Developer Enablement Briefing — April 24, 2024

Executive summary. Node.js 22 marks the 34th major release of the popular JavaScript runtime. As a `Current` release it is supported for six months and is not yet a long‑term support (LTS) version, but it lays the groundwork for features that will appear in future LTS releases. The update ships with the V8 12.4 engine, enabling new ECMAScript language features and WebAssembly Garbage Collection support, and enables the Maglev just‑in‑time (JIT) compiler by default for faster startup and improved throughput. It also stabilises core APIs such as the global `fetch()` implementation, WebSocket client, watch mode for automatic test reruns, and the permissions model for restricting file system and network access. New tooling features include the ability to synchronously `require()` ES modules, a `--run` flag to execute package.json scripts without npm, and pattern matching via `fs.glob()` and `fs.globSync()`. This briefing summarises these enhancements, describes new APIs in Node.js 22 and outlines migration considerations for organisations.

Release cycle and support policy

The Node.js project publishes even‑numbered releases every April and odd‑numbered releases every October. Releases designated `Current` receive active support for six months before either becoming LTS or reaching end‑of‑life. Node.js 22 debuted on 24 April 2024 and will receive bug and security fixes through October 2024, at which point the community will vote on whether to promote it to LTS. Organisations running Node.js should track this cadence to align their platform upgrades with the LTS schedule. Staying on a maintained version is critical because each release receives non‑backward‑compatible changes and security updates that are only delivered during the supported window. Node.js 20 remains the active LTS version until the outcome of the 22.x LTS vote is decided.

V8 12.4 and performance improvements

Node.js 22 ships with V8 12.4, bringing a raft of ECMAScript enhancements. The release adds support for `Array.fromAsync()` for asynchronously constructing arrays from iterables, new `Set` methods (such as `Set.prototype.with()` and `Set.prototype.intersection()`), and a RegExp `v` flag to allow syntax extensions【30357128638039†L40-L123】. V8 12.4 also provides WebAssembly Garbage Collection support, enabling languages that target Wasm GC to run more efficiently. On the performance side, the Maglev JIT compiler is now enabled by default. Maglev is a mid‑tier compiler designed to improve startup times and throughput by optimising hot functions sooner than the existing Turbofan backend. Benchmarks show improved response times for real‑world web applications. Node.js 22 also reduces the default high water mark for streams to 64 KiB, lowering memory usage for file and network I/O. These enhancements combine to deliver smoother user experiences, particularly for API servers and CLI tools. Developers should test workloads under Node.js 22 to evaluate Maglev’s impact and ensure their code remains compatible with new ES features. Code relying on legacy V8 behaviour may require adjustment.

Permissions model and security

After several experimental iterations, Node.js 22 stabilises the permissions model that allows administrators to restrict access to file system paths, network hosts and operating system APIs at runtime. This feature, initially introduced in Node.js 20, can be enabled with `--experimental-permission` flags and configured via `--allow-fs`, `--allow-net` and related options. Stabilising the model signals that the API surface is unlikely to change, encouraging organisations to begin adopting fine‑grained permissions to harden microservices and CLI tools. Node.js 22 also enables the global `fetch()` implementation by default, aligning Node with web standards. TLS defaults have been tightened to prefer modern cipher suites, and native `AbortController` and `AbortSignal` implementations now work consistently across core modules. Together these changes reduce the attack surface and improve security posture. Developers should assess how the permission model interacts with existing code and supply‑chain dependencies. For example, scripts that spawn child processes or access remote URLs may need explicit allowances. Platform teams should integrate permission flags into container entrypoints and CI pipelines to enforce least privilege principles.

