Node 14 became the LTS version, while Node 15 became the Current version from October 2020! As an odd-numbered release line, Node.js 15 will not be promoted to LTS.

In this article below, you'll find changelogs and download / update information regarding Node.js!

update node js latest version

Node.js LTS & Current Download for macOS:

Node.js LTS & Current Download for Windows:

For other downloads like Linux libraries, source codes, Docker images, etc.. please visit https://nodejs.org/en/download/

Node.js v15 arrived and became the Current version!

Some features delivered in Node.js 15:

AbortController: AbortController is a global utility class used to signal cancelation in selected Promise-based APIs, based on the AbortController Web API.

N-API Version 7: N-API 7 brings additional methods for working with ArrayBuffers.

npm 7: npm 7 comes with many new features like npm workspaces and a new package-lock.json format. npm 7 includes yarn.lock file support. Peer dependencies are now installed by default.

Throw on unhandled rejections: As of Node.js 15, the default mode for unhandledRejection is changed to throw (from warn). In throw mode, if an unhandledRejection hook is not set, the unhandledRejection is raised as an uncaught exception. Users that have an unhandledRejection hook should see no change in behavior, and it’s still possible to switch modes using the --unhandled-rejections=mode process flag.

QUIC (experimental): QUIC is a UDP-based, underlying transport protocol for HTTP/3. QUIC features inbuilt security with TLS 1.3, flow control, error correction, connection migration, and multiplexing. QUIC can be enabled by compiling Node.js with the --experimental-quic configuration flag. The Node.js QUIC implementation is exposed by the core net module.

V8 8.6: The V8 JavaScript engine has been updated to V8 8.6 (V8 8.4 is the latest available in Node.js 14). Along with performance tweaks and improvements the V8 update also brings the following language features:

  • Promise.any() (from V8 8.5)
  • AggregateError (from V8 8.5)
  • String.prototype.replaceAll() (from V8 8.5)
  • Logical assignment operators &&=, ||=, and ??= (from V8 8.5)

Source, and even more info: Node.js v15.0.0 is here! by Bethany Griggs

Node.js LTS v15 Changelogs

Changelog for Node v15.12.0 (Current)

  • crypto:
    • add optional callback to crypto.sign and crypto.verify
    • support JWK objects in create*Key
  • deps:
  • fs:
    • improve fsPromises writeFile performance
    • improve fsPromises readFile performance
  • lib: implement AbortSignal.abort()
  • node-api: define version 8
  • worker: add setEnvironmentData/getEnvironmentData

Changelog for Node v15.11.0 (Current)

  • crypto: make FIPS related options always available
  • errors: remove experimental from --enable-source-maps

Changelog for Node v15.10.0 (Current)

This is a security release. Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion: Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

  • CVE-2021-22884: DNS rebinding in --inspect:
    Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate:
    This is a vulnerability in OpenSSL which may be exploited through Node.js.

Changelog for Node v15.9.0 (Current)

  • crypto: add keyObject.export() 'jwk' format option
  • deps: upgrade to libuv 1.41.0
  • fs:
    • add fsPromises.watch()
    • use a default callback for fs.close()
    • add AbortSignal support to watch
  • perf_hooks: introduce createHistogram
  • stream: improve Readable.from error handling
  • timers: introduce setInterval async iterator
  • tls: add ability to get cert/peer cert as X509Certificate object

Changelog for Node v15.8.0 (Current)

  • crypto: add generatePrime/checkPrime
  • crypto: experimental (Ed/X)25519/(Ed/X)448 support
  • deps: upgrade npm to 7.5.0. This update adds a new npm diff command.
  • dgram: support AbortSignal in createSocket
  • doc: add Zijian Liu to collaborators
  • esm: deprecate legacy main lookup for modules
  • readline: add history event and option to set initial history
  • readline: add support for the AbortController to the question method

Changelog for Node v15.7.0 (Current)

  • buffer:
    • introduce Blob
    • add base64url encoding option
  • fs: allow position parameter to be a BigInt in read and readSync
  • http:
    • attach request as res.req
    • expose urlToHttpOptions utility

