Node.js 20 includes new Node.js experimental permission model for improved security
Node.js 20 is the “Current” release for the next six months and incorporates the newest features. For organizations and individuals looking to implement Node.js 20, now is a good time to test and prototype. Node.js 20 will enter long-term support (LTS) in October and be ready for full production deployments. Full release schedule here.
“With the addition of the experimental Permission Model and updates to V8, Node.js 20 is perfect for testing and assessing how Node.js will fit into your development environment. We have made excellent progress making Node.js more secure and performant over the past year,” said Rafael Gonzaga, Node.js TSC Member. “Many thanks to our broad and energetic community of open source contributors for constantly improving Node.js.”
The Node.js team and the OpenJS Foundation would like to say a big thank you to contributors to the Node.js project. Node.js is used worldwide in large and small production environments. It has 94.6K Stars and 24.7K Forks on GitHub. The usefulness, quality, and security are all due in large part to our contributors. Thank you! If you’d like to find out how you can contribute, please see https://nodejs.org/en/get-involved/contribute
“From security to testing to portability, Node.js has made important gains in the past year and Node.js 20 shows it. If you’re already using Node.js, Node.js 20 is a great way to get a close-up look at new features before LTS comes out,” said OpenJS Foundation Executive Director Robin Ginn. “Thank you to our open source contributors from around the world. Node.js 20 is a great example of open source making a difference.”
Main updates for Node.js 20
- Experimental Permission Model
- Synchronous import.meta.resolve()
- Stable Test Runner
- Single Executable Apps allow the distribution of Node.js apps to systems without Node.js installed
- Ada updated to 2.0
The Node.js Permission Model has been built over the past 9 months to be an important mechanism for better security. It allows access to specific resources to be restricted during program execution. The API exists behind a flag, --experimental-permission, which, when enabled, restricts access to all available permissions. The ability to access the filesystem, spawn processes, and create worker_threads can be restricted.
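As an added example (not code from the Node.js project or this announcement), a startup preflight can use the runtime API process.permission.has() to confirm the process runs with exactly the access it needs. The service paths and the REQUIRED and FORBIDDEN lists are constructed sample values, and the function name preflight is hypothetical.

```javascript
// Added example, not Node.js project code. Paths below are constructed samples.
// Resources this hypothetical service needs at runtime.
const REQUIRED = [
  { scope: 'fs.read', ref: '/srv/app/config' },
  { scope: 'fs.write', ref: '/srv/app/uploads' },
];
// Capabilities it should never hold, even if an operator grants them.
const FORBIDDEN = [
  { scope: 'fs.write', ref: '/srv/app/config' },
  { scope: 'child' },
  { scope: 'worker' },
];

const label = ({ scope, ref }) => (ref ? `${scope}:${ref}` : scope);

// perm defaults to process.permission, which Node.js 20 only adds to
// process when it is started with --experimental-permission.
function preflight(perm = process.permission) {
  if (!perm || typeof perm.has !== 'function') {
    // Fail closed: without the model, nothing is restricted.
    return { ok: false, enforced: false, missing: [], excessive: [] };
  }
  const granted = ({ scope, ref }) =>
    ref === undefined ? perm.has(scope) : perm.has(scope, ref);
  const missing = REQUIRED.filter((p) => !granted(p)).map(label);
  const excessive = FORBIDDEN.filter(granted).map(label);
  return {
    ok: missing.length === 0 && excessive.length === 0,
    enforced: true,
    missing,
    excessive,
  };
}

// At startup, log the result; a service would refuse to start when ok is false.
console.log('permission preflight:', JSON.stringify(preflight()));
```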
import.meta.resolve() makes it easier to write scripts which are not sensitive to their exact location, or to the web application’s module setup. In alignment with browser behavior, this function now returns synchronously. Despite this, user loader resolve hooks can still be defined as async functions (or as sync functions, if the author prefers). Even when there are async resolve hooks loaded, import.meta.resolve() will still return synchronously for application code.
This version of V8 includes 5 new features:
- String.prototype.isWellFormed and toWellFormed
- Methods that change Array and TypedArray by copy
- Resizable ArrayBuffer and growable SharedArrayBuffer
- RegExp v flag with set notation + properties of strings
- WebAssembly Tail Call
Stable Test Runner
Single Executable Apps
It is a way to compile your project into a binary for distribution. Microsoft, an OpenJS Foundation member, is investigating it as a way to reduce attack vectors.
The feature is new, just released in the past 2 months. We are looking for more feedback.
Try it out today
To download Node.js v20.0.0, visit: https://nodejs.org/en/download/current/. Check out the release post by Rafael, which contains the list of commits included in this release. The team would love to hear your feedback!
For the timeline of Node.js releases, check out the Node.js Release Schedule.
Let us know what you think
The Node.js Next 10 Survey is now out! We want your feedback on what is important to you when using Node.js to impact the next 10 years of the project. Take the survey by 11:59 PM PT on April 30, 2023 to let us know what you think.
We’d like to thank all of the Node.js collaborators and contributors. Node.js 20 – and future releases as well! – are a direct result of your commitment and expertise!