Farabi/fix-depandabot-issues

[farabi-deriv]

This pull request updates the Node.js version used throughout the project from 18.x to 20, ensuring consistency across development, testing, and deployment workflows. It also upgrades a few dependencies in package.json to their latest versions for improved security and compatibility.

Node.js version upgrades:

• Updated the Node.js version in all GitHub Actions workflow files (generate_preview_link.yml, release_production.yml, release_staging.yml, test.yml) to use version 20 instead of 18.x.
• Changed the engines.node field in package.json to require Node.js version >=20.

Dependency updates:

• Upgraded node-gettext from version 3.0.0 to 3.0.1 in package.json.
• Upgraded serialize-javascript from version 6.0.2 to 7.0.5 in package.json.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Manifest Files

package-lock.json

• node-gettext@3.0.0
• serialize-javascript@6.0.2
• node-gettext@3.0.1
• serialize-javascript@7.0.5
• randombytes@2.1.0

package.json

• node-gettext@3.0.0
• node-gettext@3.0.1

[github-actions]

Claude finished @farabi-deriv's task in 2m 17s —— View job

---

PR Review: Dependency bumps

• Read the dependency diff (package.json, package-lock.json)
• Assess node-gettext 3.0.0 → 3.0.1
• Assess serialize-javascript 6.0.2 → 7.0.5
• Check CI status and root-cause the failing build

---

🔴 Blocker — serialize-javascript@7.0.5 breaks the build on Node 18

This PR bumps the overrides entry (package.json:158) for serialize-javascript from 6.0.2 to 7.0.5. Because it's an override, it forces every consumer (webpack/terser-webpack-plugin, mocha) onto 7.0.5 — which is why the nested 6.0.2 copies and randombytes were dropped from the lockfile.

The problem: serialize-javascript@7.0.0 requires node >=20.0.0 and replaced its randombytes dependency with the global Web Crypto crypto API, which is not a global in Node 18. This project targets Node 18:

• package.json → "engines": { "node": "18.x" }
• .github/workflows/test.yml:18 and the release build steps run on node-version: 18.x
• CLAUDE.md → "Node Version: Use Node 18.x"

The DSmartTrader Test and Generate preview link workflows are already failing on this PR. The build log (run 27326809429) shows:

npm warn EBADENGINE   package: 'serialize-javascript@7.0.5',
npm warn EBADENGINE   required: { node: '>=20.0.0' }, current: { node: 'v18.20.8' }
...
Loading "Gruntfile.js" tasks...ERROR
>> ReferenceError: crypto is not defined
Warning: Task "releaseci" not found. Use --force to continue.
Aborted due to warnings.

ReferenceError: crypto is not defined is the direct consequence of v7 relying on the global crypto on a Node 18 runtime. This is a hard build/release regression, not just a warning.

Recommended fix

Keep node-gettext@3.0.1 (harmless patch), but revert the serialize-javascript override to the 6.0.x line until the project moves to Node 20:

// package.json overrides
"serialize-javascript": "6.0.2",   // or "^6.0.2" for the latest 6.0.x patch

Then regenerate the lockfile with npm install so the nested 6.0.2 resolutions (and randombytes) are restored.

Fix this →

If the intent is actually to move the whole project to Node 20, that's a much larger change (update engines, all node-version workflow steps, .nvmrc/docs) and should be its own PR — not bundled into a Dependabot bump.

---

Summary

Priority	Item
🔴 High	serialize-javascript@7.0.5 requires Node ≥20 (global crypto) but project/CI is Node 18 → build fails with ReferenceError: crypto is not defined. Revert to 6.0.2.
🟢 Low	node-gettext 3.0.0 → 3.0.1 — safe patch bump (only used in scripts/gettext.js at build time). No concerns.
🟢 Low	Lockfile changes are internally consistent given the override semantics; they'll need regenerating after the revert.

No XSS/auth/secret or render-performance concerns — this is a dev-dependency/build-tooling change only.

[github-actions]

Claude finished @farabi-deriv's task in 6m 37s —— View job

---

PR Review: Dependency bumps + Node 20 upgrade

• Read the updated diff (package.json, package-lock.json, workflows)
• Verify the Node 20 upgrade resolves the previous serialize-javascript blocker
• Check for remaining Node 18 references (.nvmrc, docs, configs)
• Root-cause the still-failing Generate preview link check
• Post review

---

✅ The original blocker is fixed

The previous review flagged that serialize-javascript@7.0.5 requires Node ≥20 and broke the build with ReferenceError: crypto is not defined. This revision addresses that the other way — by moving the project to Node 20 (all 4 workflows + engines), instead of reverting the bump.

