stack.pulse
#stacks/nodejs/runtime

Node.js release notes, breaking changes, and upgrade notes.

JavaScript runtime built on Chrome’s V8 engine StackPulse turns upstream changelogs into scannable summaries with risky changes, deprecations, migration notes, and source links.

source repo$track this stackplan upgraderss
releases
11
breaking
1
security
6
deprecated
0
migrations
0

Get source-linked upgrade notes and occasional sponsor recommendations. No GitHub login required.

what stackpulse tracks

Node.js releases from GitHub

StackPulse watches Node.js release notes and keeps the original source link close to every summary.

upgrade risk

Breaking changes and deprecations

Risky changes are separated from normal feature notes so you can scan upgrade impact before changing production dependencies.

migration notes

Source-backed next steps

Migration steps and recommended actions are only shown when the upstream release notes support them.

# latest_releases

source-backed
allbreakingdeprecationmigrationsecurity
v24.18.0highfeaturesecurityJun 23, 2026

2026-06-23, Version 24.18.0 'Krypton' (LTS), @richardlau prepared by @sxa

This release introduces several notable changes, including updates to root certificates, enhancements to the HTTP and crypto modules, and improvements to buffer handling. It also adds new Web Cryptography algorithms and increases the default Buffer.poolSize.

affected

Developers using the crypto, buffer, and HTTP modules may be affected by the changes.

action

Review the changes and update your code as necessary to leverage new features and ensure compatibility.

release_signals
!Updated root certificates to NSS 3.123.1
!Hardened WebCrypto against prototype pollution
!Strengthened argument checks in TurboSHAKE
+Added TurboSHAKE and KangarooTwelve Web Cryptography algorithms
+Increased Buffer.poolSize default to 64 KiB
+Added writeInformation to HTTP for sending arbitrary 1xx status codes
+Exposed precise coverage start to JS runtime in the inspector module
+Accepted key data in crypto.diffieHellman() and cleaned up DH jobs
view source on github->
v26.3.1criticalsecurityJun 18, 2026

2026-06-18, Version 26.3.1 (Current), @aduh95

Security release addressing multiple CVEs affecting TLS, crypto, http2, dns, and permission systems.

affected

All users using Node.js's TLS, crypto, http2, dns, or permission features are affected and should upgrade immediately.

action

Upgrade to Node.js v26.3.1 immediately to mitigate security vulnerabilities.

release_signals
!(CVE-2026-48618) tls: normalize hostname for server identity checks (High)
!(CVE-2026-48933) crypto: guard WebCrypto cipher output length (High)
!(CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Medium)
!(CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Medium)
!(CVE-2026-48928) tls: fix case-sensitive SNI context matching (Medium)
!(CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Medium)
!(CVE-2026-48934) tls: bind reusable sessions to authenticated host (Medium)
!(CVE-2026-48617) permission: handle process.chdir on writereport (Low)
!(CVE-2026-48931) http: fix response queue poisoning in http.Agent (Low)
!(CVE-2026-48935) permission: disable FileHandle utimes with permission model (Low)
!(CVE-2026-48936) permission: guard pipe open and chmod with net scope (Low)
view source on github->
v24.17.0criticalsecurityJun 18, 2026

2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95

This release primarily focuses on addressing multiple security vulnerabilities across various modules, including TLS, crypto, HTTP/2, and DNS. It includes fixes for issues such as hostname normalization, WebCrypto cipher output length, and memory growth prevention in HTTP/2.

affected

Users relying on TLS, crypto, HTTP/2, DNS, and permission modules are affected by these security fixes.

action

Upgrade to Node.js v24.17.0 to mitigate the identified security vulnerabilities.

release_signals
!(CVE-2026-48618) tls: normalize hostname for server identity checks
!(CVE-2026-48933) crypto: guard WebCrypto cipher output length
!(CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors
!(CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth
!(CVE-2026-48928) tls: fix case-sensitive SNI context matching
view source on github->
v22.23.0criticalbreakingsecurityJun 18, 2026

2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95

This release focuses on addressing multiple security vulnerabilities across various modules, including TLS, crypto, DNS, HTTP/2, and permissions. Several high and medium severity CVEs have been patched to improve security and stability.

affected

Users relying on HTTP/2 priority signaling or affected by the listed CVEs should upgrade immediately.

action

Upgrade to version 22.23.0 to address security vulnerabilities and breaking changes.

release_signals
-http2: remove support for priority signaling (Matteo Collina) – This is a breaking change for applications relying on HTTP/2 priority signaling.
!(CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
!(CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
!(CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
!(CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
!(CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
view source on github->
v26.3.0highfeaturesecurityJun 1, 2026

2026-06-01, Version 26.3.0 (Current), @aduh95

This release includes updates to macOS Universal Binary availability, increases the default `Buffer.poolSize` to 64 KiB, and introduces new features like `permission.drop` and `httpValidation` options. Security updates include hardening WebCrypto against prototype pollution and updating root certificates.

affected

Users on macOS may need to prepare for potential changes in Universal Binary availability, and developers using `Buffer` or `http` modules may benefit from the new defaults and options.

action

Update to Node.js v26.3.0 to benefit from the latest features and security improvements.

release_signals
!Harden WebCrypto against prototype pollution
!Update root certificates to NSS 3.123.1
+Increase `Buffer.poolSize` default to 64 KiB
+Add `httpValidation` option to configure header value validation
+Expose precise coverage start to JS runtime
+Add `permission.drop` method
+Harden WebCrypto against prototype pollution
view source on github->
v22.22.3mediumfeaturesecurityMay 13, 2026

2026-05-13, Version 22.22.3 'Jod' (LTS), @marco-ippolito

This release focuses on dependency updates, including OpenSSL, npm, and V8, alongside minor fixes and documentation improvements.

affected

Users relying on updated dependencies or needing security fixes in crypto will be affected.

action

Upgrade to version 22.22.3 to benefit from the latest dependency updates and security fixes.

release_signals
!Fixed a potential null pointer dereference in crypto when BIO_meth_new() fails
+Updated root certificates to NSS 3.121
+Upgraded OpenSSL sources to openssl-3.5.6
+Updated npm to version 10.9.8
+Updated simdjson to version 4.5.0
+Updated sqlite to version 3.52.0
view source on github->