[Node.js] Security release delayed again to January 13 - Three High-severity vulnerabilities to be fixed
The Node.js security release that had been scheduled for Monday, December 15, 2025 was delayed yet again to Tuesday, January 13, 2026.
Delay Timeline
- Original plan: Monday, December 15, 2025
- First delay: Thursday, December 18, 2025 - work on “particularly difficult patches” was taking longer than expected
- Second delay: Wednesday, January 7, 2026 - to avoid holiday-season disruption and give the team enough preparation time
- Third delay: Thursday, January 8, 2026 - issues in Node.js test CI
- Fourth delay: Tuesday, January 13, 2026 - for backport testing and rerunning CITGM; the Tuesday release also gives users in the Asia-Pacific region time to respond during business hours
Impact
| Release line | High | Medium | Low |
|---|---|---|---|
| 25.x | 3 | - | 1 |
| 24.x | 3 | 1 | 1 |
| 22.x | 3 | 1 | 1 |
| 20.x | 3 | 1 | 1 |
Every release line includes three High-severity vulnerabilities.
End-of-Life versions are affected as well, so moving to a supported release is recommended.
Current Supported Versions
| Type | Version |
|---|---|
| Latest LTS | v24.12.0 |
| Latest release | v25.2.1 |
Recommended Actions
- Wait for the January 13, 2026 release and then update
- Subscribe to the nodejs-sec mailing list for updates
- If you are using an unsupported version, migrate to a supported one
Thoughts
If the patch is taking that long, maybe it should be released only once it is actually ready. That said, announcing the delay in advance does help enterprise IT teams schedule their update work.
Delaying to avoid the holiday season seems reasonable. Being forced to handle security updates over New Year is rough for operators.
I am curious what the three High-severity issues actually are. I will wait for the January 7 release.
2026-01-09 update: It was delayed twice more and pushed to January 13. The “particularly difficult patch” has been dragging on for almost a month. The CI problems seem to have continued, so they are clearly having trouble with backport testing. It is still better than rushing out a broken patch, but waiting with three HIGH-severity issues hanging over the release feels unpleasant.
2026-01-14 update: It was finally released. See Node.js January 2026 Security Release for details.