ENG-2954: Upgrade shield to Node v24 (+ pnpm 10.33.1 pin, release gh-CLI swap, SEA stdout-flush fix)

[ajag408]

Summary by CodeRabbit

• Bug Fixes

  • Resolved truncation of large JSON output from the bundled CLI when stdout is piped.

• Chores

  • Bumped library version to 1.3.0 and updated packageManager to pnpm 10.33.1.
  • Tightened minimum requirements to Node ≥20.19.0 and pnpm ≥10.33.1.
  • Updated CI/CD workflows and NVM config to use Node 24; adjusted release creation flow.

• Tests

  • Added an integration test to ensure large piped JSON responses are complete and valid.

ENG-2954 — move shield to Node v24 (the monorepo already cut over; GitHub's forced-deprecation date has passed). The CI hardening PR has already merged to main, so this lands cleanly on top of it as the last change before the first hardened + Node-24 release tag.

Three things are bundled (all touch the release/runtime path, all surfaced while validating this upgrade):

1. Node v24 + pnpm/Node pinning (the core ask)
2. Release reliability fix — the v1.2.6 tag hit a Startup failure because softprops/action-gh-release isn't on the org Actions allowlist. Swapped it for the GitHub-owned gh CLI (no allowlist dependency, same philosophy as the corepack/Socket choices).
3. SEA binary bug fix (ride-along) — the standalone binary truncated any response over ~64 KB when stdout is a pipe (i.e. the documented Python/Go/Rust subprocess integration path). getSupportedYieldIds was returning truncated, unparseable JSON to every consumer. Pre-existing on the Node-22 binaries too

Version bumped 1.2.5 → 1.3.0.

Changes

Runtime / tooling

• .nvmrc: 20.17.0 → 24.16.0
• package.json: version 1.3.0; packageManager pnpm@10.12.2 → 10.33.1; added engines (node >=20.19.0, pnpm >=10.33.1, mirroring the monorepo); @types/node ^20.0.0 → ^20.19.0
• pnpm-lock.yaml: regenerated on pnpm 10.33.1

CI (ci.yml)

• Test matrix [20.17.0, 22.x] → [20.19.0, 22.x, 24.x] (floor raised to the new engines baseline)
• Codecov upload gate and the standalone security job repointed to 24.x
• corepack pnpm@10.33.1

Release (release.yml)

• node-version "22" → "24" across all three jobs (security-audit, publish, build-binaries incl. the Rosetta x64 path); corepack pnpm@10.33.1
• create-release: replaced softprops/action-gh-release with gh release create … --generate-notes (job already has contents: write)

Bug fix

• src/cli.ts: exit inside the process.stdout.write(…, cb) callback so large responses fully flush before exit (was write() then immediate process.exit())
• src/cli.integration.test.ts: new regression test — spawns the bundle, captures getSupportedYieldIds over a pipe, asserts the full >64 KB payload parses

QA Proof (local, Node 24.16.0, darwin-x64)

• pnpm run lint → 0 errors (55 pre-existing warnings, unchanged from main)
• pnpm run build → green
• pnpm run build:binary → shield-darwin-x64 (121.9 MB), SEA inject + codesign OK
• SEA smoke:
  • getSupportedYieldIds over a pipe → 124758 bytes full output (was 65536 truncated pre-fix)
  • isSupported → true (ethereum-eth-lido-staking), false (nope)
  • binary == library parity (diff clean)

Truncation fix, pre vs post (piped | wc -c):

Node	Before fix	After fix
22.18.0	65536 (truncated)	124758 (full)
24.16.0	65536 (truncated)	124758 (full)

What needs to be verified in CI / at the release tag

• CI 24.x leg green — note: the Tron native-staking suite (native-staking.validator.test.ts) failed to run locally under test:coverage on Node 24 macOS (jest-worker "circular structure to JSON"; all 5596 assertions otherwise pass). Verifying whether it reproduces on CI (ubuntu). If it does, it needs a follow-up fix before merge.
• Release workflow runs end-to-end on the v1.3.0 (or an RC) tag — confirm the gh release create step succeeds (this is what startup-failed on v1.2.6)
• All 4 build-binaries legs green on Node 24: linux-x64, darwin-arm64, darwin-x64 (Rosetta), win32-x64
• Each SEA binary runs and reports a Node 24 runtime; checksums + attestation generated
• npm publish job builds/tests clean on Node 24

Risk

Low–moderate. Workflow/config + one targeted CLI fix. No validator logic changed. engines is advisory (.npmrc has no engine-strict). Main risk is the SEA build on Node 24 across the 3 non-local targets — covered by the release matrix.

