chore: bump Meteor to 3.4.1 and Node to 22.22.2

[ggazzo]

Summary

• Updates Meteor from 3.4.0 to 3.4.1 (apps/meteor/.meteor/release + bundled package versions)
• Bumps Node from 22.16.0 to 22.22.2 across Dockerfiles, engines, and the message-parser jest config (squashed from chore(deps): upgrade node from 22.16.0 to 22.22.2 #40332)

Test plan

• CI passes (build, lint, unit, e2e)
• Smoke test: server boots locally with the new Meteor/Node combo
• Verify Docker images build with the updated base Node version

Summary by CodeRabbit

• Chores

  • Bumped Node.js runtime across CI, Docker images and project engines.
  • Updated Node type definitions across packages and services.
  • Upgraded Meteor to a newer patch release and refreshed related package versions.
  • Miscellaneous development dependency bumps for compatibility.

• Tests

  • Improved Jest configuration for better ES module compatibility.

Task: ARCH-2125

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 2589dd2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f277ad64-c40f-420c-a2d2-161ad4eb73e1

📥 Commits

Reviewing files that changed from the base of the PR and between e499878 and 2589dd2.

📒 Files selected for processing (1)

• packages/message-parser/jest.config.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/message-parser/jest.config.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: 📦 Build Packages

---

Walkthrough

Bumps Node.js runtime from 22.16.x/22.14.0 to 22.22.2 across CI and Dockerfiles, updates @types/node and engine pins to match, upgrades Meteor to 3.4.1 with related package version bumps, and makes Jest config ESM-safe for packages/message-parser.

Changes

Monorepo Node / Meteor version upgrade

Layer / File(s)	Summary
CI Workflow .github/workflows/update-version-durability.yml	node-version updated from 22.16.0 → 22.22.2.
Docker Base Images apps/meteor/.docker-mongo/Dockerfile, apps/meteor/.docker/Dockerfile.alpine, apps/meteor/.docker/Dockerfile.debian, apps/meteor/ee/server/services/Dockerfile, ee/apps/*/Dockerfile, ee/apps/ddp-streamer/Dockerfile, ee/apps/omnichannel-transcript/Dockerfile, ee/apps/presence-service/Dockerfile, ee/apps/queue-worker/Dockerfile	Multiple Dockerfiles: base images updated (builder and/or runtime stages) to node:22.22.2 variants (alpine/bullseye-slim), replacing earlier 22.16.x/22.14.0.
Package devDependencies (@types/node) package.json, apps/meteor/package.json, packages/*/package.json, ee/*/package.json, packages/message-parser/package.json, ...	@types/node bumped from ~22.16.5 → ~22.19.17 across root and many workspace package.json files.
Root Node engine / tooling pins package.json, packages/message-parser/package.json	engines.node and volta.node updated from 22.16.0 → 22.22.2; individual packages adjust engines.node similarly where present.
Meteor release & packages apps/meteor/.meteor/release, apps/meteor/.meteor/packages, apps/meteor/.meteor/versions	Meteor release pin updated METEOR@3.4 → METEOR@3.4.1; multiple Meteor package versions bumped (e.g., accounts-base, accounts-password, webapp, mongo, ecmascript, typescript, standard-minifier-css) and standard-minifier-js pinned to 3.2.0.
Jest ESM compatibility packages/message-parser/jest.config.ts	Jest config made ESM-safe by computing __dirname via dirname(fileURLToPath(import.meta.url)) and using resolve(__dirname, ...) for the pegjs transformer path.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore(deps): Upgrade some dependencies #37508 — Coordinated dependency/version bumps overlapping workspace package.json updates.

Suggested reviewers

• tassoevan
• d-gubert

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: bump Meteor to 3.4.1 and Node to 22.22.2' clearly and concisely summarizes the two main changes in the PR: upgrading Meteor and Node versions across the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)

• ARCH-2125: Request failed with status code 401
• METEOR-3: Request failed with status code 401

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (6)

ee/apps/authorization-service/package.json (1)

33-33: ⚡ Quick win

@types/node belongs in devDependencies, not dependencies

Same issue as ee/apps/omnichannel-transcript – this type-only package will be pulled into production installs unnecessarily.

