Node.js 24 LTS: Upgrade from Node 22 in 2026
TL;DR
Node.js 24 (codename Krypton) became LTS in October 2025 and is the recommended runtime for new projects starting in 2026. Node.js 22 remains in Active LTS until April 2027, so there's no rush — but if you're starting a greenfield project or planning your next major dependency upgrade cycle, Node 24 is the target. The biggest gotchas are OpenSSL 3.5's stricter cryptography defaults, V8 13.6 changes for C++ addons, and a handful of deprecated API removals.
Key Takeaways
- Node.js 24 is Active LTS (codename Krypton) — support through April 2028; Node.js 22 LTS runs until April 2027
- OpenSSL 3.5 is the biggest breaking change — default security level raised to 2; RSA/DSA/DH keys under 2048 bits and ECC keys under 224 bits are now rejected
- V8 upgraded to v13.6 — native Iterator Helpers, URLPattern stable, Float16Array, CloseEvent added to globals
- Post-quantum cryptography — Node 24 ships with NIST-standard post-quantum algorithms via OpenSSL 3.5
- Deprecated APIs removed —
util.is*()methods,fs.truncate()with file descriptors,tls.createSecurePair()are gone - C++ addon maintainers: V8 13.6 may require C++20 (previously C++17 was enough)
- fetch() is stricter — AbortSignal validation tightened; stream/pipe errors now throw instead of silently failing
Node.js Release Timeline: Where Are We?
Understanding the release schedule is the foundation of any upgrade decision. Node.js follows an even/odd versioning scheme — only even-numbered releases become LTS.
| Version | Status | Active LTS Until | End of Life |
|---|---|---|---|
| Node.js 20 | Maintenance LTS | April 2024 | April 2026 |
| Node.js 22 | Active LTS | October 2025 → April 2027 | April 2027 |
| Node.js 24 | Active LTS (Current) | October 2025 → April 2027 | April 2028 |
| Node.js 26 | Releases April 2026 | October 2026 (expected) | TBD |
The immediate action item: If you're still on Node.js 20, its end-of-life is April 2026 — which means right now. Moving to Node.js 22 or 24 is urgent. For teams already on Node 22, you have until April 2027 before it becomes Maintenance, giving you a comfortable upgrade window.
V8 13.6: What the Engine Upgrade Means for You
Node.js 24 ships with V8 version 13.6 (Chromium 136). For application developers, this is mostly transparent — JavaScript engine upgrades improve performance and add new language features without breaking existing code. The exceptions are:
Native Iterator Helpers (No More Lodash for Simple Transformations)
// Previously required lodash, iterare, or custom code
// Node.js 24: native Iterator Helpers
const result = [1, 2, 3, 4, 5]
.values()
.filter(n => n % 2 === 0)
.map(n => n * 10)
.toArray();
// → [20, 40]
Iterator Helpers work with any iterable — arrays, Sets, Maps, custom iterators, generator functions. This eliminates a whole class of utility library dependencies for simple transformations.
URLPattern Now Stable
URLPattern is a web platform API for matching URLs against patterns — similar to what path-to-regexp does, but standardized:
// path-to-regexp (before)
const { pathToRegexp } = require('path-to-regexp');
const re = pathToRegexp('/user/:id');
// URLPattern (Node.js 24 — stable, no import needed)
const pattern = new URLPattern({ pathname: '/user/:id' });
pattern.test('https://example.com/user/42'); // true
const match = pattern.exec('https://example.com/user/42');
match.pathname.groups.id; // '42'
New Global Objects
Node.js 24 adds Float16Array, CloseEvent, and promotes several previously experimental globals to stable. If your code polyfills these, remove the polyfills — you'll get double-definition errors or unexpected behavior.
