Node.js v 12 arrived on schedule. It is going into LTS in October and will be maintained until 2022. Until then, the LTS version remains Node.js 10.

update node js latest version

Node.js LTS & Current Download for macOS:

Node.js LTS & Current Download for Windows:

For other downloads like Linux libraries, source codes, Docker images, etc.. please visit

Node.js v12 - New Features You Shouldn't Miss

Here is a list of changes we consider essential to highlight:

  • V8 updated to version 7.4
    • Async stack traces arrived
    • Faster async/await implementation
    • New JavaScript language features
    • Performance tweaks & improvements
    • Progress on Worker threads, N-API
  • Default HTTP parser switched to llhttp
  • New experimental “Diagnostic Reports” feature

You can browse the full changelog here and read our deep-dive on Node.js v12 here.

Changelog for Current and LTS Node Versions

Changelog for Node v12.10.0 (Current)

  • deps:
    • Update npm to 6.10.3
  • fs:
    • Add recursive option to rmdir()
    • Allow passing true to emitClose option
    • Add *timeNs properties to BigInt Stats objects
  • net:
    • Allow reading data into a static buffer

Changelog for Node v12.9.0 (Current)

  • crypto:
    • Added an oaepHash option to asymmetric encryption which allows users to specify a hash function when using OAEP padding
  • deps:
    • Updated V8 to 7.6.303.29
      • Improves the performance of various APIs such as JSON.parse and methods called on frozen arrays.
      • Adds the Promise.allSettled method.
      • Improves support of BigInt in Intl methods.
      • For more information:
    • Updated libuv to 1.31.0
      • UV_FS_O_FILEMAP has been added for faster access to memory mapped files on Windows.
      • uv_fs_mkdir() now returns UV_EINVAL for invalid filenames on Windows. It previously returned UV_ENOENT.
      • The uv_fs_statfs() API has been added.
      • The uv_os_environ() and uv_os_free_environ() APIs have been added.
  • fs:
    • Added fs.writev, fs.writevSync and filehandle.writev (promise version) methods. They allow to write an array of ArrayBufferViews to a file descriptor
  • http:
    • Added three properties to OutgoingMessage.prototype: writableObjectMode, writableLength and writableHighWaterMark
  • stream:
    • Added an new property readableEnded to readable streams. Its value is set to true when the 'end' event is emitted.
  • Added an new property writableEnded to writable streams. Its value is set to true after writable.end() has been called.

Changelog for Node v12.8.0 (Current)

  • assert:
    • Legacy mode deprecation (DEP0089) is revoked
  • crypto:
    • The outputLength option is added to crypto.createHash
    • The maxmem range is increased from 32 to 53 bits
  • n-api:
    • Added APIs for per-instance state management
  • report:
    • Network interfaces get included in the report
  • src:
    • v8.getHeapCodeStatistics() is now exported

Changelog for Node v12.7.0 (Current)

  • deps:
    • Updated nghttp2 to 1.39.1
    • Updated npm to 6.10.0
  • esm:
    • Implemented experimental "pkg-exports" proposal. A new "exports" field can be added to a module's package.json file to provide custom subpath aliasing. See proposal-pkg-exports for more information
  • http:
    • Added response.writableFinished
    • Exposed headers, rawHeaders and other fields on an http.ClientRequest "information" event
  • inspector:
    • Added inspector.waitForDebugger()
  • policy:
    • Added --policy-integrity=sri CLI option to mitigate policy tampering. If a policy integrity is specified and the policy does not have that integrity, Node.js will error prior to running any code
  • readline,tty:
    • Exposed stream API from various methods which write characters
  • src:
    • Use cgroups to get memory limits. This improves the way we set the memory ceiling for a Node.js process. Previously we would use the physical memory size to estimate the necessary V8 heap sizes. The physical memory size is not necessarily the correct limit, e.g. if the process is running inside a docker container or is otherwise constrained. This change adds the ability to get a memory limit set by linux cgroups, which is used by docker containers to set resource constraints

Changelog for Node v12.6.0 (Current)

  • build:
    • Experimental support for building Node.js on MIPS architecture is back
  • child_process:
    • The promisified versions of child_process.exec and child_process.execFile now both return a Promise which has the child instance attached to their child property
  • deps: Updated libuv to 1.30.1
    • Support for the Haiku platform has been added.
    • The maximum UV_THREADPOOL_SIZE has been increased from 128 to 1024.
    • uv_fs_copyfile() now works properly when the source and destination files are the same.
  • process:
    • A new method, process.resourceUsage() was added. It returns resource usage for the current process, such as CPU time
  • src:
    • Fixed an issue related to stdio that could lead to a crash of the process in some circumstances
  • stream:
    • Added a writableFinished property to writable streams. It indicates that all the data has been flushed to the underlying system
  • worker:
    • Fixed an issue that prevented worker threads to listen for data on stdin

Changelog for Node v10.16.3 (LTS)

This is a security release.

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks.

Vulnerabilities fixed:

  • CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

  • CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

  • CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.

  • CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

  • CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

  • CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.

  • CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

  • CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.

Changelog for Node v10.16.2 (LTS)

This release patches a regression in the OpenSSL upgrade to 1.1.1c that causes intermittent hangs in machines that have low entropy.

Changelog for Node v10.16.1 (LTS)

  • deps:
    • upgrade openssl sources to 1.1.1c
  • stream:
    • do not unconditionally call _read() on resume()
  • worker:
    • fix nullptr deref after MessagePort deser failure

Changelog for Node v10.16.0 (LTS)

  • deps:
    • update ICU to 64.2
    • upgrade npm to 6.9.0
    • upgrade openssl sources to 1.1.1b
    • upgrade to libuv 1.28.0
  • events:
    • add once method to use promises with EventEmitter
  • n-api:
    • mark thread-safe function as stable
  • repl:
    • support top-level for-await-of
  • zlib:
    • add brotli support

Learn More Node.js from RisingStack

At RisingStack we've been writing JavaScript / Node tutorials for the community in the past 5 years. If you're beginner to Node.js, we recommend checking out our Node Hero tutorial series! The goal of this series is to help you get started with Node.js and make sure you understand how to write an application using it.

As a sequel to Node Hero, we have completed another series called Node.js at Scale - which focuses on advanced Node / JavaScript topics. Take a look!