Maintenance: Node.js 18 (EOL) pinned in Volta and CI workflows

[pratikchaskar]

Severity: Low

Summary

Node.js 18 reached End-of-Life on April 30, 2025. The Volta configuration pins local development to 18.15.0, and four CI workflows still use Node.js 18, while four other workflows have already been updated to Node.js 20 — creating an inconsistency.

Affected Locations

Local development (Volta pin):

package.json, lines 50-52:

"volta": {
    "node": "18.15.0"
},

CI workflows still on Node.js 18:

Workflow	Line	Version
.github/workflows/code-analysis.yml	18	18.15
.github/workflows/publish-public-build.yml	17	18
.github/workflows/publish.yml	19	18
.github/workflows/tag-release.yml	25	18.15

CI workflows already on Node.js 20 (correct):

Workflow	Version
chromatic.yml	20
storybook-tests.yml	20
storybook-deployment.yml	20.x

Why Low Severity

• Node.js is used only at build time for this UI component library, not at runtime
• CI runners are ephemeral — the Node.js process runs briefly and the runner is destroyed
• The primary risk is that Node.js 18 no longer receives security patches, but the HTTP smuggling and path traversal CVEs in older 18.x releases are server-side concerns, not build-tool concerns

Recommended Fix

Update the Volta pin and all CI workflows to Node.js 20 LTS (or 22 LTS):

"volta": {
    "node": "20.18.0"
}

# In all four workflow files:
node-version: 20

---

Found by automated security audit — VULN-11