Node.js v20.19.6: Security and Maintenance Updates
The official Node.js 20.19.6 release notes detail a Long-Term Support (LTS) maintenance update for the ‘Iron’ line, shipped on November 25, 2025. This patch focuses on critical security hygiene and stability improvements, headlined by a significant refresh of the root certificate store to NSS 3.114 and 3.116. These updates ensure Node.js applications maintain trust with modern Certificate Authorities for secure TLS connections. The release also bundles important dependency upgrades, including OpenSSL to version 3.0.17 and the built-in HTTP client library, undici, to 6.22.0, patching potential vulnerabilities and delivering bug fixes. Developers should apply this update to benefit from enhanced runtime reliability and compatibility with evolving web standards.
This maintenance release is recommended for all teams running Node.js 20 in production. The reason is straightforward: the patch delivers critical security updates for core cryptographic and networking libraries, keeping your applications secure and stable without introducing breaking changes.
What Changed
- Security/Crypto: Updated root certificates to NSS 3.114 and NSS 3.116 to maintain a current list of trusted Certificate Authorities.
- Dependencies: Upgraded undici to 6.22.0, OpenSSL to 3.0.17, corepack to 0.34.1, and other core libraries for security and bug fixes.
- Documentation: Added new security policies, contributor credits, and historical documentation entries.
- Protocol: Marked HTTP/2 priority signaling as deprecated in the documentation, signaling future removal.
- Bug Fixes: Resolved an issue where `asyncContext` was incorrectly set under strict unhandled rejections and fixed high CPU overhead when pasting large strings into the REPL.
- Tooling: Fixed `util.inspect` behavior for highlighting errors within namespaced node_modules, improving debugging clarity.
Why It Matters
- Root Certificate Updates: This is not just a routine update; it ensures your Node.js applications can continue to establish secure TLS connections with websites and services that use certificates from recently added or updated Certificate Authorities. A stale certificate store can lead to connection failures.
- Security Dependency Upgrades: Upgrading OpenSSL and undici addresses known vulnerabilities in these foundational libraries. OpenSSL 3.0.17 includes security patches, and undici 6.22.0 improves the security and reliability of the built-in `fetch` API and HTTP/2 client.
- HTTP/2 Priority Signaling Deprecation: While not an immediate runtime break, this deprecation notice is a critical heads-up for applications optimizing network performance with HTTP/2. Teams should begin planning for its eventual removal.
- Bug Fixes Enhance Stability: Fixes for `asyncContext` and REPL performance directly improve developer experience and application reliability, preventing subtle bugs and unresponsive development tools.
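To see what the root certificate refresh described above changes in practice, the bundled store can be snapshotted on the old binary and diffed on the new one. This is an added example, not code from the Node.js project; the baseline file passed as the first argument is an assumption of this script.

```javascript
// Added example: diff the bundled root CA store across a Node.js upgrade.
// Run once on the old binary and save the output, then run on the new
// binary with that saved file as the first argument.
const fs = require('node:fs');
const tls = require('node:tls');
const { X509Certificate } = require('node:crypto');

// Map a list of PEM certificates to { SHA-256 fingerprint: subject }.
function snapshotStore(pems) {
  const store = {};
  for (const pem of pems) {
    const cert = new X509Certificate(pem);
    store[cert.fingerprint256] = cert.subject.replace(/\n/g, ', ');
  }
  return store;
}

// Compare two snapshots. "removed" roots are the ones that can turn a
// previously working TLS connection into a verification failure;
// "added" roots are the ones a stale store would reject.
function diffStores(before, after) {
  const pick = (from, notIn) =>
    Object.keys(from)
      .filter((fp) => !(fp in notIn))
      .map((fp) => ({ fingerprint: fp, subject: from[fp] }));
  return { added: pick(after, before), removed: pick(before, after) };
}

const current = snapshotStore(tls.rootCertificates);
const baselinePath = process.argv[2]; // assumption: JSON saved from the old binary
if (baselinePath) {
  const baseline = JSON.parse(fs.readFileSync(baselinePath, 'utf8'));
  console.log(JSON.stringify(diffStores(baseline, current), null, 2));
} else {
  console.log(JSON.stringify(current, null, 2));
}
```

`tls.rootCertificates` reports only the store bundled with the binary; certificates loaded through `NODE_EXTRA_CA_CERTS` or a system store enabled with `--use-openssl-ca` do not appear in this diff.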
Who Should Upgrade
This release is particularly relevant for DevOps engineers and security teams responsible for maintaining secure and compliant infrastructure, as the certificate and OpenSSL updates are essential. API developers building integrations or using HTTP/2 features should also upgrade to stay ahead of the deprecation notice and benefit from the undici improvements. Any team using Node.js 20 LTS in a production environment should prioritize this maintenance update.
How to Upgrade
- Backup your current application and its `node_modules` directory.
- Review the Node.js 20.19.6 release notes, specifically noting the deprecation of HTTP/2 priority signaling to assess impact on your services.
- Run the upgrade command for your environment (e.g., `nvm install 20.19.6`, `npm install -g node@20.19.6`, or update your Docker base image to `node:20.19.6`).
- Update your project’s `package-lock.json` by running `npm install` in your project root.
- Run your full test suite to verify compatibility with the updated dependencies.
- Deploy to a staging environment first, monitoring for any issues related to the certificate or dependency updates, before proceeding to production rollout.
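A post-upgrade check for the staging step above, confirming that the running binary actually carries the component versions this release names. This is an added example, not code from the Node.js project; the `--enforce` flag is an assumption of this script.

```javascript
// Added example. Minimums are the versions named on this page.
const EXPECTED = { node: '20.19.6', openssl: '3.0.17', undici: '6.22.0' };

// "3.0.17+quic" or "v20.19.6" -> [3, 0, 17]; null if not a dotted number.
function parseVersion(raw) {
  if (typeof raw !== 'string') return null;
  const core = raw.trim().replace(/^v/, '').split(/[+-]/)[0];
  if (!/^\d+(\.\d+)*$/.test(core)) return null;
  return core.split('.').map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, so 9 < 17).
function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// versions: an object shaped like process.versions.
// A build linked against a system OpenSSL reports that library's version,
// so "outdated" there means the OS package needs patching, not Node.js.
function checkRuntime(versions, expected = EXPECTED) {
  return Object.entries(expected).map(([component, minimum]) => {
    const found = versions[component];
    const parsed = parseVersion(found);
    let status = 'ok';
    if (parsed === null) status = 'missing';
    else if (compareVersions(parsed, parseVersion(minimum)) < 0) status = 'outdated';
    return { component, minimum, found: found ?? null, status };
  });
}

const report = checkRuntime(process.versions);
console.table(report);
// Assumption: pass --enforce in CI to fail the job on any non-ok row.
if (process.argv.includes('--enforce') && report.some((r) => r.status !== 'ok')) {
  process.exitCode = 1;
}
```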
Usage Examples
- The update to undici 6.22.0 automatically benefits applications using the built-in `fetch` API or the `undici` package directly, providing improved HTTP/1.1 and HTTP/2 client performance and stability behind the scenes.
- The fix to `util.inspect` for error highlighting in namespaced node_modules aids developers in debugging by making error stack traces clearer and easier to read in logs or console output.
Known Issues
- Documentation now marks HTTP/2 priority signaling as deprecated. While not a runtime breaking change, it indicates future removal and requires planning for applications relying on this feature for network optimization.
- Several tests are marked as flaky or skipped on specific platforms like macOS x64, Linux ppc64le, and Windows, indicating potential unresolved platform-specific issues in the codebase that may affect edge cases.