Node.js 24 LTS: Upgrade from Node 22 in 2026
Node.js 24 LTS: Upgrade from Node 22 in 2026
TL;DR
Node.js 24 (codename Krypton) became LTS in October 2025 and is the recommended runtime for new projects starting in 2026. Node.js 22 remains in Active LTS until April 2027, so there's no rush — but if you're starting a greenfield project or planning your next major dependency upgrade cycle, Node 24 is the target. The biggest gotchas are OpenSSL 3.5's stricter cryptography defaults, V8 13.6 changes for C++ addons, and a handful of deprecated API removals.
Key Takeaways
- Node.js 24 is Active LTS (codename Krypton) — support through April 2028; Node.js 22 LTS runs until April 2027
- OpenSSL 3.5 is the biggest breaking change — default security level raised to 2; RSA/DSA/DH keys under 2048 bits and ECC keys under 224 bits are now rejected
- V8 upgraded to v13.6 — native Iterator Helpers, URLPattern stable, Float16Array, CloseEvent added to globals
- Post-quantum cryptography — Node 24 ships with NIST-standard post-quantum algorithms via OpenSSL 3.5
- Deprecated APIs removed —
util.is*()methods,fs.truncate()with file descriptors,tls.createSecurePair()are gone - C++ addon maintainers: V8 13.6 may require C++20 (previously C++17 was enough)
- fetch() is stricter — AbortSignal validation tightened; stream/pipe errors now throw instead of silently failing
Node.js Release Timeline: Where Are We?
Understanding the release schedule is the foundation of any upgrade decision. Node.js follows an even/odd versioning scheme — only even-numbered releases become LTS.
| Version | Status | Active LTS Until | End of Life |
|---|---|---|---|
| Node.js 20 | Maintenance LTS | April 2024 | April 2026 |
| Node.js 22 | Active LTS | October 2025 → April 2027 | April 2027 |
| Node.js 24 | Active LTS (Current) | October 2025 → April 2027 | April 2028 |
| Node.js 26 | Releases April 2026 | October 2026 (expected) | TBD |
The immediate action item: If you're still on Node.js 20, its end-of-life is April 2026 — which means right now. Moving to Node.js 22 or 24 is urgent. For teams already on Node 22, you have until April 2027 before it becomes Maintenance, giving you a comfortable upgrade window.
V8 13.6: What the Engine Upgrade Means for You
Node.js 24 ships with V8 version 13.6 (Chromium 136). For application developers, this is mostly transparent — JavaScript engine upgrades improve performance and add new language features without breaking existing code. The exceptions are:
Native Iterator Helpers (No More Lodash for Simple Transformations)
// Previously required lodash, iterare, or custom code
// Node.js 24: native Iterator Helpers
const result = [1, 2, 3, 4, 5]
.values()
.filter(n => n % 2 === 0)
.map(n => n * 10)
.toArray();
// → [20, 40]
Iterator Helpers work with any iterable — arrays, Sets, Maps, custom iterators, generator functions. This eliminates a whole class of utility library dependencies for simple transformations.
URLPattern Now Stable
URLPattern is a web platform API for matching URLs against patterns — similar to what path-to-regexp does, but standardized:
// path-to-regexp (before)
const { pathToRegexp } = require('path-to-regexp');
const re = pathToRegexp('/user/:id');
// URLPattern (Node.js 24 — stable, no import needed)
const pattern = new URLPattern({ pathname: '/user/:id' });
pattern.test('https://example.com/user/42'); // true
const match = pattern.exec('https://example.com/user/42');
match.pathname.groups.id; // '42'
New Global Objects
Node.js 24 adds Float16Array, CloseEvent, and promotes several previously experimental globals to stable. If your code polyfills these, remove the polyfills — you'll get double-definition errors or unexpected behavior.
OpenSSL 3.5: The Breaking Change That Will Actually Bite You
This is the most likely source of production breakage when upgrading. OpenSSL 3.5, which ships with Node.js 24, raises the default security level from 1 to 2. The practical impact:
What's Now Rejected
| Prohibited | Why |
|---|---|
| RSA/DSA/DH keys shorter than 2048 bits | Below security level 2 threshold |
| ECC keys shorter than 224 bits | Below security level 2 threshold |
| RC4 cipher suites | Considered cryptographically broken |
| MD5 signatures (in some contexts) | Known collision vulnerabilities |
How to Check If You're Affected
# List your TLS certificates and check key lengths
openssl x509 -in your-cert.pem -noout -text | grep "Public-Key"
# If output shows "(1024 bit)" or "(512 bit)" — you have a problem
# Test a TLS connection with Node.js 24's security level
node -e "require('tls').connect({host: 'your-api-endpoint.com', port: 443}, function() { console.log('OK'); })"
Common Sources of Legacy Certificates
- Internal PKI systems — older corporate CAs often use 1024-bit RSA
- IoT device certificates — frequently use weak keys to save CPU on constrained hardware
- Legacy vendor APIs — third-party services that haven't updated their TLS infrastructure
- Development certificates — quick self-signed certs generated years ago
Emergency Override (Not Recommended for Production)
If you need to temporarily work around OpenSSL security level 2 while you fix certificate issues:
// Bypass security level check — only for emergency debugging
const https = require('https');
const agent = new https.Agent({
secureOptions: require('crypto').constants.SSL_OP_LEGACY_SERVER_CONNECT,
ciphers: 'DEFAULT@SECLEVEL=1'
});
The right fix is to reissue certificates with 2048-bit+ keys. The bypass is a temporary diagnostic tool.
