
Node.js 25.8.1 finally resolves the annoying “extensionless CommonJS in type: module” issue by forcing Node to treat such files as CommonJS rather than silently misinterpreting them as ES modules—a fix that has saved projects from mysterious syntax errors when adding new utilities without a .js suffix. The crypto API now scopes --use-system-ca per‑environment, eliminating cross‑process leakage, and restores missing AES dictionaries so encryption behaves exactly as the spec describes. Additionally, an unsafe use‑after‑free in HTTP parsing is patched, V8 dependencies are trimmed for non‑bundled builds, and async context helpers are exposed to JavaScript for clearer debugging. A quick upgrade through your version manager or package manager, confirmed with node --version, ensures your code runs smoother without any code changes—just drop the new binary into production and keep calm.



Node.js 25.8.1 Released: Fixes for Extensionless CommonJS in ESM Projects

The newest LTS update slaps a handful of bugs that have been bothering developers who mix type: "module" projects with legacy CommonJS files. It also tightens the crypto API and patches a use‑after‑free flaw that could crash Node during HTTP parsing.

Why the extensionless CJS fix matters
When a project declares `"type": "module"`, Node treats every file without an explicit `.js` or `.cjs` suffix as an ES module. If you accidentally leave out the extension on a CommonJS module, older releases would silently treat it as ESM and throw a syntax error at runtime. The fix in 25.8.1 guarantees that such files still end up being loaded as CommonJS, so a project that previously ran into “unexpected token” errors after adding a new file without the `.js` suffix will now boot cleanly again.

A developer I know had to push back a release because the CI pipeline kept failing with a mysterious SyntaxError: Unexpected identifier. The culprit turned out to be an accidental omission of the .js extension on a utility module. After upgrading to 25.8.1, the same code ran without hiccups.
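
A pre-upgrade check for the situation described above, as an added example (not code from the Node.js project): it lists extensionless files that sit inside a `"type": "module"` package scope and guesses from their source whether they are written as CommonJS or ESM. The function names, the regex heuristic and the sample project built in a temp directory are assumptions made for illustration.

```javascript
// Added example, not Node.js project code; names and heuristic are assumptions.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// The nearest package.json at or above `dir` decides the module type.
function packageType(dir) {
  for (let d = dir; ; d = path.dirname(d)) {
    const pj = path.join(d, 'package.json');
    if (fs.existsSync(pj)) return JSON.parse(fs.readFileSync(pj, 'utf8')).type || 'commonjs';
    if (d === path.dirname(d)) return 'commonjs'; // reached root, no package.json
  }
}
// Heuristic only: looks for CommonJS or ESM markers in the source text.
function guessSyntax(src) {
  const cjs = /\brequire\s*\(|\bmodule\.exports\b|\bexports\.\w+\s*=/.test(src);
  const esm = /^\s*(import|export)\s/m.test(src);
  // No marker at all, or both kinds present, is reported as 'unknown'.
  return cjs === esm ? 'unknown' : cjs ? 'commonjs' : 'esm';
}
// List extensionless, non-dot files that sit in a "type": "module" scope.
function findExtensionless(root) {
  const hits = [];
  const walk = (dir) => {
    for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, e.name);
      if (e.isDirectory() && e.name !== 'node_modules' && e.name !== '.git') walk(full);
      if (!e.isFile() || e.name.startsWith('.') || path.extname(e.name)) continue;
      if (packageType(dir) !== 'module') continue;
      hits.push({ file: path.relative(root, full), syntax: guessSyntax(fs.readFileSync(full, 'utf8')) });
    }
  };
  walk(root);
  return hits.sort((a, b) => a.file.localeCompare(b.file));
}
// Constructed sample project in a temp directory, so the check runs offline.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'extless-'));
  for (const d of ['bin', 'legacy']) fs.mkdirSync(path.join(root, d));
  const write = (rel, body) => fs.writeFileSync(path.join(root, rel), body);
  write('package.json', '{"type":"module"}');
  write('bin/cli', '#!/usr/bin/env node\nconst os = require("node:os");\nmodule.exports = {};\n');
  write('bin/serve', 'import http from "node:http";\nexport default http;\n');
  write('legacy/package.json', '{"type":"commonjs"}'); // nested scope overrides the root
  write('legacy/tool', 'module.exports = 1;\n');
  const hits = findExtensionless(root);
  fs.rmSync(root, { recursive: true, force: true });
  return hits;
}
console.log(demo());
```

Entries reported as `commonjs` are the extensionless CommonJS files this section is about; `unknown` entries (a LICENSE or Makefile, for instance) carry no module markers and can be ignored.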

Crypto API gets a tidy update
Two changes touch the crypto side of things:

  • --use-system-ca is now per‑environment instead of per‑process. That means if you run multiple Node processes in the same container and set that flag once, only the intended process inherits it. Previously, the flag could bleed over to unrelated services.
  • AES dictionaries that were accidentally omitted in a prior patch are now back on the list, ensuring encryption functions behave as documented.

If your project relies on low‑level crypto primitives or you’ve had to manually tweak the CA bundle, bumping to 25.8.1 removes a source of subtle bugs.

Stability bumps that keep Node running smoothly
  • A use‑after‑free bug in `llhttp_execute` has been squashed, preventing random crashes when parsing large or malformed HTTP requests.
  • The V8 build no longer pulls in unnecessary dependencies on non‑bundled builds, reducing binary size and potential attack surface.
  • Several internal async context helpers are now exposed to JavaScript, making stack traces clearer during debugging.

While none of these changes require code modifications, they collectively raise the reliability floor for production workloads. If you’re running a service that handles heavy traffic or processes user‑supplied input, upgrading is a no‑brainer.

How to upgrade
Node’s standard update mechanism works as usual:

# if you use nvm:
nvm install 25.8.1
node --version   # should show v25.8.1

If you’re on a system that locks package versions (e.g., npm or Yarn with lockfiles), just bump the dependency and run npm ci or yarn install. No other migration steps are needed.

Node.js — Node.js 25.8.1 (Current)

Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
