Merged PR 12242: Update Node.js to v20

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [node](https://github.com/nodejs/node) | engines | major | [`18.x` -> `20.x`](https://renovatebot.com/diffs/npm/node/v18.18.2/v20.9.0) |

---

### Release Notes

<details>
<summary>nodejs/node (node)</summary>

### [`v20.9.0`](https://github.com/nodejs/node/releases/tag/v20.9.0): 2023-10-24, Version 20.9.0 &#x27;Iron&#x27; (LTS), @&#8203;richardlau

[Compare Source](nodejs/node@v20.8.1...v20.9.0)

##### Notable Changes

This release marks the transition of Node.js 20.x into Long Term Support (LTS)
with the codename 'Iron'. The 20.x release line now moves into "Active LTS"
and will remain so until October 2024. After that time, it will move into
"Maintenance" until end of life in April 2026.

##### Known issue

Collecting code coverage via the `NODE_V8_COVERAGE` environment variable may
lead to a hang. This is not thought to be a regression in Node.js 20 (some
reports are on Node.js 18). For more information, including some potential
workarounds, see issue [#&#8203;49344](nodejs/node#49344).

### [`v20.8.1`](https://github.com/nodejs/node/releases/tag/v20.8.1): 2023-10-13, Version 20.8.1 (Current), @&#8203;RafaelGSS

[Compare Source](nodejs/node@v20.8.0...v20.8.1)

This is a security release.

##### Notable Changes

The following CVEs are fixed in this release:

-   [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
-   [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
-   [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High)
-   [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High)
-   [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552):  Integrity checks according to policies can be circumvented (Medium)
-   [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post.

##### Commits

-   \[[`c86883e844`](nodejs/node@c86883e844)] - **deps**: update nghttp2 to 1.57.0 (James M Snell) [#&#8203;50121](nodejs/node#50121)
-   \[[`2860631359`](nodejs/node@2860631359)] - **deps**: update undici to v5.26.3 (Matteo Collina) [#&#8203;50153](nodejs/node#50153)
-   \[[`cd37838bf8`](nodejs/node@cd37838bf8)] - **lib**: let deps require `node` prefixed modules (Matthew Aitken) [#&...

Author: s-ch-Renovate-TechnicalUser

.azure-pipelines/templates/variables.yaml

@@ -1,4 +1,4 @@
 variables:
   VM_IMAGE: 'ubuntu-latest'
-  NODE_VERSION: '18.x'
+  NODE_VERSION: '20.x'
   NODE_OPTIONS: '--max_old_space_size=8192' # increase node memory size to avoid out-of-memory exceptions

.nvmrc

@@ -0,0 +1 @@
+v20.8

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:18.15-alpine AS build-app
+FROM node:20.8-alpine AS build-app
 
 # Provide overrides for APP_VERSION and APP_RELEASE as build-args and expose them as ENV variables for the update-version.js script
 ARG APP_VERSION

README.md

@@ -4,12 +4,28 @@ This project was generated with [Angular CLI](https://github.com/angular/angular
 
 > # Table of Contents
 >
-> 1. [Development server](#development-server)
-> 2. [Docker](#docker)
-> 3. [Local Backend](#local-backend)
-> 4. [Naming conventions](#naming-conventions)
-> 5. [Code documentation](#code-documentation)
-> 6. [Git conventions](#git-conventions)
+> 1. [Node version](#node-version)
+> 2. [Development server](#development-server)
+> 3. [Docker](#docker)
+> 4. [Local Backend](#local-backend)
+> 5. [Naming conventions](#naming-conventions)
+> 6. [Code documentation](#code-documentation)
+> 7. [Git conventions](#git-conventions)
+
+## Node version
+
+We strive to use the most recent LTS version. Whenever an update is due, make sure you adjust the following:
+
+- `Dockerfile`
+- `.azure-pipelines/templates/variables.yaml`
+- `.nvmrc`
+- `package.json`, update the `@typed/node` package to the matching version; run `npm install` afterwards to freshly generate the `package-lock.json`
+- `renovate.json` update both `"matchManagers": ["dockerfile"]` and `"matchManagers": ["npm"]` to the matching version
+
+You should point it towards the latest minor update (e.g. 20.x), such that we can control potentially larger updates.
+
+If you're using [nvm](https://github.com/nvm-sh/nvm) on a Unix-based environment, you can conveniently use `nvm use` in
+the root directory and it will automatically set the node version to the correct one.
 
 ## Development server
 

package-lock.json

@@ -21,7 +21,7 @@
   },
   "private": true,
   "engines": {
-    "node": "18.x"
+    "node": "20.x"
   },
   "dependencies": {
     "@angular-devkit/build-angular": "^16.1.0",
@@ -48,7 +48,7 @@
     "@ngrx/store-devtools": "^16.0.1",
     "@terraformer/arcgis": "^2.1.2",
     "@types/geojson": "^7946.0.10",
-    "@types/node": "^18.13.0",
+    "@types/node": "^20.8",
     "@types/terraformer__arcgis": "^2.0.2",
     "@types/twitter-for-web": "^0.0.4",
     "@types/uuid": "^9.0.4",

package.json

@@ -10,12 +10,12 @@
     {
       "matchManagers": ["npm"],
       "matchPackageNames": ["@types/node"],
-      "allowedVersions": "<18"
+      "allowedVersions": "<20"
     },
     {
       "matchManagers": ["dockerfile"],
       "matchPackageNames": ["node"],
-      "allowedVersions": "<18"
+      "allowedVersions": "<20"
     },
     {
       "matchManagers": ["npm"],