Post-Quantum Cryptography
On the positive side, OpenSSL 3.5 adds support for NIST-standardized post-quantum algorithms including ML-KEM (CRYSTALS-Kyber) and ML-DSA (CRYSTALS-Dilithium). While you don't need to use these today, Node.js 24 is the first LTS release where you can — which matters for applications in regulated industries with long security horizons.
Removed APIs: The Migration Checklist
util.is*() Methods — Removed
These were deprecated since Node.js 4 and are finally gone:
// Removed in Node.js 24
util.isArray(val) // → Array.isArray(val)
util.isBoolean(val) // → typeof val === 'boolean'
util.isBuffer(val) // → Buffer.isBuffer(val)
util.isDate(val) // → val instanceof Date
util.isError(val) // → val instanceof Error
util.isFunction(val) // → typeof val === 'function'
util.isNull(val) // → val === null
util.isNullOrUndefined(val) // → val == null
util.isNumber(val) // → typeof val === 'number'
util.isObject(val) // → typeof val === 'object' && val !== null
util.isRegExp(val) // → val instanceof RegExp
util.isString(val) // → typeof val === 'string'
util.isSymbol(val) // → typeof val === 'symbol'
util.isUndefined(val) // → val === undefined
Run this to find uses in your codebase:
grep -r "util\.is" src/ --include="*.js" --include="*.ts" | grep -v "util.inspect\|util.isDeepEqual\|util.isNativeError"
fs.truncate(fd, ...) with File Descriptors — Removed
// Removed
fs.truncate(fd, len, callback);
// Use instead
fs.ftruncate(fd, len, callback);
fs.ftruncateSync(fd, len);
tls.createSecurePair() — Removed
This was deprecated since Node.js 0.11. Migrate to tls.TLSSocket:
// Removed
const pair = tls.createSecurePair(context, isServer);
// Replace with
const tlsSocket = new tls.TLSSocket(socket, { secureContext: context, isServer });
Behavioral Changes That Won't Throw Errors (But Will Bite You)
Stricter fetch() Compliance
// Node.js 22: AbortSignal timeout loosely validated
const response = await fetch(url, { signal: AbortSignal.timeout(5000) });
// Node.js 24: Strict validation — non-AbortSignal objects throw TypeError
// If you're passing fake signal objects, this will break
stream.pipeline() Errors Now Throw
Previously, errors in stream.pipeline() could be silently swallowed in some async patterns. Node.js 24 makes these throw consistently. If you have silent pipeline failures you've never noticed, they'll surface now.
Buffer Encoding Behavior
// Edge case: Buffer.from(string, encoding) with unsupported encodings
// Now throws TypeError instead of falling back to 'utf8'
// Check any dynamic encoding logic
How to Upgrade Safely
Step 1: Audit Your Dependencies
# Check which deps require Node >= 24 or still need older Node
npx check-node-version --node 24
# Check for packages flagging Node 24 incompatibility
npm audit
npm outdated
Step 2: Use .nvmrc or .node-version
echo "24" > .nvmrc
# or for fnm/volta
echo "24" > .node-version
Step 3: Test Against Node 24 in CI First
# .github/workflows/test.yml — add Node 24 to matrix
strategy:
matrix:
node: [22, 24]
Step 4: Check Your TLS Connections
# Run against your API endpoints and third-party services
node -e "
const https = require('https');
https.get('https://api.your-service.com', (res) => {
console.log('OK:', res.statusCode);
}).on('error', (e) => console.error('FAILED:', e.message));
"
Step 5: Update Your C++ Addons (If Any)
If you maintain native addons or depend on packages that do, check:
- V8 13.6 API compatibility for your NAN/NAPI bindings
- C++20 requirements if you were using C++17-specific features
Should You Upgrade Now?
| Scenario | Recommendation |
|---|---|
| New project starting in 2026 | Use Node.js 24 from day one |
| On Node.js 20 | Upgrade urgently — EOL is April 2026 |
| On Node.js 22, stable product | Upgrade in H2 2026; Node 22 is safe until April 2027 |
| On Node.js 22, security-sensitive | Test and upgrade soon — OpenSSL 3.5's post-quantum features matter |
| Heavy use of native addons | Test carefully; V8 13.6 and C++20 changes may require addon updates |
| Legacy TLS infrastructure | Audit certificates before upgrading — OpenSSL 3.5 will reject weak keys |
What's Next: Node.js 26
Node.js 26 is expected in April 2026, following the same even/odd cadence. It will become LTS in October 2026. If you're upgrading now, Node.js 24 is the correct LTS target — don't wait for 26.
Methodology
- Sources: Node.js official release blog, nodejs.org release schedule, NodeSource LTS guide, OpenJSF announcement, Red Hat Node.js 24 release notes, endoflife.date
- Tested: OpenSSL 3.5 breaking change verification via Node.js 24.5.0+ changelogs
- Date: March 2026
Running Node.js 22 and 24 side-by-side? See our Node.js 22 vs Node.js 24 Upgrade Guide for a full feature comparison. Also in the runtime series: Bun 2 vs Node.js 24 vs Deno 3.
Managing multiple Node.js versions? fnm vs nvm vs Volta: Node.js Version Managers 2026