build(deps): bump actions/setup-node from 6 to 6.3.0 #20819

Open
dependabot[bot] wants to merge 1 commit into main from
dependabot/github_actions/actions/setup-node-6.3.0

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps actions/setup-node from 6 to 6.3.0.

Release notes

Sourced from actions/setup-node's releases.

v6.3.0

What's Changed

Enhancements:

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

Bug fixes:

New Contributors

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

What's Changed

Documentation

Dependency updates:

New Contributors

Full Changelog: actions/setup-node@v6...v6.2.0

v6.1.0

What's Changed

Enhancement:

Dependency updates:

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk: workflow-only change that updates the GitHub Action used to install Node.js; potential impact is limited to CI/installer build behavior if the new action version changes version-file parsing or caching details.

Overview
Updates CI workflows to pin actions/setup-node from v6 to v6.3.0 for Node setup across Linux (DEB/RPM), macOS, Windows installer builds, and install-script tests.

Reviewed by Cursor Bugbot for commit c0638a3. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v6...v6.3.0)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added labels Changed (required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (pull requests that update a dependency file), github_actions (pull requests that update GitHub Actions code) on Apr 21, 2026
dependabot[bot] requested a review from a team as a code owner April 21, 2026 20:26
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Gathering local evidence: how setup-node is referenced and whether workflow changes match a typical Dependabot bump.

Verdict: benign

Why this looks safe

  • Identity / typosquatting: The ref is actions/setup-node under the official actions org—correct action name, not a fork or lookalike.
  • Version semantics: Moving from @v6 to @v6.3.0 is still major 6; it only pins the floating v6 tag to a concrete release. That matches normal Dependabot behavior for GitHub Actions.
  • Workflow edits: For package-manager: github_actions, updating .github/workflows/*.yml is the expected change surface—the “dependency” is the uses: pin. Your repo uses actions/setup-node@v6.3.0 in several workflows (e.g. test-install-scripts.yml, installer build workflows); that is consistent with a legitimate bump, not an unrelated workflow takeover.
  • Release alignment: The PR body’s changelog (devEngines preference, dependency bumps, mirror-url fix) is consistent with actions/setup-node’s published v6.x line—not a random or “ghost” version story.

Malware scanner vs interpretation

  • Hard positives: The report shows 0 unicode, 0 confusable, and 0 IOC findings—no scanner-backed signal of hidden Unicode, exfil patterns, or known indicators.
  • Heuristic noise: The large codepoint_decoder / charCodeAt hit list is on bundled dist/*.js in the upstream action. That pattern is routine in minified/bundled JS (parsers, encodings, HTTP handling) and is a known weak signal without corroborating IOC/unicode findings. Here it does not outweigh the absence of stronger findings.
  • “Maintainer drift” style hints in auxiliary scan metadata reflect version string movement (e.g. 6→6.3.0), not evidence that a different publisher replaced the package.

Checklist (short)

  • Classic obfuscation / exfil / persistence: No evidence in scope of this bump; you’re not vendoring opaque payloads—only pinning a GitHub-hosted action tag.
  • Invisible Unicode: Scanner: none post-allowlist.
  • Dependency integrity: Transitive churn in upstream package-lock.json / dist/ is normal for action releases; nothing here suggests an unexpected substitute action name or mystery registry package in your repo beyond the pin change.
  • Dependabot context: Workflow-only (or mostly workflow) diffs are expected for this dependency type.

Actionable note: If package.json uses both engines.node and devEngines.runtime, v6.3.0 can prefer devEngines.runtime when using node-version-file: package.json—worth a quick sanity check on CI Node version if you rely on engines.node alone; that’s a behavior change, not a security issue.

Bottom line: Treat as routine, low-risk; scanner “warn” is heuristic-only and consistent with false positives on bundled action code.

Compatibility Analysis

Searching the repo for actions/setup-node usage and reviewing workflow context.

1) Where actions/setup-node is used

It appears only in five workflow files, all with the same pattern:

Workflow                                            | Purpose (from step name)
----------------------------------------------------|-------------------------
.github/workflows/test-install-scripts.yml          | Setup Node for GUI
.github/workflows/build-windows-installer.yml       | Same
.github/workflows/build-macos-installers.yml        | Same
.github/workflows/build-linux-installer-rpm.yml     | Same
.github/workflows/build-linux-installer-deb.yml     | Same

Each step uses:

uses: actions/setup-node@v6.3.0
with:
  node-version-file: chia-blockchain-gui/.nvmrc

No other uses: actions/setup-node hits showed up under .github for *.yml / *.yaml.


2) Overlap with release-note / API changes

Change                                                                                             | Your usage
---------------------------------------------------------------------------------------------------|-----------
v6.3.0: prefers devEngines.runtime over engines.node when node-version-file: package.json           | You point at chia-blockchain-gui/.nvmrc, not package.json. This behavior does not apply.
Mirror / mirror-url (bearer fix)                                                                    | Not used in these workflows.
v6.1.0: removed always-auth handling                                                                | No always-auth (or other registry-auth knobs) in the shown with: blocks.
Internal: uuid → crypto.randomUUID, minimatch, npm audit, @actions/cache                            | Implementation detail inside the action; your YAML inputs are unchanged.

So there is no meaningful intersection between your declared inputs and the user-visible behavioral changes called out in the notes.


3) Risks / unknowns

  • Low: Same major (v6), pin moves from floating @v6 to @v6.3.0 (more reproducible).
  • Residual: Any rare regression inside the action (e.g. parsing .nvmrc) is possible in theory but not suggested by the release notes; CI on this PR is the right gate.
  • Future: If someone later switches to node-version-file: package.json with both engines and devEngines, v6.3.0’s precedence rule could surprise them—that is not your current setup.

4) Recommendation

Merge — usage is minimal, consistent, and node-version-file points at .nvmrc, so the notable v6.3.0 package.json / devEngines change does not affect these jobs. Rely on green workflows on the PR as the final check.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 13
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e..53b83947a5a98c8d113130e565377fae1a50d02f
  • Resolved refs: from=48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e to=53b83947a5a98c8d113130e565377fae1a50d02f
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 546

Top findings

  • dist/cache-save/index.js:11209 codepoint_decoder :: decTable[encTable[i].charCodeAt(0)] = i;
  • dist/cache-save/index.js:11211 codepoint_decoder :: decTable["-".charCodeAt(0)] = encTable.indexOf("+");
  • dist/cache-save/index.js:11212 codepoint_decoder :: decTable["_".charCodeAt(0)] = encTable.indexOf("/");
  • dist/cache-save/index.js:11239 codepoint_decoder :: b = decTable[base64Str.charCodeAt(i)];
  • dist/cache-save/index.js:15199 codepoint_decoder :: : str.charCodeAt(0);
  • dist/cache-save/index.js:15735 codepoint_decoder :: hash = ((hash << 5) - hash) + namespace.charCodeAt(i);
  • dist/cache-save/index.js:22027 codepoint_decoder :: const code = this.code = key.charCodeAt(index)
  • dist/cache-save/index.js:22051 codepoint_decoder :: const code = key.charCodeAt(index)
  • dist/cache-save/index.js:22741 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • dist/cache-save/index.js:28754 codepoint_decoder :: for (let i = 'A'.charCodeAt(0); i <= 'Z'.charCodeAt(0); i++) {
  • dist/cache-save/index.js:31865 codepoint_decoder :: const charCode = attributeValue.charCodeAt(0)
  • dist/cache-save/index.js:32013 codepoint_decoder :: const code = value.charCodeAt(i)
  • dist/cache-save/index.js:32037 codepoint_decoder :: const code = name.charCodeAt(i)
  • dist/cache-save/index.js:32087 codepoint_decoder :: const code = value.charCodeAt(i++)
  • dist/cache-save/index.js:32108 codepoint_decoder :: const code = path.charCodeAt(i)
  • dist/cache-save/index.js:33209 codepoint_decoder :: if (value.charCodeAt(i) < 0x30 || value.charCodeAt(i) > 0x39) return false
  • dist/cache-save/index.js:34344 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 0x003D) {
  • dist/cache-save/index.js:34346 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 0x003D) {
  • dist/cache-save/index.js:34544 codepoint_decoder :: while (lead < str.length && predicate(str.charCodeAt(lead))) lead++
  • dist/cache-save/index.js:34548 codepoint_decoder :: while (trail > 0 && predicate(str.charCodeAt(trail))) trail--
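The dependency analysis above rests on two checks a reviewer can automate for every Dependabot Actions bump: whether each `uses:` reference is a commit SHA, a release tag, or a floating major tag (the move from `@v6` to `@v6.3.0` is the "more reproducible" step noted in the compatibility analysis), and whether the owner is one you trust rather than a lookalike. The script below is an added example, not code from this repository or from Dependabot/Cursor; the workflow text it scans is constructed for the demonstration (the checkout SHA is a placeholder, and `third-party/cache-helper` is a made-up action), and the trusted-owner list is an assumption you would replace with your own.

```python
"""Audit `uses:` pins in GitHub Actions workflow YAML (added example).

Classifies each action reference by how immutable it is and flags owners
that are not on an allow-list, so a Dependabot bump can be checked with
the same questions the analysis above asks by hand.
"""
import re
from dataclasses import dataclass

# Matches `uses:` at any indent, with or without a leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA: immutable
RELEASE_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")  # v6.3.0: a release, but tags can be moved
MAJOR_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")    # v6 / v6.3: re-pointed at every new release

ADVICE = {
    "sha": "ok: immutable commit pin",
    "release_tag": "tag is mutable; pin the commit SHA and keep the tag in a trailing comment",
    "floating_tag": "floating tag tracks every future release; pin to a release tag or SHA",
    "branch_or_other": "branch refs change on every push; pin to a SHA",
    "unpinned": "no ref at all (resolves to the default branch); pin to a SHA",
}


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    kind: str
    advice: str


def classify_ref(ref: str) -> str:
    """Map the part after '@' to an immutability class."""
    if not ref:
        return "unpinned"
    if SHA_RE.match(ref):
        return "sha"
    if RELEASE_TAG_RE.match(ref):
        return "release_tag"
    if MAJOR_TAG_RE.match(ref):
        return "floating_tag"
    return "branch_or_other"


def audit_workflow(text: str, trusted_owners=frozenset({"actions", "github"})) -> list:
    """Return one Finding per remote `uses:` line in a workflow file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith("./") or uses.startswith("docker://"):
            continue  # local composite actions and Docker images are out of scope here
        action, _, ref = uses.partition("@")
        owner = action.split("/", 1)[0]
        kind = classify_ref(ref)
        advice = ADVICE[kind]
        if owner not in trusted_owners:  # assumed allow-list; adjust for your org
            advice += f"; owner '{owner}' is not on the trusted list, confirm it is not a lookalike"
        findings.append(Finding(lineno, action, ref, kind, advice))
    return findings


def needs_attention(findings: list) -> list:
    """Everything that is not an immutable SHA pin from a trusted owner."""
    return [f for f in findings if f.kind != "sha" or "lookalike" in f.advice]


# Constructed sample workflow: mirrors the step shape quoted in the analysis.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  gui:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Setup Node for GUI
        uses: actions/setup-node@v6
        with:
          node-version-file: chia-blockchain-gui/.nvmrc
      - uses: actions/setup-node@v6.3.0
      - uses: third-party/cache-helper@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref} [{f.kind}] -> {f.advice}")
```

Run it over `.github/workflows/*.yml` and fail the job when `needs_attention` is non-empty; a bump like this one then shows up as a `floating_tag` becoming a `release_tag`, which is an improvement but still short of a SHA pin.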

@coveralls-official

Coverage Report for CI Build 24744674217

Coverage decreased (-0.006%) to 91.171%

Details

  • Coverage decreased (-0.006%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 29 coverage regressions across 7 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

29 previously-covered lines in 7 files lost coverage.

File Lines Losing Coverage Coverage
chia/server/address_manager.py 7 92.83%
chia/server/server.py 7 85.56%
chia/server/node_discovery.py 6 80.21%
chia/full_node/full_node.py 5 87.54%
chia/_tests/core/test_farmer_harvester_rpc.py 2 98.06%
chia/full_node/full_node_api.py 1 86.69%
chia/_tests/simulation/test_simulation.py 1 96.49%

Coverage Stats

Coverage Status
Relevant Lines: 117497
Covered Lines: 107289
Line Coverage: 91.31%
Relevant Branches: 11720
Covered Branches: 10519
Branch Coverage: 89.75%
Branches in Coverage %: Yes
Coverage Strength: 1.83 hits per line

💛 - Coveralls
