Download & Update Node.js to the Latest Version! Node v19.6.0 Current / LTS v18.14.0 Direct Links

RisingStack's services:

Sign up to our newsletter!

In this article:

Node 18 is the active LTS version since 2022-10-25, while Node 19 became the Current version from 2022-10-18. The next LTS version, v20 is planned to be initially released on 2023-04-18, and it should become the active LTS from 2023-10-24.

In this article below, you’ll find changelogs and download / update information regarding Node.js!

Node.js LTS & Current Download for macOS:

Node.js LTS & Current Download for Windows:

For other downloads like Linux libraries, source codes, Docker images, etc.. please visit https://nodejs.org/en/download/

Node.js Release Schedule:

Releases

Node.js v19 is the next Current version!

Node.js 19 will replace Node.js 18 as the ‘Current’ release line when Node.js 18 enters long-term support (LTS) later this month. Node.js 19 will be ‘Current’ release for the next 6 months, until April 2023.

HTTP(S)/1.1 KeepAlive by default: Starting with this release, Node.js sets keepAlive to true by default. This means that any outgoing HTTP(s) connection will automatically use HTTP 1.1 Keep-Alive. The default waiting window is 5 seconds. Enable keep-alive will deliver better throughput as connections are reused by default. Additionally the agent is now able to parse the response Keep-Alive which the servers might send. This header instructs the client on how much to stay connected. On the other side, the Node.js HTTP server will now automatically disconnect idle clients (which are using HTTP Keep-Alive to reuse the connection) when close() is invoked). Node.js HTTP(S)/1.1 requests may experience a better throughput/performance by default.

DTrace/SystemTap/ETW Support were removed: The main reason is the lack of resources from Node.js team.

V8 10.7: The V8 engine is updated to version 10.7, which is part of Chromium 107. This version include a new feature to the JavaScript API: Intl.NumberFormat. Intl.NumberFormat v3 API is a new TC39 ECMA402 stage 3 proposal extend the pre-existing Intl.NumberFormat.

llhttp 8.1.0: llhttp has been updated to version 8.1.0.Collectively, this version brings many update to the llhttp API, introducing new callbacks and allow all callback to be pausable.

Node.js v18 is the new LTS version!

Node.js 18 was promoted to Long-term Support (LTS) in October 2022. Node.js 18 will be supported until April 2025.

New globally available browser-compatible APIs

fetch (experimental): In Node.js 18, an experimental global fetch API is available by default. The implementation comes from undici and is inspired by node-fetch which was originally based upon undici-fetch. The implementation strives to be as close to spec-compliant as possible, but some aspects would require a browser environment and are thus omitted. Through this addition, the following globals are made available: fetchFormDataHeadersRequestResponse. It’s possible to disable the API by supplying the --no-experimental-fetch command-line flag.

Web Streams API (experimental): Node.js now exposes the experimental implementation of the Web Streams API on the global scope. The following APIs are now globally available: ReadableStreamReadableStreamDefaultReaderReadableStreamBYOBReaderReadableStreamBYOBRequestReadableByteStreamControllerReadableStreamDefaultControllerTransformStreamTransformStreamDefaultControllerWritableStreamWritableStreamDefaultWriterWritableStreamDefaultControllerByteLengthQueuingStrategyCountQueuingStrategyTextEncoderStreamTextDecoderStreamCompressionStreamDecompressionStream.

Others available experimental APIs:

Test runner module (experimental): The node:test module facilitates the creation of JavaScript tests that report results in TAP format. To access it: import test from 'node:test';

Build-time user-land snapshot (experimental): Starting from Node.js 18.0.0, users can build a Node.js binary with a custom V8 startup snapshot using the --node-snapshot-main flag of the configure script. The resulted binary can deserialize the state of the heap that was initialized by the snapshot entry point at build time, so the application in generated binary can be initialized faster.

V8 10.1

The V8 engine is updated to version 10.1, which is part of Chromium 101. Compared to the version included in Node.js 17.9.0, the following new features are included:

  • The findLast() and findLastIndex() array methods.
  • Improvements to the Intl.Locale API.
  • The Intl.supportedValuesOf function.
  • Improved performance of class fields and private class methods (the initialization of them is now as fast as ordinary property stores).

Node.js CURRENT v19 Changelogs

Changelog for Node Version 19.6.0 (Current)

ESM: Leverage loaders when resolving subsequent loaders: Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript.

Upgrade npm to 9.4.0: Added --install-strategy=linked option for installations similar to pnpm.