OpenSSL 3.5: The Breaking Change That Will Actually Bite You
This is the most likely source of production breakage when upgrading. OpenSSL 3.5, which ships with Node.js 24, raises the default security level from 1 to 2. The practical impact:
What's Now Rejected
| Prohibited | Why |
|---|---|
| RSA/DSA/DH keys shorter than 2048 bits | Below security level 2 threshold |
| ECC keys shorter than 224 bits | Below security level 2 threshold |
| RC4 cipher suites | Considered cryptographically broken |
| MD5 signatures (in some contexts) | Known collision vulnerabilities |
How to Check If You're Affected
# List your TLS certificates and check key lengths
openssl x509 -in your-cert.pem -noout -text | grep "Public-Key"
# If output shows "(1024 bit)" or "(512 bit)" — you have a problem
# Test a TLS connection with Node.js 24's security level
node -e "require('tls').connect({host: 'your-api-endpoint.com', port: 443}, function() { console.log('OK'); })"
Common Sources of Legacy Certificates
- Internal PKI systems — older corporate CAs often use 1024-bit RSA
- IoT device certificates — frequently use weak keys to save CPU on constrained hardware
- Legacy vendor APIs — third-party services that haven't updated their TLS infrastructure
- Development certificates — quick self-signed certs generated years ago
Emergency Override (Not Recommended for Production)
If you need to temporarily work around OpenSSL security level 2 while you fix certificate issues:
// Bypass security level check — only for emergency debugging
const https = require('https');
const agent = new https.Agent({
secureOptions: require('crypto').constants.SSL_OP_LEGACY_SERVER_CONNECT,
ciphers: 'DEFAULT@SECLEVEL=1'
});
The right fix is to reissue certificates with 2048-bit+ keys. The bypass is a temporary diagnostic tool.
Post-Quantum Cryptography
On the positive side, OpenSSL 3.5 adds support for NIST-standardized post-quantum algorithms including ML-KEM (CRYSTALS-Kyber) and ML-DSA (CRYSTALS-Dilithium). While you don't need to use these today, Node.js 24 is the first LTS release where you can — which matters for applications in regulated industries with long security horizons.
Removed APIs: The Migration Checklist
util.is*() Methods — Removed
These were deprecated since Node.js 4 and are finally gone:
// Removed in Node.js 24
util.isArray(val) // → Array.isArray(val)
util.isBoolean(val) // → typeof val === 'boolean'
util.isBuffer(val) // → Buffer.isBuffer(val)
util.isDate(val) // → val instanceof Date
util.isError(val) // → val instanceof Error
util.isFunction(val) // → typeof val === 'function'
util.isNull(val) // → val === null
util.isNullOrUndefined(val) // → val == null
util.isNumber(val) // → typeof val === 'number'
util.isObject(val) // → typeof val === 'object' && val !== null
util.isRegExp(val) // → val instanceof RegExp
util.isString(val) // → typeof val === 'string'
util.isSymbol(val) // → typeof val === 'symbol'
util.isUndefined(val) // → val === undefined
Run this to find uses in your codebase:
grep -r "util\.is" src/ --include="*.js" --include="*.ts" | grep -v "util.inspect\|util.isDeepEqual\|util.isNativeError"
fs.truncate(fd, ...) with File Descriptors — Removed
// Removed
fs.truncate(fd, len, callback);
// Use instead
fs.ftruncate(fd, len, callback);
fs.ftruncateSync(fd, len);
tls.createSecurePair() — Removed
This was deprecated since Node.js 0.11. Migrate to tls.TLSSocket:
// Removed
const pair = tls.createSecurePair(context, isServer);
// Replace with
const tlsSocket = new tls.TLSSocket(socket, { secureContext: context, isServer });
Behavioral Changes That Won't Throw Errors (But Will Bite You)
Stricter fetch() Compliance
// Node.js 22: AbortSignal timeout loosely validated
const response = await fetch(url, { signal: AbortSignal.timeout(5000) });
// Node.js 24: Strict validation — non-AbortSignal objects throw TypeError
// If you're passing fake signal objects, this will break
stream.pipeline() Errors Now Throw
Previously, errors in stream.pipeline() could be silently swallowed in some async patterns. Node.js 24 makes these throw consistently. If you have silent pipeline failures you've never noticed, they'll surface now.
Buffer Encoding Behavior
// Edge case: Buffer.from(string, encoding) with unsupported encodings
// Now throws TypeError instead of falling back to 'utf8'
// Check any dynamic encoding logic
How to Upgrade Safely
Step 1: Audit Your Dependencies
# Check which deps require Node >= 24 or still need older Node
npx check-node-version --node 24
# Check for packages flagging Node 24 incompatibility
npm audit
npm outdated
Step 2: Use .nvmrc or .node-version
echo "24" > .nvmrc
# or for fnm/volta
echo "24" > .node-version
Step 3: Test Against Node 24 in CI First
# .github/workflows/test.yml — add Node 24 to matrix
strategy:
matrix:
node: [22, 24]
Step 4: Check Your TLS Connections
# Run against your API endpoints and third-party services
node -e "
const https = require('https');
https.get('https://api.your-service.com', (res) => {
console.log('OK:', res.statusCode);
}).on('error', (e) => console.error('FAILED:', e.message));
"
Step 5: Update Your C++ Addons (If Any)
If you maintain native addons or depend on packages that do, check:
- V8 13.6 API compatibility for your NAN/NAPI bindings
- C++20 requirements if you were using C++17-specific features
Should You Upgrade Now?
