Never miss a release that matters

AI-powered summaries of every GitHub release.

AI Summaries

Changelogs condensed into clear, actionable insights.

Always Free

Track up to 5 packages at no cost, forever.

Weekly Digest

A curated summary of every release, delivered weekly.

Get Started Free
nodejs/nodev26.x
7 releases

TL;DR

Node.js now supports importing text modules via the experimental --experimental-import-text flag, enabling direct use of .txt, .csv, and other text-based files as modules.

New

  • Blob text streams: The buffer module now includes blob.textStream() for efficient handling of text-based blobs (large data chunks).
  • TLS group reporting: TLS connections now report the negotiated TLS groups for improved security auditing (encryption algorithms).
  • ReadableStreamTee: The stream module gains ReadableStreamTee, allowing splitting a single stream into multiple independent streams.

Fixes Worth Knowing

  • Child process permissions: Fixed an issue where permission models weren't correctly propagated to child processes via NODE_OPTIONS.
  • Crypto validation: Improved validation for DH (Diffie-Hellman) key generation and EdDSA (Edwards-curve Digital Signature Algorithm) points, enhancing cryptographic security.

Before You Upgrade

If you intend to use text files as modules, test with the --experimental-import-text flag to ensure compatibility.

nodejs/nodev24.x
25 releases

TL;DR

Node.js has received critical security updates, addressing multiple vulnerabilities including TLS hostname verification, WebCrypto cipher handling, and potential memory exhaustion in HTTP/2. Upgrade to the latest version to protect your applications.

Breaking

  • TLS: Hostname verification is now stricter, potentially impacting connections to servers with unusual or incorrectly configured hostnames. (May require updates to client configurations.)

New

  • Crypto: New TurboSHAKE and KangarooTwelve Web Cryptography algorithms are available. (Advanced cryptographic options.)
  • HTTP: The ability to send arbitrary 1xx status codes via writeInformation has been added. (For advanced HTTP protocol control.)
  • Buffer: The default Buffer.poolSize has increased to 64KiB. (May improve performance in some scenarios.)

Fixes Worth Knowing

  • HTTP Agent: Fixed a potential response queue poisoning issue in the http.Agent. (Improves stability of HTTP connections.)
  • TLS: Fixed issues with case-sensitive SNI context matching and NUL byte handling in hostnames. (Improves TLS connection reliability.)

Before You Upgrade

  • Review your TLS configurations to ensure hostnames are correctly configured, as verification is now stricter.
  • Be aware of the potential impact of the stricter TLS hostname verification on existing connections.
nodejs/nodev22.x
34 releases

TL;DR

This release addresses multiple high-severity security vulnerabilities (TLS, crypto, HTTP/2, DNS) impacting Node.js, and includes a fix for an issue introduced by the previous security release.

Breaking

  • TLS: Hostname normalization is now enforced for server identity checks, potentially affecting applications relying on relaxed hostname verification. (Security - certificate validation)
  • HTTP/2: The originSet size is now capped to prevent unbounded memory growth, potentially impacting applications handling a very large number of origins. (Network protocol)

New

No new features were introduced in this release.

Fixes Worth Knowing

  • A regression introduced in the previous security release (22.23.0) has been resolved.
  • Several vulnerabilities related to handling invalid or malicious input in DNS, HTTP, and crypto modules have been addressed. (Security - input validation)

Before You Upgrade

Review your TLS configuration to ensure hostname verification is correctly configured. If you rely on handling a very large number of HTTP/2 origins, monitor memory usage after upgrading.

nodejs/nodev25.x
14 releases

TL;DR

Node.js now supports TurboSHAKE and KangarooTwelve cryptographic algorithms, enhancing security and performance for applications requiring advanced cryptography.

Breaking

  • Test Runner Mocking: The MockModuleOptions.defaultExport and MockModuleOptions.namedExports options are replaced with a single MockModuleOptions.exports option. Use the npx codemod @nodejs/mock-module-exports command to automate updates. (Test setup)

New

  • AsyncLocalStorage Scopes: AsyncLocalStorage now supports using scopes for better context management. (Application context)
  • Stream/Iter Implementation: A new stream/iter implementation has been added, potentially improving performance for stream-based operations. (Data processing)

Fixes Worth Knowing

  • Buffer Performance: Multiple Buffer operations have been optimized for improved performance. (Data handling)
  • REPL Error Handling: The REPL (Read-Eval-Print Loop - interactive shell) now allows for customizable error handling. (Development tool)

Before You Upgrade

  • Run npx codemod @nodejs/mock-module-exports to automatically update your test mocking configuration.
nodejs/nodev20.x
41 releases

TL;DR

This release addresses multiple security vulnerabilities in Node.js, specifically concerning cryptographic functions, HTTP handling, file system permissions, and TLS connections.

