what stackpulse tracks
Node.js releases from GitHub
StackPulse watches Node.js release notes and keeps the original source link close to every summary.
#stacks/nodejs/runtime
Node.js release notes, breaking changes, and upgrade notes.
JavaScript runtime built on Chrome’s V8 engine StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.
releases
11
breaking
1
security
6
deprecated
0
migrations
0
upgrade risk
Breaking changes and deprecations
Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.
migration notes
Source-backed next steps
Migration steps and recommended actions are only shown when the upstream release notes support them.
# latest_releases
source-backedv26.4.0mediumfeatureJun 24, 2026
2026-06-24, Version 26.4.0 (Current), @aduh95
This release introduces several enhancements including support for caller-supplied buffers in fs.readFile(), package maps in the loader, and new TCP keepalive options. It also adds a minimal node:vfs subsystem and dispatches node:fs/promises to mounted VFS instances.
affected
Developers using fs, net, tls, or loader modules may benefit from the new features.
action
Consider updating to take advantage of new features and improvements.
release_signals
+Support for caller-supplied buffers in fs.readFile()
+Implementation of package maps in the loader
+Support for TCP_KEEPINTVL and TCP_KEEPCNT in setKeepAlive
+Addition of certificateCompression option in tls
+Minimal node:vfs subsystem and dispatch of node:fs/promises to mounted VFS instances
v24.18.0highfeaturesecurityJun 23, 2026
2026-06-23, Version 24.18.0 'Krypton' (LTS), @richardlau prepared by @sxa
This release introduces several notable changes, including updates to root certificates, enhancements to the HTTP and crypto modules, and improvements to buffer handling. It also adds new Web Cryptography algorithms and increases the default Buffer.poolSize.
affected
Developers using the crypto, buffer, and HTTP modules may be affected by the changes.
action
Review the changes and update your code as necessary to leverage new features and ensure compatibility.
release_signals
!Updated root certificates to NSS 3.123.1
!Hardened WebCrypto against prototype pollution
!Strengthened argument checks in TurboSHAKE
+Added TurboSHAKE and KangarooTwelve Web Cryptography algorithms
+Increased Buffer.poolSize default to 64 KiB
+Added writeInformation to HTTP for sending arbitrary 1xx status codes
+Exposed precise coverage start to JS runtime in the inspector module
+Accepted key data in crypto.diffieHellman() and cleaned up DH jobs
v22.23.1mediumJun 23, 2026
2026-06-23, Version 22.23.1 'Jod' (LTS), @RafaelGSS
This release addresses an unexpected behavior introduced by the recent security release (22.23.0), focusing on build and HTTP improvements.
affected
Users affected by the unexpected behavior in the previous security release (22.23.0) should update.
action
Upgrade to version 22.23.1 to resolve the unexpected behavior.
v26.3.1criticalsecurityJun 18, 2026
2026-06-18, Version 26.3.1 (Current), @aduh95
Security release addressing multiple CVEs affecting TLS, crypto, http2, dns, and permission systems.
affected
All users using Node.js's TLS, crypto, http2, dns, or permission features are affected and should upgrade immediately.
action
Upgrade to Node.js v26.3.1 immediately to mitigate security vulnerabilities.
release_signals
!(CVE-2026-48618) tls: normalize hostname for server identity checks (High)
!(CVE-2026-48933) crypto: guard WebCrypto cipher output length (High)
!(CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Medium)
!(CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Medium)
!(CVE-2026-48928) tls: fix case-sensitive SNI context matching (Medium)
!(CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Medium)
!(CVE-2026-48934) tls: bind reusable sessions to authenticated host (Medium)
!(CVE-2026-48617) permission: handle process.chdir on writereport (Low)
!(CVE-2026-48931) http: fix response queue poisoning in http.Agent (Low)
!(CVE-2026-48935) permission: disable FileHandle utimes with permission model (Low)
!(CVE-2026-48936) permission: guard pipe open and chmod with net scope (Low)
v24.17.0criticalsecurityJun 18, 2026
2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95
This release primarily focuses on addressing multiple security vulnerabilities across various modules, including TLS, crypto, HTTP/2, and DNS. It includes fixes for issues such as hostname normalization, WebCrypto cipher output length, and memory growth prevention in HTTP/2.
affected
Users relying on TLS, crypto, HTTP/2, DNS, and permission modules are affected by these security fixes.
action
Upgrade to Node.js v24.17.0 to mitigate the identified security vulnerabilities.
release_signals
!(CVE-2026-48618) tls: normalize hostname for server identity checks
!(CVE-2026-48933) crypto: guard WebCrypto cipher output length
!(CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors
!(CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth
!(CVE-2026-48928) tls: fix case-sensitive SNI context matching
v22.23.0criticalbreakingsecurityJun 18, 2026
2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95
This release focuses on addressing multiple security vulnerabilities across various modules, including TLS, crypto, DNS, HTTP/2, and permissions. Several high and medium severity CVEs have been patched to improve security and stability.
affected
Users relying on HTTP/2 priority signaling or affected by the listed CVEs should upgrade immediately.
action
Upgrade to version 22.23.0 to address security vulnerabilities and breaking changes.
release_signals
-http2: remove support for priority signaling (Matteo Collina) – This is a breaking change for applications relying on HTTP/2 priority signaling.