Notes for reviewers

• esbuild --target=node20 left as-is intentionally — it's a transpile floor, not a runtime cap; the bundle runs fine on the embedded Node 24, and it's SEA-only.
• The gh-CLI release step needs no allowlist entry (it's a run: step, not an action). When release.yml later flips harden-runner to egress-policy: block (Phase 2), api.github.com/uploads.github.com will need allowlisting.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5a7b4c08-6e97-40c5-9925-c1dd1fb117b8

📥 Commits

Reviewing files that changed from the base of the PR and between 68396a8 and bc4be2f.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• src/cli.integration.test.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• src/cli.integration.test.ts
• .github/workflows/ci.yml
• .github/workflows/release.yml

---

📝 Walkthrough

Walkthrough

Fixes CLI stdout truncation for large piped outputs by deferring process.exit calls inside stdout.write callbacks on both success and error paths, and adds a regression integration test. Also bumps the package to v1.3.0, upgrades Node.js to 24.x and pnpm to 10.33.1 across CI/release workflows, and switches GitHub Release creation to the gh CLI.

Changes

CLI stdout flush fix and regression test

Layer / File(s)	Summary
CLI stdout flush fix on success and error paths src/cli.ts	Success path defers process.exit(0) inside the stdout.write callback; error path destroys process.stdin and defers process.exit(1) inside its stdout.write callback, ensuring large piped responses are not truncated at the buffer boundary.
Integration test for stdout non-truncation src/cli.integration.test.ts	Integration test builds the bundled CLI if absent, spawns it via spawnSync with a large getSupportedYieldIds request, sets maxBuffer to 10MB, and asserts process exit code 0, stdout exceeds 64KB, stdout parses as valid JSON, and yieldIds array contains more than 1000 entries.

Node/pnpm toolchain upgrade to v1.3.0

Layer / File(s)	Summary
Package version, engine constraints, and .nvmrc package.json, .nvmrc	Version bumped to 1.3.0, packageManager set to pnpm@10.33.1, engines.node raised to >=20.19.0, engines.pnpm raised to >=10.33.1, @types/node bumped to ^20.19.0, .nvmrc pinned to 24.16.0.
CI workflow Node/pnpm version updates .github/workflows/ci.yml	Test matrix replaces 20.17.0 with 20.19.0 and adds 24.x; disables package-manager-cache; Corepack pnpm activation updated to pnpm@10.33.1; Codecov upload condition switched to matrix.node-version == '24.x'; security job updated to Node 24.x and pnpm@10.33.1.
Release workflow Node/pnpm updates and gh CLI release creation .github/workflows/release.yml	Security audit, publish, and binary build jobs updated from Node 22 to Node 24 and pnpm from 10.12.2 to 10.33.1; disables package-manager-cache. Release creation step replaced from softprops/action-gh-release to gh release create with GITHUB_TOKEN, uploading shield-* artifacts and generating release notes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• stakekit/shield#10: Overlaps on CI and release workflow updates including Node/pnpm setup steps and release publishing behavior in .github/workflows/ci.yml and .github/workflows/release.yml.

Suggested reviewers

• Philippoes
• petar-omni
• jdomingos
• raiseerco
• auralshin

Poem

🐇 Hoppity-hop, no more truncated bytes,
The stdout now waits till the callback ignites!
Node 24 leaps in, pnpm climbs high,
gh release create waves the old action goodbye.
The bunny is pleased — not a yieldId was lost! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically summarizes all major changes: Node v24 upgrade, pnpm 10.33.1 pinning, release workflow gh-CLI swap, and SEA stdout-flush fix.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch eng-2954-node-v24

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 291-294: Make the release creation step idempotent by first
checking if the release already exists using gh release view command before
attempting to create it. If the release exists, use gh release upload with the
--clobber flag to re-upload the shield-* assets instead of creating a new
release. If the release does not exist, proceed with the current gh release
create command with the GITHUB_REF_NAME, title, and generate-notes options.
- Around line 43-47: The actions/setup-node steps in the release workflow do not
explicitly disable package-manager caching, creating a cache-poisoning attack
surface in a privileged workflow with security audits and production environment
access. Add the `package-manager-cache: false` input parameter to all four
setup-node action invocations in the release workflow to prevent automatic
caching and harden the security posture.

In `@src/cli.integration.test.ts`:
- Line 36: The file src/cli.integration.test.ts is missing a trailing newline at
the end, which is causing Prettier violations and CI failures. Add a newline
character at the very end of the file after the closing brace and semicolon to
satisfy Prettier formatting requirements.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: af9fc4d3-7214-4816-9e23-88a43283acd9

📥 Commits

Reviewing files that changed from the base of the PR and between ec7e17d and 68396a8.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (6)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• .nvmrc
• package.json
• src/cli.integration.test.ts
• src/cli.ts

[raiseerco]

lgtm