build firepit with node 24

[aalej]

Description

• Test local build and verify it runs on Node 24
• Test the docker build somehow

Updates the ff:

Node: 20 -> 24

• Node 20 is getting deprecated

yao-pgk/pgk: 6.4.1 -> 6.20.0

• Support for Node 24 was added on v6.14.0. Their latest version seems stable

npm: 9 -> 11

• I think we've been using npm 11 for a while now. pinning to a stable minor version

Scenarios Tested

Ran the build script node ./pipeline.js --package="/PATH/firebase-tools", then tested the build. TIL you can find out which version of Node.js was bundled in firepit by using is:node and forcing an error:

$ ./firebase-tools-macos is:node something
node:internal/modules/cjs/loader:1482
  throw err;
  ^

Error: Cannot find module '/private/var/folders/6r/csjmhpv13nbbc2wq1mdclkc400t31x/T/firepit_artifacts/something'
    at Module.<anonymous> (node:internal/modules/cjs/loader:1479:15)
    at Module._resolveFilename (pkg/prelude/bootstrap.js:1850:46)
    at wrapResolveFilename (node:internal/modules/cjs/loader:1052:27)
    at defaultResolveImplForCJSLoading (node:internal/modules/cjs/loader:1076:10)
    at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1097:12)
    at Module._load (node:internal/modules/cjs/loader:1265:25)
    at Module.runMain (pkg/prelude/bootstrap.js:1878:12)
    at node:internal/main/run_main_module:33:47 {
  code: 'MODULE_NOT_FOUND',
  requireStack: []
}

Node.js v24.15.0

Sample Commands

[wiz-9635d3485b]

Wiz Scan Summary

Scanner	Findings
Vulnerabilities	-
Sensitive Data	-
Secrets	-
IaC Misconfigurations	1  2  1  2
SAST Findings	-
Software Management Findings	-
Total	1  2  1  2

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[gemini-code-assist]

Code Review

This pull request updates the firepit-builder Dockerfile to use Node 24 and npm 11.13, and upgrades @yao-pkg/pkg to version 6.20.0 in the standalone package. Feedback on the Dockerfile suggests using the active LTS version, Node 22, instead of Node 24 for better stability, and pinning npm to major version 11 rather than a specific minor/patch version to avoid potential build failures.

[gemini-code-assist]

Using Node 24 (which is a non-LTS/Current release, or potentially unreleased depending on the current date) is not recommended for stable production builds. It is highly recommended to use the current active LTS version, Node 22, to ensure stability, compatibility, and that the Docker image is readily available on Docker Hub. Using an unreleased or non-LTS version can lead to build failures or unexpected runtime issues.

FROM node:22

[gemini-code-assist]

Pinning to a specific minor/patch version of npm like 11.13 that may not be released or stable yet can cause build failures. It is safer to either use the default stable npm version bundled with the Node.js image (e.g., npm 10 with Node 22) or pin to the major version npm@11 to get the latest stable minor updates automatically.

RUN npm install --global npm@11