Other notable changes

  • fs: add statfs() functions
  • vm: expose cachedDataRejected for vm.compileFunction
  • v8: support gc profile
  • src,lib: add constrainedMemory API for process
  • buffer: add isAscii method
  • test_runner: add reporters

Changelog for Node Version 19.5.0 (Current)

  • http: join authorization headers
  • lib: add webstreams to Duplex.from()
  • stream: implement finished() for ReadableStream and WritableStream

Changelog for Node Version 19.4.0 (Current)

  • buffer: add buffer.isUtf8 for utf8 validation
  • http: improved timeout defaults handling
  • net: add autoSelectFamily global getter and setter
  • os: add availableParallelism()
  • util: add fast path for text-decoder fatal flag

Changelog for Node Version 19.3.0 (Current)

Updated npm to 9.2.0:

  • Engines: The node engines supported by npm@9 make it safe to allow npm@9 as the default in any LTS version of 14 or 16, as well as anything later than or including 18.0.0. npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0
  • Filesystem: When run as root previous versions of npm attempted to manage file ownership automatically on the user’s behalf. This behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions npm will no longer attempt to modify ownership of files it creates.
  • Auth: Any errors thrown from users having unsupported auth configurations will show npm config fix in the remediation instructions, which will allow the user to automatically have their auth config fixed. The presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors.
  • Login: The default auth-type has changed and users can opt back into the old behavior with npm config set auth-type=legacylogin and adduser have also been seperated making each command more closely match it’s name instead of being aliases for each other.
    • Legacy auth types ssosaml & legacy have been consolidated into "legacy".
    • auth-type defaults to "web"
    • login and adduser are now separate commands that send different data to the registry.
    • auth-type config values web and legacy only try their respective methods, npm no longer tries them all and waits to see which one doesn’t fail.
  • Tarball Packing: Previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior. npm pack now follows a strict order of operations when applying ignore rules. If a files array is present in the package.json, then rules in .gitignore and .npmignore files from the root will be ignored.
  • Display/Debug/Timing Info: These changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.
    • Links generated from git urls will now use HEAD instead of master as the default ref.
    • timing has been removed as a value for --loglevel.
    • --timing will show timing information regardless of --loglevel, except when --silent.
    • When run with the --timing flag, npm now writes timing data to a file alongside the debug log data, respecting the logs-dir option and falling back to <CACHE>/_logs/ dir, instead of directly inside the cache directory.
    • The timing file data is no longer newline delimited JSON, and instead each run will create a uniquely named <ID>-timing.json file, with the <ID> portion being the same as the debug log.
    • npm now outputs some json errors on stdout. Previously npm would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it.
  • Config/Command Deprecations or Removals: install-links is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.
    • Deprecate boolean install flags in favor of --install-strategy.
    • npm config set will no longer accept deprecated or invalid config options.
    • install-links config defaults to "true".
    • node-version config has been removed.
    • npm-version config has been removed.
    • npm access subcommands have been renamed.
    • npm birthday has been removed.
    • npm set-script has been removed.
    • npm bin has been removed (use npx or npm exec to execute binaries).

Other notable changes:

  • build: disable v8 snapshot compression by default
  • doc: add doc-only deprecation for headers/trailers setters
  • doc: add Rafael Gonzaga to the TSC
  • net: add autoSelectFamily and autoSelectFamilyAttemptTimeout options
  • src: add uvwasi version
  • test_runner: add t.after() hook
  • test_runner: don’t use a symbol for runHook()
  • tls: remove trustcor root ca certificates

Changelog for Node Version 19.2.0 (Current)

Time zone data has been updated to 2022f. This includes changes to Daylight Savings Time (DST) for Fiji and Mexico. Other notable changes:

  • buffer: introduce File class
  • deps: update V8 to 10.8.168.20
  • doc: deprecate use of invalid ports in url.parse 
  • util: add fast path for utf8 encoding

Changelog for Node Version 19.1.0 (Current)

Support function mocking on Node.js test runner: The node:test module supports mocking during testing via a top-level mock object.

test('spies on an object method', (t) => {
  const number = {
    value: 5,
    add(a) {
      return this.value + a;
    },
  };
  t.mock.method(number, 'add');

  assert.strictEqual(number.add(3), 8);
  assert.strictEqual(number.add.mock.calls.length, 1);
});

fs.watch recursive support on Linux: fs.watch supports recursive watch using the recursive: true option.

const watcher = fs.watch(testDirectory, { recursive: true });
watcher.on('change', function(event, filename) {
});

Other notable changes:

  • deps: update ICU to 72.1
  • lib: drop fetch experimental warning
  • util: add MIME utilities, improve textdecoder decode performance

Changelog for Node Version 19.0.0 (LTS)

Node.js 19 is here! Highlights include the update of the V8 JavaScript engine to 10.7, HTTP(s)/1.1 KeepAlive enabled by default, and ESM Resolution adjusts.

