The beta includes narrower inference for common conditional patterns.
Node.js changelog digest
May 4 - May 10, 2026. Useful releases, risky migrations, and noisy updates from the Node.js channel.
Node.js updates in 2026-w19
Security release updates bundled dependencies and runtime patches.
Introduced GA release separating alerts into Monitors and Alerts for finer-grained tracking.
Client generation handles workspace output paths more consistently.
Add experimental node:ffi module for loading native libraries (requires --experimental-ffi flag and appropriate permission; API is unsafe).
Patch release includes planner fixes and replication reliability updates.
Application Metrics reach General Availability with high‑cardinality, trace‑connected data.
Introduces Snapshots in Early Access for image storage, diffing, and CI integration
Updated docs call out persistence settings that can surprise small teams.
Temporal API is now enabled by default, providing a modern date‑time API;
Patched several remote‑code‑execution vulnerabilities (CVE‑2026‑23479, ‑25243, ‑23631, ‑25588, ‑25589) affecting unblock client flow, RESTORE, Lua, and Time‑Series modules.
Patched multiple critical Use‑After‑Free and invalid memory access vulnerabilities (CVE‑2026‑23479,‑25243,‑23631,‑25588‑25589) that could lead to remote code execution.
Patched multiple remote code execution vulnerabilities (CVE‑2026‑23479, 25243, 23631, 25588, 25589) affecting client flow, Lua, and RESTORE across modules.
Security patches address multiple RCE vulnerabilities (CVE‑2026‑23479, CVE‑2026‑25243, CVE‑2026‑23631) related to use‑after‑free and invalid memory access.
Fixed multiple remote code execution vulnerabilities (CVE‑2026‑23479, CVE‑2026‑25243, CVE‑2026‑23631) related to use‑after‑free and memory errors.
Fixed CVE‑2026‑25243: corrected invalid memory access in RESTORE to prevent remote code execution.
Cross-Event Querying is now generally available