fix(CI): upgrade yao-pkg and fix Node 24 native addon resolution

[TheLastCicada]

Summary

• Upgrade @yao-pkg/pkg from ^6.12.0 to ^6.14.1 — v6.14.0 added proper Node.js 24 support, fixing a runtime incompatibility where the prelude's statSync patch throws ENOENT before the bindings package can retry alternate paths for node_sqlite3.node
• Add node_sqlite3.node as a pkg asset in package.json so the native addon is available in the snapshot's virtual filesystem as a fallback
• Add CI verification step that fails fast with a helpful error and searches for the actual .node file location if the hardcoded sqlite-path becomes stale after a future sqlite3 upgrade

Context

The deb package for 1.7.25-rc was crashing at startup with:

Error: File or directory '/**/cadt/node_modules/sqlite3/build/node_sqlite3.node'
was not included into executable at compilation stage.

Root cause: @yao-pkg/pkg@6.13.1's runtime prelude doesn't correctly handle Node v24's CJS module resolution for native addons. The findNativeAddonForStat function throws an ENOENT error (not MODULE_NOT_FOUND), which bypasses both pkg's own retry logic and the bindings package's path iteration.

Test plan

• CI build workflow passes on all platforms
• Deb package installs and starts without the node_sqlite3.node ENOENT error
• Verify node_sqlite3.node is present in the build artifact alongside the cadt binary

---

Note

Medium Risk
Moderate risk because it changes the binary packaging/release pipeline and how the sqlite3 native addon is shipped, which can break builds or runtime startup across platforms if paths/assets are wrong.

Overview
Fixes Node 24 packaged-binary startup issues by upgrading @yao-pkg/pkg to ^6.14.1 (and updating lockfile deps like esbuild).

Updates the pkg build to explicitly bundle the sqlite3 native addon: adds prepare-pkg-assets to copy node_sqlite3.node to an additional location and lists both .node paths under pkg.assets.

Hardens CI packaging in .github/workflows/build.yaml by normalizing the Windows sqlite-path, removing global pkg install, adding a fail-fast check that the .node file exists, and running a smoke test that boots the built binary and polls GET /health before uploading artifacts.

^{Written by Cursor Bugbot for commit c6c3f5c. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​yao-pkg/​pkg@​6.13.1 ⏵ 6.14.1			+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm @yao-pkg/pkg is 100.0% likely to have a medium risk anomaly Notes: This module is a legitimate-looking build tool that downloads Node binaries, verifies checksums, generates a SEA blob from a provided entrypoint, and injects that blob into Node executables for distribution. The code itself does not contain clear malware (no data exfiltration, no hard-coded credentials, no reverse shell). However it performs high-impact actions: downloading and extracting executables, executing shell commands with interpolated, potentially unescaped paths, and injecting arbitrary blobs into binaries. These behaviors present supply-chain and command-injection risks if inputs (targets, nodePath, entryPoint, opts) or the downloaded resources are attacker-controlled or untrusted. Use requires trusting the blob generation inputs, target definitions, and the remote hosts providing Node binaries and checksums. Recommend validating and sanitizing all inputs used in shell commands and pinning trusted sources for binaries and checksums; prefer using execFile/spawn with argument arrays or proper escaping to avoid shell injection. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@yao-pkg/pkg@6.14.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@yao-pkg/pkg@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}