Bump balena-io/deploy-to-balena-action from 2.0.138 to 2.0.140

[dependabot]

Bumps balena-io/deploy-to-balena-action from 2.0.138 to 2.0.140.

Release notes

Sourced from balena-io/deploy-to-balena-action's releases.

v2.0.140

Update Node.js to v22.22.0

Notable changes

• (CVE-2025-59465) add TLSSocket default error handler
• (CVE-2025-55132) disable futimes when permission model is enabled
• (CVE-2025-55130) require full read and write to symlink APIs
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
• (CVE-2026-21637) route callback exceptions through error handlers
• [6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) [#​60997](nodejs/node#60997)
• [37509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791
• [eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [6b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [25d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796
• [af33e8e668] - benchmark: remove unused variable from util/priority-queue (Bruno Rodrigues) [#​59872](nodejs/node#59872)
• [6764ce8756] - benchmark: update count to n in permission startup (Bruno Rodrigues) [#​59872](nodejs/node#59872)
• [4e8d99f0dc] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) [#​59872](nodejs/node#59872)
• [af0a8ba7f8] - benchmark: adjust dgram offset-length len values (Bruno Rodrigues) [#​59708](nodejs/node#59708)
• [78efd1be4a] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) [#​59708](nodejs/node#59708)
• [df72dc96e9] - console,util: improve array inspection performance (Ruben Bridgewater) [#​60037](nodejs/node#60037)
• [ef67d09f50] - http: improve writeEarlyHints by avoiding for-of loop (Haram Jeong) [#​59958](nodejs/node#59958)
• [23468fd76b] - http2: fix allowHttp1+Upgrade, broken by shouldUpgradeCallback (Tim Perry) [#​59924](nodejs/node#59924)
• [56abc4ac76] - lib: optimize priority queue (Gürgün Dayıoğlu) [#​60039](nodejs/node#60039)
• [ea5cfd98c5] - lib: implement passive listener behavior per spec (BCD1me) [#​59995](nodejs/node#59995)
• [c2dd6eed2f] - process: fix wrong asyncContext under unhandled-rejections=strict (Shima Ryuhei) [#​60103](nodejs/node#60103)
• [81a3055710] - process: fix default env for process.execve (Richard Lau) [#​60029](nodejs/node#60029)
• [fe492c7ace] - process: fix hrtime fast call signatures (Renegade334) [#​59600](nodejs/node#59600)
• [76b4cab8fc] - src: bring permissions macros in line with general C/C++ standards (Anna Henningsen) [#​60053](nodejs/node#60053)
• [21970970c7] - src: remove AnalyzeTemporaryDtors option from .clang-tidy (iknoom) [#​60008](nodejs/node#60008)
• [609c063e81] - src: remove unused variables from report (Moonki Choi) [#​60047](nodejs/node#60047)
• [987841a773] - src: avoid unnecessary string allocations in SPrintF impl (Anna Henningsen) [#​60052](nodejs/node#60052)
• [6e386c0632] - src: make ToLower/ToUpper input args more flexible (Anna Henningsen) [#​60052](nodejs/node#60052)
• [c3be1226c7] - src: allow std::string_view arguments to SPrintF() and friends (Anna Henningsen) [#​60058](nodejs/node#60058)
• [764d35647d] - src: remove unnecessary std::string error messages (Anna Henningsen) [#​60057](nodejs/node#60057)
• [1289ef89ec] - src: remove unnecessary shadowed functions on Utf8Value & BufferValue (Anna Henningsen) [#​60056](nodejs/node#60056)
• [d1fb8a538d] - src: avoid unnecessary string -> char* -> string round trips (Anna Henningsen) [#​60055](nodejs/node#60055)
• [54b439fb5a] - src: fill options_args, options_env after vectors are finalized (iknoom) [#​59945](nodejs/node#59945)
• [c7c597e2ca] - src: use RAII for uv_process_options_t (iknoom) [#​59945](nodejs/node#59945)
• [b928ea9716] - test: ensure that the message event is fired (Luigi Pinca) [#​59952](nodejs/node#59952)
• [e4b95a5158] - test: replace diagnostics_channel stackframe in output snapshots (Chengzhong Wu) [#​60024](nodejs/node#60024)
• [4206406694] - test: mark test-web-locks skip on IBM i (SRAVANI GUNDEPALLI) [#​59996](nodejs/node#59996)
• [26394cd5bf] - test: expand tls-check-server-identity coverage (Diango Gavidia) [#​60002](nodejs/node#60002)
• [b58df47995] - test: fix typo of test-benchmark-readline.js (Deokjin Kim) [#​59993](nodejs/node#59993)
• [af3a59dba8] - test: verify tracing channel doesn't swallow unhandledRejection (Gerhard Stöbich) [#​59974](nodejs/node#59974)
• [cee362242b] - timers: fix binding fast call signatures (Renegade334) [#​59600](nodejs/node#59600)

... (truncated)

Changelog

Sourced from balena-io/deploy-to-balena-action's changelog.

v2.0.140 - 2026-02-12

• Update Node.js to v22.22.0 [balena-renovate[bot]]

v2.0.139 - 2026-02-12

• Update dependency balena-sdk to v22 [balena-renovate[bot]]

Commits

• e909d8c v2.0.140
• 395f1dc Merge pull request #452 from balena-io/renovate/node-22.x
• 81d986e Update Node.js to v22.22.0
• 74e8cad v2.0.139
• f0de03b Merge pull request #446 from balena-io/renovate/major-22-balena-sdk
• 4484380 Update dependency balena-sdk to v22
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)