Download & Update Node.js to the Latest Version! Node v17.1.0 Current / LTS v16.13.0 Direct Links

RisingStack's services:

Sign up to our newsletter!

In this article:

Node 16 is the LTS version since 2021-10-26, while Node 17 became the Current version from 2021-10-19. The next LTS version, v18 is planned to take over on 2022-10-25.

In this article below, you’ll find changelogs and download / update information regarding Node.js!

Node.js LTS & Current Download for macOS:

Node.js LTS & Current Download for Windows:

For other downloads like Linux libraries, source codes, Docker images, etc.. please visit https://nodejs.org/en/download/

Node.js Release Schedule:

Releases

Node.js v17 is the Current version!

OpenSSL 3.0

Node.js now includes OpenSSL 3.0, specifically quictls/openssl which provides QUIC support. With OpenSSL 3.0 FIPS support is again available using the new FIPS module. For details about how to build Node.js with FIPS support please see BUILDING.md.

While OpenSSL 3.0 APIs should be mostly compatible with those provided by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to tightened restrictions on the allowed algorithms and key sizes.

If you hit an ERR_OSSL_EVP_UNSUPPORTED error in your application with Node.js 17, it’s likely that your application or a module you’re using is attempting to use an algorithm or key size which is no longer allowed by default with OpenSSL 3.0. A command-line option, --openssl-legacy-provider, has been added to revert to the legacy provider as a temporary workaround for these tightened restrictions.

V8 9.5

The V8 JavaScript engine is updated to V8 9.5. This release comes with additional supported types for the Intl.DisplayNames API and Extended timeZoneName options in the Intl.DateTimeFormat API.

Readline Promise API

The readline module provides an interface for reading data from a Readable stream (such as process.stdin) one line at a time.

The following simple example illustrates the basic use of the readline module:

import * as readline from 'node:readline/promises';
import { stdin as input, stdout as output } from 'process';

const rl = readline.createInterface({ input, output });

const answer = await rl.question('What do you think of Node.js? ');

console.log(`Thank you for your valuable feedback: ${answer}`);

rl.close();

Node.js CURRENT v17 Changelogs

Changelog for Node Version 17.1.0 (Current)

  • doc: add VoltrexMaster to collaborators
  • esm: add support for JSON import assertion
  • lib: add unsubscribe method to non-active DC channels
  • lib: add return value for DC channel.unsubscribe
  • v8: multi-tenant promise hook api

Changelog for Node Version 17.0.1 (Current)

Fixed distribution for native addon builds

This release fixes an issue introduced in Node.js v17.0.0, where some V8 headers were missing from the distributed tarball, making it impossible to build native addons. These headers are now included.

Fixed stream issues

  • Fixed a regression in stream.promises.pipeline, which was introduced in version 16.10.0, is fixed. It is now possible again to pass an array of streams to the function.
  • Fixed a bug in stream.Duplex.from, which didn’t work properly when an async generator function was passed to it.

Node.js v16 became the next LTS!

Node.js 16 got promoted to Long-term Support (LTS) in October 2021. Sneak peak from the announcement:

V8 upgraded to V8 9.0

As always a new version of the V8 JavaScript engine brings performance tweaks and improvements as well as keeping Node.js up to date with JavaScript language features. In Node.js v16.0.0, the V8 engine is updated to V8 9.0 — up from V8 8.6 in Node.js 15.

Stable Timers Promises API

The Timers Promises API provides an alternative set of timer functions that return Promise objects, removing the need to use util.promisify().

Some of the recently released features in Node.js 15, which will also be available in Node.js 16, include:

  • Experimental implementation of the standard Web Crypto API
  • npm 7 (v7.10.0 in Node.js v16.0.0)
  • Node-API version 8
  • Stable AbortController implementation based on the AbortController Web API
  • Stable Source Maps v3
  • Web platform atob (buffer.atob(data)) and btoa (buffer.btoa(data)) implementations for compatibility with legacy web platform APIs

Node.js v16 Changelogs

Changelog for Node Version 16.13.0

This release marks the transition of Node.js 16.x into Long Term Support (LTS) with the codename ‘Gallium’. The 16.x release line now moves into “Active LTS” and will remain so until October 2022. After that time, it will move into “Maintenance” until end of life in April 2024.