Breaking

  • File System Permissions: Added permission checks to fs.promises and realpath.native functions (potentially affecting code relying on bypassing permission restrictions).
  • HTTP Headers: Changed prototype used for headersDistinct and trailersDistinct (may impact code directly manipulating header prototypes).

Fixes Worth Knowing

  • TLS/SSL: Improved error handling for HTTP/2 flow control errors (impacts secure network connections).
  • Cryptography: Implemented timing-safe comparisons in Web Crypto HMAC (improves security of cryptographic operations).
  • Security: Mitigated array index hash collision vulnerabilities (general security improvement).
nodejs/nodev23.x
14 releases

TL;DR

Node.js now includes a critical security fix for asynchronous cryptographic operations, protecting applications from potential errors and vulnerabilities.

Fixes Worth Knowing

Asynchronous crypto operations now have improved error handling, preventing crashes and ensuring more reliable operation. (Cryptography: secure data communication)

nodejs/nodev18.x
38 releases

TL;DR

Node.js has been updated with OpenSSL 3.0.16 and new root certificates, improving security and ensuring compatibility with current security standards.

Fixes Worth Knowing

  • Updated root certificates in NSS and OpenSSL address potential issues with verifying the authenticity of servers and services (security certificates).
  • Corepack and Undici (Node.js dependencies) have been updated, resolving potential bugs and improving performance.
nodejs/nodev21.x
13 releases

TL;DR

Node.js now prevents direct execution of .bat and .cmd files via child_process.spawn to address a critical command injection vulnerability on Windows.

Fixes Worth Knowing

A security vulnerability in child_process.spawn has been resolved, preventing potential command injection attacks when spawning processes without a shell on Windows.

nodejs/nodev16.x
37 releases

TL;DR

This release addresses critical security vulnerabilities in Node.js, specifically bypassing policy restrictions in module loading and process binding, and includes updates to OpenSSL for security fixes.

Breaking

  • Policies can be bypassed via Module._load (module loading).
  • Policies can be bypassed by module.constructor.createRequire (module creation).
  • Policies can be bypassed via process.binding (system access).

Before You Upgrade

Update your applications to the latest version of Node.js as soon as possible to mitigate these security risks. Review the August 2023 Security Releases blog post for detailed information.

nodejs/nodev19.x
13 releases

TL;DR

Node.js now includes URL.canParse, a new API for validating URLs against the WHATWG URL specification, improving reliability when handling user-provided URLs.

Breaking

  • node-api: The napi_module_register function is now deprecated.

New

  • Tracing Channel: A high-performance channel for publishing tracing data about function execution timing has been added, useful for performance analysis.
  • URL Validation: The URL.canParse API allows developers to reliably check if a URL string is valid before parsing, preventing errors.

Fixes Worth Knowing

  • URLSearchParams: Creation performance for URLSearchParams objects has been improved.
  • Error Inspection: Fixed an issue where inspecting errors with throwing getters for cause would fail.
  • File Streams: fs.createReadStream and fs.createWriteStream now support AbortSignal for cancellation.

Before You Upgrade

  • If you are using napi_module_register in your native Node.js addons, plan to migrate to a different registration method as it has been deprecated.
nodejs/nodev14.x
46 releases

TL;DR

This release addresses critical security vulnerabilities in Node.js, including a bypass of permissions policies and insecure loading of internationalization (ICU) data.

Breaking

  • Permissions Policies Bypass: A vulnerability allowed bypassing Node.js permissions policies via process.mainModule. (Security risk)
  • ICU Data Loading: Insecure loading of ICU data via the ICU_DATA environment variable is now prevented. (Security risk)

Fixes Worth Knowing

  • Prototype Mutation: Protection added against prototype mutation, improving code stability.
  • npm Update: npm has been updated to version 6.14.18, addressing several CVEs. (Package manager)
  • OpenSSL Update: Node.js now includes OpenSSL security updates. (Cryptography library)
v14.3.0v14.3.0
May 19, 2020
nodejs/nodev17.x
15 releases

TL;DR

Node.js now includes OpenSSL 3.0.3, addressing potential security vulnerabilities, and has been updated to npm 8.11.0 (package manager).

Fixes Worth Knowing

The npm updates include bug fixes and performance improvements to the package installation process.

Before You Upgrade

Review the OpenSSL security advisory (https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022/) to understand potential impacts to your applications.

nodejs/nodev12.x
51 releases

TL;DR

Node.js 12 is end-of-life on April 30, 2022; upgrade to Node.js 14 or 16 (supported versions) to continue receiving security updates.

Breaking

  • Node.js 12 will no longer receive updates after April 30, 2022 (end-of-life).

