Node.js

This release introduces HTTP/1 fallback configuration for http2, supports ESM entry points in SEA, and marks the sqlite module as a release candidate. It also includes several documentation improvements and dependency updates.

This release introduces several minor features across core modules like async_hooks, fs, http, and stream, alongside dependency updates and build improvements. Key additions include better promise tracking in async hooks and new configuration options for fs.watch and http proxy settings.

This release focuses on dependency updates, build system improvements by replacing `cjs-module-lexer` with `merve`, and performance enhancements in HTTP header parsing. It also documents the deprecation of `url.format(urlString)`.

This release introduces stability for several CLI flags and V8 features, updates root certificates, and includes numerous build system improvements and performance enhancements in assertion utilities.

This release introduces new features like promise tracking in async hooks, TOS methods on sockets, and ESM support in the embedder API, alongside performance improvements for TextEncoder and various dependency upgrades.

This release introduces minor features like an 'ignore' option for fs.watch and enhancements to SEA generation, alongside dependency updates including npm 11.8.0 and updated root certificates.

This release introduces several stability promotions for CLI flags and module features, alongside new utility functions and performance improvements in assertion comparisons. Key additions include http.setGlobalProxyFromEnv() and enhanced module import handling.

This is a security release addressing several CVEs across lib, permission, src, and tls modules. Key changes include improved error handling and stricter permission checks.

This is a security release addressing several CVEs across various components including TLS, lib, and src. Key fixes involve error handling, permission requirements for symlinks, and buffer creation refactoring.

This is a security release addressing several CVEs by improving TLS error handling, updating dependency versions, and tightening permissions around symlink operations and buffer creation.

This is a security release addressing several CVEs by disabling futimes under the permission model, improving TLS error handling, tightening symlink API permissions, and fixing stack overflow and buffer creation issues.

This release stabilizes module type stripping, introduces portable compile caches, and adds new options for HTTP, SQLite, and Node-API. It also includes significant V8 engine updates and security-related bug fixes in the crypto module.

This release focuses on security updates including root certificate renewals and OpenSSL 3.0.17, alongside the deprecation of HTTP/2 priority signaling and various dependency bumps.

This release reverts a breaking change to the experimental Web Storage API and includes a crypto fix for RSA-PSS saltLength defaults and a V8 backport.

This release stabilizes type stripping, introduces new Node-API and V8 statistics methods, and improves performance for Buffer and console operations. It also includes a breaking change where localStorage throws on missing storage paths.

This release fixes a critical bug where Buffer.allocUnsafe was incorrectly zero-filling memory and updates several core dependencies including npm, corepack, and root certificates.

This release introduces performance optimizations for empty HTTP requests, defensive flag support for SQLite, and transitions async module loader hooks to experimental status.

This release focuses on performance optimizations for array inspection and HTTP/2, along with critical bug fixes for process execution environment variables and async context handling during unhandled rejections.

This release transitions Node.js 24.x to Long Term Support (LTS) status under the codename 'Krypton' with no functional changes from 24.10.0 other than metadata updates.

This release introduces built-in proxy support for fetch and http/https requests via environment variables, adds a new callback for HTTP upgrade control, and stabilizes .env file support.

Node.js 25 updates the V8 engine to 14.1, enables Web Storage by default, and introduces the --allow-net permission flag. This release also removes several long-deprecated APIs including SlowBuffer and legacy fs constants.

This release introduces a new authorization API for SQLite, stabilizes .env file support, and removes the util.getCallSite internal utility. It also includes significant dependency updates for OpenSSL, npm, and V8.

This release introduces a new HTTP upgrade callback, expands SQLite functionality with a Session class and tagged templates, and adds a heap profile API for workers.

This release updates Node.js 22.x to OpenSSL 3.5.2 for long-term support and introduces several minor features including Brotli support in streams, SEA configuration improvements, and stabilization of path.matchesGlob.

This release introduces experimental HTTP/2 network inspection in DevTools and significantly expands Web Cryptography support with Argon2, KMAC, and ML-DSA. It also stabilizes several features including path.matchesGlob and the --disable-sigusr1 flag.

This release focuses on internal dependency updates (OpenSSL, zlib, acorn), critical bug fixes for DNS and Crypto modules, and several updates to the project's collaborator and TSC membership.

This release introduces several minor features including system CA support, unflagging of WASM modules, and new thread CPU usage tracking, alongside dependency updates for OpenSSL and SQLite.

This release introduces Post-Quantum Cryptography support in node:crypto and the Web Cryptography API, adds Argon2 password hashing, and enables execution argument configuration for Single Executable Applications.

This release introduces support for ML-DSA in crypto, Zstd dictionary support in zlib, and a new Utf8Stream in the fs module. It also adds the ability to use system certificate authorities via a new CLI flag.

This release upgrades to OpenSSL 3.5, unflags WebAssembly ESM integration, and introduces built-in proxy support for the http and https modules.

This release enables experimental TypeScript type stripping by default and introduces several minor features including import.meta.main, new URL buffer APIs, and async disposable Workers.

This security release addresses CVE-2025-27210, fixing a path traversal protection bypass in path.normalize() related to Windows reserved device names.