Language features and ES modules

Node.js 22 continues the project’s gradual shift toward ECMAScript modules (ESM). The release introduces experimental support for synchronously requiring ESM graphs using `require()` behind the `--experimental-require-module` flag【30357128638039†L40-L123】. This capability simplifies codebases that mix CommonJS and ESM by allowing legacy files to consume ESM without asynchronous `import()` calls. Developers should note that this feature still has caveats: the entire ESM graph must be synchronous, no top‑level await expressions are allowed, and the feature may change in future revisions. A new CLI flag, `--run`, executes scripts defined in a project’s package.json without invoking npm or yarn【30357128638039†L40-L123】. For example, `node --run build` runs the `build` script. This reduces dependency on package managers and speeds up tasks like test runs and builds. In addition, Node.js 22 standardises `import.meta.resolve()`, which enables modules to resolve specifiers relative to the current module, and adds support for pattern imports, bringing parity with modern ESM semantics. Together these changes make it easier to adopt ES modules incrementally while maintaining developer ergonomics.

Standard library enhancements

Several additions to core modules expand Node.js’s capabilities. The `node:fs` module now offers `fs.glob()` and `fs.globSync()` functions for file pattern matching using the same semantics as popular glob libraries【30357128638039†L40-L123】. These functions enable one‑line directory searches without external dependencies. File copy and move operations via `fs.cp` and `fs.mv` have been promoted to stable API status after proving reliable in earlier releases. The global WebSocket client API, previously behind a flag, is now enabled by default, allowing developers to open WebSocket connections using `new WebSocket()` without importing external packages【476401667362227†L130-L294】. The `stream` module increases the default high water mark for transform streams to 64 KiB, improving throughput for large payloads. Node.js 22’s standard library also features a stable `Blob` and `File` implementation for handling binary data and file metadata, and improved URL and encoding utilities. The `Intl` APIs have been updated to include features such as relative time formatting and list formatting, making localization tasks more straightforward. Many of these APIs originated in browser environments; their standardisation in Node encourages code reuse across client and server.

Testing and developer tooling

The built‑in test runner introduced in Node.js 20 continues to mature. In version 22, watch mode is now stable, allowing developers to rerun tests automatically on file changes without experimental warnings【476401667362227†L130-L294】. Coverage reporting is improved with built‑in support for collecting coverage data from the test runner. The `node:test` module now supports custom reporters, parallel test execution and more granular control over concurrency. These capabilities reduce reliance on external frameworks and simplify continuous integration configurations. Other developer tools include a new inspector subcommand that supports remote debugging of running processes, improved integration with diagnostic channels for capturing application telemetry, and enhanced warnings when experimental APIs are used. A new `node --watch` flag complements the test runner by reloading a Node process when source files change, expediting local development cycles.

Migration considerations

Because Node.js 22 is a `Current` release, organisations should evaluate whether to deploy it in production or wait for LTS status. Teams that track even‑numbered LTS releases can experiment with version 22 in development and staging environments to prepare for adoption should it become the next LTS. Key considerations include reviewing dependency compatibility: certain native modules may require recompilation against V8 12.4; popular frameworks like Express and Next.js typically support new Node versions quickly, but internal code may contain deprecated APIs or rely on removed features. When using the new permissions model, engineers must specify allowances for file system and network access; failing to do so will cause runtime errors. Similarly, loading ESM via `require()` is still experimental and may change, so production usage should be gated behind feature flags. For containerised applications, update base images (e.g., official Node Docker images) to Node.js 22 and test startup scripts and health checks. Some distributions also provide Musl‑based builds or universal binaries for MacOS/Apple Silicon. Document migration plans and ensure that automated provisioning, continuous integration and deployment pipelines specify the correct Node.js version.

