Node.js
The Node.js provider tracks the runtime versions published at nodejs.org, reading the release index (nodejs.org/dist/index.json) that lists every release. It resolves the bare runtime version, e.g. a .node-version file or a CI variable. A node:24-bookworm container tag is a Docker image, handled by the Docker provider.
# clover: provider=node constraint=minor
node_version: 24.18.0
Keys
| Key | Description |
|---|---|
provider | node |
lts | Restrict candidates to the long-term-support release lines. Defaults to false. |
constraint | How far the version may move (major/minor/patch, or a semver range) |
include | Keep only matching versions |
exclude | Drop matching versions |
cooldown | Require a minimum age before a version is eligible |
The release index is public, so the Node.js provider needs no authentication. It is selected explicitly with provider=node, or inferred from a node entry in a mise configuration file. Elsewhere a bare version line carries no signal to infer it from.
Release lines
Node.js ships a new current major line every six months, and the even-numbered lines become long-term support (LTS), maintained for years, each under a codename (Krypton, Jod, Iron, Hydrogen, …). By default Clover tracks every release, so the newest version satisfying the constraint wins:
# clover: provider=node constraint=minor
node_version: 24.18.0
lts=true keeps only the LTS lines, dropping the current (odd or pre-promotion) releases. This is the form to track when you want stability over the newest features:
# clover: provider=node lts=true constraint=major
node_version: 24.18.0
The index serves the whole release history in one response, so Clover always sees every line, and --deep has nothing extra to fetch.
Checksums
Node.js publishes a SHASUMS256.txt file for every release at a predictable URL, so a follower can keep a checksum in lockstep with the version by templating sha256-url with <version> and selecting the artifact with pattern:
# clover: provider=node id=node constraint=minor
node_version: 24.18.0
# clover: from=node value=sha256 sha256-url=https://nodejs.org/dist/v<version>/SHASUMS256.txt pattern=node-<version>-linux-x64.tar.xz
node_sha256: 0000000000000000000000000000000000000000000000000000000000000000
The checksum is refreshed only when the version it follows actually changes, so the two never drift out of step, and a digest that was once pinned never moves on its own. Pass --force (or set run.force) to deliberately re-pin it when an unchanged version’s artifact was legitimately re-published.