Changelog for Node v15.6.0 (Current)

  • child_process:
    • add 'overlapped' stdio flag
    • support AbortSignal in fork
  • crypto:
    • implement basic secure heap support
    • fixup bug in keygen error handling
    • introduce X509Certificate API
    • implement randomuuid
  • doc:
    • update release key for Danielle Adams
    • add dnlup to collaborators
    • add panva to collaborators
    • add yashLadha to collaborator
  • http: set lifo as the default scheduling strategy in Agent
  • net: support abortSignal in server.listen
  • process: add direct access to rss without iterating pages
  • v8: fix native serdes constructors

Changelog for Node v15.5.1 (Current)

This is a security release. Vulnerabilities fixed:

  • CVE-2020-8265: use-after-free in TLSWrap (High): Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

  • CVE-2020-8287: HTTP Request Smuggling in nodejs (Low): Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.

Changelog for Node v15.5.0 (Current)

  • OpenSSL-1.1.1i: OpenSSL-1.1.1i contains a fix for CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High). This is a vulnerability in OpenSSL which may be exploited through Node.js.

  • Extended support for AbortSignal in child_process and stream:

The following APIs now support an AbortSignal in their options object:

  • child_process.spawn(): Calling .abort() on the corresponding AbortController is similar to calling .kill() on the child process except the error passed to the callback will be an AbortError

  • new stream.Writable() and new stream.Readable(): Calling .abort() on the corresponding AbortController will behave the same way as calling .destroy(new AbortError()) on the stream

  • BigInt support in querystring.stringify():

If querystring.stringify() is called with an object that contains BigInt values, they will now be serialized to their decimal representation instead of the empty string.

  • Additions to the C++ embedder APIs:

A new IsolateSettingsFlag is available for those calling SetIsolateUpForNode() : SHOULD_NOT_SET_PREPARE_STACK_TRACE_CALLBACK can be used to prevent Node.js from setting a custom callback to prepare stack traces.

Changelog for Node v15.4.0 (Current)

  • child_processes: add AbortSignal support
  • deps: update ICU to 68.1
  • events: support signal in EventTarget
  • events: graduate Event, EventTarget, AbortController
  • http: enable call chaining with setHeader()
  • module: add isPreloading indicator
  • stream: support abort signal
  • stream: add FileHandle support to Read/WriteStream
  • worker: add experimental BroadcastChannel

Changelog for Node v15.3.0 (Current)

  • dns: add a cancel() method to the promise Resolver
  • events: add max listener warning for EventTarget
  • http: add support for abortsignal to http.request
  • http2: allow setting the local window size of a session
  • lib: add throws option to fs.f/l/statSync
  • path: add path/posix and path/win32 alias modules
  • readline: add getPrompt to get the current prompt
  • src: add loop idle time in diagnostic report
  • util: add util/types alias module

Changelog for Node v15.2.0 (Current)

  • events: getEventListeners static
  • fs: support abortsignal in writeFile, add support for AbortSignal in readFile
  • stream: fix thrown object reference

Changelog for Node v15.1.0 (Current)

Diagnostics channel (experimental module): diagnostics_channel is a new experimental module that provides an API to create named channels to report arbitrary message data for diagnostics purposes. With diagnostics_channel, Node.js core and module authors can publish contextual data about what they are doing at a given time. This could be the hostname and query string of a mysql query, for example.

New child process 'spawn' event: Instances of ChildProcess now emit a new 'spawn' event once the child process has spawned successfully. If emitted, the 'spawn' event comes before all other events and before any data is received via stdout or stderr. The 'spawn' event will fire regardless of whether an error occurs within the spawned process. For example, if bash some-command spawns successfully, the 'spawn' event will fire, though bash may fail to spawn some-command. This caveat also applies when using { shell: true }.

Set the local address for DNS resolution: It is now possible to set the local IP address used by a Resolver instance to send its requests. This allows programs to specify outbound interfaces when used on multi-homed systems. The resolver will use the v4 local address when making requests to IPv4 DNS servers, and the v6 local address when making requests to IPv6 DNS servers.

