Node.js is moving to one major release per year starting with Node 27! 🚀
✅ Simpler: Every release becomes LTS.
✅ Predictable: Version numbers now align with the year.
✅ New: A 6-month Alpha channel for early testing.
https://bit.ly/4rnosLg
This will work with "useCodeCache": true in the next semver-minor release
github.com/nodejs/node/...
(Although if they can get us singing robots the next time, that will surely save us from the torture from all these actors with zero singing skills lip-syncing to their lifeless recordings)
The nerd in me: this is cool
The Chinese in me: Nice try. Robot dancing doesn’t save how boring the Spring Festival Gala has become.
Landed initial support for ESM in Node.js SEA: github.com/nodejs/node/...
Similar to CJS entrypoints, it only supports importing builtins, so it generally requires bundling. @nodeland.dev is working on support for VFS in SEA that will unlock loading other modules within SEA github.com/nodejs/node/...
Sounds like a cool idea, though I am more in the camp of “a town reachable by train” than “a castle that needs to be reached by car” ;)
I got thanked with good karma on GitHub.
Failed catastrophically at the “don’t look at GitHub” weekend challenge.
But on the bright side…
Started iteration on ESM support in the Node.js embedder API with new overloads that likely will be less prone to ABI breakages as more features are added.
github.com/nodejs/node/...
Initial support was released in 25.6.0
nodejs.org/en/blog/rele...
Or you need to step up your game in Spanish 😉 febrile -> febril
This was fun to hack on - a gdb unwinder for V8 JIT-compiled frames on x64.
chromium-review.googlesource.com/c/v8/v8/+/75...
Also interesting to learn this trick from the gdb source: caller's rsp before call = callee's rbp + 16, and this seems to be a conventional CFA in debuggers
I think I figured out what's going on. Here is another blog post about tinkering with Node.js Core on ARM64 Windows (and tips about reducing the wait time on Windows) joyeecheung.github.io/blog/2026/01...
New blog post on the journey of the new --build-sea flag and how SEA injection works
joyeecheung.github.io/blog/2026/01...
This just landed! Thanks @addaleax.bsky.social and @legendecas.bsky.social for the reviews! It will be out in the next semver-minor release of 25, and likely backportable to older LTS - the new workflow is a compatible improvement to the existing postject-based SEA building workflows from v18.x.
To be fair I think it doesn’t need to be me, it just needs a contributor with enough time and energy and hopefully who can do it at work hours (I did, thanks to sponsorship by Bloomberg). The slow progress of Node.js development largely comes from lack of contributors, especially funded ones
Following the naming scheme that Elon Musk also used to name his own children already feels like biting the bait, when that platform didn’t even get built as X originally in the first place 😅
Good read. A submission to the European Commission's call for evidence on Towards European Open Digital Ecosystems (importance of OSS for EU tech sovereignty, security and competitiveness). It ends with:
> If you work in OSS, consider adding your voice. The feedback period ends February 3, 2026.
I think with the direction this PR is going, there's supposedly a way out of this: instead of relying on system APIs to load the addons (e.g. with memfd_create + dlopen on Linux, but not available on Windows), we can build custom loaders and map the libraries ourselves, or at least fall back to that
Now is the time to realize I have been compiling with host arch = x64 the whole time because for whatever reason I have been using x64 python the whole time to run the configure script 😅
They are mostly already on v24, the changes are primarily just flipping the status in the documentation.
Also @aditeigh.bsky.social and I are looking into what else needs to be done to enable built-in http proxy support and custom/system CA support by default, hopefully in 26 and possibly as semver-major. Tracking issues:
github.com/nodejs/node/...
github.com/nodejs/node/...
v8.queryObjects(): I wrote about the motivation of this API for more reliable memory leak testing in joyeecheung.github.io/blog/2024/03...
--heapsnapshot-near-heap-limit: see documentation here: nodejs.org/api/cli.html...
Startup snapshot APIs: I gave a talk about this a few years ago at Node Congress: gitnation.com/contents/nod...
There are several features that have been stable de facto, but nobody remembered to send a PR to bump the stability index 😅 I marked them in bulk while I was at it.
crypto.hash(): a faster alternative to crypto.createHash() for one-shot hashing. See github.com/nodejs/perfo...
Then there are also the module compile cache going stable and module.registerHooks() becoming release candidate. I gave a talk at JSConf Japan recently covering the evolution of these features: www.youtube.com/watch?v=MYVn...
First and likely the most anticipated, marking require(esm) as stable. I wrote a blog post about the journey of it going from experiment to stability: joyeecheung.github.io/blog/2025/12...
This release contains a bunch of PRs I recently submitted to mark features I contributed to as stable/release candidate. Here is a thread about them 🧵:
I believe that’s one of the several projects that inspired nodejs.org/api/single-e... (note that this feature has existed since v18, the PR merely moves the injection process into core). The difference is that SEA building does not require installing compilers, it’s just binary surgery
This is a mitigation, not a guarantee.
Stack space exhaustion recovery is NOT specified by ECMAScript. V8 does it on a best-effort basis.
If the recursion depth can be controlled by attackers, explicitly limit the depth.
This is what the React and Next.js teams fixed in vercel.com/kb/bulletin/....
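An added example (not from the original posts, and not Node.js, React or Next.js code) of the advice above: a recursive walker over untrusted nested data that enforces its own depth budget instead of depending on V8 recovering from stack exhaustion. `MAX_DEPTH`, `countLeaves`, `makeNested` and `handleUntrusted` are hypothetical names, and the limit of 64 is an assumed value.

```javascript
'use strict';

// Assumed limit; pick one that fits the legitimate shape of your data.
const MAX_DEPTH = 64;

class DepthLimitError extends Error {}

// Recursive walker with an explicit depth budget. It counts leaf values,
// but the same guard applies to any recursive parser, serializer or visitor.
function countLeaves(value, depth = 0) {
  if (depth > MAX_DEPTH) {
    // Fail in a defined way long before the engine's stack limit is near.
    throw new DepthLimitError(`nesting deeper than ${MAX_DEPTH}`);
  }
  if (value === null || typeof value !== 'object') return 1;
  const children = Array.isArray(value) ? value : Object.values(value);
  let total = 0;
  for (const child of children) {
    total += countLeaves(child, depth + 1);
  }
  return total;
}

// Constructed sample input: an array nested `levels` deep. Built with a loop
// so that creating the sample does not itself recurse.
function makeNested(levels) {
  let v = 'leaf';
  for (let i = 0; i < levels; i++) v = [v];
  return v;
}

// Boundary handler: depth violations become an ordinary rejection, and any
// other error (including a RangeError from the engine) is still surfaced.
function handleUntrusted(value) {
  try {
    return { ok: true, leaves: countLeaves(value) };
  } catch (err) {
    if (err instanceof DepthLimitError) return { ok: false, reason: 'too-deep' };
    throw err;
  }
}

console.log(handleUntrusted({ a: [1, 2], b: { c: 3 } }));
console.log(handleUntrusted(makeNested(100000)));
```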
We appreciate your patience and understanding as we work to deliver a secure and reliable release.
Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines to address:
- 3 high severity issues
- 4 medium severity issues
- 1 low severity issue
nodejs.org/en/blog/vuln...