That works. The crypto error is gone, and two checks that were failing before are now green:

Check	Before (Node 18)	Now (Node 20)
DSmartTrader Test (runs grunt releaseci --production + npm test)	❌ crypto is not defined	✅ pass
PR #1223	❌	✅ pass

So the approach is sound and the dependency bumps themselves (node-gettext 3.0.0→3.0.1, serialize-javascript 6.0.2→7.0.5) are fine. Lockfile changes are internally consistent with the override semantics.

---

🟡 Generate preview link is still red — but not because of these bumps

The remaining failing check fails at the grunt task-load stage of ./.github/actions/build (grunt releaseci --staging), run log:

Invalid js-yaml extension type type: Type { tag: 'tag:yaml.org,2002:js/regexp', ... }
Loading "Gruntfile.js" tasks...ERROR
>> YAMLException: Schema.extend argument should be a Type, [ Type ], or a schema definition
Warning: Task "releaseci" not found.  →  Aborted due to warnings. (exit 3)

This is a dependency-resolution artifact, not a regression from this PR. Proof: the identical grunt releaseci build runs in DSmartTrader Test (--production) and passes, while it fails here (--staging). The only difference between the two jobs is the dependency installer:

Job	npm_install action	grunt load result
DSmartTrader Test	./.github/actions/npm_install → npm ci (honours lockfile)	✅ works
Generate preview link	deriv-com/shared-actions/.../npm_install@master (external)	❌ Schema.extend error

Root cause: the overrides force js-yaml@4.1.1 (package.json:129 + the nested load-grunt-config override at :160), but load-grunt-config@4.0.1 and its transitive js-yaml-js-types@1.0.0 are written/tested against js-yaml@4.1.0. js-yaml 4.1.1 changed Schema.extend/Type validation, so the !!js/regexp type that js-yaml-js-types registers is rejected as "not a Type". Under npm ci the tree dedupes cleanly and this doesn't surface; the external npm_install@master resolves it into the broken state.

Note: this js-yaml@4.1.1 override already exists on master and is not touched by this PR — fixing the crypto error simply unmasked it (previously the build aborted earlier). So it's a pre-existing latent issue rather than something you introduced.

Recommended (pick one):

1. Pin the override back to the version the toolchain expects — removes the fragility regardless of installer:

   // package.json overrides — change BOTH occurrences
   "js-yaml": "4.1.0",
   "load-grunt-config": { "js-yaml": "4.1.0" }

   then regenerate the lockfile with npm install. (If 4.1.1 was a required security bump, instead keep it at top level and only pin the nested load-grunt-config one to 4.1.0.)
2. Align the shared npm_install@master action to use npm ci so it matches the lockfile (this is the actual divergence). Note: I can't edit .github/workflows files myself due to GitHub App permissions.

First, please confirm whether Generate preview link is already red on master — if so, this shouldn't block the dependency bump and can be tracked separately.

Fix this →

---

🟢 Low — doc/config follow-ups

Some Node-18 references were left behind (docs only, non-blocking):

• CLAUDE.md:9 — "…jQuery, Node 18.x"
• CLAUDE.md:342 — "Node Version: Use Node 18.x … nvm use 18"
• README.md:58,62 — "Ensure you are running node version 14" / "To install node 18 nvm install 18"

Updating these to Node 20 keeps onboarding consistent with the new engines. There's no .nvmrc in the repo, so nothing to change there. Minor: engines.node: ">=20" is a bit loose vs. the pinned CI node-version: 20 — consider "20.x" if you want to keep them in lockstep.

---

Summary

Priority	Item
✅ Resolved	Node 20 upgrade fixes the prior serialize-javascript@7 / crypto is not defined blocker. DSmartTrader Test + PR #1223 now pass.
🟡 Medium	Generate preview link still fails — pre-existing js-yaml@4.1.1 vs js-yaml-js-types@1.0.0 incompatibility, exposed only under the external npm_install@master (passes under npm ci). Not caused by these bumps. Pin js-yaml override to 4.1.0 or align the install action.
🟢 Low	Stale Node-18 references in CLAUDE.md / README.md; slightly loose engines: ">=20".

No XSS/auth/secret or render-performance concerns — this is a build-tooling / dev-dependency change only.

[github-actions]

Name	Result
Build status	Failed ❌
Action URL	Visit Action