Node.js 20

It's that time of year again for the Node.js community to release a new major version, and this year it's Node.js 20. This release line is an even-numbered one, which means that it will be promoted to long-term support (LTS) in October 2023 and receive support until April 2026.

However, before the release is officially promoted to LTS, the Node.js team needs the help of the wider community to test it out and provide feedback. This will help identify and fix any issues before the release, ensuring a smoother experience for everyone.

For those using Red Hat Enterprise Linux (RHEL), Node.js support will start after the release is promoted to LTS, which means you can expect to find packages for the RPM Package Manager (rpm) and containers in RHEL 8 and 9 around that time. However, to facilitate advanced testing, the Red Hat Node.js team plans to provide some unofficial container images.

Red Hat's focus in the Node.js project is on aspects that are important to our customers, including stable and predictable releases, platform support, security, diagnostics, performance, and code quality.

Our commitment to these priorities, combined with our collaborations with customers and internal teams, as well as our sharing of expertise in the Node.js reference architecture, keeps us busy.

At the time of Node.js 20, we are excited to share some recent features and ongoing initiatives that have piqued our interest or in which our team has played a role. Due to how quickly features flow back into the existing Node.js release line, they all may not be technically new in Node.js 20 but they are worth mentioning as having landed since the last major release. Here are a few highlights:

• Stable Test Runner
• WASI (Experimental) no longer a requires command line flag, and version is required
• Permission model (Experimental)
• Single Executable Applications (Experimental)
• Tracing channel (Experimental)

As you can tell from the list of highlights, a lot is happening in the world of Node.js. Additionally, this release will feature updated platform support and a new version of V8 - both common elements of new major Node.js releases. These updates are a testament to the rapid pace of Node.js development and its continued evolution.

The usage of Node.js is steadily increasing, with billions of downloads of Node.js binaries and containers reported in the past year (based on our informal count using Node.js download data and DockerHub pulls). From the perspective of Red Hat customers, we have observed a persistent growth in the downloads of Red Hat Node.js containers, as well as an increase in inquiries from our customers.

Recent Feature Highlights

Stable Test Runner

Last year, Node.js shipped an experimental built-in test runner. The feature is not intended to replace full-featured test frameworks like Jest or Mocha, but to offer a quick and easy way to write and run a test suite without the need to install additional dependencies. Since its addition, many enhancements have been made including:

• Command-line test runner that can be invoked via node --test
• Configurable and custom test reporters via --test-reporter 
• Experimental test coverage through the --experimental-test-coverage
• Mocking capabilities
   

With Node.js 20, the test runner graduates from stable to experimental, thanks to all the end-user testing and feedback. Detailed usage information can be found in the API Documentation.

WASI no longer requires a command line flag, version is required

Emerging technologies like Web Assembly (WASM) and the Web Assembly System Interface (WASI) are gaining popularity due to their compact code, cross-platform compatibility, and security model. Red Hat is one of the companies exploring these technologies, and you can find out more in Red Hat and WebAssembly.

There are many different runtimes for executing WASM with WASI and Node.js is one of them! While WASI remains an experimental feature in this release, the --experimental-wasi-unstable-preview1 flag is no longer required to enable it. This development makes WASI easier to use and brings it one step closer to being supported.

The other important change in Node.js 20 is that the version option becomes mandatory when you are creating the WASI object. You will now get an error if version is left out instead of preview1 being used as the default. As different versions of WASI are supported, applications must be specific as to which version they rely on versus relying on the default matching their needs.

If you have an interest in WASM/WASI and Node.js, we'd love to have you join the uvwasi team and help out.

Permission Model

Node.js 20 ships with an experimental Permission Model feature. The Permissions Model provides a mechanism in which the developer can restrict access to specified resources during process execution.

The feature is currently available behind a command-line flag --experimental-permission. Once the feature is enabled, you can manage the following permissions via their respective command-line flags:

• File System with --allow-fs-read and --allow-fs-write

• Child Process with --allow-child-process

• Worker Threads with --allow-worker

Refer to the Permission Model section of the Node.js documentation for more information. 

Single Executable Applications

A long-time ask from the community was the ability to support single executable applications (SEA) built with Node.js. This involves bundling your application with the Node.js binary so that end users can distribute and run it as a single executable file (such as an .exe on Windows) Work to implement the feature was initiated in a Next-10 deep dive a while back, and Node.js now includes experimental support for packaging applications into the Node.js community binaries. Different tools can be used to bundle the application into the binaries and then the Node.js binary will recognize the bundled application and execute it on startup.