♻️ Proposed fix

 "dependencies": {
     ...
-    "@types/node": "~22.19.17",
     ...
 },
 "devDependencies": {
     ...
+    "@types/node": "~22.19.17",
     ...
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ee/apps/authorization-service/package.json` at line 33, The package.json
currently lists the type-only package "@types/node" under "dependencies"; move
"@types/node" from "dependencies" into "devDependencies" so it isn't installed
in production builds—update the package.json entries accordingly by removing
"@types/node" from the "dependencies" object and adding the same version string
under "devDependencies".

ee/apps/omnichannel-transcript/package.json (1)

35-35: ⚡ Quick win

@types/node belongs in devDependencies, not dependencies

@types/node is consumed only by the TypeScript compiler at build time; it has no runtime value. Listing it in dependencies causes it to be installed during production npm install/Docker builds unnecessarily.

♻️ Proposed fix

 "dependencies": {
     ...
-    "@types/node": "~22.19.17",
     ...
 },
 "devDependencies": {
     ...
+    "@types/node": "~22.19.17",
     ...
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ee/apps/omnichannel-transcript/package.json` at line 35, The package.json
currently lists "@types/node" under dependencies which is only needed at
build/compile time; move the "@types/node": "~22.19.17" entry from
"dependencies" into "devDependencies" in the same package.json so it is
installed only for development and not in production builds.

apps/meteor/ee/server/services/Dockerfile (1)

1-1: ⚡ Quick win

Node base image version bump is consistent with the PR — good.

The Trivy linter also flags that neither the build stage nor the final runtime stage sets a non-root USER. The final runtime stage runs the Node process as root, which unnecessarily escalates container privilege. Dockerfile.alpine in the same repo already demonstrates the pattern.

🔒 Suggested fix: add a non-root USER to the final stage

 FROM node:22.22.2-alpine3.22
 
 ARG SERVICE
 
 WORKDIR /app
 
+RUN addgroup -S rocketchat && adduser -S -G rocketchat rocketchat
+
 COPY --from=build /app/packages/core-services/package.json ...
 ...
 
 ENV NODE_ENV=production \
     PORT=3000
 
 WORKDIR /app/apps/meteor/ee/server/services
 
 RUN apk update && \
     ...
     apk del build-dependencies
 
 WORKDIR /app/apps/meteor/ee/server/services/${SERVICE}
 
+USER rocketchat
+
 EXPOSE 3000 9458
 
 CMD ["node", "service.js"]

Also applies to: 31-87

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/ee/server/services/Dockerfile` at line 1, The final runtime stage
(and the earlier "build" stage) currently run as root; update both stages to
create and use a non-root user (e.g., addgroup/adduser or USE the built-in node
user), chown the app directory and any runtime-needed files, and then switch to
that user with USER before the final CMD/ENTRYPOINT; specifically modify the
"FROM ... as build" stage to create/use a non-root builder or ensure files are
owned appropriately, and in the final stage create a dedicated app user/group
(or use USER node), RUN chown -R /app (or the WORKDIR) to that UID/GID, and add
USER <user> so the container does not run as root.

packages/message-parser/package.json (1)

53-53: ⚡ Quick win

@types/node lags runtime by ~3 minor versions.

engines.node is 22.22.2 but @types/node resolves to ~22.19.17 (i.e. >=22.19.17 <22.20.0). Any Node.js APIs added in 22.20–22.22 will lack type coverage. Not a build-blocker today, but worth aligning as the gap grows.

