Bump actions/setup-node from 4 to 6 #39

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/setup-node-6

@dependabot dependabot bot commented on behalf of github Oct 27, 2025

Bumps actions/setup-node from 4 to 6.

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

This update introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false.

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Oct 27, 2025

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/actions/setup-node-6 branch from 59af272 to 68fb991 Compare October 28, 2025 23:26
austenstone

This comment was marked as duplicate.

@austenstone (Owner)

📋 Summary

This is a major version update for actions/setup-node from v4 to v6, which includes two major version bumps (v4 → v5 → v6) with significant breaking changes related to caching behavior.

🔒 Security

No known vulnerabilities addressed. This update focuses on feature enhancements and dependency upgrades rather than security fixes. However, v5 included an upgrade to form-data to address a critical vulnerability in that transitive dependency.

⚠️ Breaking Changes

Version 6.0.0 Breaking Changes:

  1. Automatic caching now limited to npm only - Previously in v5, the action automatically enabled caching when a packageManager field was detected in package.json. In v6, this automatic caching is now restricted to npm only. For other package managers (yarn, pnpm), you must explicitly set the cache input.

Version 5.0.0 Breaking Changes:

  1. Automatic package manager detection - Introduced automatic caching when a valid packageManager field is present in package.json. This can be disabled by setting package-manager-cache: false.
  2. Node.js runtime upgrade to Node 24 - The action itself now runs on Node.js 24 (upgraded from Node 16). Requires runner version v2.327.1 or later.

🚀 New Features & Improvements

Version 6 Features:

  • Dependency upgrades (ts-jest, prettier, publish-action)

Version 5 Features:

  • Automatic caching based on packageManager field in package.json
  • Upgraded internal dependencies (uuid, undici, form-data, @octokit packages)
  • Upgraded actions/checkout from v4 to v5

Version 4.4.0 Features (skipped versions):

  • Support for private mirrors via mirror and mirror-token inputs
  • Enhanced eslint matcher compatibility

📝 Migration & Impact Analysis

I have analyzed the codebase and found one usage of actions/setup-node in action.yml:

- uses: actions/setup-node@v6
  with:
    node-version: '22'

Impact Assessment:

No code changes required. Here's why:

  1. No caching configuration - The current usage doesn't specify a cache input, so the v6 breaking change about npm-only automatic caching doesn't affect us.

  2. No packageManager field dependency - Since we're not relying on automatic package manager detection (v5 feature), we won't be impacted by the v6 limitation.

  3. Simple node-version setup - We're only using the basic functionality to install Node.js 22, which remains fully compatible.

  4. Runner compatibility - The repository appears to be using GitHub-hosted runners, which are already at version v2.327.1+ and support Node 24 runtime.

Verification:

  • ✅ No cache parameter is used
  • ✅ No packageManager field is being relied upon
  • ✅ No custom package manager configurations (yarn, pnpm)
  • ✅ Using standard node-version specification

✅ Recommendation

✅ Safe to Merge - This update is a major version upgrade but appears to be fully compatible with our current usage.

Reasoning:

  • Our usage pattern is simple and unaffected by the breaking changes
  • No migration steps required
  • GitHub-hosted runners already meet the minimum version requirement
  • Keeps the action up-to-date with latest improvements and security patches

Next Steps:

  1. The PR can be safely merged
  2. CI workflows should pass without issues
  3. No additional configuration changes needed
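
As an added example (not code from this PR, the repository, or actions/setup-node), the caching rules quoted in the release notes and summary above can be modelled to check whether a bump changes a step's caching with no edit to the workflow. The sample workflow and package.json are constructed, and treating npm, yarn and pnpm as the valid packageManager names is an assumption.

```python
import json
import re

KNOWN_MANAGERS = {"npm", "yarn", "pnpm"}  # assumption: what a "valid" packageManager names

def setup_node_steps(workflow_text):
    """Yield (major, with-inputs) per actions/setup-node@vN step (line-based, not a YAML parser)."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        used = re.match(r"\s*-?\s*uses:\s*actions/setup-node@v(\d+)", line)
        if not used:
            continue
        inputs, in_with = {}, False
        for follow in lines[i + 1:]:
            if re.match(r"\s*-\s", follow):          # next step begins
                break
            if follow.strip() == "with:":
                in_with = True
                continue
            kv = re.match(r"\s+([\w-]+):\s*(\S.*)$", follow)
            if in_with and kv:
                inputs[kv.group(1)] = kv.group(2).strip("'\" ")
        yield int(used.group(1)), inputs

def effective_cache(major, inputs, package_json_text):
    """Package manager whose cache the step would restore, or None (model of the notes above)."""
    if inputs.get("cache"):
        return inputs["cache"]                       # explicit cache input
    if major < 5 or inputs.get("package-manager-cache", "true").lower() == "false":
        return None                                  # no automatic caching, or opted out
    manager = json.loads(package_json_text).get("packageManager", "").split("@")[0]
    if manager not in KNOWN_MANAGERS:
        return None
    return manager if major == 5 or manager == "npm" else None   # v6: npm only

def bump_report(workflow_text, package_json_text, new_major):
    """List (old_major, cache_before, cache_after) for steps whose caching changes."""
    changes = []
    for major, inputs in setup_node_steps(workflow_text):
        before = effective_cache(major, inputs, package_json_text)
        after = effective_cache(new_major, inputs, package_json_text)
        if before != after:
            changes.append((major, before, after))
    return changes

# Constructed sample inputs, not taken from the repository in this PR.
WORKFLOW = "steps:\n  - uses: actions/checkout@v5\n  - uses: actions/setup-node@v4\n    with:\n      node-version: '22'\n"
NPM_REPO = '{"name": "demo", "packageManager": "npm@10.9.0"}'
print(bump_report(WORKFLOW, NPM_REPO, 6))
```

An empty report means the bump leaves caching as it was; a non-empty one is the cue to set `cache` or `package-manager-cache` explicitly so the behaviour is a reviewed choice.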

dependabot bot commented on behalf of github Nov 23, 2025

Looks like actions/setup-node is up-to-date now, so this is no longer needed.

@dependabot dependabot bot closed this Nov 23, 2025
@dependabot dependabot bot deleted the dependabot/github_actions/actions/setup-node-6 branch November 23, 2025 18:21