Tracing Channel

Diagnostics are important to Red Hat customers who run applications in production and it's great to see that this release brings progress on this front. Node.js 20 includes the recently introduced tracing channel as an experimental extension to the Diagnostics Channel feature. Tracing channels help to group diagnostic channels for use in generating and consuming trace data.

V8 JavaScript engine version 11.3

The V8 JavaScript engine functions as the environment where JavaScript code is executed, allowing it to run seamlessly across a multitude of platforms. This eliminates the need for developers to be concerned about the specifics of the platform, such as the operating system being used (Linux, Windows, macOS) or the hardware architecture (x64, Arm, or Power PC) that underlies it. V8 is coded in C++ and necessitates that the Node.js community take responsibility for the maintenance and enhancement of V8 across various hardware and operating system configurations.

Members of the Node.js team at Red Hat are responsible for maintaining V8 on Power PC and s390, and they commit changes every week to ensure its continued operation on these platforms. As a result, the Red Hat Node.js team has insight into new changes and features in upcoming versions of the V8 JavaScript engine.

The initial release of Node.js 20 updates the V8 JavaScript engine to 11.3. New features in V8 since the last major release include:

• String.prototype.isWellFormed and String.prototype.toWellFormed
• RegExp v flag with set notation + properties of strings
• Resizable ArrayBuffer and growable SharedArrayBuffer
• WebAssembly Tail Call

Platform support

As with most major releases, this release updates the minimum supported levels for platforms and tooling used to build Node.js. The Node.js building instructions document the new minimum levels.  

Recent changes to platform support include upgrading the compiler used for gcc-based builds to gcc10. Windows on ARM has also recently been elevated to a tier 2 platform, and prebuilt binaries are now made available by the project for Node.js versions 19 and later.   

For those who use the Red Hat Node.js binaries or containers, this change will not affect you as Red Hat builds and makes available binaries that match Fedora and RHEL major versions through rpms and containers.

Security and Supply Chain security

While security and supply chain security have always been important, there has been growing awareness and interest in these areas in recent years. Within the Node.js project, a significant amount of effort is devoted to security-related work, ranging from identifying and resolving vulnerabilities to executing security releases.

We’d like to express our appreciation to the companies and individuals who have stepped up to help with security releases as security release stewards or as part of the security triage team, the Release Working Group, and all those who contribute to the security release efforts. While major releases gather considerable attention, security releases are equally essential. We’d like to see more companies committing to help with security triage, security stewardship, and fixing vulnerabilities.

On the good news front, funding from the Open Source Security Foundation (OSSF) has allowed the project to better keep on top of fixing vulnerabilities and to accelerate progress on key initiatives including:

• automation of dependency updates
• monitor and resolve vulnerabilities in dependencies through node js-dependency-vuln-assessments 
• assess compliance with best practices
• improving the security release process

The project is also looking at emerging practices and technologies like Sigstore and SLSA, to determine their potential applications in the project. 

If you are planning to be at the Open Source Summit in May and want to learn more about some of this work, make sure to check out Improving the Security of a Large Open Source Project One Step at a Time.

In line with what is important to our customers, Red Hat is proud to be doing part of this work through our involvement in the triage team, doing security releases and contributing to the efforts of the security working group team along with all of the other contributors across the project.

Next-10

While major releases are the time people look at what’s new. It’s also important to look forward to what’s coming in the future. The project is working on that as part of the Next-10 effort and has defined the constituencies, needs of those constituencies and the technical priorities based on those needs. Of note is that the Next-10 team will be doing a survey, supported by the OpenJS foundation, soon. We hope you participate so that the next-10 team can incorporate your feedback into future work.

A big thank you

Our gratitude goes out to every individual involved in the release of Node.js. The Node.js project has a diverse group of contributors who work tirelessly, and each release is a culmination of their collective efforts.

Wrapping up

The community changelog for Node.js 20.0.0 and OpenJS blog post contain more details about the latest enhancements and modifications.

For further insights on the Node.js community and ways to participate, visit the project repository and website. To explore Red Hat's involvement in the Node.js space, refer to the Red Hat Node.js Developers page. Additionally, Red Hat customers can refer to the customer portal for additional information.