🔧 Align `@types/node` with the runtime minor

-		"@types/node": "~22.19.17",
+		"@types/node": "~22.22.2",

Also applies to: 70-70

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/message-parser/package.json` at line 53, Update the package.json
dependency for `@types/node` to match the project's Node runtime minor version
declared in engines.node (e.g., bump "@types/node": "~22.22.x" or an appropriate
semver range that includes 22.22.2) so type definitions cover APIs added in
22.20–22.22; modify the "@types/node" entry and run the package manager install
to regenerate lockfile and ensure consistency between engines.node and the
`@types/node` version.

ee/apps/queue-worker/package.json (1)

31-31: ⚡ Quick win

@types/node belongs in devDependencies, not dependencies.

@types/node is a compile-time type stub with no runtime value. Placing it in dependencies causes yarn workspaces focus --production (called in the Dockerfile) to pull it into the production image unnecessarily.

🔧 Move to devDependencies

 	"dependencies": {
 		...
-		"@types/node": "~22.19.17",
 		...
 	},
 	"devDependencies": {
 		"@rocket.chat/tsconfig": "workspace:*",
+		"@types/node": "~22.19.17",
 		...
 	},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ee/apps/queue-worker/package.json` at line 31, The package entry
"@types/node": "~22.19.17" is a TypeScript type-only package and should be moved
out of dependencies into devDependencies to avoid being installed in production;
remove the "@types/node" line from the "dependencies" block in package.json and
add the same entry under "devDependencies" (keeping the exact version string
"~22.19.17"), then run your package manager (e.g., yarn install) to update the
lockfile so production builds no longer include this dev-only package.

apps/meteor/.meteor/versions (1)

58-58: Heads-up: npm-mongo@6.16.1 is one minor step from the MongoDB 4 driver-drop boundary.

MongoDB driver 6.17.0 will drop MongoDB 4 support. The pinned npm-mongo@6.16.1 keeps the project safe for now, but the next Meteor update pulling in npm-mongo@6.17.x would silently break any deployment still on MongoDB 4. Meteor will keep offering npm-mongo-legacy so you can keep getting Meteor updates with the legacy MongoDB version, but it's worth confirming the production MongoDB version is ≥ 5 before the next Meteor release cycle.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/.meteor/versions` at line 58, The pinned dependency line
"npm-mongo@6.16.1" is one minor release away from dropping MongoDB 4 support;
ensure compatibility before updating: either verify and upgrade your production
MongoDB to >= 5, or explicitly switch to the Meteor legacy package when
upgrading (use the "npm-mongo-legacy" variant) to avoid breakage; update the
dependency line accordingly and add a short comment or CI check to validate the
production MongoDB server version before pulling a Meteor upgrade that may bring
"npm-mongo@6.17.x".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ee/apps/presence-service/package.json`:
- Line 32: The package.json currently lists "@types/node" in dependencies which
causes it to be installed in production images; move the "@types/node" entry
from the "dependencies" object into the "devDependencies" object so it is only
installed for development/build time (update the package.json entry for
"@types/node" accordingly and remove it from the dependencies block).

---

Nitpick comments:
In `@apps/meteor/.meteor/versions`:
- Line 58: The pinned dependency line "npm-mongo@6.16.1" is one minor release
away from dropping MongoDB 4 support; ensure compatibility before updating:
either verify and upgrade your production MongoDB to >= 5, or explicitly switch
to the Meteor legacy package when upgrading (use the "npm-mongo-legacy" variant)
to avoid breakage; update the dependency line accordingly and add a short
comment or CI check to validate the production MongoDB server version before
pulling a Meteor upgrade that may bring "npm-mongo@6.17.x".

In `@apps/meteor/ee/server/services/Dockerfile`:
- Line 1: The final runtime stage (and the earlier "build" stage) currently run
as root; update both stages to create and use a non-root user (e.g.,
addgroup/adduser or USE the built-in node user), chown the app directory and any
runtime-needed files, and then switch to that user with USER before the final
CMD/ENTRYPOINT; specifically modify the "FROM ... as build" stage to create/use
a non-root builder or ensure files are owned appropriately, and in the final
stage create a dedicated app user/group (or use USER node), RUN chown -R /app
(or the WORKDIR) to that UID/GID, and add USER <user> so the container does not
run as root.