Changelog for Node Version 16.12.0

Experimental ESM Loader Hooks API:

Node.js ESM Loader hooks have been consolidated to represent the steps involved needed to facilitate future loader chaining:

  1. resolveresolve [+ getFormat]
  2. loadgetFormat + getSource + transformSource

For consistency, getGlobalPreloadCode has been renamed to globalPreload.

A loader exporting obsolete hook(s) will trigger a single deprecation warning (per loader) listing the errant hooks.

Changelog for Node Version 16.11.1

This is a security release. Notable changes:

  • CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium): The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).
  • CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium): The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.

Changelog for Node Version 16.11.0

  • crypto: update root certificates
  • deps: upgrade npm to 8.0.0, update nghttp2 to v1.45.1, update V8 to 9.4.146.19
  • tools: update certdata.txt

Changelog for Node Version 16.10.0

  • crypto: add rsa-pss keygen parameters
  • deps: upgrade npm to 7.24.0
  • deps: update Acorn to v8.5.0
  • doc: add Ayase-252 to collaborators
  • fs: make open and close stream override optional when unused
  • http: limit requests per connection
    • The maximum number of requests a socket can handle before closing keep alive connection can be set with server.maxRequestsPerSocket.
  • src: add –no-global-search-paths cli option
    • Adds the –no-global-search-paths command-line option to not search modules from global paths like $HOME/.node_modules and $NODE_PATH.
  • src: make napi_create_reference accept symbol
  • stream: add signal support to pipeline generators

Changelog for Node Version 16.9.1

This release fixes a regression introduced by the V8 9.3 update in Node.js 16.9.0.

Changelog for Node Version 16.9.0

Corepack

Node.js now includes Corepack, a script that acts as a bridge between Node.js projects and the package managers they are intended to be used with during development. In practical terms, Corepack will let you use Yarn and pnpm without having to install them – just like what currently happens with npm, which is shipped in Node.js by default.

V8 9.3

V8 is updated to version 9.3, which includes performance improvements and new JavaScript features.

Object.hasOwn

Object.hasOwn is a static alias for Object.prototype.hasOwnProperty.call:

Object.hasOwn({ value: 42 }, 'value'); // Returns `true`.

Error cause

Errors can now be optionally constructed with a cause option, pointing to another error. This adds a cause property on the new error:

const error1 = new Error('Error one');
const error2 = new Error('Error two', { cause: error1 });
// error2.cause === error1

Other Notable Changes

  • crypto: add RSA-PSS params to asymmetricKeyDetails
  • module: support pattern trailers
  • stream: add stream.compose

Changelog for Node Version 16.8.0

  • doc: deprecate type coercion for dns.lookup options
  • stream: add stream.Duplex.from utility
  • stream: add isDisturbed helper
  • util: expose toUSVString 

Changelog for Node Version 16.7.0

  • fs, experimental: add recursive cp method

Changelog for Node Version 16.6.2

This is a security release. Notable Changes:

  • CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names: Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
  • CVE-2021-22930: Use after free on close http2 on stream canceling: Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix.
  • CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter: If the Node.js HTTPS API was used incorrectly and “undefined” was in passed for the “rejectUnauthorized” parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

Changelog for Node Version 16.6.0

This is a security release. Notable Changes:

The V8 engine is updated to version 9.2.230.21.:

It notably introduces the new Array.prototype.at method (also on Typed Arrays and strings):

const array = [1, 2, 3];

console.log(array.at(-1));
// Prints: 3

Other notable changes:

  • CVE-2021-22930: Use after free on close http2 on stream canceling:
    Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
  • inspector: mark as stable
  • punycode: add pending deprecation
  • repl: enable –experimental-repl-await /w opt-out

Changelog for Node Version 16.5.0

Experimental Web Streams API: Node.js now exposes an experimental implementation of the Web Streams API.

While it is experimental, the API is not exposed on the global object and is only accessible using the new stream/web core module:

import { ReadableStream, WritableStream } from 'stream/web'; // Or from 'node:stream/web'

Importing the module will emit a single experimental warning per process.

