feat: require Node.js >=22.21.0 and drop EOL Node.js 20

[qw-in]

Summary

Drops support for the now end-of-life Node.js 20 and raises the minimum supported Node.js to >=22.21.0 <23 || >=24.5.0 across all packages. This lands ahead of the proxy-support change (#6089) and deliberately pulls in the exact engine range that work requires, so the engines don't have to change twice.

The exact range is driven by @arcjet/transport: its proxy support relies on the built-in proxy support of the Node.js HTTP agent, which is only available on Node.js >=22.21.0 and, on the 24 line, >=24.5.0. Node.js 23 is not supported. Because every package depends (directly or transitively) on @arcjet/transport, the requirement is applied to all of them rather than only those that import it directly. Anyone tracking an active LTS release is unaffected.

This is intentionally just the Node-version policy slice — no proxy/transport implementation (that's #6089).

Changes

• Engines → >=22.21.0 <23 || >=24.5.0 on every workspace package (incl. @arcjet/guard). Marked feat: so release-please surfaces the new requirement in the SDK release notes.
• CI matrices now run Node.js 22, 24, 26 (dropping 20); standalone Deno/examples setup steps bumped 20 → 22.
• @types/node pinned to the latest 22.x (22.19.21) so type checking reflects the minimum supported runtime; renovate keeps it on the 22.x line via a dedicated <23 rule while the node/actions group tracks up to <27.
• Coverage thresholds enabled now that the required --test-coverage-* flags are available on supported Node.js versions (@arcjet/ip at 100%; others ratcheted to current).
• Docs: @arcjet/guard README runtime table + footnote and CONTRIBUTING, a @arcjet/transport README section, the v22 process.version doc link, example README cleanups (removed the obsolete --env-file caveats), and examples/remix-express engines → >=22.0.0.

The framework adapters (@arcjet/astro, bun, deno, nuxt, remix, react-router) carry no engines/@types/node fields, matching existing repo convention.

Verification

• npm run build (33 packages) ✅
• npm run lint (35 packages) ✅
• @arcjet/guard: oxlint ✅, tsgo typecheck against 22.x types ✅
• Coverage gates verified passing on Node 22

🤖 Generated with Claude Code

[arcjet-review]

Arcjet Review — 🔴 High Risk

Decision: Reviewers Assigned

Rationale: This PR changes the supported Node.js runtime range across many published packages, updates CI runtime matrices, and changes pinned @types/node versions. That is broad-impact release and CI behavior, and it fires multiple escalation triggers. No direct security vulnerabilities, secrets, auth changes, injection risks, or cryptographic concerns were identified in the diff. Human review is required; no specific escalation reviewers are configured.

Summary of Changes

Raises the minimum supported Node.js version from Node 20/22.18 to >=22.21.0 <23 || >=24.5.0 across packages, updates CI from Node 20/25 to 22/26, pins @types/node to the Node 22 line, adjusts coverage scripts, and updates related documentation.

Escalation Triggers

• Dependency Changes: Multiple package.json files changed engines.node and several devDependency pins for @types/node.
• CI/CD Pipeline: GitHub Actions workflow files under .github/workflows were modified to change Node.js versions used in CI.

Review Focus Areas

• Should this example use the same engine constraint as the rest of the repository, >=22.21.0 <23 || >=24.5.0, instead of >=22.0.0?
  The PR rationale says transport proxy support requires Node >=22.21.0 or >=24.5.0. Allowing Node 22.0.0 here may advertise an unsupported runtime and create confusing install/runtime failures.
• Confirm that dropping Node 20 and excluding Node 23/early Node 24 is intended as a breaking support-policy change and is reflected in release notes/versioning.
  This affects all package consumers and may require a major version or explicit migration guidance depending on the project’s compatibility policy.
• Verify that actions/setup-node can resolve Node 26 in all CI environments and that Node 26 is intentionally supported/tested.
  If the requested Node version is unavailable or not yet supported by the action cache/manifest, CI jobs will fail.
• Check whether the repository lockfile should be updated alongside the package.json changes to @types/node and engines.
  With npm workspaces, npm ci can fail when package.json dependency pins differ from the lockfile. The diff does not show a lockfile update.
• Confirm Renovate’s Node grouping and the separate @types/node rule produce the intended future updates.
  The new rules allow Node updates below 27 while pinning @types/node below 23; reviewers should ensure this will not accidentally prevent needed type/security updates or create noisy PRs.

Notes

Security checklist applied: no auth/authorization, input handling, injection, secrets, or cryptography changes were identified. Dependency audit found no new third-party packages, but the @types/node pin changes and missing visible lockfile update should be verified by humans.

Path filtering: 3 files excluded by ignore paths. 48 of 51 files included in review.

_{Review: 4367e755 | Model: openai/gpt-5.5 | Powered by Arcjet Review}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​arcjet/​node@​1.5.0 ⏵ 1.5.0
	@​arcjet/​next@​1.5.0 ⏵ 1.5.0
	@​arcjet/​nuxt@​1.5.0 ⏵ 1.5.0
	@​arcjet/​react-router@​1.5.0
	@​arcjet/​sveltekit@​1.5.0 ⏵ 1.5.0
	@​arcjet/​inspect@​1.5.0 ⏵ 1.5.0
	@​nosecone/​sveltekit@​1.5.0 ⏵ 1.5.0
	@​types/​node@​22.19.19 ⏵ 22.19.21			+1	-1
	@​arcjet/​node@​1.5.0 ⏵ 1.1.0				+4

View full report

[arcjet-rei]

This makes more sense than bundling an unrelated semver-minor change into the proxy support, and it sets us up for 26 to go LTS in the fall. Nice! After this merges, I'll update #6089 once this merges to main.