Even though October signals the end of summer in my part of the world, it’s one of my favorite times of year because it means a new Node.js major release AND a new LTS version. Today, I’m happy to share that the Node.js community is releasing Node.js 19 and that next week Node.js 18 will be promoted to Long Term Support (LTS). It’s all very predictable due to the community’s well defined release process.
As per the Node.js release process, Node.js 19 will not be promoted to LTS as only even-numbered versions are promoted to LTS. For production deployments we recommend that you stick to LTS releases. However, we hope that you will try out Node.js 19 and provide feedback on the new functionality and features to help pave the way for future releases. If you are still on the Node.js 14 release line, now is a good time to start planning for a move to 16 or 18, since support for the 14 line ends in April.
With Node.js 18 being promoted to LTS, it will now make its way into the next minor release of Red Hat Enterprise Linux (RHEL). If you want to test out the RHEL version of Node.js 18 in advance, we’ve provided Centos stream based containers this year so that you can do that.
If you follow Red Hat’s work in the Node.js project, or have been following our regular updates, you’ll see that our strategy is to focus our community work on aspects we believe are important to our customers, including:
Stable and predictable releases
Code quality and safety net
Those aspects, along with working with our customers and internal teams and sharing our experience in the Node.js reference architecture, keeps us pretty busy.
Node.js 19 - What's new?
With over 1,150 commits since the last release, lots of work went into Node.js 19. Having said that, much of the work was behind the scenes fixing or refactoring existing features so the number of headline features is limited this time. Some of the interesting ones to mention include:
Note: this is an example of how features flow back quickly to earlier releases and this already made it into the Node.js 18 release line before 19 was released!. I still thought it was interesting to mention anyway!
If you have ever used nodemon to speed your development process you’ll be happy that Node.js 19 includes an experimental “--watch” command line option. This feature starts Node.js in watch mode so that Node.js will restart automatically when files are updated. Note that it’s only supported on Windows and macOS, which are the most commonly used platforms for development.
Stable Webcrypto API
The Web Crypto API is now stable in Node.js 19.
keep-alive enabled by default on global Agents
In Node.js 19, http.globalAgent and https.globalAgent use keep-alive by default which in most cases will result in better performance overall. You can read more about that option in the documentation here.
Progress on Diagnostic Channel
Diagnostic channel events have been added for process and worker. It’s great to see ongoing progress on improving diagnostics in Node.js.
While the Node.js 18 line now includes the same version of npm that will be shipped with Node.js 19, it started with version 8.6.0 so new versions continue to keep us up to date on the npm front.
Unlike the previous release, Node.js 19 brings no major changes to the platform levels supported. As always, any operating systems that have gone EOL will no longer be supported but the base requirements as outlined in BUILDING.md have not changed.
Node.js 18 being promoted to LTS
With the promotion of Node.js 18 to LTS, it’s now suitable for use in production. As with every release, Node.js brings features and functionally that makes moving up a good choice. These include:
Experimental Test Runner
ECMAScript modules improvements
Improved support for AbortController and AbortSignal
Updated Platform Support
V8 Version 10.2
OPENSSL 3 Support
Default DNS resolution
You can check out the details in our previous blog, Welcome Node.js 18.
Major releases are a good time to look at what has been accomplished in the project, not just what is in the release itself. The project’s approach to features means that many features are backported into existing release lines and are therefore not “new” in an major release. This is great for users who get new features faster, but means we sometimes miss out on a chance to celebrate.
Lots of great work has been going on in the project over the last 6 months, with progress being made on the Next-10 effort and the project’s top 10 technical priorities. The community just held a great Collaborator summit (site sponsored by Red Hat) where we reviewed the technical priorities with next steps being to adjust and update based on those discussions. Keep an eye out for those updates soon!
Some additional things I’d like to highlight for celebration:
Support from the Open Source Security Foundation has enabled us to make progress on improving our security processes and response times. There has been work on tracking vulnerabilities in dependencies, defining a security model, and work on a permissions system. It’s great to be making progress on these non-functional aspects as security in open source will only grow in importance going forward.
If you have questions about vulnerabilities you see reported in one of the dependencies for Node.js the first place to look is now the nodejs-dependency-vuln-assessment repository. There are scripts that automatically check Node.js dependencies for vulnerabilities against published CVEs and GitHubs vulnerability databases and open issues if they have not yet been addressed in Node.js (which is currently only running for main and 18.x but we plan to expand to all release lines in the future). Often these vulnerabilities do not affect Node.js due to the way they are used. In that case, the issue provides a good place to document that and communicate that assessment to the broader community.
A big thank you
We’d like to thank all of the people who contribute to Node.js releases, including Rafael Gonzaga and Ruy Adorno, on the Node.js community releaser team, who created and coordinated the Node.js 19 release. We also want to thank Beth Griggs from Red Hat who created and coordinated past Node.js releases and helped Rafael and Ruy get up to speed for this release. The community has a large cast of contributors working across the Node.js project and each release is the result of all of their hard work.
As a side note, I’d also like to thank the companies/individuals who have stepped up to help with security releases as security release stewards or as part of the security triage team, along with all of those who make security releases happen. The major releases are the big splash, but security releases are just as important. I’d like to see more companies committing to help with security triage, security stewardship as well as fixing vulnerabilities.
You can read about all the new features and changes from the community post here. To learn more about the Node.js community and how you can contribute, check out the project repository and website. If you want to read more about what Red Hat is up to on the Node.js front, head to the Node.js developers page here. Finally, if you’re a Red Hat customer, visit the customer portal for more information.
About the author
Michael Dawson is an active contributor to the Node.js project and chair of the Node.js Technical Steering Committee (TSC). He contributes to a broad range of community efforts including platform support, build infrastructure, N-API, Release, as well as tools to help the community achieve quality with speed (e.g., ci jobs, benchmarking and code coverage reporting). As the Node.js lead for Red Hat and IBM, he works with Red Hat and IBM's internal teams to plan and facilitate their contributions to Node.js and v8 within the Node and Google communities. Dawson's past experience includes building IBM's Java runtime, building and operating client facing e-commerce applications, building PKI and symmetric based crypto solutions as well as a number of varied consulting engagements. In his spare time, he uses Node.js to automate his home and life for fun.