Control V8 coverage at runtime: The v8 module includes two new methods to control the V8 coverage started by the NODE_V8_COVERAGE environment variable. With v8.takeCoverage(), it is possible to write a coverage report to disk on demand. This can be done multiple times during the lifetime of the process, and the execution counter will be reset on each call. When the process is about to exit, one last coverage will still be written to disk, unless v8.stopCoverage() was invoked before. The v8.stopCoverage() method allows to stop the coverage collection, so that V8 can release the execution counters and optimize code.

Analyze Worker's event loop utilization: Worker instances now have a performance property, with a single eventLoopUtilization method that can be used to gather information about the worker's event loop utilization between the 'online' and 'exit' events. The method works the same way as perf_hooks eventLoopUtilization().

Take a V8 heap snapshot just before running out of memory (experimental):
With the new --heapsnapshot-near-heap-limit=max_count experimental command line flag, it is now possible to automatically generate a heap snapshot when the V8 heap usage is approaching the heap limit. count should be a non-negative integer (in which case Node.js will write no more than max_count snapshots to disk). When generating snapshots, garbage collection may be triggered and bring the heap usage down, therefore multiple snapshots may be written to disk before the Node.js instance finally runs out of memory. These heap snapshots can be compared to determine what objects are being allocated during the time consecutive snapshots are taken.

Changelog for Node v15.0.1 (Current)

  • crypto: fix regression on randomFillSync
  • deps: upgrade npm to 7.0.3

Node.js v14 Highlights

The highlights in this release include improved diagnostics, an upgrade of V8, an experimental Async Local Storage API, hardening of the streams APIs, removal of the Experimental Modules warning, and the removal of some long deprecated APIs.

Node.js 14 was promoted to Long-term Support (LTS) in October 2020. As a reminder — both Node.js 12 and Node.js 10 will remain in long-term support until April 2022 and April 2021 respectively.

Node.js LTS v14 Changelogs

Changelog for Node v14.16.0 (Current)

This is a security release. Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion: Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

  • CVE-2021-22884: DNS rebinding in --inspect: Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate: This is a vulnerability in OpenSSL which may be exploited through Node.js.

Changelog for Node v14.15.5 (Current)

  • deps:

    • upgrade npm to 6.14.11
    • V8: backport dfcf1e86fac0
  • stream,zlib: do not use stream* anymore

Changelog for Node v14.15.4 (Current)

This is a security release. Vulnerabilities fixed:

  • CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High): This is a vulnerability in OpenSSL which may be exploited through Node.js.

  • CVE-2020-8265: use-after-free in TLSWrap (High): Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

  • CVE-2020-8287: HTTP Request Smuggling in nodejs (Low): Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling

Changelog for Node v14.15.3 (Current)

Node.js v14.15.2 included a commit that has caused reported breakages when cloning request objects. This release reverts the commit that introduced the behaviour change. See https://github.com/nodejs/node/issues/36550 for more details.

Changelog for Node v14.15.2 (Current)

  • deps: upgrade npm to 6.14.9
  • deps: update acorn to v8.0.4
  • doc: add release key for Danielle Adams
  • http2: check write not scheduled in scope destructor
  • stream: fix regression on duplex end

Changelog for Node v14.15.1 (Current)

This is a security release. Vulnerabilities fixed:

CVE-2020-8277: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses.

Changelog for Node v14.15.0 (Current)

This release marks the transition of Node.js 14.x into Long Term Support (LTS) with the codename 'Fermium'. The 14.x release line now moves into "Active LTS" and will remain so until October 2021. After that time, it will move into "Maintenance" until end of life in April 2023.