  • HTTP(S)/1.1 KeepAlive by default: Starting with this release, Node.js sets keepAlive to true by default.
  • DTrace/SystemTap/ETW Support were removed: The main reason is the lack of resources from Node.js team. 
  • V8 10.7: The V8 engine is updated to version 10.7, which is part of Chromium 107. This version include a new feature to the JavaScript API: Intl.NumberFormat.
  • llhttp 8.1.0: llhttp has been updated to version 8.1.0.Collectively, this version brings many update to the llhttp API, introducing new callbacks and allow all callback to be pausable.
  • doc: graduate webcrypto to stable
  • esm: remove specifier resolution flag

Node.js LTS v18 Changelogs

Changelog for Node Version 18.14.0 (LTS)

Updated npm to 9.3.1

Based on the list of guidelines they established on integrating npm and node, here is a grouped list of the breaking changes with the reasoning as to why they fit within the guidelines linked above. Note that all the breaking changes were made in 9.0.0. All subsequent minor and patch releases after npm@9.0.0 do not contain any breaking changes.

Engines:

Explanation: the node engines supported by npm@9 make it safe to allow npm@9 as the default in any LTS version of 14 or 16, as well as anything later than or including 18.0.0

  • npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Filesystem:

Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user’s behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions

  • npm will no longer attempt to modify ownership of files it creates.

Auth:

Explanation: any errors thrown from users having unsupported auth configurations will show npm config fix in the remediation instructions, which will allow the user to automatically have their auth config fixed.

  • The presence of auth related settings that are not scoped to a specific registry found in a config file is no longer supported and will throw errors.

Login:

Explanation: the default auth-type has changed and users can opt back into the old behavior with npm config set auth-type=legacylogin and adduser have also been seperated making each command more closely match it’s name instead of being aliases for each other.

  • Legacy auth types ssosaml & legacy have been consolidated into "legacy".
  • auth-type defaults to "web"
  • login and adduser are now separate commands that send different data to the registry.
  • auth-type config values web and legacy only try their respective methods, npm no longer tries them all and waits to see which one doesn’t fail.

Tarball Packing:

Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.

  • npm pack now follows a strict order of operations when applying ignore rules. If a files array is present in the package.json, then rules in .gitignore and .npmignore files from the root will be ignored.

Display/Debug/Timing Info:

Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.

  • Links generated from git urls will now use HEAD instead of master as the default ref.
  • timing has been removed as a value for --loglevel.
  • --timing will show timing information regardless of --loglevel, except when --silent.
  • When run with the --timing flag, npm now writes timing data to a file alongside the debug log data, respecting the logs-dir option and falling back to <CACHE>/_logs/ dir, instead of directly inside the cache directory.
  • The timing file data is no longer newline delimited JSON, and instead each run will create a uniquely named <ID>-timing.json file, with the <ID> portion being the same as the debug log.
  • npm now outputs some json errors on stdout. Previously npm would output all json formatted errors on stderr, making it difficult to parse as the stderr stream usually has logs already written to it.

Config/Command Deprecations or Removals:

Explanation: install-links is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.

  • Deprecate boolean install flags in favor of --install-strategy.
  • npm config set will no longer accept deprecated or invalid config options.
  • install-links config defaults to "true".
  • node-version config has been removed.
  • npm-version config has been removed.
  • npm access subcommands have been renamed.
  • npm birthday has been removed.
  • npm set-script has been removed.
  • npm bin has been removed (use npx or npm exec to execute binaries).

Other notable changes:

  • doc:
    • add parallelism note to os.cpus()
  • http:
    • join authorization headers
    • improved timeout defaults handling
  • stream:
    • implement finished() for ReadableStream and WritableStream

Changelog for Node Version 18.13.0 (LTS)

Add support for externally shared js builtins: By default Node.js is built so that all dependencies are bundled into the Node.js binary itself. Some Node.js distributions prefer to manage dependencies externally. There are existing build options that allow dependencies with native code to be externalized. This commit adds additional options so that dependencies with JavaScript code (including WASM) can also be externalized. This addition does not affect binaries shipped by the Node.js project but will allow other distributions to externalize additional dependencies when needed.

Introduce File: The File class is part of the FileAPI. It can be used anywhere a Blob can, for example in URL.createObjectURL and FormData. It contains two properties that Blobs do not have: lastModified, the last time the file was modified in ms, and name, the name of the file.

