From 9516e8889103a91800cf54533c07c5b9ee098095 Mon Sep 17 00:00:00 2001
From: Christoph Hamsen <37963496+xopham@users.noreply.github.com>
Date: Wed, 20 May 2026 14:08:19 +0200
Subject: [PATCH 1/4] Fix release tag push and pin actions by SHA (#335)
The release workflow's tag push was rejected by the tag ruleset because actions/checkout persisted GITHUB_TOKEN credentials, which took precedence over the dd-octo-sts token in the explicit push URL. Drop the persisted credentials and downgrade contents permission to read. Also pin actions/download-artifact and actions/setup-node by commit SHA.
Co-authored-by: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8114f84a..ddd4e082 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,7 +25,7 @@ jobs:
 environment: npm
 permissions:
 id-token: write # Required for OIDC
- contents: write
+ contents: read
 steps:
 - uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
 id: octo-sts
@@ -33,8 +33,10 @@ jobs:
 scope: DataDog/pprof-nodejs
 policy: self.github.release.push-tags
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- - uses: actions/download-artifact@v4
- - uses: actions/setup-node@v3
+ with:
+ persist-credentials: false # drop GITHUB_TOKEN so the dd-octo-sts token is used for the tag push
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
 with:
 node-version: '24'
 registry-url: 'https://registry.npmjs.org'
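Review bot: The new `contents: read` line carries no comment, while `id-token: write` next to it does, and the reason for the downgrade (the tag is pushed with the dd-octo-sts token, not GITHUB_TOKEN) is recorded only in the commit message. A trailing comment such as `contents: read # tag push uses the dd-octo-sts token, not GITHUB_TOKEN` would keep a later editor from restoring `write` the next time a push fails. The job definition starts above this hunk.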
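Review bot: The token handling in the push step deserves a check now that it is the only write credential left in the job: the commit message says the dd-octo-sts token is placed in the explicit push URL, and that step lies outside this hunk, so this is inferred rather than seen. A token interpolated into a URL inside a `run:` script can surface in git's error output or in shell traces, so confirm the step receives it through `env:` rather than inline `${{ }}` expansion and never stores the URL as a named remote. It is also worth confirming the token is masked in the job log before it is used.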
@@ -58,8 +60,8 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- - uses: actions/download-artifact@v4
- - uses: actions/setup-node@v3
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
 with:
 node-version: '24'
 registry-url: 'https://registry.npmjs.org'
From 1ba98f59faeeebaebb7989adc345bd3bf989bb27 Mon Sep 17 00:00:00 2001
From: Ilyas Shabi
Date: Thu, 21 May 2026 14:16:03 +0200
Subject: [PATCH 2/4] Specify node-gyp-build to major v4 (#336)
---
 package-lock.json | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 3674a317..188d8321 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,7 +10,7 @@ "hasInstallScript": true, "license": "Apache-2.0", "dependencies": { - "node-gyp-build": "<5.0", + "node-gyp-build": "^4.8.4", "pprof-format": "^2.2.1", "source-map": "^0.7.4" },
diff --git a/package.json b/package.json
index 3f45375b..aa6384d7 100644
--- a/package.json
+++ b/package.json
@@ -36,7 +36,7 @@
 },
 "license": "Apache-2.0",
 "dependencies": {
- "node-gyp-build": "<5.0",
+ "node-gyp-build": "^4.8.4",
 "pprof-format": "^2.2.1",
 "source-map": "^0.7.4"
 },
From 9b065714d9c080b852e148cba09cb935d5b5cbc9 Mon Sep 17 00:00:00 2001
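Review bot: The `actions/checkout` step in the release.yml hunk at `@@ -58,8 +60,8 @@` (the second job) still has no `persist-credentials: false`, so that job's GITHUB_TOKEN stays in the local git config while `download-artifact`, `setup-node` and whatever follows them run. The token is limited to `contents: read` there, so the exposure is small, but nothing visible in the hunk needs git credentials after checkout; adding `with:` and `persist-credentials: false` under that step would match the first job. The rest of the job is outside the hunk, so confirm no later step runs an authenticated git command.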
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 21 May 2026 12:24:03 +0000
Subject: [PATCH 3/4] build(deps-dev): bump @types/node from 25.7.0 to 25.9.1 (#333)
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.7.0 to 25.9.1. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 25.9.1 dependency-type: direct:development update-type: version-update:semver-minor ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Attila Szegedi
---
 package-lock.json | 16 ++++++++--------
 package.json | 2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 188d8321..5ed86c7e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -16,7 +16,7 @@ }, "devDependencies": { "@types/mocha": "^10.0.1", - "@types/node": "25.7.0", + "@types/node": "25.9.1", "@types/semver": "^7.5.8", "@types/sinon": "^21.0.1", "@types/tmp": "^0.2.3",
@@ -936,13 +936,13 @@ "license": "MIT" }, "node_modules/@types/node": { - "version": "25.7.0", - "resolved": "https://registry.npmjs.org/@types/node/-/node-25.7.0.tgz", - "integrity": "sha512-z+pdZyxE+RTQE9AcboAZCb4otwcrvgHD+GlBpPgn0emDVt0ohrTMhAwlr2Wd9nZ+nihhYFxO2pThz3C5qSu2Eg==", + "version": "25.9.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.1.tgz", + "integrity": "sha512-xfrlY7UD5rMJk3ZVJP8BNzS28J36YJg+xp+LPXV1TdWxr8uMH5A860QNxYDGQe/ylDSgjxE52Q9VnO7p75tJxg==", "dev": true, "license": "MIT", "dependencies": { - "undici-types": "~7.21.0" + "undici-types": ">=7.24.0 <7.24.7" } }, "node_modules/@types/normalize-package-data": {
@@ -6314,9 +6314,9 @@ } }, "node_modules/undici-types": { - "version": "7.21.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.21.0.tgz", - "integrity": "sha512-w9IMgQrz4O0YN1LtB7K5P63vhlIOvC7opSmouCJ+ZywlPAlO9gIkJ+otk6LvGpAs2wg4econaCz3TvQ9xPoyuQ==", + "version": "7.24.6", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.24.6.tgz", + "integrity": "sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg==", "dev": true, "license": "MIT" },
diff --git a/package.json b/package.json
index aa6384d7..4ebeacd3 100644
--- a/package.json
+++ b/package.json
@@ -42,7 +42,7 @@
 },
 "devDependencies": {
 "@types/mocha": "^10.0.1",
- "@types/node": "25.7.0",
+ "@types/node": "25.9.1",
 "@types/semver": "^7.5.8",
 "@types/sinon": "^21.0.1",
 "@types/tmp": "^0.2.3",
From c7f50bbe7824cfe2c5ddeb5dec0274ceaf3a4be7 Mon Sep 17 00:00:00 2001
From: ishabi
Date: Thu, 21 May 2026 14:35:33 +0200
Subject: [PATCH 4/4] v5.14.4
---
 package-lock.json | 4 ++--
 package.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 5ed86c7e..1d4d7210 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "@datadog/pprof", - "version": "5.14.3", + "version": "5.14.4", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@datadog/pprof", - "version": "5.14.3", + "version": "5.14.4", "hasInstallScript": true, "license": "Apache-2.0", "dependencies": {
diff --git a/package.json b/package.json
index 4ebeacd3..6daa1175 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@datadog/pprof",
- "version": "5.14.3",
+ "version": "5.14.4",
 "description": "pprof support for Node.js",
 "repository": {
 "type": "git",