Implications for organisations

From an organisational perspective, Node.js 22 demonstrates the project’s commitment to security and developer experience. The stabilisation of the permissions model enables platforms to adopt least‑privilege principles at runtime, aligning with frameworks like NIST SP 800‑53 and SOC 2 CC7.2. The built‑in test runner and watch mode encourage test‑driven development and faster feedback loops. Standard library additions reduce dependency sprawl, simplifying supply‑chain management and auditing. However, the rapid release cadence means governance teams must regularly assess runtime versions, update vulnerability management tools to scan new core APIs, and coordinate upgrades across microservices to avoid version skew. Enterprises running regulated workloads should wait for the LTS vote and ensure vendor support before adopting Node.js 22 in production. Platform engineers should evaluate Maglev’s performance benefits on their workloads, particularly for serverless functions and high‑throughput APIs. If Maglev consistently improves latency without regressions, teams can anticipate more predictable scaling behaviour when 22.x becomes LTS. Likewise, adopting `fs.glob()` and WebSocket global APIs can simplify code and reduce transitive dependencies.

Zeph Tech analysis and recommendations

Zeph Tech sees Node.js 22 as a strategic release that bridges today’s production needs with tomorrow’s language innovations. The combination of V8 12.4, the Maglev JIT, and improved core APIs sets the stage for significant performance gains and modern developer ergonomics. Organisations should pilot Node.js 22 in controlled environments to assess the benefits of Maglev, the permissions model and synchronous ESM loading. Meanwhile, they should continue to prioritise LTS releases for production workloads until the 22.x LTS vote is finalised. When the time comes to upgrade, treat Node.js version changes as part of a holistic supply‑chain risk management plan: update dependencies, integrate runtime permission flags, enforce test coverage through the built‑in runner, and monitor performance closely after deployment. Zeph Tech will publish follow‑up guidance if Node.js 22 is promoted to LTS or if subsequent releases introduce breaking changes that affect enterprise adoption.

Zeph Tech produces developer enablement briefings to help engineering teams evaluate runtime releases, adopt emerging language features and align platform strategy with industry best practices.

Related briefings

Curated signals from the same pillar or overlapping topics.

Developer · Credibility 40/100 · April 19, 2022

Developer Briefing — April 19, 2022

Node.js 18 debuted on April 19 2022 as the project’s ‘Current’ release line. In addition to an update to V8 10.1 and planned promotion to long‑term support (LTS) status in October 2022 with the codename Hydrogen…

Developer · Credibility 80/100 · April 30, 2025

Developer Enablement Briefing — April 30, 2025

Node.js 18 exits support on 30 April 2025, forcing platform teams to move CI/CD runners, serverless runtimes, and self-hosted services to Node 20+ before security patches stop.

Developer · Credibility 40/100 · July 8, 2025

Developer Briefing — July 8, 2025

Enterprises must complete Node.js 18 end-of-life remediation by July 2025 with board-approved upgrade governance, evidence-backed asset inventories, and reporting on residual technical debt and third-party exposure.

Developer · Credibility 40/100 · July 7, 2022

Runtime Briefing — Node.js 18.7 Adds Built-in Test Runner

Node.js 18.7.0, released 7 July 2022, introduced an experimental built-in test runner and fetch API stabilization, prompting teams to revisit unit-test tooling, CI performance, and HTTP client migration plans.

Developer · Credibility 90/100 · April 23, 2024

Developer Briefing — April 23, 2024

Microsoft made GitHub Advanced Security for Azure DevOps generally available, bundling code scanning, secret scanning, and dependency checks directly into ADO pipelines.

Continue in the Developer pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Secure Software Supply Chain Tooling Guide — Zeph Tech

  Engineer developer platforms that deliver verifiable provenance, SBOM distribution, vendor assurance, and runtime integrity aligned with SLSA v1.0, NIST SP 800-204D, and CISA SBOM…

• AI-Assisted Development Governance Guide — Zeph Tech

  Govern GitHub Copilot, Azure AI, and internal generative assistants with controls aligned to NIST AI RMF 1.0, EU AI Act enforcement timelines, OMB M-24-10, and enterprise privacy…

• Developer Enablement & Platform Operations Guide — Zeph Tech

  Plan AI-assisted development, secure SDLC controls, and runtime upgrades using Zeph Tech research on GitHub Copilot, GitHub Advanced Security, and major language lifecycles.