rfellows opened a new pull request, #11109: URL: https://github.com/apache/nifi/pull/11109
# NIFI-15799: Upgrade nifi-frontend to Node 24 LTS

## Description

This change moves the **nifi-frontend** toolchain from **Node 22** to **Node 24.14.1 (LTS)**. The root `pom.xml` `node.version` property is what **CI and Maven** use: **frontend-maven-plugin** downloads that exact Node binary during builds.

Local workflows are aligned with that version: **package.json** `engines.node` is narrowed to **Node 24.x only**, **engine-strict** is enabled via **.npmrc**, and version manager hints (**.nvmrc**, **.tool-versions**) are added and tracked.

**package-lock.json** was regenerated under Node 24.14.1. **npm overrides** add pinned resolutions for **picomatch** (^4.0.4) and **lodash-es** (^4.18.0) to address reported vulnerabilities. After regen, **npm audit** reports **0** vulnerabilities.

## What's Changed

### Maven (authoritative for CI)

- **pom.xml**: `<node.version>` **v22.19.0** -> **v24.14.1** (frontend-maven-plugin download target).

### Local development enforcement

- **package.json**: `engines.node` **^20.19.0 || ^22.13.0 || >=24.0.0** -> **^24.0.0** (24.x only; no broad `>=24` that would allow future majors).
- **.npmrc** (new): `engine-strict=true` so wrong Node fails fast on `npm install` / `npm ci`.
- **.nvmrc** (new): `24` for nvm/fnm.
- **.tool-versions** (new): `nodejs 24.14.1` for asdf; **.gitignore** no longer ignores `/.tool-versions` so it can be committed.

### Dependencies and security

- **package.json** `overrides`: **picomatch** ^4.0.4; **lodash-es** ^4.18.0 (method injection / ReDoS / template / prototype-pollution fixes).
- **package-lock.json**: regenerated under Node 24.14.1.

## Key Features / Architecture

- **CI vs local**: Maven builds do **not** rely on the developer's global Node; they use **`<node.version>`** via frontend-maven-plugin. The new **engines** / **.npmrc** / dotfiles affect **direct npm/npx** use in **nifi-frontend/src/main/frontend**.
- **One-time clean after pull**: An incremental **`mvn install`** without **`clean`** can fail if **target/** still contains Node 22-era frontend artifacts alongside a freshly downloaded Node 24 toolchain. **`mvn clean install`** (or a one-time **`mvn clean`**) fixes that.

## Screenshots

No UI changes.

## Validation

- **`mvn clean install -pl nifi-frontend`**: BUILD SUCCESS (~2m 29s).
- **Tests**: 5 suites, 60 files, 353 tests -- all passed.
- **Checkstyle** / **PMD**: pass.
- **`npm audit`**: 0 vulnerabilities.
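
The description above names five places that now state or enforce the Node version (`pom.xml`, `package.json`, `.npmrc`, `.nvmrc`, `.tool-versions`). As an added example, not part of the pull request or the NiFi code base, the following sketch shows how a drift check across them could look; `checkNodePins` and `satisfiesCaret` are hypothetical helpers, and the file contents are constructed from the values quoted in the description.

```javascript
// Added example (not from the PR). File contents are constructed from the
// values quoted in the description; checkNodePins is a hypothetical helper.
const sampleFiles = {
  'pom.xml': '<properties><node.version>v24.14.1</node.version></properties>',
  'package.json': JSON.stringify({ engines: { node: '^24.0.0' } }),
  '.npmrc': 'engine-strict=true\n',
  '.nvmrc': '24\n',
  '.tool-versions': 'nodejs 24.14.1\n',
};

const parts = (v) => v.trim().replace(/^v/, '').split('.').map(Number);

// Minimal caret check for majors >= 1: same major, at or above the floor.
// Any other range syntax (e.g. ">=24.0.0") is reported as drift.
function satisfiesCaret(version, range) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) return false;
  const [fMaj, fMin, fPat] = m.slice(1).map(Number);
  const [maj, min, pat] = parts(version);
  return maj === fMaj && (min > fMin || (min === fMin && pat >= fPat));
}

function checkNodePins(files) {
  // pom.xml is treated as authoritative, as the description says it is for CI.
  const pom = /<node\.version>\s*(v?\d+\.\d+\.\d+)\s*<\/node\.version>/.exec(files['pom.xml'] || '');
  if (!pom) return ['pom.xml: <node.version> not found'];
  const ci = parts(pom[1]);
  const ciText = ci.join('.');
  const problems = [];

  const engines = (JSON.parse(files['package.json'] || '{}').engines || {}).node || '';
  if (!satisfiesCaret(ciText, engines)) problems.push(`package.json: engines.node "${engines}" is not a caret range covering ${ciText}`);

  // Without engine-strict, npm only warns on an engines mismatch.
  if (!/^\s*engine-strict\s*=\s*true\s*$/m.test(files['.npmrc'] || '')) problems.push('.npmrc: engine-strict=true is missing');

  // .nvmrc may be a partial version ("24"); each stated component must match.
  const nvm = (files['.nvmrc'] || '').trim();
  if (!nvm || !parts(nvm).every((n, i) => n === ci[i])) problems.push(`.nvmrc: "${nvm}" does not match ${ciText}`);

  const asdf = /^nodejs\s+(\S+)\s*$/m.exec(files['.tool-versions'] || '');
  if (!asdf || parts(asdf[1]).join('.') !== ciText) problems.push(`.tool-versions: nodejs entry does not match ${ciText}`);
  return problems;
}
```

An empty array means the local hints agree with the Maven-pinned version; each string in a non-empty result names the file that has drifted.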
