Node.js v26.0.0 is out 💚 Temporal API enabled by default, V8 14.6, Undici 8, and key deprecations as we keep modernizing the platform. Check it out nodejs.org/en/blog/rele...

Unfortunately, security reports are no longer eligible for bounties due to the IBB program being paused

We have made our HackerOne policies even more strict. Now, if you don't have any Signal, you shouldn't be able to report through HackerOne. We advise you to contact any of the Security Release Stewards via OpenJS Slack. nodejs.org/en/blog/anno...

My first talk of 2026 can now be shared! I will join NodeCongress to present The State of Node.js Security nodecongress.com#person-rafae...

🚨 Node.js assessment of the recent OpenSSL Security Release TL;DR: We'll update OpenSSL versions through a regular release process. nodejs.org/en/blog/vuln...

We have increased the barrier to submit reports through HackerOne due to the amount of low-quality submissions we have received recently. Please, see: nodejs.org/en/blog/anno...

This release contains a bunch of PRs I recently submitted to mark features I contributed to as stable/release candidate. Here is a thread about them 🧵:

Node.js v25.4.0 is out! 💚 • require(esm) now stable and a new CLI flag: --require-module • http setGlobalProxyFromEnv() added • Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects) • Root CAs updated to NSS 3.117 More in: nodejs.org/en/blog/rele...

🚨Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users.

Node.s sec release We are doing our best. We are ensuring test passes on all platforms and all active release lines (v20, v22, v24 and v25) - and they aren't currently. Unfortunately, we don't have an ETA for that, and it's likely that this security release will be postponed one more time. Sorry.

Oh hi. 👋 We're back with the latest Security Snapshot that covers how to publish to npm safely and with ease. ✨ @rafaelgss.dev breaks down why local publishing with 2FA gives you the safest setup right now.

New release of bench-node v0.14.0! Two important features were released: github.com/RafaelGSS/be...

Right on time! Lovely @openjsf.org

Want to dive in further? Check out Rafael’s release of @nodejs.org 25: twitch.tv/videos/25925...

SEMVER MAJORS ARE BORING 🚨 Major releases mostly bring breaking changes, not shiny new features. The fun stuff? That’s hiding in the minors. @rafaelgss.dev talks about why you should follow the minor releases in our latest JavaScript Security Snapshot.

I should get back to this platform. I’ve scrolled it for like 5 minutes and I found many interesting topics that I don’t see in one week of X.

ok so... I'm writing a book. It's called JavaScript In Depth (www.manning.com/books/javasc...) ... the first four chapters are available by Manning. This has been a difficult project and will continue to be so. The reason is that it isn't a How To book that focuses only on how to use the langauge

Before automated workflows, releasing @nodejs.org meant 20 manual steps. Now it’s one command. 👀 @ulisesgascon.com and @rafaelgss.dev share how the Node.js build team went from a rack of Raspberry Pis in someone’s garage to full release automation. 👉Build Team on GitHub: github.com/nodejs/build

Live now!

It was great working with you on this! As much as I dislike that we had to do this work, I think it is important that we did it so there is a thorough and accurate resource about the current state of things.

With npm supply chain attacks on the rise, secure publishing practices are becoming a pressing concern for anyone maintaining npm packages. ⚠️ We've released updated guidance to help maintainers reduce exposure, strengthen release processes, and protect the ecosystem: openjsf.org/blog/publish...

Thanks for your hard work on this @notwes.bsky.social

Too many @nodejs.org users are running old versions 😬 The team is exploring changes to the release schedule to fix that. @rafaelgss.dev shares all the details in our latest JavaScript Security Snapshot. Be a part of the conversation on releases: github.com/nodejs/lts-s...

Ever wonder why @nodejs.org drops new versions like clockwork? Here’s the scoop. ⏱️ @rafaelgss.dev shares all the details about the Node.js release schedule in our new series, JavaScript Security Snapshot.

Done

i’m starting to get that “this word is weird now” feeling from hearing so many sentences like “releasers releasing releases” at the @nodejs.org collab summit

Starting the day at the Node.js Collab Summit #nodejs #javascript

Introducing 🥁🥁🥁 our JavaScriptLandia award recipients for this year! Beyond building new features, our recipients guide others, maintain essential systems, document the hard parts, and strengthen the community every step of the way. 💙 Read more about our honorees here: hubs.la/Q03NQvx10

I'm excited about net in permissions!

Node.js 25 is here! We have upgraded V8 to 14.1, bringing major JSON.stringify performance improvements and JIT pipeline optimizations. This release introduces the permission model --allow-net, Web Storage is enabled by default, and more! nodejs.org/en/blog/rele...

Node.js v24.10.0 is out. * Per-stream inspectOptions support in console * Removal of util.getCallSite (in favour of util.getCallSites) * Upgraded OpenSSL to 3.5.4 and npm to 11.6.1 * Various src and benchmark optimizations https://nodejs.org/en/blog/release/v24.10.0

Welcome @rafaelgss.dev to the @openjsf.org #CNA team! 👏 👏 👏 github.com/openjs-found...

Lots of GREAT progress and discussion on our @expressjs.bsky.social Performance Working Group. Thanks everyone who is participating as I think this is the second most (security comes first) impactful thing we could be working on. For anyone interested in helping out: github.com/expressjs/pe...

Our goal is to provide guidance and tooling for perf based decisions to the maintainers under our umbrella. Aligning our philosophy for how/what we monitor and how to interpret the results lets us be consistent across our 50+ packages. Ive been learning a lot so far, and big ty to @rafaelgss.dev

Node.js v24.6.0 is out💚 Highlights: * Use your system’s trusted certificates with NODE_USE_SYSTEM_CA=1 * crypto: ML-DSA (KeyObject/sign/verify) * http: server.keepAliveTimeoutBuffer * zlib: Zstd dictionary support * fs: Utf8Stream (from SonicBoom) Changelog: nodejs.org/en/blog/rele...

I'm live doing Node.js Core benchmark work! www.twitch.tv/rafaelgss

I've been working on something interesting (at least for me) github.com/nodejs/node/...

Hi folks, We will have a Node.js core mentoring live stream today Stay tuned!

Node.js v24.4.0 is out! 💚 What's new? • crypto.hash() supports outputLength (XOF) • fs.mkdtempSync() gets disposable mode • --watch-kill-signal lands • permission.has('addon') is now supported • spawn() propagates permission flags • sqlite adds readBigInts More in: nodejs.org/en/blog/rele...

Live on! twitch.tv/rafaelgss

A warm welcome to our newest Node.js TSC member: Filip Skokan! Happy to see you onboard! github.com/nodejs/node/...

Folks, right now @rafaelgss.dev is doing an awesome livestram on m.twitch.tv/rafaelgss talking about Node.js threads, memory management and perfs. Join us!

⚠️ Security release pre-alert: We will release new versions of v20.x, v22.x, v23.x, v24.x release lines on or shortly after May 14, 2025, in order to address: - 1 high severity issue - 1 moderate severity issue - 1 low severity issue Details: nodejs.org/en/blog/vuln...

I’d love to do something like that but in person… kind of collab summit workshop

Happy to announce @nodejs v24.0.0 💚! This release brings several updates, including the V8 13.6 and npm to version 11. As a reminder, Node.js 24 will enter long-term support (LTS) in October, but until then, it will be the "Current" release Check it nodejs.org/en/blog/rele...

A handy way to test Node.js release candidates. I suggest you have something similar in your test suite, so you can act before a semver-major release of Node.js gets out. github.com/fastify/fast...

RC.2 Node.js v24.0.0 github.com/nodejs/node/...

Recent updates on Node.js CVE to EOL lines. TL;DR The Node.js team has decided to update previous vulnerability specific CVEs to cover EOL releases, reflecting their ongoing security risks. See: nodejs.org/en/blog/vuln...

I'm live on Twitch again! www.twitch.tv/rafaelgss

I'm posting some shorts on Youtube/Instagram of my sessions teaching "How to contribute to Node.js core" on Twitch. Check my social media in github.com/RafaelGSS/Ra...