Update Node.js requirements to v20 #2

Open
warengonzaga wants to merge 2 commits into main from update-nodejs

@warengonzaga warengonzaga commented May 31, 2024

Updates the project to require Node.js version 20.0.0 or higher and documents this requirement.

  • Adds "engines": {"node": ">=20.0.0"} to package.json to specify the Node.js version requirement.
  • Updates README.md to include a section on Node.js version requirement, clearly stating that Node.js version 20.0.0 or higher is required for the project.

For more details, open the Copilot Workspace session.

Summary by CodeRabbit

  • Documentation
    • Added Node.js version requirement specification to project documentation.
  • Chores
    • Upgraded parcel devDependency to v2.16.3.
    • Added Node.js version constraint in project configuration.

@warengonzaga
Owner Author

@copilot update this PR and ensure we are using the latest stable version of Node.js. Also, let's update the dependency packages to ensure we are using the latest stable releases to resolve security logs.

Copilot AI commented Jan 10, 2026

@warengonzaga I've opened a new pull request, #5, to work on those changes. Once the pull request is ready, I'll request review from you.

* Initial plan

* Update to Node.js 24 LTS and latest dependency versions

Co-authored-by: warengonzaga <15052701+warengonzaga@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: warengonzaga <15052701+warengonzaga@users.noreply.github.com>

coderabbitai bot commented Jan 11, 2026

Walkthrough

Both files update Node.js version requirements. README.md documents a minimum Node.js 24.0.0 requirement, while package.json specifies this via the engines field and updates the parcel devDependency from ^2.11.0 to ^2.16.3.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Node.js Version Requirement Updates (README.md, package.json) | Added Node.js >=24.0.0 requirement documentation in README; added engines field to package.json specifying node >= 24.0.0, and updated parcel devDependency from ^2.11.0 to ^2.16.3 |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 With whiskers twitched and nose held high,
I hopped through versions climbing sky,
Node twenty-four now takes the lead,
While parcel prances—just what we need!
Updates made with gentle care,
No bugs to patch, no logic to spare! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | The PR title states 'Update Node.js requirements to v20', but the actual changes update to Node.js v24 LTS with engines field set to 'node >= 24.0.0'. | Update the PR title to accurately reflect that Node.js requirements are being updated to v24 LTS, not v20. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@warengonzaga warengonzaga marked this pull request as ready for review January 11, 2026 10:56
@warengonzaga warengonzaga requested a review from Copilot January 11, 2026 10:56

Copilot AI left a comment

Pull request overview

This pull request aims to update the Node.js version requirement to v20.0.0 or higher and updates the Parcel bundler to v2.16.3. However, there is a critical discrepancy between the PR description and the actual code changes.

Changes:

  • Updates Parcel from v2.11.0 to v2.16.3
  • Adds Node.js version requirement to package.json (incorrectly set to v24.0.0)
  • Updates README.md to document Node.js requirement (incorrectly states v24.0.0)

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| package.json | Updates Parcel to v2.16.3 and adds engines field with incorrect Node.js version requirement (v24 instead of v20) |
| README.md | Adds documentation about Node.js version requirement with incorrect version (v24 instead of v20) |
| yarn.lock | Standard lockfile update reflecting Parcel and dependency version upgrades |

"dependencies": {}
"dependencies": {},
"engines": {
"node": ">=24.0.0"

Copilot AI Jan 11, 2026

The Node.js version requirement in package.json specifies ">=24.0.0" but the PR title and description state that the requirement is Node.js version 20.0.0 or higher. Additionally, Node.js v24 does not exist yet. As of January 2026, the latest LTS version of Node.js is v22. The version should be corrected to match the intended requirement of ">=20.0.0" as stated in the PR description.

Suggested change
"node": ">=24.0.0"
"node": ">=20.0.0"

- A [GitHub Account](https://github.com/signup).
- A [Gitpod Account](https://gitpod.io). (sign up with GitHub)
- High resolution image in JPG/JPEG format. (we don't need PNG/GIF)
- This project requires Node.js version 24.0.0 or higher (latest LTS).
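
Review bot: The added README bullet hard-codes both the version number and the parenthetical "(latest LTS)", which duplicates the `engines` value in package.json and goes stale as soon as the LTS line moves. Word it as a minimum only and point readers to the `engines` field as the single source of truth.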

Copilot AI Jan 11, 2026

The Node.js version mentioned here is "24.0.0 or higher" which is inconsistent with the PR title and description that specify "Node.js version 20.0.0 or higher". Additionally, Node.js v24 does not exist yet. As of January 2026, the latest LTS version is v22. This should be corrected to match the intended requirement of "Node.js version 20.0.0 or higher" as stated in the PR title and description.

Suggested change
- This project requires Node.js version 24.0.0 or higher (latest LTS).
- This project requires Node.js version 20.0.0 or higher (latest LTS).

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @package.json:
- Line 21: The parcel dependency in package.json ("parcel": "^2.16.3") is
vulnerable; update that version to a patched release (replace the "parcel" value
with a fixed version >=2.16.4 or the latest secure 2.x), then run your package
manager (npm/yarn/pnpm) to reinstall and update lockfile and run npm audit/
audit fix to verify no remaining issues; ensure CI uses the updated lockfile and
consider restricting dev-server exposure until upstream confirms the fix.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 53e1895 and 788c8c7.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • README.md
  • package.json
🔇 Additional comments (1)
package.json (1)

25-27: The engines field is correctly configured. The commit message explicitly states "Update to Node.js 24 LTS," which aligns with the >=24.0.0 specification. Node.js 24 is the current Active LTS as of January 2026, making this the appropriate version requirement.

Likely an incorrect or invalid review comment.

"license": "GPL-3.0",
"devDependencies": {
"parcel": "^2.11.0",
"parcel": "^2.16.3",

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```shell
#!/bin/bash
# Check latest parcel version and metadata
npm view parcel@latest version
echo "---"
npm view parcel@latest 2>/dev/null | grep -E "name|version|engines" | head -20
```

Repository: warengonzaga/love-cards

Length of output: 124


🏁 Script executed:

```shell
#!/bin/bash
# Check if parcel 2.16.3 exists and get its specific metadata
npm view parcel@2.16.3 2>/dev/null | grep -E "name|version|engines|dist"
```

Repository: warengonzaga/love-cards

Length of output: 129


🌐 Web query:

parcel 2.16.3 security vulnerabilities CVE

💡 Result:

Yes — a known vulnerability: CVE-2025-56648 affects Parcel's dev-server reporter (@parcel/reporter-dev-server) in versions from 1.6.1 through 2.16.3. It’s an Origin Validation Error that allows a malicious site to send XMLHttpRequests to a developer’s running dev server and read responses (risk: source-code disclosure). CVSS 3.1 score 6.5 (Medium). No fix was available for 2.16.3 at the time of published advisories; upgrade or follow the project advisory when a patched release is published and avoid exposing dev servers to untrusted networks in the meantime. [1][2]

Sources:
[1] GitLab Advisory / @parcel/reporter-dev-server — CVE-2025-56648. [2] CVE entry summary (cvepremium/circl).


🌐 Web query:

parcel bundler Node.js 24 compatibility

💡 Result:

Short answer: Parcel (v2) itself requires Node >=16 and is compatible with Node 24; however native watcher/build tooling (e.g. @parcel/watcher / @parcel/watch) may need rebuilt/prebuilt binaries for the Node 24 ABI. Test and rebuild native deps when upgrading.

Sources:

  • Parcel docs (targets / engines guidance). [1]
  • Parcel package.json (engines: "node": ">= 16.0.0"). [2]
  • GitHub issue discussion showing watcher/watch native-version constraints and related install errors. [3]

Address critical security vulnerability in parcel 2.16.3.

The current version is affected by CVE-2025-56648 (CVSS 6.5, Medium), a source-code disclosure vulnerability in @parcel/reporter-dev-server (versions 1.6.1–2.16.3). A malicious site can send XMLHttpRequests to the dev server and read responses. Avoid exposing the dev server to untrusted networks and monitor the Parcel advisory for a patched release. Node.js 24 compatibility is supported (requires >=16.0.0); note that native build tooling may require rebuilding for the Node 24 ABI.

🤖 Prompt for AI Agents
In @package.json at line 21, The parcel dependency in package.json ("parcel":
"^2.16.3") is vulnerable; update that version to a patched release (replace the
"parcel" value with a fixed version >=2.16.4 or the latest secure 2.x), then run
your package manager (npm/yarn/pnpm) to reinstall and update lockfile and run
npm audit/ audit fix to verify no remaining issues; ensure CI uses the updated
lockfile and consider restricting dev-server exposure until upstream confirms
the fix.
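
A lockfile check for the point raised in the review above, as an added example that is not part of the pull request or of Parcel: it lists the versions of `@parcel/reporter-dev-server` that a yarn.lock resolves and flags those inside the affected range quoted in the comment (1.6.1 through 2.16.3). The function names and the sample lockfile text are constructed for illustration.

```javascript
// Added example. Package name and range are the ones quoted in the review comment.
const AFFECTED = { pkg: '@parcel/reporter-dev-server', min: '1.6.1', max: '2.16.3' };

// Compare x.y.z versions numerically; pre-release/build suffixes are dropped (assumption).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Collect every resolved version of `pkg` in the lockfile text. Handles
// Yarn classic (`version "x"`) and Yarn Berry (`version: x`) entries.
function resolvedVersions(lockText, pkg) {
  const found = [];
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) {
      // Entry header: comma-separated "name@range" specifiers ending in ":".
      inEntry = line.replace(/:$/, '').split(',')
        .some((spec) => spec.trim().replace(/^"|"$/g, '').startsWith(pkg + '@'));
    } else if (inEntry) {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
      if (m) { found.push(m[1]); inEntry = false; }
    }
  }
  return found;
}

// Versions of the package that fall inside the inclusive affected range.
function affectedVersions(lockText, range = AFFECTED) {
  return resolvedVersions(lockText, range.pkg).filter((v) =>
    compareVersions(v, range.min) >= 0 && compareVersions(v, range.max) <= 0);
}

// Constructed lockfile fragment (not the repository's yarn.lock); 9.9.9 is a placeholder.
const SAMPLE_LOCK = [
  '"@parcel/reporter-cli@2.16.3":',
  '  version "2.16.3"',
  '',
  '"@parcel/reporter-dev-server@2.16.3", "@parcel/reporter-dev-server@^2.16.3":',
  '  version "2.16.3"',
  '',
  '"@parcel/reporter-dev-server@npm:9.9.9":',
  '  version: 9.9.9',
].join('\n');
console.log(affectedVersions(SAMPLE_LOCK));
```

To run it against a real project, pass the contents of the committed yarn.lock to `affectedVersions` and fail the CI job when the returned list is not empty.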