Support function mocking on Node.js test runner: The node:test module supports mocking during testing via a top-level mock object.

test('spies on an object method', (t) => {
  const number = {
    value: 5,
    add(a) {
      return this.value + a;
    },
  };
  t.mock.method(number, 'add');

  assert.strictEqual(number.add(3), 8);
  assert.strictEqual(number.add.mock.calls.length, 1);
});

Other notable changes:

  • build:
    • disable v8 snapshot compression by default
  • crypto:
    • update root certificates
  • deps:
    • update ICU to 72.1
  • doc:
    • add doc-only deprecation for headers/trailers setters
    • add Rafael to the tsc
    • deprecate use of invalid ports in url.parse
    • add lukekarrys to collaborators
    • add anonrig to collaborators
    • deprecate url.parse()
  • lib:
    • drop fetch experimental warning
  • net:
    • add autoSelectFamily and autoSelectFamilyAttemptTimeout options
  • src:
    • add uvwasi version
    • add initial shadow realm support
  • test_runner:
    • add t.after() hook
    • don’t use a symbol for runHook()
  • tls:
    • add “ca” property to certificate object
    • remove trustcor root ca certificates
  • tools:
    • update certdata.txt
  • util:
    • add fast path for utf8 encoding
    • improve textdecoder decode performance
    • add MIME utilities (#21128)

Changelog for Node Version 18.12.1 (LTS)

This is a security release. The following CVEs are fixed in this release:

  • CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow (High)
  • CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow (High)
  • CVE-2022-43548: DNS rebinding in –inspect via invalid octal IP address (Medium)

Changelog for Node Version 18.12.0 (LTS)

This release marks the transition of Node.js 18.x into Long Term Support (LTS) with the codename ‘Hydrogen’. The 18.x release line now moves into “Active LTS” and will remain so until October 2023. After that time, it will move into “Maintenance” until end of life in April 2025.

Changelog for Node Version 18.11.0 (LTS)

watch mode (experimental): Running in ‘watch’ mode using node --watch restarts the process when an imported file is changed. Other notable changes:

  • fs: add FileHandle.prototype.readLines 
  • http: add writeEarlyHints function to
  • http2: make early hints generic
  • lib: refactor transferable AbortSignal
  • src: add detailed embedder process initialization API
  • util: add default value option to parsearg

Changelog for Node Version 18.10.0 (LTS)

  • doc:
    • deprecate modp1, modp2, and modp5 groups
    • add legendecas to TSC list
    • move policy docs to the permissions scope
  • gyp: libnode for ios app embedding
  • http: throw error on content-length mismatch
  • stream: add ReadableByteStream.tee()

Changelog for Node Version 18.9.1 (LTS)

This is a security release. The following CVEs are fixed in this release:

  • CVE-2022-32212: DNS rebinding in –inspect on macOS (High) Insufficient fix for macOS devices on v18.5.0
  • CVE-2022-32222: Node 18 reads openssl.cnf from /home/iojs/build/ upon startup on MacOS (Medium)
  • CVE-2022-32213: HTTP Request Smuggling – Flawed Parsing of Transfer-Encoding (Medium) Insufficient fix on v18.5.0
  • CVE-2022-32215: HTTP Request Smuggling – Incorrect Parsing of Multi-line Transfer-Encoding (Medium) Insufficient fix on v18.5.0
  • CVE-2022-35256: HTTP Request Smuggling – Incorrect Parsing of Header Fields (Medium)
  • CVE-2022-35255: Weak randomness in WebCrypto keygen

llhttp updated to 6.0.10: llhttp is updated to 6.0.10 which includes fixes for the following vulnerabilities.

  • HTTP Request Smuggling – CVE-2022-32213 bypass via obs-fold mechanic (Medium)(CVE-2022-32213): The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
  • HTTP Request Smuggling – Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215): The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
  • HTTP Request Smuggling – Incorrect Parsing of Header Fields (Medium)(CVE-35256): The llhttp parser in the http does not correctly handle header fields that are not terminated with CLRF. This can lead to HTTP Request Smuggling (HRS).

