V17.4.12 — drop Node 18 from CI; require Node 20+
Direct fallout from V17.4.11's uuid override. The 232-test suite passed locally and on Node 20.x / 22.x runners, but 76 of them failed on Node 18.x in CI (run 26342320472). Investigation in this commit + the surrounding triage on Issues showed the cause is intrinsic to uuid 14, not something fixable in our code.
Why Node 18 stopped working
The V17.4.11 override forces every transitive uuid to ^14.0.0. uuid changed packaging shape over its 9-14 evolution:
| Version | type | CJS support |
|---|---|---|
| 9.x | commonjs | ✓ |
| 10.x | commonjs | ✓ |
| 11.x | module | ✓ (dual-publish, exports.['.'].node.require → ./dist/cjs/index.js) |
| 12.x, 13.x, 14.x | module | ✗ (pure-ESM, no CJS entry) |
@cypress/request/lib/auth.js does var { v4: uuid } = require('uuid'). For that require() of a pure-ESM package to work, Node needs the require(esm) feature:
- Node 22+ — works by default
- Node 20.17+ — works by default
- Node 18 — require('uuid') throws ERR_REQUIRE_ESM
The throw inside auth.js cascades into @cypress/request-promise/lib/rp.js's catch block, which prints the misleading "The 'request' library is not installed automatically anymore" banner before re-throwing. Every test that constructs a bot then fails because node-telegram-bot-api can't load its HTTP transport.
What changes
- .github/workflows/ci.yml: matrix shrinks from [18.x, 20.x, 22.x] to [20.x, 22.x]
- package.json engines.node formalises the floor: >=20.0.0 (was >=14.0.0)
Why this is the right call
- Node 18 reached EOL on 2025-04-30, over a year ago.
- The two alternative resolutions both have worse trade-offs:
  - Pin uuid to ^11 (last CJS-supporting major): keeps Node 18 working, but leaves an open security advisory in perpetuity since the patch landed in 14.0.0.
  - Selective override (uuid 14 only under @cypress/request): doesn't help — Node 18's require() would still fail on the ESM-only uuid 14 regardless of where it sits in the tree.
- Node-RED itself recommends Node 20+ for current versions.
- Adding engines: {node: '>=20.0.0'} to package.json makes npm install warn (or fail with engine-strict) for users on older Node, so they get an informative message rather than a confusing runtime crash.
Verification
Local npm test on Node 22 passes all 232 tests. The CI run on this commit should pass on both 20.x and 22.x legs with no Node 18 leg to fail on.
No runtime code changes
This release is purely build/CI infrastructure. Users already on Node 20+ are unaffected; users on Node 18 will be blocked from upgrading via npm install (with a clear engines warning) until they migrate to Node 20+.
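
Added example, not part of the commit or the project's code: a pre-flight check that predicts from a package.json whether a CommonJS require() can load the package, which is the condition a security-driven override to an ESM-only major broke on Node 18 here. The three manifests are constructed to mirror the table's packaging shapes (only ./dist/cjs/index.js comes from the commit message), the function names are hypothetical, and treating a target matched through the "require" condition as a CJS build is an assumption.

```javascript
// Conditions Node.js matches for a CommonJS require() call (core set only).
const REQUIRE_CONDITIONS = new Set(['node', 'require', 'default']);

// Walk an "exports" target: strings are paths, arrays are fallbacks, objects
// are condition maps tried in key order. Records if "require" was matched.
function pickTarget(target, viaRequire = false) {
  if (typeof target === 'string') return { path: target, viaRequire };
  if (Array.isArray(target)) {
    for (const t of target) {
      const hit = pickTarget(t, viaRequire);
      if (hit) return hit;
    }
    return null;
  }
  if (target === null || typeof target !== 'object') return null;
  for (const [key, value] of Object.entries(target)) {
    if (!REQUIRE_CONDITIONS.has(key)) continue;
    const hit = pickTarget(value, viaRequire || key === 'require');
    if (hit) return hit;
  }
  return null;
}

// Predict the outcome of require(pkg). requireEsmAvailable says whether the
// target Node version can require() an ES module (false for Node 18).
function classifyRequire(manifest, requireEsmAvailable) {
  const exp = manifest.exports;
  const root = exp && typeof exp === 'object' && !Array.isArray(exp) && '.' in exp ? exp['.'] : exp;
  const hit = exp === undefined
    ? { path: manifest.main || './index.js', viaRequire: false }
    : pickTarget(root);
  if (!hit) return { ok: false, reason: 'ERR_PACKAGE_PATH_NOT_EXPORTED' };
  // Assumption: a target reached through "require" is the declared CJS build.
  const isCjs = hit.viaRequire || hit.path.endsWith('.cjs') ||
    (!hit.path.endsWith('.mjs') && manifest.type !== 'module');
  if (isCjs) return { ok: true, reason: `CJS entry ${hit.path}` };
  return requireEsmAvailable
    ? { ok: true, reason: 'ESM entry via require(esm)' }
    : { ok: false, reason: 'ERR_REQUIRE_ESM' };
}

// Constructed manifests mirroring the table's three packaging shapes.
const SAMPLES = {
  cjsOnly: { type: 'commonjs', main: './dist/index.js' },
  dualPublish: { type: 'module', exports: { '.': { node: {
    import: './dist/esm/index.js', require: './dist/cjs/index.js' } } } },
  pureEsm: { type: 'module', exports: { '.': { default: './dist/index.js' } } },
};
```

Run over each overridden dependency's installed package.json before merging a forced version bump, with requireEsmAvailable set for the oldest Node version in the CI matrix.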