In `@ee/apps/authorization-service/package.json`:
- Line 33: The package.json currently lists the type-only package "@types/node"
under "dependencies"; move "@types/node" from "dependencies" into
"devDependencies" so it isn't installed in production builds—update the
package.json entries accordingly by removing "@types/node" from the
"dependencies" object and adding the same version string under
"devDependencies".

In `@ee/apps/omnichannel-transcript/package.json`:
- Line 35: The package.json currently lists "@types/node" under dependencies
which is only needed at build/compile time; move the "@types/node": "~22.19.17"
entry from "dependencies" into "devDependencies" in the same package.json so it
is installed only for development and not in production builds.

In `@ee/apps/queue-worker/package.json`:
- Line 31: The package entry "@types/node": "~22.19.17" is a TypeScript
type-only package and should be moved out of dependencies into devDependencies
to avoid being installed in production; remove the "@types/node" line from the
"dependencies" block in package.json and add the same entry under
"devDependencies" (keeping the exact version string "~22.19.17"), then run your
package manager (e.g., yarn install) to update the lockfile so production builds
no longer include this dev-only package.

In `@packages/message-parser/package.json`:
- Line 53: Update the package.json dependency for `@types/node` to match the
project's Node runtime minor version declared in engines.node (e.g., bump
"@types/node": "~22.22.x" or an appropriate semver range that includes 22.22.2)
so type definitions cover APIs added in 22.20–22.22; modify the "@types/node"
entry and run the package manager install to regenerate lockfile and ensure
consistency between engines.node and the `@types/node` version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a9952a3f-f137-4d7c-af63-3698c2a6262e

📥 Commits

Reviewing files that changed from the base of the PR and between 5906dac and e499878.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (34)

• .github/workflows/update-version-durability.yml
• apps/meteor/.docker-mongo/Dockerfile
• apps/meteor/.docker/Dockerfile.alpine
• apps/meteor/.docker/Dockerfile.debian
• apps/meteor/.meteor/packages
• apps/meteor/.meteor/release
• apps/meteor/.meteor/versions
• apps/meteor/ee/server/services/Dockerfile
• apps/meteor/ee/server/services/package.json
• apps/meteor/package.json
• ee/apps/account-service/Dockerfile
• ee/apps/account-service/package.json
• ee/apps/authorization-service/Dockerfile
• ee/apps/authorization-service/package.json
• ee/apps/ddp-streamer/Dockerfile
• ee/apps/ddp-streamer/package.json
• ee/apps/omnichannel-transcript/Dockerfile
• ee/apps/omnichannel-transcript/package.json
• ee/apps/presence-service/Dockerfile
• ee/apps/presence-service/package.json
• ee/apps/queue-worker/Dockerfile
• ee/apps/queue-worker/package.json
• ee/packages/abac/package.json
• ee/packages/federation-matrix/package.json
• ee/packages/network-broker/package.json
• ee/packages/omnichannel-services/package.json
• ee/packages/presence/package.json
• package.json
• packages/apps-engine/package.json
• packages/message-parser/jest.config.ts
• packages/message-parser/package.json
• packages/peggy-loader/package.json
• packages/release-action/package.json
• packages/release-changelog/package.json

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/message-parser/jest.config.ts

🧠 Learnings (3)

📚 Learning: 2026-04-16T14:31:16.307Z

Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 40128
File: apps/meteor/.docker/Dockerfile.debian:42-42
Timestamp: 2026-04-16T14:31:16.307Z
Learning: When reviewing Dockerfiles/scripts, treat `npm cache clear` as a valid alias of `npm cache clean` (and also accept `npm cache rm`). Do not flag uses of `npm cache clear --force` as an invalid/unknown npm subcommand (e.g., avoid false-positive warnings like `Unknown command: clear`)—even if the alias was removed from npm docs in npm v7+.