Changelog for Node Version 18.9.0 (LTS)

  • doc: add daeyeon to collaborators
  • lib: add diagnostics channel for process and worker
  • os: add machine method
  • report: expose report public native apis
  • src: expose environment RequestInterrupt api
  • vm: include vm context in the embedded snapshot

Changelog for Node Version 18.8.0 (LTS)

  • bootstrap: implement run-time user-land snapshots via –build-snapshot and –snapshot-blob: This patch introduces --build-snapshot and --snapshot-blob options for creating and using user land snapshots.
  • crypto: allow zero-length IKM in HKDF and in webcrypto PBKDF2, allow zero-length secret KeyObject
  • deps: upgrade npm to 8.18.0 – Adds a new npm query command
  • http: make idle http parser count configurable
  • net: add local family
  • src: print source map error source on demand

Changelog for Node Version 18.7.0 (LTS)

  • doc:
    • add F3n67u to collaborators
    • deprecate coercion to integer in process.exit
    • deprecate diagnostics_channel object subscribe method
  • events:
    • expose CustomEvent on global with CLI flag
    • add CustomEvent
  • http: add drop request event for http server
  • lib: improved diagnostics_channel subscribe/unsubscribe
  • util: add tokens to parseArgs

Changelog for Node Version 18.6.0 (LTS)

Experimental ESM Loader Hooks API: Node.js ESM Loader hooks now support multiple custom loaders, and composition is achieved via “chaining”: foo-loader calls bar-loader calls qux-loader (a custom loader must now signal a short circuit when intentionally not calling the next). See the ESM docs for details.

Real-world use-cases are laid out for end-users with working examples in the article Custom ESM loaders: Who, what, when, where, why, how.

Changelog for Node Version 18.5.0 (LTS)

This is a security release. The following CVEs are fixed in this release:

  • CVE-2022-2097: OpenSSL – AES OCB fails to encrypt some bytes (Medium)
  • CVE-2022-32212: DNS rebinding in –inspect via invalid IP addresses (High)
  • CVE-2022-32213: HTTP Request Smuggling – Flawed Parsing of Transfer-Encoding (Medium)
  • CVE-2022-32214: HTTP Request Smuggling – Improper Delimiting of Header Fields (Medium)
  • CVE-2022-32215: HTTP Request Smuggling – Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
  • CVE-2022-32222: Attempt to read openssl.cnf from /home/iojs/build/ upon startup (Medium)
  • CVE-2022-32223: DLL Hijacking on Windows (High)

Changelog for Node Version 18.4.0 (LTS)

  • crypto: remove Node.js-specific webcrypto extensions, add CFRG curves to Web Crypto API
  • dns: accept 'IPv4' and 'IPv6' for family
  • report: add more heap infos in process report

Changelog for Node Version 18.3.0 (LTS)

  • deps: update undici to 5.4.0
  • util: add parseArgs module
  • http: add uniqueHeaders option to request and createServer
  • deps: upgrade npm to 8.11.0
  • deps: patch V8 to 10.2.154.4
  • deps: update V8 to 10.2.154.2
  • fs: make params in writing methods optional
  • http: add uniqueHeaders option to request and createServer
  • net: add ability to reset a tcp socket
  • Revert “build: make x86 Windows support temporarily experimental. This means 32-bit Windows binaries are back with this release.

Changelog for Node Version 18.2.0 (LTS)

OpenSSL 3.0.3: This update can be treated as a security release as the issues addressed in OpenSSL 3.0.3 slightly affect Node.js 18.

  • deps: update archs files for quictls/openssl-3.0.3+quic
  • deps: upgrade openssl sources to quictls/openssl-3.0.3
  • Revert “deps: add template for generated headers”
  • deps: update undici to 5.2.0
  • deps: upgrade npm to 8.9.0
  • deps: upgrade openssl sources to quictls/openssl-3.0.3
  • fs: add read(buffer[, options]) versions
  • http: added connection closing methods
  • perf_hooks: add PerformanceResourceTiming

Changelog for Node Version 18.1.0 (LTS)

  • lib,src: implement WebAssembly Web API
  • test_runner: add initial CLI runner
  • worker: add hasRef() to MessagePort

Learn More Node.js from RisingStack

At RisingStack we’ve been writing JavaScript / Node tutorials for the community in the past 5 years. If you’re beginner to Node.js, we recommend checking out our Node Hero tutorial series! The goal of this series is to help you get started with Node.js and make sure you understand how to write an application using it.

See all chapters of the Node Hero tutorial series:
  1. Getting Started with Node.js
  2. Using NPM
  3. Understanding async programming
  4. Your first Node.js HTTP server
  5. Node.js database tutorial
  6. Node.js request module tutorial
  7. Node.js project structure tutorial
  8. Node.js authentication using Passport.js
  9. Node.js unit testing tutorial
  10. Debugging Node.js applications
  11. Node.js Security Tutorial
  12. How to Deploy Node.js Applications
  13. Monitoring Node.js Applications

As a sequel to Node Hero, we have completed another series called Node.js at Scale – which focuses on advanced Node / JavaScript topics. Take a look!


Share this post

Twitter
Facebook
LinkedIn
Reddit