The raw API is implemented and we are now working on its integration with various existing core APIs.

Other notable changes:

  • fs: allow empty string for temp directory prefix
  • deps: upgrade npm to 7.19.1

Changelog for Node Version 16.4.2

Node.js 16.4.1 introduced a regression in the Windows installer on non-English locales that is being fixed in this release. There is no need to download this release if you are not using the Windows installer.

Changelog for Node Version 16.4.1

This is a security release. Vulnerabilities fixed:

  • CVE-2021-22918: libuv upgrade – Out of bounds read (Medium): Node.js is vulnerable to out-of-bounds read in libuv’s uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node’s dns module’s lookup() function and can lead to information disclosures or crashes.
  • CVE-2021-22921: Windows installer – Node Installer Local Privilege Escalation (Medium): Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking.

Changelog for Node Version 16.4.0

  • async_hooks: stabilize part of AsyncLocalStorage
  • deps: upgrade npm to 7.18.1, update V8 to 9.1.269.36
  • dns: allow --dns-result-order to change default dns verbatim

Changelog for Node Version 16.3.0

  • cli: add -C alias for –conditions flag
  • deps: add workspaces support to npm install commands

Changelog for Node Version 16.2.0

  • async_hooks: use new v8::Context PromiseHook API
  • lib: support setting process.env.TZ on windows
  • module: add support for URL to import.meta.resolve
  • process: add ‘worker’ event
  • util: add util.types.isKeyObject and util.types.isCryptoKey

Changelog for Node Version 16.1.0

fs: allow no-params fsPromises fileHandle read

Changelog for Node Version 16.0.0

  • Stable Timers Promises API: The Timers Promises API provides an alternative set of timer functions that return Promise objects. Added in Node.js v15.0.0, in this release they graduate from experimental status to stable.
  • Toolchain and Compiler Upgrades: Node.js v16.0.0 will be the first release where we ship prebuilt binaries for Apple Silicon. While we’ll be providing separate tarballs for the Intel (darwin-x64) and ARM (darwin-arm64) architectures the macOS installer (.pkg) will be shipped as a ‘fat’ (multi-architecture) binary.
  • V8 9.0: The V8 JavaScript engine is updated to V8 9.0, including performance tweaks and improvements. This update also brings the ECMAScript RegExp Match Indices, which provide the start and end indices of the captured string. The indices array is available via the .indices property on match objects when the regular expression has the /d flag.
  • Other Notable Changes:
    • assert: graduate assert.match and assert.doesNotMatch
    • buffer: expose btoa and atob as globals
    • deps: bump minimum ICU version to 68
    • deps: update ICU to 69.1
    • deps: update llhttp to 6.0.0
    • deps: upgrade npm to 7.10.0
    • http: add http.ClientRequest.getRawHeaderNames()
    • lib,src: update cluster to use Parent
    • module: add support for node:‑prefixed require(…) calls
    • perf_hooks: add histogram option to timerify
    • repl: add auto‑completion for node:‑prefixed require(…) calls
    • util: add getSystemErrorMap() impl

Learn More Node.js from RisingStack

At RisingStack we’ve been writing JavaScript / Node tutorials for the community in the past 5 years. If you’re beginner to Node.js, we recommend checking out our Node Hero tutorial series! The goal of this series is to help you get started with Node.js and make sure you understand how to write an application using it.

See all chapters of the Node Hero tutorial series:
  1. Getting Started with Node.js
  2. Using NPM
  3. Understanding async programming
  4. Your first Node.js HTTP server
  5. Node.js database tutorial
  6. Node.js request module tutorial
  7. Node.js project structure tutorial
  8. Node.js authentication using Passport.js
  9. Node.js unit testing tutorial
  10. Debugging Node.js applications
  11. Node.js Security Tutorial
  12. How to Deploy Node.js Applications
  13. Monitoring Node.js Applications

As a sequel to Node Hero, we have completed another series called Node.js at Scale – which focuses on advanced Node / JavaScript topics. Take a look!

Share this post

Share on twitter
Twitter
Share on facebook
Facebook
Share on linkedin
LinkedIn
Share on reddit
Reddit