Applied to files:

• apps/meteor/.docker/Dockerfile.debian

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• packages/message-parser/jest.config.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• packages/message-parser/jest.config.ts

🪛 Trivy (0.69.3)

apps/meteor/.docker-mongo/Dockerfile

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

apps/meteor/ee/server/services/Dockerfile

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

🔇 Additional comments (28)

ee/apps/ddp-streamer/package.json (1)

57-57: LGTM – @types/node correctly placed in devDependencies and major version matches the Node 22 runtime.

packages/release-changelog/package.json (1)

16-16: LGTM – correctly placed in devDependencies, major version matches Node 22 runtime.

packages/peggy-loader/package.json (1)

37-37: LGTM – correctly placed in devDependencies, consistent with the repo-wide bump.

ee/packages/presence/package.json (1)

27-27: LGTM – correctly placed in devDependencies, consistent with the repo-wide bump.

.github/workflows/update-version-durability.yml (1)

26-26: LGTM – consistent with the repo-wide Node 22.22.2 runtime bump; action is pinned to a SHA which is good practice.

apps/meteor/package.json (1)

381-381: > Likely an incorrect or invalid review comment.

ee/packages/omnichannel-services/package.json (1)

32-32: LGTM — routine @types/node version bump.

ee/packages/federation-matrix/package.json (1)

46-46: LGTM — routine @types/node version bump.

packages/apps-engine/package.json (1)

97-97: LGTM — routine @types/node version bump.

apps/meteor/.docker-mongo/Dockerfile (1)

1-1: Node base image version bump is correct and consistent with the PR.

apps/meteor/.docker/Dockerfile.alpine (1)

1-1: Node base image bump LGTM — non-root USER is already set in the final stage.

Also applies to: 23-23

ee/apps/account-service/package.json (1)

33-33: LGTM — routine @types/node version bump.

package.json (1)

105-105: @types/node is already at the latest version available for Node.js 22.x.

The runtime is pinned to 22.22.2, and @types/node is at ~22.19.17. However, 22.19.17 is the latest available version in the 22.x series on npm—there is no 22.22.0 or higher. The major version match (22.x) aligns correctly with the Node.js major version in use, which is the primary requirement per DefinitelyTyped. No upgrade action is necessary.

			> Likely an incorrect or invalid review comment.

apps/meteor/.docker/Dockerfile.debian (1)

5-5: LGTM — straightforward runtime bump aligned with the rest of the PR.

ee/packages/abac/package.json (1)

43-43: LGTM — @types/node bump is correctly placed in devDependencies and aligns with the Node 22 runtime upgrade.

ee/packages/network-broker/package.json (1)

28-28: LGTM — consistent @types/node bump in devDependencies.

packages/release-action/package.json (1)

24-24: LGTM — consistent @types/node bump in devDependencies.

ee/apps/account-service/Dockerfile (1)

1-1: LGTM — both builder and runtime stages updated consistently to node:22.22.2-alpine3.22.

Also applies to: 91-91

ee/apps/authorization-service/Dockerfile (1)

1-1: LGTM — both stages updated consistently to node:22.22.2-alpine3.22.

Also applies to: 97-97

apps/meteor/ee/server/services/package.json (1)

56-56: LGTM — consistent @types/node bump in devDependencies.

ee/apps/omnichannel-transcript/Dockerfile (1)

1-1: LGTM — Node 22.22.2 is a confirmed security release.

Node.js 22.22.2 is a valid LTS security release (published March 24, 2026) addressing multiple CVEs including two High-severity issues (CVE-2026-21637, CVE-2026-21710). Both the builder and final runtime stages are updated consistently.

Also applies to: 104-104

ee/apps/presence-service/Dockerfile (1)

1-1: LGTM — both stages updated consistently.

Also applies to: 92-92

ee/apps/ddp-streamer/Dockerfile (1)

1-1: LGTM — both stages updated consistently.