| Scenario | Recommendation |
|---|---|
| New project starting in 2026 | Use Node.js 24 from day one |
| On Node.js 20 | Upgrade urgently — EOL is April 2026 |
| On Node.js 22, stable product | Upgrade in H2 2026; Node 22 is safe until April 2027 |
| On Node.js 22, security-sensitive | Test and upgrade soon — OpenSSL 3.5's post-quantum features matter |
| Heavy use of native addons | Test carefully; V8 13.6 and C++20 changes may require addon updates |
| Legacy TLS infrastructure | Audit certificates before upgrading — OpenSSL 3.5 will reject weak keys |
What's Next: Node.js 26
Node.js 26 is expected in April 2026, following the same even/odd cadence. It will become LTS in October 2026. If you're upgrading now, Node.js 24 is the correct LTS target — don't wait for 26.
Performance Improvements in V8 13.6 for Real Applications
Beyond the new APIs, V8 13.6 in Node.js 24 includes optimizer improvements that benefit real-world JavaScript patterns. The Maglev compiler (V8's mid-tier JIT, introduced in V8 12.4) has been significantly improved in 13.6, with better inlining of common object operations and improved escape analysis that eliminates unnecessary heap allocations for short-lived objects. Applications that create many short-lived objects in tight loops — JSON parsing, data transformation pipelines, and request handlers that build response objects — should see modest but consistent throughput improvements without any code changes.
The TurboFan optimizer's handling of TypedArrays and SharedArrayBuffer has also improved. Applications that use TypedArrays for binary protocol parsing, image processing, or WebAssembly interop will see reduced optimization overhead. The specific gains depend heavily on workload: microbenchmarks show 5-15% improvements in TypedArray operations, while real-world backend workloads typically see 2-5% throughput improvements due to the mix of V8-optimizable and I/O-bound work. The iterator helpers shipped in V8 13.6 are also implemented using optimized native code paths rather than polyfill-style JavaScript, so array.values().filter().map().toArray() is faster than the equivalent manual for-loop in modern V8.
Native TypeScript Support in Node.js 24
Node.js 24 continues the progression of built-in TypeScript support that began in Node 22.6 with the experimental --experimental-strip-types flag and stabilized in Node 23.6. In Node.js 24, running TypeScript files with node file.ts requires no flag — type stripping is on by default for .ts files. This eliminates tsx, ts-node, and the compile-then-run workflow for scripts, CLI tools, and serverless functions that don't use TypeScript features requiring code generation (enums, decorators, namespaces).
The practical impact for teams upgrading from Node 22 is that many small TypeScript utilities that previously required a tsconfig.json and a build step can now run directly. A database migration script, a one-off data processing job, or a CI helper script written in TypeScript can be invoked as node migrate.ts without any tooling setup. The --experimental-transform-types flag (needed for enum and decorator support) is also available in Node 24, but the most common migration scenario — plain TypeScript with type annotations but no TypeScript-specific runtime features — works without any flags.
The --watch flag integration with TypeScript is also improved in Node 24: node --watch file.ts re-runs the script on file changes, replacing the need for nodemon or tsx --watch in development workflows. Node.js's watch mode uses the native file system events API, which is faster than polling-based watchers and handles the TypeScript stripping transparently. For serverless environments where cold start time matters, native TypeScript support eliminates the startup cost of transpilation middleware — the file is stripped and executed in a single pass without the initialization overhead of ts-node or @swc/register.
Methodology
- Sources: Node.js official release blog, nodejs.org release schedule, NodeSource LTS guide, OpenJSF announcement, Red Hat Node.js 24 release notes, endoflife.date
- Tested: OpenSSL 3.5 breaking change verification via Node.js 24.5.0+ changelogs
- Date: March 2026
Running Node.js 22 and 24 side-by-side? See our Node.js 22 vs Node.js 24 Upgrade Guide for a full feature comparison. Also in the runtime series: Bun 2 vs Node.js 24 vs Deno 3.
Managing multiple Node.js versions? fnm vs nvm vs Volta: Node.js Version Managers 2026