  • doc: add missing link in Node.js 14 Changelog
  • doc: fix Node.js 14.x changelogs
  • Revert "test: mark test-webcrypto-encrypt-decrypt-aes flaky"

Changelog for Node v14.14.0 (Current)

  • crypto: update certdata to NSS 3.56
  • doc: add aduh95 to collaborators
  • fs: add rm method
  • http: allow passing array of key/val into writeHead
  • src: expose v8::Isolate setup callbacks

Changelog for Node v14.13.1 (Current)

  • fs: remove experimental from rmdir recursive

Changelog for Node v14.13.0 (Current)

  • deps: upgrade to libuv 1.40.0
  • module: named exports for CJS via static analysis
  • module: exports pattern support
  • src: allow N-API addon in AddLinkedBinding()

Changelog for Node v14.12.0 (Current)

  • deps:
    • update to uvwasi 0.0.11
  • n-api:
    • create N-API version 7
    • add more property defaults

Changelog for Node v14.11.0 (Current)

This is a security release. Vulnerabilities fixed:

  • Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests.
  • HTTP Request Smuggling due to CR-to-Hyphen conversion.

Changelog for Node v14.10.1 (Current)

Node.js 14.10.0 included a streams regression with async generators and a docs rendering regression that are being fixed in this release.

Changelog for Node v14.10.0 (Current)

  • buffer: also alias BigUInt methods
  • crypto: add randomInt function
  • perf_hooks: add idleTime and event loop util
  • stream: simpler and faster Readable async iterator
  • stream: save error in state

Changelog for Node v14.9.0 (Current)

  • build: set --v8-enable-object-print by default
  • deps:
    • upgrade to libuv 1.39.0
    • upgrade npm to 6.14.8
    • V8: cherry-pick e06ace6b5cdb
  • n-api: handle weak no-finalizer refs correctly
  • tools: add debug entitlements for macOS 10.15+

Changelog for Node v14.8.0 (Current)

  • (SEMVER-MINOR) async_hooks: add AsyncResource.bind utility
  • deps: update to uvwasi 0.0.10
  • doc: add Ricky Zhou to collaborators
  • doc: add release key for Ruy Adorno
  • doc: add DerekNonGeneric to collaborators
  • (SEMVER-MINOR) module: unflag Top-Level Await
  • (SEMVER-MINOR) n-api: support type-tagging objects
  • (SEMVER-MINOR) n-api,src: provide asynchronous cleanup hooks

Changelog for Node v14.7.0 (Current)

  • deps: upgrade npm to 6.14.7
  • dgram: (SEMVER-MINOR) add IPv6 scope id suffix to received udp6 dgrams
  • src:
    • (SEMVER-MINOR) allow preventing SetPromiseRejectCallback
    • (SEMVER-MINOR) allow setting a dir for all diagnostic output
  • worker:
    • (SEMVER-MINOR) make MessagePort inherit from EventTarget
  • zlib: switch to lazy init for zlib streams

Changelog for Node v14.6.0 (Current)

  • deps:
    • upgrade to libuv 1.38.1
    • upgrade npm to 6.14.6
    • (SEMVER-MINOR) update V8 to 8.4.371.19
  • module:
    • (SEMVER-MINOR) doc only deprecation of module.parent
    • (SEMVER-MINOR) package "imports" field
  • src: (SEMVER-MINOR) allow embedders to disable esm loader
  • tls: (SEMVER-MINOR) make createSecureContext honor more options
  • vm: (SEMVER-MINOR) add run-after-evaluate microtask mode
  • worker: (SEMVER-MINOR) add option to track unmanaged file descriptors

Changelog for Node v14.5.0 (Current)

  • V8 engine is updated to version 8.3

This version includes performance improvements and now allows WebAssembly modules to request memories up to 4GB in size. For more information, have a look at the official V8 blog post.

  • Initial experimental implementation of EventTarget

This version introduces an new experimental API EventTarget, which provides a DOM interface implemented by objects that can receive events and may have listeners for them. It is an adaptation of the Web API EventTarget.

Changelog for Node v14.4.0 (Current)

This is a security release. Vulnerabilities fixed:

  • CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).

Changelog for Node v14.3.0 (Current)

  • REPL previews improvements with autocompletion: The output preview is changed to generate previews for autocompleted input instead of the actual input. Pressing <enter> during a preview is now going to evaluate the whole string including the autocompleted part. Pressing <escape> cancels that behavior.

  • Support for Top-Level Await: It's now possible to use the await keyword outside of async functions, with the --experimental-top-level-await flag.

