to the directory. */
     "rootDir": "./src",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */