Node.js

Node.js patch release day ✨ Full changelog and download links here: - https://lnkd.in/gBPqrtab - https://lnkd.in/gQvE6yiw

Are you currently hiring for a role that includes using Node.js? Reply with a link to the opening and any relevant context. If you're not, we'd appreciate a repost for visibility 💚

Big year for security at OpenJS 👀 With support from Alpha-Omega, we leveled up security across Node.js and the OpenJS ecosystem in 2025. Faster vulnerability response, automated releases, a new OpenJS CNA, stronger disclosure practices, and hands on support for over 10 projects. Read the full 2025 security recap 👇 https://hubs.la/Q040m4w80

Big news 👀 The OpenJS Foundation is bringing a dedicated summit to RenderATL (Render Atlanta) 2026. 🔥 Created by and for the JavaScript and Node.js community. Expect technical talks, real world lessons, and practical takeaways. Check out the details + register for the conference: https://hubs.la/Q0407r7c0

Node.js 25.5.0 (Current) is out! 💚 Notable changes here: https://lnkd.in/gf7P_NQn

⚠️ The Node.js Project now requires a HackerOne Signal score of 1.0 or higher to submit vulnerability reports. This will help our team streamline reports and support effective security reviews. https://lnkd.in/gmQrc2AV

Node.js v25.4.0 is out! 💚 • require(esm) now stable and a new CLI flag: --require-module • Module compile cache now stable • http.setGlobalProxyFromEnv() added • Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects) • Root CAs updated to NSS 3.117 • Several semver-minor improvements across events, module, stream, process, util See: https://lnkd.in/dRdzDw9Y

Critical Node.js Security Release: What React, Next.js, and APM Users Need to Know Today, we released security patches for Node.js that address a bug affecting a massive portion of the ecosystem. If you're running React Server Components, Next.js, or using any APM tool in production, this affects you. The Problem When async_hooks is enabled, and user code triggers a stack overflow, Node.js would immediately exit with code 7. No try-catch block could catch it. No uncaughtException handler would fire. The process would simply terminate. Why does this matter? Because async_hooks is enabled automatically when you use AsyncLocalStorage, and AsyncLocalStorage is used by: - React Server Components (for rendering context) - Next.js (for request context tracking) - Every major APM tool: Datadog, New Relic, Dynatrace, Elastic APM, OpenTelemetry This means an attacker could crash your entire server by sending a single request with deeply nested JSON data. The Fix Working with Anna Henningsen over the past month, we developed a fix that detects stack overflow errors and rethrows them to user code instead of treating them as fatal errors. Your try-catch blocks now work as expected. Important Context This fix is a mitigation, not a complete solution. Stack overflow recovery is not specified by ECMAScript. V8 implements it on a best-effort basis. If your application processes recursive data structures whose depth can be controlled by user input, you should always explicitly validate and limit that depth. Good News for Node.js 24+ Users In Node.js 24, we reimplemented AsyncLocalStorage using V8's new AsyncContextFrame API, which doesn't use the traditional async_hooks machinery. React and Next.js applications on Node.js 24+ are not affected by this specific bug. Action Required Update to the patched versions: - Node.js 20.20.0 - Node.js 22.22.0 - Node.js 24.13.0 - Node.js 25.3.0 Read the full technical deep dive on our blog: https://lnkd.in/d73QGkDT Thanks to the React and Next.js teams at Meta and Vercel for reporting this issue, and to Rafael Gonzaga, Joyee Cheung, James Snell, and Marco Ippolito for their help with triaging and releasing the fix.

We appreciate your patience and understanding as we work to deliver a secure and reliable release. Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines to address: - 3 high severity issues - 4 medium severity issues - 1 low severity issue https://lnkd.in/eMA5QM2U

🚨Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users. Additionally, releasing on Tuesday rather than Friday helps ensure that security updates are available during regular business hours across all time zones, particularly for our users in the Asia-Pacific region. https://lnkd.in/dZxT4dad