!(CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
!(CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
!(CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
!(CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
!(CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
v26.3.0highfeaturesecurityJun 1, 2026
2026-06-01, Version 26.3.0 (Current), @aduh95
This release includes updates to macOS Universal Binary availability, increases the default `Buffer.poolSize` to 64 KiB, and introduces new features like `permission.drop` and `httpValidation` options. Security updates include hardening WebCrypto against prototype pollution and updating root certificates.
affected
Users on macOS may need to prepare for potential changes in Universal Binary availability, and developers using `Buffer` or `http` modules may benefit from the new defaults and options.
action
Update to Node.js v26.3.0 to benefit from the latest features and security improvements.
release_signals
!Harden WebCrypto against prototype pollution
!Update root certificates to NSS 3.123.1
+Increase `Buffer.poolSize` default to 64 KiB
+Add `httpValidation` option to configure header value validation
+Expose precise coverage start to JS runtime
+Add `permission.drop` method
+Harden WebCrypto against prototype pollution
v24.16.0highfeatureMay 21, 2026
2026-05-21, Version 24.16.0 'Krypton' (LTS), @aduh95
This release introduces several new features and improvements, including a new `randomUUIDv7()` method in the crypto module, enhanced debugging capabilities with edit-free runtime expression probes, and additional options for `fs.stat()` and `http.ClientRequest`. The release also includes various internal optimizations and dependency updates.
affected
Developers using the crypto, debugger, fs, and http modules may benefit from the new features and improvements.
release_signals
+Added `randomUUIDv7()` method to the crypto module.
+Introduced edit-free runtime expression probes in the debugger.
+Added a `signal` option to `fs.stat()`.
+Exposed the `frsize` field in `statfs`.
+Hardened `ClientRequest` options merge in the http module.
v26.2.0highfeatureMay 20, 2026
2026-05-20, Version 26.2.0 (Current), @aduh95
This release introduces support for `Temporal.Instant` in `fs` module, adds a new `writeInformation` method to `http` for sending arbitrary 1xx status codes, and marks `stream.compose` as stable. Additionally, several crypto improvements and updates to dependencies are included.
affected
Developers using `fs`, `http`, and `crypto` modules may benefit from new features and improvements.
release_signals
+Add `Temporal.Instant` support to `Stats` and `BigIntStats` in the `fs` module
+Introduce `writeInformation` method in `http` for sending arbitrary 1xx status codes
+Mark `stream.compose` as stable
+Wire ML-DSA and ML-KEM for use with BoringSSL in the `crypto` module
+Wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL
v22.22.3mediumfeaturesecurityMay 13, 2026
2026-05-13, Version 22.22.3 'Jod' (LTS), @marco-ippolito
This release focuses on dependency updates, including OpenSSL, npm, and V8, alongside minor fixes and documentation improvements.
affected
Users relying on updated dependencies or needing security fixes in crypto will be affected.
action
Upgrade to version 22.22.3 to benefit from the latest dependency updates and security fixes.
release_signals
!Fixed a potential null pointer dereference in crypto when BIO_meth_new() fails
+Updated root certificates to NSS 3.121
+Upgraded OpenSSL sources to openssl-3.5.6
+Updated npm to version 10.9.8
+Updated simdjson to version 4.5.0
+Updated sqlite to version 3.52.0
v26.1.0highfeatureMay 7, 2026
2026-05-07, Version 26.1.0 (Current), @aduh95
This release introduces an experimental `node:ffi` module for interacting with native libraries, alongside several minor improvements across the `buffer`, `crypto`, `fs`, `http`, and `test_runner` modules.
affected
Developers interested in native library integration or those using `buffer`, `crypto`, `fs`, `http`, and `test_runner` modules may be affected.
action
Review the new features and updates to determine if any changes are needed in your codebase.
release_signals
+Experimental `node:ffi` module for loading dynamic libraries and calling native symbols (requires `--experimental-ffi` flag).
+Added `end` parameter to `buffer` methods for improved indexing.
+Implemented `randomUUIDv7()` in the `crypto` module.
+Added `signal` option to `fs.stat()` for better control over file operations.
+Exposed `frsize` field in `statfs` for filesystem statistics.