@AnnatarHe
Member

Summary

  • Upgrade Node.js version from 24 to 25 across all configuration files
  • Updated .node-version, package.json, Dockerfile, and GitHub Actions workflows

Test plan

  • CI pipeline passes with Node.js 25
  • Docker build succeeds with node:25-alpine image
  • Application runs correctly on Node.js 25

🤖 Generated with Claude Code

@gemini-code-assist

Summary of Changes

Hello @AnnatarHe, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the project's Node.js runtime environment to version 25. The primary goal is to leverage the latest features, performance enhancements, and security improvements offered by the new Node.js release. The changes involve modifying relevant configuration files to align the project with the updated Node.js version, ensuring a smooth transition and continued compatibility.

Highlights

  • Node.js Version Upgrade: The project's Node.js runtime has been upgraded from version 24 to 25. This update is reflected in key configuration files to ensure consistency across development and deployment environments.


Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/docker.yml
    • .github/workflows/node.js.yml


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request upgrades the project's Node.js version from 24 to 25 across various configuration files, including .node-version, Dockerfile, and package.json. The changes are straightforward and align with the goal of keeping the Node.js environment up to date. However, I've identified one area for improvement: the TypeScript type definitions for Node.js (@types/node) should also be updated to match the new Node.js version to ensure type safety and consistency.

Comment on lines 32 to 34
"engines": {
"node": "24"
"node": "25"
},
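
Review bot: the new "node": "25" value in engines pins the project to an odd-numbered Node.js major, and odd-numbered release lines never enter LTS and reach end of life shortly after the next even major ships. If this runtime is meant for production, consider a range that also admits the next LTS line, or schedule the follow-up bump now so the deployment does not end up on a line that no longer receives security fixes.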


medium

While you've correctly updated the engines field to Node.js 25, the corresponding TypeScript type definitions in devDependencies have not been updated. The @types/node package is still set to ^24.10.2 on line 54.

To ensure type safety and prevent potential issues with new or changed APIs in Node.js 25, please also update @types/node to a version compatible with Node.js 25. For example:

"@types/node": "^25.0.0"

After updating package.json, please remember to run pnpm install to update the pnpm-lock.yaml file accordingly.

AnnatarHe and others added 2 commits December 25, 2025 15:52
Update @types/node to v25 to match Node.js 25, upgrade Next.js to 16.1.1,
React to 19.2.3, and enable --turbo flag for production builds.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@claude
Contributor

claude bot commented Dec 25, 2025

PR Review: Node.js 24 → 25 Upgrade

Overview

This PR upgrades Node.js from version 24 to 25 across all configuration files and updates dependencies. The changes are well-structured and comprehensive.


✅ Positive Observations

  1. Comprehensive Coverage: All relevant configuration files have been updated consistently
  2. Dependency Updates: The PR includes updates to 43 dependencies, good for compatibility
  3. Consistent Versioning: The lockfile changes suggest proper dependency resolution with pnpm

⚠️ Concerns & Recommendations

1. Node.js 25 Stability (Critical)

  • Issue: Node.js 25 is likely pre-release. Current LTS is Node.js 22, latest stable is 23
  • Risk: Production deployments may encounter undiscovered bugs, incompatibilities, limited support
  • Recommendation: Consider using Node.js 22 LTS for production stability

2. Build Script Change (Minor Issue)

File: package.json:8

  • Issue: Adding --turbo flag changes to experimental Turbopack bundler
  • Impact: This is a separate concern from Node.js upgrade, should be in separate PR
  • Recommendation: Test thoroughly or separate this change

3. Missing Trailing Newline

File: package.json:227

  • File now ends without newline (POSIX standard violation)
  • Minor but can cause git tool issues

4. Testing Requirements

Complete these checks before merging:

  • Run full test suite with pnpm test
  • Test development mode
  • Build and run production mode
  • Verify critical features (auth, GraphQL, image processing)
  • Test Docker build locally

5. Dependency Compatibility

Review changelogs for: next 16.0.8→16.1.1, react 19.2.1→19.2.3, @sentry/nextjs 10.29.0→10.32.1, @tiptap 3.13.0→3.14.0

6. Alpine Linux Compatibility

Ensure all native modules compile correctly (sharp, redis, crypto)


🔒 Security

  1. Verify Node.js 25 includes all security patches
  2. Run pnpm audit for vulnerabilities
  3. No code logic changes ✅

📋 Summary

Code Quality: ✅ Good
Best Practices: ⚠️ Mixed (Turbopack should be separate)
Potential Bugs: ⚠️ Moderate risk (early Node.js version)
Security: ✅ No direct concerns
Performance: ⚠️ Needs benchmarking

Overall Recommendation: Request Changes - Address Node.js version stability concern and separate Turbopack change before merging to production.


Review generated by Claude Code

@claude
Contributor

claude bot commented Dec 25, 2025

PR Review: Node.js 24 → 25 Upgrade

Summary

This PR upgrades Node.js from version 24 to 25 across the entire project, including configuration files, Docker images, CI workflows, and dependencies. The changes appear comprehensive and well-coordinated.


✅ Positive Aspects

  1. Comprehensive Coverage: All Node.js version references updated consistently:

    • .node-version: 24 → 25
    • package.json engines field: 24 → 25
    • Dockerfile: node:24-alpine → node:25-alpine
    • GitHub Actions workflows: Both docker.yml and node.js.yml updated
  2. Dependency Updates: The PR includes sensible dependency updates alongside the Node.js upgrade:

    • Next.js: 16.0.8 → 16.1.1
    • React: 19.2.1 → 19.2.3
    • Sentry packages: 10.29.0 → 10.32.1
    • Tiptap editor: 3.13.0 → 3.14.0
    • Various minor version bumps for other dependencies
  3. Lock File Consistency: pnpm-lock.yaml properly regenerated with all peer dependencies resolved

  4. Performance Improvement: Added --turbo flag to build script for faster builds via Turbopack


⚠️ Issues & Concerns

1. Package Manager Inconsistency (Pre-existing)

Location: package.json:8

"build": "npm run codegen && next build --turbo"

Note: This inconsistency existed before this PR, but worth addressing:

  • The project uses pnpm exclusively (see CLAUDE.md and packageManager: "[email protected]")
  • The build script uses npm run instead of pnpm

Recommendation (separate PR or follow-up): Change to:

"build": "pnpm codegen && next build --turbo"

2. Redundant Codegen in Docker Build

Location: Dockerfile:32

RUN corepack enable pnpm && pnpm run codegen && pnpm run build

Since the build script already runs codegen, this causes it to run twice during Docker builds.

Recommendation: Simplify to:

RUN corepack enable pnpm && pnpm run build

3. Node.js 25 Compatibility - Unknown Risk

Node.js 25 was released in December 2024 (very recent). Potential concerns:

  • Ecosystem Maturity: Some native dependencies may not be fully tested with Node 25
  • Sharp ([email protected]): Image processing library sometimes has Node version compatibility issues
  • OpenTelemetry packages: Multiple telemetry/instrumentation packages might need validation
  • Minimal Testing: test/main.test.ts only contains a trivial placeholder test

Recommendations:

  • ✅ Monitor CI carefully for native module build failures
  • ✅ Test in staging environment before production
  • ℹ️ Consider Node 24 LTS as fallback if issues arise

4. Missing EOF Newline

Location: package.json:227

File ends without newline (violates POSIX standard).

Recommendation: Add newline back to end of file


🧪 Test Coverage Concerns

Test Plan Checklist:

  • CI pipeline passes with Node.js 25
  • Docker build succeeds with node:25-alpine image
  • Application runs correctly on Node.js 25

Current test suite: Only a trivial test that always passes - provides no validation of Node 25 compatibility.

Recommendations Before Merge:

  1. Run full build locally with Node 25
  2. Smoke test critical features:
    • Authentication flows (multi-provider)
    • GraphQL queries
    • Image processing (sharp/blurhash)
    • Rich text editor (Tiptap)
  3. Verify Docker build completes
  4. Check build output for deprecation warnings

🔒 Security Considerations

✅ No security concerns identified. Dependency updates include security patches:

  • Sentry monitoring updates
  • React/Next.js patch versions
  • No known vulnerabilities introduced

📝 Recommendations Summary

Before Merging (blocking):

  1. ✅ Fix Dockerfile redundant codegen execution
  2. ✅ Restore EOF newline in package.json
  3. ⚠️ Test Docker build locally
  4. ⚠️ Verify application runs with Node 25

Follow-up (non-blocking):

  • Fix package manager inconsistency (npm run → pnpm)
  • Add meaningful integration tests
  • Document any Node 25-specific issues

📈 Overall Assessment

Risk Level: 🟡 Medium

Pros:

  • Comprehensive, consistent upgrade across all configs
  • Good dependency hygiene with version bumps
  • Performance improvement with Turbopack

Cons:

  • Node.js 25 is very new (limited ecosystem testing)
  • Minimal test coverage for validation
  • Minor issues with Dockerfile redundancy and EOF newline

Verdict: The upgrade is well-executed. Address the Dockerfile redundancy and EOF newline, then merge with appropriate testing. Monitor production closely post-deployment.

Prevents errors during server-side rendering by checking for both
localStorage and window availability before accessing localStorage.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@claude
Contributor

claude bot commented Dec 25, 2025

Code Review - PR #166: Node.js 25 Upgrade

Summary

This PR successfully upgrades the project from Node.js 24 to Node.js 25, along with dependency updates and important code improvements. Overall, the changes are well-executed with good attention to detail.


✅ Strengths

1. Comprehensive Node.js 25 Upgrade

  • All configuration files properly updated (.node-version, package.json, Dockerfile, CI workflows)
  • Dependencies aligned with Node.js 25 (@types/node upgraded to v25)
  • Consistent approach across all environments

2. Major Framework Updates

  • Next.js: 16.0.8 → 16.1.1 (latest stable)
  • React: 19.2.1 → 19.2.3 (latest stable)
  • Turbo Mode: Enabled for production builds (--turbo flag) - excellent performance improvement
  • All related packages updated cohesively

3. Good Refactoring

The extraction of AccountRemoveButton to a separate file follows best practices:

  • ✅ Single responsibility principle
  • ✅ Improved code organization
  • ✅ Better maintainability

4. Critical SSR Fix

The fix in src/utils/profile.ts:12 properly prevents SSR errors by checking both localStorage and window. This is the correct approach for Next.js server-side rendering.


⚠️ Issues & Recommendations

🔴 Critical: Potential Bug in AccountRemoveButton

Location: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:93-96

Issue: The confirmation handler calls onCleanServerCookie() before doDeleteMyAccount(), which internally calls profile.onLogout(). This creates a problematic sequence where cookies are cleared BEFORE the delete API call.

Problem: If the delete account API requires authentication (which it likely does), clearing cookies first will cause the API call to fail with a 401 Unauthorized error.

Recommendation: Swap the order - delete the account while authenticated, then clean up cookies. Also note that doDeleteMyAccount() already calls profile.onLogout() internally, so onCleanServerCookie() might be redundant.


🟡 Medium: UI/UX Concerns

Location: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:41-52

Issues:

  1. Style Deviation: The button uses aggressive gradients that don't align with the project's documented UI guidelines in CLAUDE.md which emphasize Simple and Elegant with Subtle Gradients
  2. Accessibility: Multiple overlapping gradient layers with blur effects may impact performance

Recommendation: Simplify the button styling to match the project's design system


🟡 Medium: Error Handling

Location: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:32-35

Issue: Generic error handling loses context. Consider using i18n for error messages to maintain consistency.


🟢 Minor: Dependency Updates

Some dependencies have major version jumps. Ensure thorough testing for:

  • Zod: 4.1.13 → 4.2.1 (form validation)
  • Tiptap: 3.13.0 → 3.14.0 (rich text editor)
  • XState: 5.24.0 → 5.25.0 (state machines)

📋 Test Coverage Needed

  • CI pipeline passes with Node.js 25
  • Docker build succeeds
  • Application runs correctly on Node.js 25
  • Account deletion flow (critical - test the bug fix above)
  • SSR/CSR rendering without localStorage errors
  • Form validation after Zod update
  • Rich text editor after Tiptap update
  • Auth flows after XState update

🎯 Security and Performance

Security: ✅ No concerns identified. Proper auth checks and cookie handling maintained.

Performance: ✅ Turbo mode enabled - significant build improvement expected.


🎓 Conclusion

This is a solid PR with important upgrades. The Node.js 25 migration is thorough and well-executed.

⚠️ Please address the critical bug in the account deletion flow before merging.

Recommendation: Request changes for the critical bug fix, then approve after verification.

@AnnatarHe
Member Author

fix the bug in src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:93-96 @claude

@claude
Contributor

claude bot commented Dec 25, 2025

Claude finished @AnnatarHe's task in 1m 39s


Fixed Bug in AccountRemoveButton ✅

Task List

  • Read the AccountRemoveButton.tsx file to understand current implementation
  • Identify the bug in lines 93-96
  • Fix the order of operations (delete account before clearing cookies)
  • Commit and push the changes
  • Verify fix and update comment

Bug Analysis

Found the issue on lines 93-96:

Current (buggy) code:

onClick={async () => {
  await onCleanServerCookie()  // ❌ Clears auth cookies FIRST
  await doDeleteMyAccount()     // ❌ Then tries to delete (will fail - no auth!)
  setConfirming(false)
}}

Problem: Clearing cookies before the API call causes the delete request to fail with 401 Unauthorized.

Additional issue: doDeleteMyAccount() already calls profile.onLogout() internally (line 22), which handles the logout process. The explicit onCleanServerCookie() call was redundant.

Fix Applied ✅

  • Removed the redundant onCleanServerCookie() call
  • Removed the unused import

New code:

onClick={async () => {
  await doDeleteMyAccount()  // ✅ Deletes with valid auth, then logs out
  setConfirming(false)
}}

Now the flow is correct:

  1. doDeleteMyAccount() is called with valid authentication
  2. Account is deleted via API
  3. profile.onLogout() is called (inside doDeleteMyAccount)
  4. User is redirected to home page after 5 seconds
  5. Modal is closed

Changes Committed

  • Commit: 89995b7 - fix(settings): fix account deletion authentication bug
  • Files changed: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx (-2 lines)

Remove premature cookie clearing that caused 401 errors during account deletion.
The doDeleteMyAccount function already handles logout via profile.onLogout().

Co-authored-by: Le He <[email protected]>
@claude
Contributor

claude bot commented Dec 25, 2025

Code Review - PR #166: Node.js 25 Upgrade

Overview

This PR upgrades the project from Node.js 24 to 25. The majority of changes are dependency updates (pnpm-lock.yaml), with some notable source code changes.

✅ Positive Changes

Infrastructure Updates

  • Consistent Node.js version updates: All configuration files updated (.node-version, package.json, Dockerfile, GitHub Actions)
  • Dependency updates: All dependencies properly updated to compatible versions
  • Build optimization: Added --turbo flag to the build script, which can significantly improve build performance

Code Quality Improvements

  • Component extraction: AccountRemoveButton.tsx properly extracted from page.tsx (lines 1-109) - good separation of concerns
  • UI/UX enhancement: The account deletion flow now has a much better user experience with proper visual warnings and confirmation

@claude
Contributor

claude bot commented Dec 25, 2025

⚠️ Issues & Concerns (Part 1)

1. Security Issue - Race Condition in Account Deletion

Location: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:17-35

The logout happens immediately after initiating the delete mutation, but there's no verification that the delete actually succeeded on the server. If the mutation fails silently or the server takes longer to respond, the user gets logged out but their account might not be deleted.

Recommendation: Check the result of the mutation before proceeding with logout.

2. UX Issue - Timing Problem

Location: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:28-30

The 5-second delay before redirect is arbitrary and problematic:

  • User might close the tab/browser thinking it's done
  • No loading state or countdown shown to the user
  • If navigation happens during this time, the redirect might fail

Recommendation: Redirect immediately after logout or show a countdown timer.
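
Added example, not part of the thread or the project's code: the three orderings discussed in the reviews above (session cleared before the delete call, delete followed by an unconditional logout, and delete followed by logout only on confirmed success), run against a constructed in-memory backend. All names here (`deleteAccount`, `logout`, `setup`, the `failDelete` switch) are hypothetical stand-ins, not the functions in AccountRemoveButton.tsx.

```typescript
// Added example: in-memory stand-ins, not the project's code. All names are hypothetical.
interface ApiResult { ok: boolean; status: number }
interface Backend {
  accounts: Set<string>
  sessions: Map<string, string> // session cookie -> user id
  failDelete: boolean           // constructed switch that simulates a server-side failure
}
interface ClientState { cookie: string | null }
interface Outcome { status: number; accountExists: boolean; loggedIn: boolean }

// Constructed fixture: one account ("u1") with one live session.
function setup(failDelete: boolean): { backend: Backend; client: ClientState } {
  const backend: Backend = {
    accounts: new Set<string>(['u1']),
    sessions: new Map<string, string>([['cookie-u1', 'u1']]),
    failDelete,
  }
  return { backend, client: { cookie: 'cookie-u1' } }
}

// Server side: the delete endpoint only acts for an authenticated session.
async function deleteAccount(backend: Backend, cookie: string | null): Promise<ApiResult> {
  const user = cookie === null ? undefined : backend.sessions.get(cookie)
  if (user === undefined) return { ok: false, status: 401 }
  if (backend.failDelete) return { ok: false, status: 500 }
  backend.accounts.delete(user)
  return { ok: true, status: 200 }
}

// Client side: drop the session on the server and the cookie in the browser.
function logout(backend: Backend, client: ClientState): void {
  if (client.cookie !== null) backend.sessions.delete(client.cookie)
  client.cookie = null
}

function report(backend: Backend, client: ClientState, r: ApiResult): Outcome {
  return {
    status: r.status,
    accountExists: backend.accounts.has('u1'),
    loggedIn: client.cookie !== null,
  }
}

// Ordering 1: session cleared before the authenticated call, so the delete is rejected.
async function clearThenDelete(failDelete = false): Promise<Outcome> {
  const { backend, client } = setup(failDelete)
  logout(backend, client)
  const r = await deleteAccount(backend, client.cookie)
  return report(backend, client, r)
}

// Ordering 2: delete first, but log out without looking at the result.
async function deleteThenLogoutUnchecked(failDelete = false): Promise<Outcome> {
  const { backend, client } = setup(failDelete)
  const r = await deleteAccount(backend, client.cookie)
  logout(backend, client)
  return report(backend, client, r)
}

// Ordering 3: delete while authenticated; log out only after a confirmed success.
async function deleteThenLogoutVerified(failDelete = false): Promise<Outcome> {
  const { backend, client } = setup(failDelete)
  const r = await deleteAccount(backend, client.cookie)
  if (r.ok) logout(backend, client) // on failure the session stays, so the user can retry
  return report(backend, client, r)
}
```

With `failDelete` set, ordering 2 leaves the user logged out while the account still exists; ordering 3 keeps the session and surfaces the 500.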

@claude
Contributor

claude bot commented Dec 25, 2025

⚠️ Issues & Concerns (Part 2)

3. Code Quality - Duplicate Modal Header

Location: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:54-77

The modal has duplicate headers - one passed as the title prop (lines 55-64) and another rendered inside the modal content (lines 70-77). This is redundant.

Recommendation: Remove one of the headers, preferably the one inside the modal content (lines 70-77).

4. Accessibility Issue - Missing ARIA Labels

Location: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:40-51, 90-102

The buttons lack proper ARIA attributes for screen readers:

  • No aria-label or aria-describedby
  • No role specification for the destructive action
  • Modal doesn't have aria-modal="true"

Recommendation: Add proper ARIA attributes for better accessibility.

@claude
Contributor

claude bot commented Dec 25, 2025

⚠️ Issues & Concerns (Part 3)

5. Style Guide Violation - Gradient Colors

Location: src/app/dash/[userid]/settings/account/AccountRemoveButton.tsx:41, 45, 91

According to CLAUDE.md, the project prefers subtle gradients with closely related colors (e.g., from-blue-300 to-blue-500). The red-to-orange gradient is acceptable for a destructive action, but the pink-to-purple overlay (line 45) seems unnecessary and doesn't match the project's "simple & elegant" design principle.

Recommendation: Remove the pink/purple overlay or use a simpler hover effect.

6. Missing Import - Linting Issue

Location: src/app/dash/[userid]/settings/account/page.tsx:1

Missing blank line after import according to standard ESLint rules.

7. Node.js 25 Compatibility Not Verified

The PR description includes a test plan that's unchecked. Before merging:

  • Verify all dependencies are compatible with Node.js 25
  • Test Docker build succeeds
  • Run full test suite
  • Verify no runtime deprecation warnings

@claude
Contributor

claude bot commented Dec 25, 2025

🧪 Testing Recommendations

  1. Test the account deletion flow thoroughly:

    • Test with network failures
    • Test with slow network conditions
    • Test the mutation error handling
    • Verify account is actually deleted from the database
  2. Test Node.js 25 compatibility:

    • Run pnpm test
    • Run pnpm build
    • Check for deprecation warnings in dev mode
    • Build and test Docker image
  3. Test accessibility:

    • Use a screen reader to test the deletion flow
    • Verify keyboard navigation works properly
    • Test focus management when modal opens/closes

@claude
Contributor

claude bot commented Dec 25, 2025

📝 Summary

Recommendation: Request changes before merging.

While the Node.js upgrade and dependency updates are solid, the account deletion implementation has a critical security/reliability issue that should be addressed. The race condition between mutation and logout could lead to user accounts not being properly deleted while users think they are.

Minor Observations

  • The package.json now uses --turbo for builds, which is great for performance
  • All dependency updates look reasonable and follow semantic versioning
  • The refactoring to extract AccountRemoveButton is a good architectural decision

The UX and accessibility improvements would significantly enhance the user experience for this critical action.

🤖 Generated with Claude Code

@AnnatarHe AnnatarHe merged commit f5fc7f3 into master Dec 25, 2025
2 checks passed
@AnnatarHe AnnatarHe deleted the chore/upgrade-node-25 branch December 25, 2025 08:30