Node.js 22 Gets Security Patches
Red Hat and Alibaba Cloud have issued security advisories for Node.js 22, addressing multiple vulnerabilities including a memory leak (CVE-2025-23165) that could lead to denial-of-service attacks. Users on affected Linux distributions are urged to update immediately. The updates come as organizations are also being advised to begin planning their migration from Node.js 20, which reaches its end-of-life on April 30, 2026.
- The memory leak vulnerability (CVE-2025-23165) is rated as "low" severity and specifically affects Windows systems. It occurs in an internal function called `ReadFileUtf8` when a pointer is corrupted, causing a small amount of memory to be unrecoverable with each call.
- The same security update in May 2025 also patched a high-severity vulnerability, CVE-2025-23166. This flaw could allow a remote attacker to crash the Node.js process through improper error handling in asynchronous cryptographic operations.
- Node.js operates on a Long-Term Support (LTS) model in which even-numbered versions (such as 20 and 22) receive extended support. After an initial "Current" phase, they enter "Active LTS" for 12 months, receiving bug fixes and features, followed by 18 months of "Maintenance" for critical security updates only.
- Node.js 22, released in April 2024, entered its "Active LTS" phase in October 2024. It will be actively supported until October 2025 and then move into a maintenance phase until April 2027.
- The OpenJS Foundation governs the Node.js project, providing a framework for managing security and releases. It collaborates with organizations such as the OpenSSF and receives funding to enhance the security of the JavaScript ecosystem.
- The recommended upgrade path from Node.js 20 is to Node.js 24, which is scheduled to become the next LTS release in October 2025.
- Key features in Node.js 24 include an updated V8 JavaScript engine for better performance, a stable Permissions API for enhanced security, native WebSocket support without external libraries, and the ability to compile applications into single executable files.
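The following is an added example, not code from the article or from the Node.js project, showing how a team can turn the LTS lifecycle described above (12 months of Active LTS, then 18 months of Maintenance, then end-of-life) into a runtime hygiene check. It takes the Node.js 22 Active LTS start (October 2024) and the Node.js 20 end-of-life date (April 30, 2026) from the article; using the first of the month as the boundary day for Node.js 22 is an assumption made for the date arithmetic, and the function and field names are this example's own.

```javascript
// Added example: model the Node.js LTS lifecycle from the article and classify a
// running version against it. Schedule values come from the article; the exact
// boundary day (1st of the month) for Node.js 22 is an assumption.

const MONTHS_ACTIVE_LTS = 12;   // "Active LTS" length per the article
const MONTHS_MAINTENANCE = 18;  // "Maintenance" length per the article
const MS_PER_DAY = 86400000;

// UTC month arithmetic; JavaScript normalizes month overflow (month 13 -> next year).
function addMonths(date, months) {
  return new Date(Date.UTC(date.getUTCFullYear(),
                           date.getUTCMonth() + months,
                           date.getUTCDate()));
}

// Derive the phase boundaries of a release line from its Active LTS start date.
function lifecycle(activeLtsStart) {
  const maintenanceStart = addMonths(activeLtsStart, MONTHS_ACTIVE_LTS);
  const endOfLife = addMonths(maintenanceStart, MONTHS_MAINTENANCE);
  return { activeLtsStart, maintenanceStart, endOfLife };
}

// Schedule table constructed from the dates the article gives.
const SCHEDULE = {
  // Node.js 22: Active LTS from October 2024 (day-of-month assumed).
  22: lifecycle(new Date(Date.UTC(2024, 9, 1))),
  // Node.js 20: the article only states its end-of-life date, April 30, 2026.
  20: { endOfLife: new Date(Date.UTC(2026, 3, 30)) },
};

// Classify a release line on a given date. Lines with only an EOL date in the
// table are reported as "supported" until that date.
function phaseOn(major, date) {
  const s = SCHEDULE[major];
  if (!s) return 'unknown';
  if (date >= s.endOfLife) return 'end-of-life';
  if (s.maintenanceStart && date >= s.maintenanceStart) return 'maintenance';
  if (s.activeLtsStart && date >= s.activeLtsStart) return 'active-lts';
  return s.activeLtsStart ? 'current' : 'supported';
}

// Whole days remaining before end-of-life (negative once it has passed).
function daysUntilEol(major, date) {
  const s = SCHEDULE[major];
  if (!s) return null;
  return Math.ceil((s.endOfLife.getTime() - date.getTime()) / MS_PER_DAY);
}

// Summarize the running (or a supplied) Node.js version so a fleet inventory
// can flag lines that are in maintenance or already past end-of-life.
function checkRuntime(version = process.version, now = new Date()) {
  const major = Number(version.replace(/^v/, '').split('.')[0]);
  const phase = phaseOn(major, now);
  const days = daysUntilEol(major, now);
  return {
    version,
    major,
    phase,
    daysUntilEol: days,
    // Maintenance lines get security fixes only; plan the upgrade before EOL.
    action: phase === 'end-of-life' ? 'upgrade now'
          : phase === 'maintenance' ? 'plan upgrade'
          : phase === 'unknown' ? 'add to schedule table'
          : 'ok',
  };
}

console.log(JSON.stringify(checkRuntime(), null, 2));
```

The derived boundaries reproduce the article's Node.js 22 timeline (Maintenance from October 2025, end-of-life April 2027), which is a useful sanity check that the 12 + 18 month model is encoded correctly; extend `SCHEDULE` from the official release schedule rather than hard-coding further guesses.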