feat: add node 26 to matrix (#10927)

* sec: update to using staged publishing

* feat: bump all ci versions to either include 26 or run on 26

* test(http): use localhost for HTTPS proxy fixtures

.github/workflows/bundle-size.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.x
+          node-version: 26.x
           registry-url: 'https://registry.npmjs.org'
           package-manager-cache: false
 

.github/workflows/lockfile-lint.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.x
+          node-version: 26.x
           registry-url: 'https://registry.npmjs.org'
           package-manager-cache: false
 

.github/workflows/publish.yml

@@ -22,7 +22,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.x
+          node-version: 26.x
           registry-url: 'https://registry.npmjs.org'
           package-manager-cache: false
 

.github/workflows/release-branch.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.x
+          node-version: 26.x
           registry-url: 'https://registry.npmjs.org'
           package-manager-cache: false
 
@@ -108,7 +108,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [20, 22, 24]
+        node-version: [20, 22, 24, 26]
     steps:
       - name: Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -186,7 +186,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [20, 22, 24]
+        node-version: [20, 22, 24, 26]
     steps:
       - name: Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -302,7 +302,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.x
+          node-version: 26.x
           registry-url: 'https://registry.npmjs.org'
           package-manager-cache: false
 

.github/workflows/run-ci.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.x
+          node-version: 26.x
           registry-url: 'https://registry.npmjs.org'
           package-manager-cache: false
 
@@ -106,7 +106,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [20, 22, 24]
+        node-version: [20, 22, 24, 26]
     steps:
       - name: Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -184,7 +184,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [20, 22, 24]
+        node-version: [20, 22, 24, 26]
     steps:
       - name: Checkout repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/verify-build-reproducibility.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Setup node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.x
+          node-version: 26.x
           registry-url: 'https://registry.npmjs.org'
           package-manager-cache: false
 

tests/unit/adapters/http.test.js

@@ -1754,7 +1754,7 @@ describe('supports http with nodejs', () => {
         res.setHeader('Content-Type', 'text/html; charset=UTF-8');
         res.end('12345');
       });
-      httpsServer.listen(0, '127.0.0.1', () => resolve(httpsServer));
+      httpsServer.listen(0, 'localhost', () => resolve(httpsServer));
       httpsServer.on('error', reject);
     });
 
@@ -1794,7 +1794,7 @@ describe('supports http with nodejs', () => {
       rejectUnauthorized: false,
     });
     try {
-      const response = await axios.get(`https://127.0.0.1:${server.address().port}/`, {
+      const response = await axios.get(`https://localhost:${server.address().port}/`, {
         httpsAgent: tunnelingAgent,
       });
 
@@ -1803,7 +1803,7 @@ describe('supports http with nodejs', () => {
       assert.strictEqual(plaintextRequests, 0, 'proxy must not see plaintext requests');
       assert.strictEqual(connectTargets.length, 1, 'proxy should see exactly one CONNECT');
       assert.ok(
-        connectTargets[0].startsWith(`127.0.0.1:${server.address().port}`),
+        connectTargets[0].startsWith(`localhost:${server.address().port}`),
         `CONNECT should target the origin: ${connectTargets[0]}`
       );
     } finally {
@@ -1844,7 +1844,7 @@ describe('supports http with nodejs', () => {
         res.setHeader('Content-Type', 'text/html; charset=UTF-8');
         res.end('secret-body-12345');
       });
-      s.listen(0, '127.0.0.1', () => resolve(s));
+      s.listen(0, 'localhost', () => resolve(s));
       s.on('error', reject);
     });
 
@@ -1879,7 +1879,7 @@ describe('supports http with nodejs', () => {
     process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
     try {
       const response = await axios.post(
-        `https://127.0.0.1:${origin.address().port}/path?token=abc123`,
+        `https://localhost:${origin.address().port}/path?token=abc123`,
         { sensitive: 'leak-canary' },
         {
           proxy: {
@@ -1896,7 +1896,7 @@ describe('supports http with nodejs', () => {
       assert.strictEqual(captured.plaintext, 0, 'proxy must not see any plaintext request line');
       assert.strictEqual(captured.connectTargets.length, 1, 'proxy should see exactly one CONNECT');
       assert.ok(
-        captured.connectTargets[0].startsWith(`127.0.0.1:${origin.address().port}`),
+        captured.connectTargets[0].startsWith(`localhost:${origin.address().port}`),
         `CONNECT should target the origin host:port, got ${captured.connectTargets[0]}`
       );
       assert.ok(captured.connectAuth[0], 'Proxy-Authorization should be present on the CONNECT request');
@@ -2103,7 +2103,7 @@ describe('supports http with nodejs', () => {
         res.setHeader('Content-Type', 'text/html; charset=UTF-8');
         res.end('12345');
       });
-      httpsServer.listen(0, '127.0.0.1', () => resolve(httpsServer));
+      httpsServer.listen(0, 'localhost', () => resolve(httpsServer));
       httpsServer.on('error', reject);
     });
 
@@ -2142,7 +2142,7 @@ describe('supports http with nodejs', () => {
     const originalReject = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
     process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
     try {
-      const response = await axios.get(`https://127.0.0.1:${server.address().port}/`);
+      const response = await axios.get(`https://localhost:${server.address().port}/`);
 
       assert.strictEqual(Number(response.data), 12345, 'origin body should be received unmodified');
       assert.strictEqual(plaintextRequests, 0, 'proxy must not see plaintext requests');