chore(deps): update all patch dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
node	final	patch	22.22.1-alpine3.23 → 22.22.2-alpine3.23
node	stage	patch	22.22.1-alpine3.23 → 22.22.2-alpine3.23
node (source)		patch	22.22.1 → 22.22.2
requests (changelog)		patch	==2.33.0 → ==2.33.1

Review

• Updates have been tested and work
• If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

---

Release Notes

nodejs/node (node)

v22.22.2: 2026-03-24, Version 22.22.2 'Jod' (LTS), @​RafaelGSS prepared by @​aduh95

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

Commits

• [6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809
• [52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822
• [30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd (Joyee Cheung) nodejs-private/node-private#809
• [e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a (Joyee Cheung) nodejs-private/node-private#809
• [7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe (Joyee Cheung) nodejs-private/node-private#809
• [076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cd (snek) nodejs-private/node-private#809
• [963c60a951] - deps: V8: override depot_tools version (Richard Lau) #​62344
• [a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #​62330
• [859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #​62285
• [d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #​62215
• [a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [73deff77c1] - lib: backport _tls_common and _tls_wrap refactors (Dario Piotrowicz) #​57643
• [06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

psf/requests (requests)

v2.33.1

Compare Source

Bugfixes

• Fixed test cleanup for CVE-2026-25645 to avoid leaving unnecessary
  files in the tmp directory. (#​7305)
• Fixed Content-Type header parsing for malformed values. (#​7309)
• Improved error consistency for malformed header values. (#​7308)

---

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.