Node.js 20.19.5 (LTS) has been released with a wide range of updates and fixes. The release includes contributions from numerous collaborators and addresses various issues across different components, such as build, crypto, debugger, dependencies, documentation, HTTP, HTTP2, lib, module, DNS, OS, permission, readline, REPL, source, test, tools, util, V8, VM, Windows, and zlib. Notable changes include the addition of new team members, updates to several dependencies, and fixes for issues such as memory leaks, incorrect argument orders, and FIPS init error handling. 

Node.js 20.19.5 (LTS) released

Node.js v20.19.5 (LTS), also known as "Iron," was released on September 3, 2025. This release includes a wide range of updates, fixes, and contributions from numerous collaborators.

Notable Changes

• Several new contributors were added to the Node.js team: Jonas Badalic, Giovanni Bucci, Filip Skokan, Edy Silva, Marco Ippolito, and many others.
• A few existing team members moved to emeritus status: ovflowd, RedYetiDev, and RaisinTen.

Commits and Changes

Build (build)

• Fixed issues with uvwasi package name, pointer compression builds, and 64-bit architecture compatibility.
• Improved search for libnode.so in multiple locations.

Crypto (crypto)

• Corrected a breaking change introduced by OpenSSL 3.4 regarding SHAKE128/256.

Debugger (debugger)

• Fixed the behavior of plain object execution in debugger repl.

Dependencies (deps)

• Updated several dependencies, including:
  • zlib to 1.3.1-470d3a2
  • zlib to 1.3.0.1-motley-780819f
  • zlib to 1.3.0.1-motley-788cb3c
  • OpenSSL to quictls/openssl-3.0.16
  • cjs-module-lexer to 2.1.0 and 2.0.0
  • corepack to 0.33.0
  • acorn to 8.15.0 and 8.14.1
  • minimatch to 10.0.3
  • llhttp to 9.3.0

Documentation (doc)

• Added review guidelines for collaborator nominations.
• Explicitly mentioned arbitrary code execution as a vulnerability.
• Added information on how the project manages social media and pings Node.js TSC for security pull requests.
• Clarified path.isAbsolute is not path traversal mitigation.
• Fixed rendering of DEP0174 description.
• Added missing assert return types.

HTTP (http)

• Coerced content-length to number.

HTTP2 (http2)

• Fixed check for frame->hd.type.

Lib (lib)

• Optimized prepareStackTrace on builtin frames.
• Suppressed source map lookup exceptions.
• Corrected incorrect argument order in assertEncoding.

Meta

• Added Ilyas Shabi to collaborators.
• Bumped several GitHub Actions and dependencies:
  • codecov/codecov-action to 5.4.3
  • oscf/scorecard-action to 2.4.2
  • rtCamp/action-slack-notify to 2.3.3
  • actions/download-artifact to 4.3.0
  • actions/setup-node to 4.4.0
  • actions/cache to 4.2.3
  • step-security/harden-runner to 2.12.2

Module (module)

• Throws error when re-running errored module jobs.
• Allows cycles in require() in the CJS handling in ESM loader.
• Clarifies cjs global-like error on ModuleJobSync.

DNS (dns)

• Removed redundant code using common variable.
• Fixed parse memory leak.
• Fixed DNS query cache implementation.

OS (os)

• Fixed GetInterfaceAddresses memory leak.

Permission

• Ignored internalModuleStat on module loading.

Readline (readline)

• Fixed unresolved promise on abortion.

REPL (repl)

• Avoided deprecated require.extensions in tab completion.
• Fixed tab completion not working with computed string properties.

Source (src)

• Did not format single string argument for THROW_ERR_*.
• Fixed error handling in various places.
• Fixed module buffer allocation.
• Fixed build when using shared simdutf.
• Fixed possible dereference of null pointer.
• Fixed FIPS init error handling.
• Fixed -Wunreachable-code in src/node_api.cc.

Test (test)

• Skipped test-http-imports on macOS.
• Fixed internet/test-dns.

Tools

• Updated coverage GitHub Actions to fixed version.
• Disabled failing coverage jobs.

Util (util)

• Fixed formatting of objects with built-in Symbol.toPrimitive.
• Fixed parseEnv incorrectly splitting multiple ‘=‘ in value.

V8 (v8)

• Fixed missing callback in heap utils destroy.

VM (vm)

• Ensured import call returns a promise in the current context.

Windows (win) / Build

• Fixed MSVS v17.14 compilation issue.

Zlib (zlib)

• Removed mentions of unexposed Z_TREES constant.
• Fixed pointer alignment.

Node.js v20.19.5 (LTS)

Node.js is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.

Node.js