boostercloud · MarcAstr0 · Feb 17, 2026 · Jan 29, 2026 · Jan 29, 2026 · Jan 29, 2026
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
@@ -3,9 +3,9 @@ name: Build
 runs:
   using: 'composite'
   steps:
-    - uses: actions/setup-node@v3
+    - uses: actions/setup-node@v4
       with:
-        node-version: 20.17
+        node-version: 22
 
     # First we cache the rush project, to ensure we don't build multiple times, nor we download more dependencies than needed
     - name: Cache Rush project

diff --git a/.github/workflows/re_test-integration-prepare.yml b/.github/workflows/re_test-integration-prepare.yml
@@ -26,7 +26,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 18.18
+          node-version: 22
 
       # If this was triggered by a /integration command, check out merge commit
       - name: Fork based /integration checkout

diff --git a/.github/workflows/wf_publish-docs.yml b/.github/workflows/wf_publish-docs.yml
@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 18.18
+          node-version: 22
           cache: npm
           cache-dependency-path: website/package-lock.json
 

diff --git a/.github/workflows/wf_publish-npm.yml b/.github/workflows/wf_publish-npm.yml
@@ -46,7 +46,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20.17
+          node-version: 22
           registry-url: https://registry.npmjs.org/
 
       - name: Rush Update

diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-lts/iron
+lts/jod
diff --git a/common/changes/@boostercloud/framework-core/node_22_2026-01-30-16-04.json b/common/changes/@boostercloud/framework-core/node_22_2026-01-30-16-04.json
@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@boostercloud/framework-core",
+      "comment": "Node 22 and Azure Functions v4 migration",
+      "type": "major"
+    }
+  ],
+  "packageName": "@boostercloud/framework-core"
+}
diff --git a/common/config/rush/.pnpmfile.cjs b/common/config/rush/.pnpmfile.cjs
@@ -34,5 +34,24 @@ function readPackage(packageJson, context) {
   //  packageJson.dependencies['log4js'] = '0.6.38';
   // }
 
+  // Security overrides for transitive dependencies (high/critical vulnerabilities).
+  // Each entry targets a specific major version line to avoid breaking cross-major deps.
+  const securityOverrides = [
+    { pkg: 'form-data', major: '4', minSafe: '>=4.0.4 <5.0.0' },    // GHSA-fjxv-7rqg-78g4 (critical)
+    { pkg: 'axios',     major: '1', minSafe: '>=1.12.0 <2.0.0' },    // GHSA-4hjh-wcwx-xvwj, GHSA-jr5f-v2jv-69x6 (high)
+    { pkg: 'tar-fs',    major: '2', minSafe: '>=2.1.4 <3.0.0' },     // GHSA-vj76-c3g6-qr5v, GHSA-8cj5-5rvv-wf4v (high)
+    { pkg: 'glob',      major: '10', minSafe: '>=10.5.0 <11.0.0' },   // GHSA-5j98-mcp5-4vw2 (high)
+    { pkg: 'qs',        major: '6', minSafe: '>=6.14.1 <7.0.0' },    // GHSA-6rw7-vpxm-498p (high)
+    { pkg: 'jws',       major: '3', minSafe: '>=3.2.3 <4.0.0' },     // GHSA-869p-cjfg-cm3x (high)
+    { pkg: 'jws',       major: '4', minSafe: '>=4.0.1 <5.0.0' },     // GHSA-869p-cjfg-cm3x (high)
+  ];
+
+  for (const { pkg, major, minSafe } of securityOverrides) {
+    const spec = packageJson.dependencies && packageJson.dependencies[pkg];
+    if (spec && new RegExp('^[\\^~]?' + major + '\\.').test(spec)) {
+      packageJson.dependencies[pkg] = minSafe;
+    }
+  }
+
   return packageJson;
 }
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		lts/iron
		lts/jod
Comment thread MarcAstr0 marked this conversation as resolved.