Node.js

Node.js 20 Now Available

Node.js 20 includes new Node.js experimental permission model for improved security

Node.js 20 Now Available

Node.js 20 includes new Node.js experimental permission model for improved security

Node.js 20 is now available! Highlights include the new Node.js experimental Permission Model, synchronous import.meta.resolve, a stable test_runner module, updates of the V8 JavaScript engine to 11.3, single executable apps, Ada to 2.0, and more.

Node.js 20 is the “Current” release for the next six months and incorporates the newest features. For organizations and individuals looking to implement Node.js 20, now is a good time to test and prototype. Node.js 20 will enter long-term support (LTS) in October and be ready for full production deployments. Full release schedule here.

“With the addition of the experimental Permission Model and updates to V8, Node.js 20 is perfect for testing and assessing how Node.js will fit into your development environment. We have made excellent progress making Node.js more secure and performant over the past year,” said Rafael Gonzaga, Node.js TSC Member. “Many thanks to our broad and energetic community of open source contributors for constantly improving Node.js.”

The Node.js team and the OpenJS Foundation would like to say a big thank you to contributors to the Node.js project. Node.js is used worldwide in large and small production environments. It has 94.6K Stars and 24.7K Forks on GitHub. The usefulness, quality, and security are all due in large part to our contributors. Thank you! If you’d like to find out how you can contribute, please see https://nodejs.org/en/get-involved/contribute 

“From security to testing to portability, Node.js has made important gains in the past year and Node.js 20 shows it. If you’re already using Node.js, Node.js 20 is a great way to get a close-up look at new features before LTS comes out,” said OpenJS Foundation Executive Director Robin Ginn. “Thank you to our open source contributors from around the world. Node.js 20 is a great example of open source making a difference.”

Main updates for Node.js 20

  • Experimental Permission Model
  • Synchronous import.meta.resolve()
  • Stable Test Runner
  • V8 JavaScript engine updated to 11.3, adds 5 new features
  • Single Executable Apps allows the distribution of Node.js apps systems without Node.js installed
  • Ada to 2.0

Permission Model

The Node.js Permission Model has been built over the past 9 months to be an important mechanism for better security. It allows restriction of access to specific resources during the program execution. The API exists behind a flag –experimental-permission which, when enabled, restricts access to all available permissions. The ability to access the filesystem, spawn process, and create worker_threads can be restricted.

We are continuing to improve the Permission Model and building a roadmap to encourage input. To find out more, see info on the first pull request last August and the recent merge into main

Synchronous import.meta.resolve()

import.meta.resolve() makes it easier to write scripts which are not sensitive to their exact location, or to the web application’s module setup. In alignment with browser behavior, this function now returns synchronously. Despite this, user loader resolve hooks can still be defined as async functions (or as sync functions, if the author prefers). Even when there are async resolve hooks loaded, import.meta.resolve() will still return synchronously for application code.

Updated V8 JavaScript engine to 11.3

The V8 engine is what powers Node.js. It parses and runs your JavaScript inside a Node environment. Node.js follows updates to the V8 JavaScript engine closely. 

This version includes 5 new features:

  • String.prototype.isWellFormed and toWellFormed
  • Methods that change Array and TypedArray by copy
  • Resizable ArrayBuffer and growable SharedArrayBuffer
  • RegExp v flag with set notation + properties of strings
  • WebAssembly Tail Call

Stable Test Runner

The test runner was experimental in Node.js 19, it is now stable. It facilitates the creation of JavaScript tests.

Single Executable Apps

Single Executable Apps allows the distribution of Node.js apps systems without Node.js being installed. Darshan Sen won the Outstanding Contribution from a New Arrival award as part of the JavaScriptLandia Awards at last year’s OpenJS World for creating this functionality. 

It is a way to compile your project into a binary for distribution. Microsoft, an OpenJS Foundation member, is investigating it as a way to reduce vector attacks.

The feature is new, just released in the past 2 months. We are looking for more feedback. 

Try it out today

To download Node.js v20.0.0, visit: https://nodejs.org/en/download/current/. Check out the release post by Rafael, which contains the list of commits included in this release. The team would love to hear your feedback! 

For the timeline of Node.js releases, check out the Node.js Release Schedule.

Let us know what you think

The Node.js Next 10 Survey is now out! We want your feedback on what is important to you when using Node.js to impact the next 10 years of the project. Take the survey by 11:59 PM PT on April 30, 2023 to let us know what you think.

Thank you

We’d like to thank all of the Node.js collaborators and contributors. Node.js 20 – and future releases as well! – are a direct result of your commitment and expertise!

The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, and Microsoft. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.