NodeJS 16 End of Life - Is it important?
NodeJS version 16 will no longer be supported after September 11th, 2023. This is 7 months earlier than initially planned. Why is it happening, what are the impacts, and do you need to upgrade?
Here is the release schedule for NodeJS taken from the official github repository. NodeJS 16 (codename Gallium) was initially released on 20th April 2021 with new features including support for V8 engine 9.0, new regex features, Timers API and (eventually) the AsyncLocalStorage API. Support is due to end on 11th September 2023. This 29 month support cycle of NodeJS 16 is 7 months shorter than the usual 3 year cycle which NodeJS adopts. This was done to coincide with the end of life of OpenSSL 1.1.1. You can read more about why this decision was made on the NodeJS Blog.
Is this a big deal?
Many users and applications run on old, unsupported NodeJS versions. Looking at the download metrics for NodeJS during July 2023 shows hundreds of thousands of downloads for versions 12.x and 14.x. If it's a common occurrence, can it really be that bad? YES - by staying on unsupported versions you are not receiving security updates for known vulnerabilities. Here is an example of a NodeJS update made to fix several OpenSSL vulnerabilities which was only applied to NodeJS 16, 18 and 20. This is a concrete example of why 16.x is already insecure compared to 18.x. It will only get worse the longer you wait.
How do I upgrade?
First you should check which node version you are using:
node -v
If you are using any version lower than 18.x, you should definitely upgrade. If you are on an older version than 16.x, then this guide may not be enough and you will have other things break. You can check the official releases for detailed changelogs.
How you upgrade your NodeJS version will depend on how you installed it and your OS. Here are some of the most common:
Upgrade using NVM
NVM is a popular node version manager. The command below will install the version of node which is currently in LTS (Long Term Support), which at the time of writing would be 18.17.0. It will then reinstall all node packages using this NodeJS version.
nvm install 'lts/*' --reinstall-packages-from=current
Upgrade from website
If you downloaded an installer directly from NodeJS.org then you should download the current LTS version and follow the usual instructions for installing it to replace your old version. Don't forget to reinstall node packages afterwards, including any global packages.
npm i && npm i -g
Upgrade on Mac using brew
Brew is the ever popular package manager for Mac. There can be some caveats with upgrading node using brew, for which I direct you to this excellent StackOverflow thread. Don't forget to reinstall node packages afterwards, including any global packages.
brew upgrade node
Did anything break?
Thankfully everything should keep running for most users when upgrading NodeJS from 16.x to 18.x. There are some major changes listed in the release, but you will also need to check minor version release notes, as the DNS deprecation was already reverted in 18.4. Most users interact with some of these APIs only through intermediary libraries. When NodeJS plans to remove existing features, they first add warnings before removing the feature fully in later releases. This gives actively developed projects time to adapt to changes while giving users an uninterrupted experience as much as possible.
To be certain that everything in your codebase still works, you will need some extensive testing. The biggest breaking changes should throw errors as soon as you launch your node applications. Ideally you should have a high coverage of regression tests to help with this. But not every development team exists in such a utopia. If anything breaks as a result of this upgrade, use it as an argument in favor of automated tests and CI/CD.
How come there are no major problems with OpenSSL in this upgrade? Simply put, because NodeJS did such a good job with the upgrade. The OpenSSL changes were first included in Node 17, which was released on 19 October 2021. Major libraries depending on OpenSSL have already upgraded to version 3 with the help of an extensive migration guide. Nevertheless, if you are using cryptography or certificates directly in NodeJS, you should check this document to see whether any changes impact your code.
One example of a breaking change is the dropped support for MD4 hashing via node crypto. The code below runs in Node 16 (though it prints no output), while Node 18 will throw an error.
crypto.createHash("md4")
No one should be using the MD4 hash algorithm for any cryptographic purpose, though it's still useful for teaching and understanding the principles of message digest algorithms. If you really need to use it, you can always enable legacy OpenSSL features (at your own risk). This command will run even against Node 18+:
node --openssl-legacy-provider -e "crypto.createHash(\"md4\")"
Staying upgraded
Even if you are on a currently supported LTS version of NodeJS, you need to stay up to date on major vulnerabilities and changes. The easiest way for NodeJS is to check their official blog every few days. The laziest way to do it is using a service like NewReleases.io or, if you prefer old school methods, subscribe to NodeJS's RSS feed.
While you're at it, I recommend reviewing all of your tech stack and checking for updates across major libraries and frameworks. Especially those with network access, as an exploit in any of these could open up your entire application/server to bad actors.
Free stuff!
After all that work you are finally on NodeJS 18.x and are safe from unpatched exploits until this version reaches End of Life (30th April 2025). It may seem a futile part of software development to stay on top of dependency updates, but there's a silver lining: shiny new features!
- The fetch API which you may know from browser environments is now a part of NodeJS
- A native --watch CLI option which reruns commands when files change.
- Faster performance thanks to V8 engine v9.
For more changes, take a look at the official release announcement or the excellent blog post on NodeSource.
Happy Coding!