Node.js 24.18.0 'Krypton' Lands as LTS Update
Node.js 24.18.0 shipped Tuesday as the latest Long Term Support release. The update brings a focused set of performance adjustments to the HTTP and Buffer modules, alongside a meaningful expansion to the Web Cryptography API. If you're running Node.js 24 in production, you'll want to check the crypto hardening patches first.
The Node.js team drops these LTS minor updates on a predictable schedule, usually packing them with maintenance fixes and slow-moving RFCs. This release leans heavily into cryptographic standards and HTTP stream management. Released on June 23, 2026, it bumps the bundled npm to 11.16.0 and patches SQLite to 3.53.1. You can pull the binaries or tarballs directly from the official downloads page, or just run npm i -g node@24.18.0 if you're feeling impatient.
Crypto and Web Standards
Crypto gets the heavy lifting here. The release adds TurboSHAKE and KangarooTwelve algorithms to the Web Cryptography spec support. That sounds niche until you're actually building zero-knowledge proof systems or working with next-gen key exchange protocols. The team also overhauled crypto.diffieHellman() to accept raw key data directly, skipping the intermediate formatting steps that used to trip up developers.
Keep in mind that the hardening work is doing exactly what it should. The commit log shows prototype pollution vectors being closed, argument checks being strengthened, and ML-DSA and ML-KEM being wired up for BoringSSL builds. Those security patches don't come with fanfare, but they keep the underlying runtime from getting pummeled by malformed inputs. Filip Skokan's changes to CryptoKey internal slots and algorithm guards are particularly relevant if your codebase handles untrusted JWK imports.
HTTP, Buffer, and Runtime Tweaks
If you're juggling high-throughput connections, the HTTP module gets a quiet but meaningful fix. The agent now avoids attaching stream listeners to idle sockets. That trims memory overhead and reduces stray event bindings that tend to linger in long-running processes. Buffer developers will notice the default poolSize jumping to 64 KiB. That's a 50 percent bump over the old 32 KiB baseline, and it should cut down on allocation churn for workloads that deal with heavy binary data.
The inspector module also exposes precise coverage start times to the JS runtime. It matters if you're tracking execution hotspots without burning through CPU cycles. Not exactly groundbreaking, but it fills a gap that's been open since the early profiling tools. The stream team also reverted a noop pause/resume optimization that caused more edge-case bugs than it fixed. Walking back earlier optimizations is rarely fun, but it's the only way to keep the event loop predictable.
I remember when Node.js 24 was first announced back in 2024. The original roadmap focused heavily on stabilizing experimental crypto bindings and tightening up the stream internals. Three years later, those experimental flags are finally getting baked in as stable features. The long wait for proper ML-KEM support is over, even if it only triggers when you're explicitly using BoringSSL rather than OpenSSL.
The release drops across all supported platforms and architectures right now. If you're running a Node.js 24 workload, upgrading is straightforward. Just update your package manager, run the automated tests, and keep an eye on your crypto initialization routines. You can find the full changelog, commit hashes, and binary builds at the official Node.js GitHub repository. Head here to start the upgrade.
Node.js — Node.js 24.18.0 (LTS)
Node.js
is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
