feat!: npminstall v8 #479

Merged
fengmk2 merged 2 commits into master from chore-tar on Jan 20, 2026
Conversation

@elrrrrrrr elrrrrrrr commented Jan 19, 2026

fix https://github.com/eggjs/egg/security/dependabot/52

  • 🤖 Upgrade related dependencies to the latest version to address tar security issues.
  • ♻️ Drop support for Node versions <= 20.
  • 🚚 Update CI flow, add macOS support.

Summary by CodeRabbit

  • Chores

    • Major version bump to 8.0.0
    • Updated minimum Node.js requirement to 20.0.0
    • Updated build dependencies to latest versions
    • Enhanced CI/CD pipeline with updated tooling and macOS support
  • Tests

    • Fixed test compatibility with Node.js 22+
    • Updated test assertions for improved Windows compatibility


coderabbitai Bot commented Jan 19, 2026

Walkthrough

Updated CI workflow and package.json for major version 8.0.0 release with Node.js 20+ support requirement. Added Node.js version compatibility guards in tests to handle breaking changes in Node.js 22+. Updated key dependencies, removed legacy Node versions, and bumped tooling versions.

Changes (cohort, files, summary)

  • CI and Build Configuration (.github/workflows/ci.yml, package.json): Updated CI node matrix from [14.18.0, 14.x, 16.x, 18.x, 20.x] to [20.x, 22.x, 24.x]; added macOS-latest to matrix. Bumped package version to 8.0.0. Updated major dependencies: @npmcli/arborist (^6.1.3 → ^9.1.9), node-gyp (^9.0.0 → ^12.1.0), pacote (^15.0.0 → ^21.0.4), tar (^6.0.0 → ^7.5.3), egg-bin (^6.1.2 → ^6.13.0). Minimum Node.js requirement raised to >=20.0.0.
  • Node.js 22+ Compatibility Guards (test/css-loader.test.js, test/install-with-python3.test.js): Added semver-based version guards to skip tests on Node.js 22+. CSS loader test skips due to happypack@3 using deprecated util.isRegExp. XProfiler test block wrapped in version check (< 22.0.0) where prebuilt binaries are unavailable.
  • Test Updates (test/get.test.js, test/link.test.js): Updated test URL endpoint from https://cnpmjs.org to https://r.cnpmjs.org/binary.html. Relaxed Windows fs.readlink assertion to accept directory with or without trailing backslash for Node.js 22+ junction symlink behavior.

Pre-merge checks (3 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Title check: Passed. The title 'feat!: npminstall v8' accurately reflects the main change, a major version bump to v8 with breaking changes, supported by the version update from 7.12.0 to 8.0.0 in package.json and dropping Node.js ≤20 support.


@gemini-code-assist

Summary of Changes

Hello @elrrrrrrr, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a critical maintenance task: updating several key project dependencies to their latest major versions. The most significant update is to the tar package, which directly addresses a known security vulnerability. These upgrades collectively enhance the project's security posture, stability, and ensure compatibility with the most recent features and bug fixes from these foundational libraries.

Highlights

  • Dependency Updates: Multiple core dependencies have been updated to their latest major versions, including tar, @npmcli/arborist, node-gyp, and pacote.
  • Security Fix: The primary motivation for these updates, particularly for the tar package, is to address a reported security vulnerability as indicated by the linked Dependabot alert.
  • Version Bumps: The tar package has been upgraded from ^6.0.0 to ^7.5.3, @npmcli/arborist from ^6.1.3 to ^9.1.9, node-gyp from ^9.0.0 to ^12.1.0, and pacote from ^15.0.0 to ^21.0.4.
@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This PR updates four key dependencies—@npmcli/arborist, node-gyp, pacote, and tar—across multiple major versions. While the update to tar resolves a security vulnerability, the scope of this PR is much larger than what the title, chore(deps): tar@7, suggests. Each of these major version bumps introduces a significant risk of breaking changes that could impact core functionality, from dependency resolution to package extraction. I've added comments on each updated dependency to highlight the potential risks. The PR title and description should be updated to reflect the full scope of these changes.

fengmk2 commented Jan 19, 2026

need to release a major version, drop Node.js < 20 support

@elrrrrrrr force-pushed the chore-tar branch 2 times, most recently from 790e05f to 80f51c7, on January 19, 2026 08:17
@elrrrrrrr changed the title from chore(deps): tar@7 to feat: npminstall v8 on Jan 19, 2026
@elrrrrrrr marked this pull request as ready for review on January 20, 2026 07:39
@fengmk2 changed the title from feat: npminstall v8 to feat!: npminstall v8 on Jan 20, 2026
fengmk2 commented Jan 20, 2026

I'll merge it first; the automatic release will run after I update it tonight: https://github.com/cnpm/npminstall/blob/master/.github/workflows/release.yml

@fengmk2 fengmk2 merged commit d213d25 into master Jan 20, 2026
14 checks passed
@fengmk2 fengmk2 deleted the chore-tar branch January 20, 2026 08:21
fengmk2 pushed a commit that referenced this pull request Jan 20, 2026
[skip ci]

## 8.0.0 (2026-01-20)

* feat: enable auto release (#481) ([8fed5a6](8fed5a6)), closes [#481](#481) [hi#level](https://github.com/hi/issues/level)
* feat!: npminstall v8 (#479) ([d213d25](d213d25)), closes [#479](#479) [hi#level](https://github.com/hi/issues/level)

### BREAKING CHANGE

* Node.js >= 20

## Summary by CodeRabbit

* **Chores**
  * Modified CI workflow to trigger only on master branch, removing support for legacy branches
  * Removed automated CodeQL security analysis workflow
  * Updated release workflow configuration with new NPM release automation
@github-actions

🎉 This PR is included in version 8.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
