cloudflare · armfazh · Nov 18, 2025 · Nov 18, 2025
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,22 +4,23 @@ on:
   release:
     types:
       - published
-
+permissions:
+  contents: read
 jobs:
   release:
     if: ${{ github.repository_owner == 'cloudflare' }}
     name: Publishing to npmjs registry
     runs-on: ubuntu-latest
     steps:
       - name: Checking out
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
-      - name: Use Node.js v20
-        uses: actions/setup-node@v4
+      - name: Use Node.js v22
+        uses: actions/setup-node@v6
         with:
-          node-version: 20
+          node-version: 22
           # registry-url is required to correctly setup authentication per https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages#publishing-packages-to-the-npm-registry
           registry-url: 'https://registry.npmjs.org'
           cache: 'npm'

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -8,6 +8,8 @@ on:
   schedule:
     - cron: '0 0 * * *'
 name: Semgrep config
+permissions:
+  contents: read
 jobs:
   semgrep:
     name: semgrep/ci
@@ -20,5 +22,5 @@ jobs:
     container:
       image: returntocorp/semgrep
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: semgrep ci --verbose
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -7,7 +7,8 @@ on:
   pull_request:
     branches:
       - main
-
+permissions:
+  contents: read
 jobs:
   testing:
     name: Testing on Node v${{ matrix.node }} / CRYPTO_PROVIDER_ARG_REQUIRED=${{ matrix.crypto_arg_required }}
@@ -18,10 +19,10 @@ jobs:
         crypto_arg_required: [ true, false ]
     steps:
       - name: Checking out
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Use Node.js v${{ matrix.node }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node }}
           cache: 'npm'
@@ -59,12 +60,12 @@ jobs:
       security-events: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: javascript-typescript
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
diff --git a/bench/group.bench.ts b/bench/group.bench.ts
@@ -6,7 +6,7 @@
 import type Benchmark from 'benchmark'
 import type { CryptoProvider } from '../src/cryptoTypes.js'
 
-function asyncFn(call: CallableFunction) {
+function asyncFn(call: () => Promise<unknown>) {
     return {
         defer: true,
         async fn(df: Benchmark.Deferred) {

diff --git a/bench/index.ts b/bench/index.ts
@@ -23,11 +23,11 @@ async function bench(provider: CryptoProvider) {
 
     return new Promise<unknown>((resolve, reject) => {
         bs.on('cycle', (ev: Benchmark.Event) => {
-            console.log(`${provider.id}/${String(ev.target)}`)
+            console.log(`${provider.id}/${String(ev.target.name)}`)
         })
         bs.on('error', (event: Benchmark.Event) => {
             bs.abort()
-            reject(new Error(`error: ${String(event.target)}`))
+            reject(new Error(`error: ${String(event.target.name)}`))
         })
         bs.on('complete', resolve)
 

diff --git a/bench/oprf.bench.ts b/bench/oprf.bench.ts
@@ -19,7 +19,7 @@ import {
 
 import type Benchmark from 'benchmark'
 
-function asyncFn(call: CallableFunction) {
+function asyncFn(call: () => Promise<unknown>) {
     return {
         defer: true,
         async fn(df: Benchmark.Deferred) {