This is a security release primarily addressing CVE-2025-27210, which involved a path traversal bypass on Windows using reserved device names.

This security release addresses a HashDoS vulnerability in V8 (CVE-2025-27209) and a path traversal protection bypass on Windows involving reserved device names (CVE-2025-27210).

This release introduces several minor features including disposable mkdtempSync, enhanced permission model propagation, and new SQLite options. It also addresses a memory leak in DNS and fixes a crypto regression related to OpenSSL 3.4.

This release stabilizes several utility and file system APIs, introduces explicit resource management for directory handles, and deprecates legacy behaviors in the HTTP and child_process modules.

This release introduces the fileURLToPathBuffer API, object property mocking in the test runner, and stabilizes type stripping by removing its experimental warning. It also includes significant dependency updates and reverts changes to test_runner promises.

This release stabilizes Ed25519/X25519 in WebCrypto, updates several core dependencies like ICU and root certificates, and introduces deprecations for invalid types in fs.existsSync.

This release introduces import.meta.main for ESM entry point detection, stabilizes Symbol.dispose, and removes HTTP/2 priority signaling in alignment with RFC 9113. It also includes several deprecations to align with modern JavaScript practices and updates core dependencies like nghttp2 and SQLite.

This release introduces explicit resource management for fs.Dir and stabilizes fs.glob. It also includes a major V8 update to 13.6 and various bug fixes for AsyncLocalStorage and file system operations.

This release graduates several experimental APIs and ESM features to stable, introduces a native node.config.json support, and adds new utilities for SQLite, Worker threads, and Float16Arrays.

A security-focused release addressing CVE-2025-23166 to fix error handling in asynchronous crypto operations.

This security release addresses CVE-2025-23166 by fixing error handling in asynchronous crypto operations and updates the c-ares dependency to v1.34.5.

This is a security release addressing two vulnerabilities: CVE-2025-23166 regarding async crypto error handling and CVE-2025-23165 regarding filesystem request cleanup.

This security release addresses multiple vulnerabilities (CVE-2025-23166, CVE-2025-23167, CVE-2025-23165, CVE-2024-27982) by updating the llhttp parser and fixing critical issues in the crypto and fs modules.

This release primarily focuses on documentation improvements and reverts the deprecation of SlowBuffer. It also includes build tool updates and clarifies the future roadmap for Corepack.

Node.js 24 updates the V8 engine to 13.6 and npm to 11, while promoting URLPattern to a global and stabilizing the Permission Model flag. It introduces several runtime deprecations for legacy APIs and mandates ClangCL for Windows compilation.

This release introduces Zstd compression support, native system CA store integration for Windows and macOS, and several new APIs in the assert, module, and process namespaces.

This maintenance release focuses on dependency updates for undici and c-ares, alongside a fix for DNS query cache TTL and documentation corrections regarding ESM requirements.

This release introduces partial error comparison in the assert module, adds process.execve, and expands the sqlite and crypto APIs. It also includes several dependency updates and stabilizes multiple experimental APIs.

This release focuses on security and dependency updates, notably upgrading OpenSSL to 3.0.16 and root certificates to NSS 3.108, alongside internal improvements to the inspector API.

This release introduces an experimental JSON configuration file for Node.js flags and adds new utility methods to the TLS and V8 modules. It also includes several dependency updates, including OpenSSL 3.0.16 and NSS 3.108 root certificates.

This release enables require(esm) and module syntax detection by default on Node.js v20.x. It also introduces the postMessageToThread worker API and updates several core dependencies including ICU, NSS, and Corepack.

This release introduces TLSA record support in the DNS module and a new threadCpuUsage method in the process module. It also includes several dependency updates (SQLite, ada, ngtcp2) and various build and documentation fixes.

This release updates root certificates to NSS 3.107, adds support for Python 3.13, and includes several dependency updates and documentation accessibility improvements.

This release introduces the URL Pattern API, support for Zstandard (zstd) compression, and the ability to use system CA certificate stores on macOS and Windows. It also includes a timezone update to 2025a and improved thread naming for debugging.

This release introduces TypeScript support for STDIN and workers, adds new process control methods, and enhances the test runner and SQLite modules. It also includes critical bug fixes for crypto and child_process modules.

This release stabilizes ESM import attributes and JSON modules, updates root certificates to NSS 3.104, and enables the --heap-prof flag in NODE_OPTIONS. It also includes several build fixes and dependency updates for c-ares, zlib, and simdutf.

This release introduces several new features to the test_runner and sqlite modules, updates root certificates to NSS 3.107, and adds support for glob patterns in fs exclude options. It also includes performance improvements for assertions and various bug fixes in crypto and child_process.

This security release addresses three medium-severity vulnerabilities (CVE-2025-23085, CVE-2025-23084, CVE-2025-22150) involving HTTP2 memory leaks, Windows path traversal, and undici fetch randomness.

This security release addresses several vulnerabilities including a high-severity issue in the Permission Model, path traversal on Windows, and memory leaks in HTTP/2.

This security release addresses critical vulnerabilities including a path traversal on Windows, an HTTP/2 memory leak, and unauthorized InternalWorker access when the permission model is active.

Security release addressing multiple CVEs including path traversal on Windows, HTTP/2 memory leaks, and permission model bypasses.