Fixes Worth Knowing

  • Resolved crashes in Node-API (native addons) during shutdown.
  • Fixed a potential stack overflow (memory error) when using vm.runInNewContext() (JavaScript virtual machine).
  • Corrected issues with finalization and garbage collection within Node-API.
nodejs/nodev15.x
18 releases

TL;DR

This release addresses critical security vulnerabilities in OpenSSL and the y18n npm package, and updates npm to version 7.7.6 which adds workspaces support to npm run and npm exec.

Breaking

  • OpenSSL Vulnerabilities (CVE-2021-3450, CVE-2021-3449): These vulnerabilities could allow attackers to bypass certificate checks. Upgrade immediately.
  • npm Vulnerability (CVE-2020-7774): A prototype pollution vulnerability in the y18n npm package is fixed.

New

  • http.ClientRequest.getRawHeaderNames(): A new method to retrieve raw header names in HTTP requests.
  • fsPromises.writeFile Async Iterators: Support for async iterators added to this file system method.

Fixes Worth Knowing

  • http2: Improved handling of non-EOF empty frames and options setting.
  • readline: Added AbortSignal support for improved cancellation.
  • stream: Pipeline now accepts Buffer as a valid first argument.

nodejs/nodev10.x
41 releases

TL;DR

This release addresses critical security vulnerabilities in OpenSSL and the y18n npm package, requiring an immediate upgrade to protect against potential exploits.

Fixes Worth Knowing

  • Updated npm to version 6.14.12 (package manager).
  • OpenSSL updated to 1.1.1k (encryption library).
nodejs/nodev13.x
17 releases

TL;DR

Node.js now supports dynamic import() within its vm module, offering more flexible module loading options for isolated JavaScript environments.

Breaking

  • async_hooks: The run and exit methods have been merged, potentially impacting custom async hook implementations that rely on separate behavior for these lifecycle events.

New

  • vm: The compileFunction method now accepts an importModuleDynamically option, enabling dynamic import() calls within the compiled function's scope.
  • tls: You can now specify a default cipher list from the command line for TLS connections.

Fixes Worth Knowing

  • http: Improved the reliability of the HTTP agent's free socket handling.
  • fs: Fixed potential memory leaks and improved error handling in file system operations.
  • streams: Corrected an issue where streams weren't being properly closed, preventing resource leaks.
  • worker: Resolved issues related to accessing environment variables and message handling in worker threads.

Before You Upgrade

  • If you are using custom async hooks, review your implementation to ensure compatibility with the merged run and exit methods.
nodejs/nodev8.x
25 releases

TL;DR

This release addresses a critical security vulnerability related to potential malicious code execution via npm (Node Package Manager), requiring immediate attention.

Before You Upgrade

Update your npm client to version 6.13.4 or later before installing any new or existing packages to mitigate the security risk.

nodejs/nodev11.x
16 releases

TL;DR

Node.js now supports TLS 1.3 (encryption protocol) for improved security and performance, and offers greater control over TLS versions via a new command-line switch.

New

  • TLS 1.3 Support: The latest version of TLS is now supported, offering enhanced security and speed.
  • TLS Version Control: A new --tls-min-v1.2 command-line switch allows you to specify the minimum acceptable TLS version.

Fixes Worth Knowing

  • Improved error handling and debugging within the native TLS implementation.
  • Updated OpenSSL sources to version 1.1.1b, addressing potential security vulnerabilities.
nodejs/nodev6.x
18 releases

TL;DR

Node 6 is nearing its end-of-life on April 30th, and you should upgrade to a supported version to continue receiving security updates.

Fixes Worth Knowing

A fix resolves an error check within the http module, improving stability when handling HTTP requests (web server functionality).

nodejs/nodev9.x
18 releases

TL;DR

This release significantly improves Node.js security by patching multiple Denial of Service (DoS) vulnerabilities in core modules like http2, tls, net, and buffer.

Fixes Worth Knowing

  • Fixed a memory exhaustion issue when using net.Socket as a stream.
  • Resolved a hang that could occur when calling Buffer.fill().
  • Improved stability of TLS connections by fixing SSL write error handling.
  • Addressed potential crashes in http2 during cleanup and when handling specific requests.
nodejs/nodev4.x
5 releases

TL;DR

This release addresses critical security vulnerabilities (CVE-2018-7158 and CVE-2018-7159) in the path module and HTTP parser, requiring all Node.js users to upgrade.

Breaking

  • PPC Little Endian ABI: A compiler issue in previous releases caused ABI breakage on PPCLE systems; this has been corrected. (Application Binary Interface - how software components interact)

Fixes Worth Knowing

  • Path Module: Fixed a denial of service vulnerability caused by maliciously crafted file paths.
  • HTTP Header Parsing: Invalid Content-Length headers with spaces are now rejected, preventing potential issues.
  • Root Certificates: Updated trusted root certificates for secure connections.

Before You Upgrade

Review the security release summary at https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ to understand the patched vulnerabilities and their potential impact on your applications.