Node.js security patch day: what to update in 20.x/22.x/24.x/25.x and how to avoid EOL risk

TL;DR: On March 24, Node.js announced security releases for 25.x, 24.x, 22.x, and 20.x, including 2 High + multiple Medium/Low issues. Each Security release in this batch is a direct signal to close known risk now. If you run Node in production, this is not “later” work. The minimum responsible response is: verify support status, patch supported lines, and pull EOL instances out of risk.

Why this patch window matters

According to the official advisory, all supported release lines at that moment (20/22/24/25) are affected with different vulnerability counts. Node.js also explicitly reminds teams that EOL versions are always exposed when security releases happen, because they no longer receive fixes.

Practical takeaway: even if nothing is visibly broken, your risk level still increased.

Which release lines are currently relevant

Based on the official release schedule:

Line	Status	EOL
25.x	Current	2026-06-01
24.x	Active LTS (Krypton)	2028-04-30
22.x	Maintenance LTS (Jod)	2027-04-30
20.x	Maintenance LTS (Iron)	2026-04-30

What this means for teams:

• 24.x is the most comfortable production target for most stacks.
• 20.x is still supported, but close to end-of-life.
• 25.x is fine for teams intentionally operating on Current.

30-minute upgrade playbook (no chaos)

1) Build a real version inventory

Do not rely only on package.json constraints—check what actually runs in environments:

node -v
npm -v

For containerized services, verify runtime base images (FROM node:...).

2) Pull patch targets from the official index

Avoid guessing version targets. Query index.json directly:

curl -fsSL https://nodejs.org/dist/index.json | jq -r '
  map(select(.version|test("^v(20|22|24|25)\\.")))
  | group_by(.version|split(".")[0])
  | map({line: (.[0].version|split(".")[0]|ltrimstr("v")) + ".x", latest: .[0].version, date: .[0].date})
  | sort_by(.line)
  | .[] | "\(.line) -> \(.latest) (\(.date))"'

3) Patch high-risk services first

Suggested priority:

1. Internet-facing APIs and backend gateways.
2. Services handling auth/session/payment flows.
3. Internal workers and utility jobs.

4) Run a minimal Smoke test

After each upgrade:

• process boots cleanly;
• TLS/HTTP communication works;
• CI tests pass;
• key user flows behave as expected;
• no new critical errors in logs.

5) Track EOL remediation as a separate urgent stream

If any services are still on older lines (for example 18.x or lower), create explicit migration tickets with deadlines. “When we have time” is not a risk strategy.

Common post-advisory mistakes

• Patching only one “important” service. Result: hidden exposure remains elsewhere.

• Staying on “still-supported but near-EOL” without a migration plan. Result: you soon lose security coverage.

• Not operationalizing patch review. Result: repeated fire drills every patch day.

How to make this repeatable

Minimum sustainable routine:

• weekly security-update check;
• monthly audit of real Node versions in production;
• policy: no EOL Node in new deployments;
• short internal runbook for upgrade + rollback.

Conclusion

Node.js security patch day is not just another release note—it is a direct prompt to close known holes quickly. The practical path is simple: auto-resolve latest patch targets, patch supported lines now, and move EOL migrations into a tracked priority plan.

Official sources:

• https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
• https://github.com/nodejs/release#release-schedule
• https://nodejs.org/dist/index.json
• https://nodejs.org/en/blog/announcements/evolving-the-nodejs-release-schedule
• https://nodejs.org/en/blog/release/v25.8.1