Changelog for Node v14.2.0 (Current)

  • Track function calls with assert.CallTracker: assert.CallTracker is a new experimental API that allows to track and later verify the number of times a function was called.

  • Console groupIndentation option: The Console constructor (require('console').Console) now supports different group indentations.

Changelog for Node v14.1.0 (Current)

  • deps: upgrade openssl sources to 1.1.1g
  • doc: add juanarbol as collaborator
  • http: doc deprecate abort and improve docs
  • module: do not warn when accessing __esModule of unfinished exports
  • n-api: detect deadlocks in thread-safe function
  • src: deprecate embedder APIs with replacements
  • stream:
    • don't emit end after close
    • don't wait for close on legacy streams
    • pipeline should only destroy un-finished streams
  • vm: add importModuleDynamically option to compileFunction

Changelog for Node v14.0.0 (Current)

  • Deprecations:

    • (SEMVER-MAJOR) crypto: move pbkdf2 without digest to EOL
    • (SEMVER-MAJOR) fs: deprecate closing FileHandle on garbage collection
    • (SEMVER-MAJOR) http: move OutboundMessage.prototype.flush to EOL
    • (SEMVER-MAJOR) lib: move GLOBAL and root aliases to EOL
    • (SEMVER-MAJOR) os: move tmpDir() to EOL
    • (SEMVER-MAJOR) src: remove deprecated wasm type check
    • (SEMVER-MAJOR) stream: move _writableState.buffer to EOL
    • (SEMVER-MINOR) doc: deprecate process.mainModule
    • (SEMVER-MINOR) doc: deprecate process.umask() with no arguments
  • ECMAScript Modules - Experimental Warning Removal

In Node.js 13 we removed the need to include the --experimental-modules flag, but when running EcmaScript Modules in Node.js, this would still result in a warning ExperimentalWarning: The ESM module loader is experimental.

As of Node.js 14 there is no longer this warning when using ESM in Node.js. However, the ESM implementation in Node.js remains experimental. As per our stability index: “The feature is not subject to Semantic Versioning rules. Non-backward compatible changes or removal may occur in any future release.” Users should be cautious when using the feature in production environments.

The ESM implementation in Node.js is still experimental but we do believe that we are getting very close to being able to call ESM in Node.js “stable”. Removing the warning is a huge step in that direction.

  • New V8 ArrayBuffer API src: migrate to new V8 ArrayBuffer API. Multiple ArrayBuffers pointing to the same base address are no longer allowed by V8. This may impact native addons.

  • Toolchain and Compiler Upgrades

    • (SEMVER-MAJOR) build: update macos deployment target to 10.13 for 14.x
    • (SEMVER-MAJOR) doc: update cross compiler machine for Linux armv7
    • (SEMVER-MAJOR) doc: update Centos/RHEL releases use devtoolset-8
    • (SEMVER-MAJOR) doc: remove SmartOS from official binaries
    • (SEMVER-MAJOR) win: block running on EOL Windows versions

It is expected that there will be an ABI mismatch on ARM between the Node.js binary and native addons. Native addons are only broken if they interact with std::shared_ptr. This is expected to be fixed in a later version of Node.js 14.

  • Update to V8 8.1 (SEMVER-MAJOR) deps: update V8 to 8.1.307.20

    • Enables Optional Chaining by default
    • Enables Nullish Coalescing by default
    • Enables Intl.DisplayNames by default
    • Enables calendar and numberingSystem options for Intl.DateTimeFormat by default
  • Other Notable Changes:

    • cli, report: move --report-on-fatalerror to stable
    • deps: upgrade to libuv 1.37.0
    • fs: add fs/promises alias module

Learn More Node.js from RisingStack

At RisingStack we've been writing JavaScript / Node tutorials for the community in the past 5 years. If you're beginner to Node.js, we recommend checking out our Node Hero tutorial series! The goal of this series is to help you get started with Node.js and make sure you understand how to write an application using it.

As a sequel to Node Hero, we have completed another series called Node.js at Scale - which focuses on advanced Node / JavaScript topics. Take a look!