[pull] master from nodegit:master#10
Open
pull[bot] wants to merge 273 commits into
Mode: paranoid | Total findings: 1 | Considered vulnerability: 1
Insecure Use of Dangerous Function (1)
More info on how to fix Insecure Use of Dangerous Function in C/C++. Go to the dashboard for detailed results.
- ThreadPoolImpl doesn't need to keep a pointer of context.
- Method RunJSThreadCallbacksFromOrchestrator is not used.
We want to test two scenarios:
- When libgit2 spawns threads to do the work (when doing a checkout).
- When libgit2 leverages a single thread to do the work (for example when working with submodules).
In each scenario, we'll run synchronous work inside the callbacks, where no locking is applied, so they should succeed. We'll also run asynchronous work inside the callbacks that lock the same objects already locked. These tests should be able to run by temporarily unlocking those objects until the callback ends.
This is a temporary workaround in order to avoid the loss of performance with LFS checkout. The change is limited to the processing of callbacks from Workers that leverage threaded libgit2 functions. Basically what it does is allow the callbacks from executorEventsQueue to be queued in jsThreadCallbackQueue without waiting for the current one to end. It is unsafe because with threaded libgit2 functions there is a potential risk of deadlock if the callbacks need to lock an object. This commit will be reverted when nodegit-lfs is integrated into nodegit.
Checkout leverages libgit2 threads and when applying filters it runs JS callbacks. These tests check that when running checkout on a worker thread and this is terminated, it exits gracefully without memory leaks.
Update Github Actions for node 16
To update the Windows box we need to upgrade node-gyp, so we need Python 3.6 in Ubuntu 16.04, but the latest version there is 3.5. This is the reason Python 3.6 is built from source.
…gression UNSAFE Temporary workaround for LFS checkout performance regression
Since 15 March 2022 the unauthenticated git protocol on port 9418 is no longer supported in Github. https://github.blog/2021-09-01-improving-git-protocol-security-github/
…upported-github Skip "can clone with git" test, unauthenticated git protocol is no longer supported in Github
No longer supporting node_pre_gyp_accessKeyId & node_pre_gyp_secretAccessKey, use AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY instead to authenticate against s3
…actions Update windows 2016 CI to 2019
Issues with mac and openssl_fips
Bring in newer packages, we're getting issues with outdated packages
Fix electron build
- replace private.ppk since github killed it
- encode private.ppk so github won't flag it again
- drop win32 sha1 rsa test since we don't have a key that github allows for this
- update pageant because why not
- add docs on test keys because I just had to figure all this out myself
Use custom electron for non-static builds on linux and fix cross-compilation
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 3.0.9 to 3.1.1.
- [Commits](mafintosh/tar-fs@v3.0.9...v3.1.1)

---
updated-dependencies:
- dependency-name: tar-fs
  dependency-version: 3.1.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…3.1.1 Bump tar-fs from 3.0.9 to 3.1.1
add macos arm64 tests and prebuilts
Fix Alloc-Dealloc mismatches
Switch back to upstream nan version
issue template: remove redundant console.log
Added missing sshKeyMemoryNew to Cred
Non-breaking semver-compatible updates via npm audit fix:
- tar 7.4.3 to 7.5.10 (High: path traversal, symlink poisoning, hardlink attacks)
- lodash 4.17.21 to 4.17.23 (Moderate: prototype pollution in _.unset/_.omit)
- js-yaml 3.14.1 to 3.14.2, 4.1.0 to 4.1.1 (Moderate: prototype pollution in merge)
- glob 10.4.5 to 10.5.0 (High: command injection via --cmd)
- brace-expansion 1.1.11 to 1.1.12, 2.0.1 to 2.0.2 (Low: ReDoS)
- minimatch 3.1.2 to 3.1.5, 9.0.5 to 9.0.9, 5.1.6 to 9.0.9 (High: ReDoS)
- mocha 11.4.0 to 11.7.5 (within ^11.4.0)
- jshint 2.13.4 to 2.13.6 (within ^2.10.0)
All updates stay within declared semver ranges. Only package-lock.json changed. Resolves 5 of 11 reported npm audit vulnerabilities.
…ties Adds overrides in package.json for transitive dependencies that cannot be updated within their parent packages' declared semver ranges:
- mocha > diff: ^7.0.0 overridden to ^8.0.3. Fixes DoS in parsePatch/applyPatch (GHSA-73rr-hh4g-fpgx)
- mocha > serialize-javascript: ^6.0.2 overridden to ^7.0.4. Fixes RCE via RegExp.flags and Date.prototype.toISOString (GHSA-5c6j-r48x-rmvq)
- jshint > minimatch: ~3.0.2 overridden to 3.1.5. Fixes multiple ReDoS vulnerabilities (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74)
Remaining: aws-sdk v2 low-severity advisory (GHSA-j965-2qgj-vjmq) affects all of v2 and requires migration to v3, which is out of scope. Lint (jshint) verified passing after minimatch override.
Resolves npm audit high-severity vulnerabilities
Add and update npm overrides to resolve high and moderate severity vulnerabilities in transitive dependencies:
- tar: upgrade to ^7.5.11 (GHSA-9ppj-qmqm-q256, high - symlink path traversal)
- picomatch: upgrade to ^4.0.4 (GHSA-c2c7-rcm5-vvqj, high - ReDoS; GHSA-3v7f-55p6-f55p, medium - method injection)
- serialize-javascript: upgrade override to ^7.0.5 (GHSA-qj8w-gfj5-8c6v, medium - CPU exhaustion DoS)
- brace-expansion: upgrade to ^2.0.3 and ^1.1.13 (GHSA-f886-m6hf-6m8v, medium - process hang and memory exhaustion)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix 5 Dependabot security alerts via npm overrides
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )