We have made our HackerOne policies even more strict. Now, if you don't have any Signal, you shouldn't be able to report through HackerOne. We advise you to contact any of the Security Release Stewards via OpenJS Slack.
nodejs.org/en/blog/anno...
My first talk of 2026 can now be shared!
I will join NodeCongress to present The State of Node.js Security
nodecongress.com#person-rafae...
🚨 Node.js assessment of the recent OpenSSL Security Release
TL;DR: We'll update OpenSSL versions through a regular release process.
nodejs.org/en/blog/vuln...
We have increased the barrier to submit reports through HackerOne due to the amount of low-quality submissions we have received recently.
Please, see: nodejs.org/en/blog/anno...
This release contains a bunch of PRs I recently submitted to mark features I contributed to as stable/release candidate. Here is a thread about them 🧵:
Node.js v25.4.0 is out! 💚
• require(esm) now stable and a new CLI flag: --require-module
• http setGlobalProxyFromEnv() added
• Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects)
• Root CAs updated to NSS 3.117
More in: nodejs.org/en/blog/rele...
Additionally, releasing on Tuesday rather than Friday helps ensure that security updates are available during regular business hours across all time zones, particularly for our users in the Asia-Pacific region.
nodejs.org/en/blog/vuln...
🚨Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users.
Node.js sec release
We are doing our best. We are ensuring tests pass on all platforms and all active release lines (v20, v22, v24 and v25) - and they aren't currently.
Unfortunately, we don't have an ETA for that, and it's likely that this security release will be postponed one more time. Sorry.
That's how it works in Brazil. Holidays extend until the Carnival!
Oh hi. 👋 We're back with the latest Security Snapshot that covers how to publish to npm safely and with ease. ✨
@rafaelgss.dev breaks down why local publishing with 2FA gives you the safest setup right now.
* Add V8 code elimination detector - This should warn you when it believes your code is being JIT eliminated and the results aren't reliable.
* Add t-test feature - It enables a statistical significance test to compare how reliable your results are
And more!
New release of bench-node v0.14.0! Two important features were released:
github.com/RafaelGSS/be...
Right on time! Lovely @openjsf.org
Want to dive in further? Check out Rafael’s release of @nodejs.org 25: twitch.tv/videos/25925...
SEMVER MAJORS ARE BORING 🚨
Major releases mostly bring breaking changes, not shiny new features. The fun stuff? That’s hiding in the minors.
@rafaelgss.dev talks about why you should follow the minor releases in our latest JavaScript Security Snapshot.
I should get back to this platform. I’ve scrolled it for like 5 minutes and I found many interesting topics that I don’t see in one week of X.
ok so... I'm writing a book. It's called JavaScript In Depth (www.manning.com/books/javasc...) ... the first four chapters are available by Manning.
This has been a difficult project and will continue to be so. The reason is that it isn't a How To book that focuses only on how to use the language
Before automated workflows, releasing @nodejs.org meant 20 manual steps. Now it’s one command. 👀
@ulisesgascon.com and @rafaelgss.dev share how the Node.js build team went from a rack of Raspberry Pis in someone’s garage to full release automation.
👉Build Team on GitHub: github.com/nodejs/build
Live now!
It was great working with you on this! As much as I dislike that we had to do this work, I think it is important that we did it so there is a thorough and accurate resource about the current state of things.
With npm supply chain attacks on the rise, secure publishing practices are becoming a pressing concern for anyone maintaining npm packages. ⚠️
We've released updated guidance to help maintainers reduce exposure, strengthen release processes, and protect the ecosystem: openjsf.org/blog/publish...
Thanks for your hard work on this @notwes.bsky.social
Too many @nodejs.org users are running old versions 😬 The team is exploring changes to the release schedule to fix that.
@rafaelgss.dev shares all the details in our latest JavaScript Security Snapshot.
Be a part of the conversation on releases: github.com/nodejs/lts-s...
Ever wonder why @nodejs.org drops new versions like clockwork? Here’s the scoop. ⏱️
@rafaelgss.dev shares all the details about the Node.js release schedule in our new series, JavaScript Security Snapshot.
Done
I’ll ping the team
i’m starting to get that “this word is weird now” feeling from hearing so many sentences like “releasers releasing releases” at the @nodejs.org collab summit
picture of a group exercise
collab summit sign in the hallway
Starting the day at the Node.js Collab Summit #nodejs #javascript
Introducing 🥁🥁🥁 our JavaScriptLandia award recipients for this year!
Beyond building new features, our recipients guide others, maintain essential systems, document the hard parts, and strengthen the community every step of the way. 💙
Read more about our honorees here: hubs.la/Q03NQvx10