Also applies to: 94-94

packages/message-parser/jest.config.ts (1)

1-7: LGTM — standard ESM __dirname polyfill applied correctly.

dirname(fileURLToPath(import.meta.url)) is the canonical ESM equivalent of the CJS __dirname and is safe to use in an export default Jest config.

ee/apps/queue-worker/Dockerfile (1)

1-1: LGTM — both stages updated consistently.

Also applies to: 104-104

apps/meteor/.meteor/packages (1)

10-63: LGTM — all package pins align with the resolved .meteor/versions.

Every bumped version (accounts-base@3.2.1, accounts-password@3.2.3, webapp@2.1.2, mongo@2.3.0, standard-minifier-css@1.10.1, ecmascript@0.18.0, typescript@5.10.0, standard-minifier-js@3.2.0) matches the corresponding entry in apps/meteor/.meteor/versions, confirming internal consistency for the Meteor 3.4.1 upgrade.

apps/meteor/.meteor/release (1)

1-1: LGTM!

Release pin correctly updated to METEOR@3.4.1.

apps/meteor/.meteor/versions (1)

44-54: LGTM — core meteor/mongo/minimongo bumps are consistent with the 3.4.1 release.

Meteor 3.4.1 also ships a fix for a DDP session memory leak that affected apps in production, which lands via the updated ddp-client@3.2.0 / ddp-server@3.2.0 entries (lines 19 and 22). No action needed, just a positive callout.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

@types/node is in dependencies instead of devDependencies

Unlike every other package in this PR, @types/node ends up in the production dependencies block here. yarn workspaces focus --production (used in the service Dockerfile) will therefore install it in the production image, adding a needless download that has zero runtime value.

🔧 Proposed fix

 "dependencies": {
     ...
-    "@types/node": "~22.19.17",
     ...
 },
 "devDependencies": {
     "@rocket.chat/tsconfig": "workspace:*",
     "@types/polka": "^0.5.8",
+    "@types/node": "~22.19.17",
     ...
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

"@types/node": "~22.19.17",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ee/apps/presence-service/package.json` at line 32, The package.json currently
lists "@types/node" in dependencies which causes it to be installed in
production images; move the "@types/node" entry from the "dependencies" object
into the "devDependencies" object so it is only installed for development/build
time (update the package.json entry for "@types/node" accordingly and remove it
from the dependencies block).

[ggazzo]

/jira ARCH-2124

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.99%. Comparing base (5906dac) to head (2589dd2).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40389      +/-   ##
===========================================
- Coverage    70.01%   69.99%   -0.03%     
===========================================
  Files         3301     3301              
  Lines       120462   120462              
  Branches     21606    21583      -23     
===========================================
- Hits         84345    84314      -31     
- Misses       32834    32852      +18     
- Partials      3283     3296      +13     

Flag	Coverage Δ
e2e	59.61% <ø> (-0.07%)	⬇️
e2e-api	46.23% <ø> (-0.03%)	⬇️
unit	70.85% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sampaiodiego]

is this really needed? if so, may you add a comment then why it is needed?

[ggazzo]

Yes, it's required after the Node bump.

Node 22.18 enables type stripping by default, so Jest 30 now loads jest.config.ts through Node directly and treats it as an ES module. In ESM __dirname is not a global, so without this line Jest fails before any test runs:

Error: Jest: Failed to parse the TypeScript config file .../packages/message-parser/jest.config.ts
  ReferenceError: __dirname is not defined in ES module scope
    at readConfigFileAndSetRootDir (.../jest-config/build/index.js:2274:13)

[julio-rocketchat]

/backport 8.4.1

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.4.1-40389
git cherry-pick 6cb6b274543ba3bbfee6c744b9225045ae0406f2
// solve the conflict
git push

after that just run /backport 8.4.1 again

[julio-rocketchat]

/backport 8.4.1

[dionisio-bot]

Pull request #40453 added to Project: "Patch 8.4.1"