Rafael Gonzaga | Node.js
Node.js Technical Steering Committee member
- My first talk of 2026 can now be shared! I will join NodeCongress to present The State of Node.js Security nodecongress.com#person-rafae...
- 🚨 Node.js assessment of the recent OpenSSL Security Release TL;DR: We'll update OpenSSL versions through a regular release process. nodejs.org/en/blog/vuln...
- We have increased the barrier to submit reports through HackerOne due to the amount of low-quality submissions we have received recently. Please, see: nodejs.org/en/blog/anno...
- Reposted by Rafael Gonzaga | Node.jsThis release contains a bunch of PRs I recently submitted to mark features I contributed to as stable/release candidate. Here is a thread about them 🧵:
- Node.js v25.4.0 is out! 💚 • require(esm) now stable and a new CLI flag: --require-module • http setGlobalProxyFromEnv() added • Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects) • Root CAs updated to NSS 3.117 More in: nodejs.org/en/blog/rele...
- Node.js v25.4.0 is out! 💚 • require(esm) now stable and a new CLI flag: --require-module • http setGlobalProxyFromEnv() added • Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects) • Root CAs updated to NSS 3.117 More in: nodejs.org/en/blog/rele...
- 🚨Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users.
- Additionally, releasing on Tuesday rather than Friday helps ensure that security updates are available during regular business hours across all time zones, particularly for our users in the Asia-Pacific region. nodejs.org/en/blog/vuln...
- Node.s sec release We are doing our best. We are ensuring test passes on all platforms and all active release lines (v20, v22, v24 and v25) - and they aren't currently. Unfortunately, we don't have an ETA for that, and it's likely that this security release will be postponed one more time. Sorry.
- Reposted by Rafael Gonzaga | Node.jsOh hi. 👋 We're back with the latest Security Snapshot that covers how to publish to npm safely and with ease. ✨ @rafaelgss.dev breaks down why local publishing with 2FA gives you the safest setup right now.
- New release of bench-node v0.14.0! Two important features were released: github.com/RafaelGSS/be...
- * Add V8 code elimination detector - This should warn you when it believes your code is being JIT eliminated and the results aren't reliable. * Add t-test feature - It enables a statistical significance test to compare how reliable your results are And more!
- Right on time! Lovely @openjsf.org
- Reposted by Rafael Gonzaga | Node.jsWant to dive in further? Check out Rafael’s release of @nodejs.org 25: twitch.tv/videos/25925...
- Reposted by Rafael Gonzaga | Node.jsSEMVER MAJORS ARE BORING 🚨 Major releases mostly bring breaking changes, not shiny new features. The fun stuff? That’s hiding in the minors. @rafaelgss.dev talks about why you should follow the minor releases in our latest JavaScript Security Snapshot.
- I should get back to this platform. I’ve scrolled it for like 5 minutes and I found many interesting topics that I don’t see in one week of X.
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- Reposted by Rafael Gonzaga | Node.jsBefore automated workflows, releasing @nodejs.org meant 20 manual steps. Now it’s one command. 👀 @ulisesgascon.com and @rafaelgss.dev share how the Node.js build team went from a rack of Raspberry Pis in someone’s garage to full release automation. 👉Build Team on GitHub: github.com/nodejs/build
- Live now!
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- Reposted by Rafael Gonzaga | Node.jsWith npm supply chain attacks on the rise, secure publishing practices are becoming a pressing concern for anyone maintaining npm packages. ⚠️ We've released updated guidance to help maintainers reduce exposure, strengthen release processes, and protect the ecosystem: openjsf.org/blog/publish...
- Thanks for your hard work on this @notwes.bsky.social
- Reposted by Rafael Gonzaga | Node.jsToo many @nodejs.org users are running old versions 😬 The team is exploring changes to the release schedule to fix that. @rafaelgss.dev shares all the details in our latest JavaScript Security Snapshot. Be a part of the conversation on releases: github.com/nodejs/lts-s...
- Reposted by Rafael Gonzaga | Node.jsEver wonder why @nodejs.org drops new versions like clockwork? Here’s the scoop. ⏱️ @rafaelgss.dev shares all the details about the Node.js release schedule in our new series, JavaScript Security Snapshot.
- Done
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- Reposted by Rafael Gonzaga | Node.jsIntroducing 🥁🥁🥁 our JavaScriptLandia award recipients for this year! Beyond building new features, our recipients guide others, maintain essential systems, document the hard parts, and strengthen the community every step of the way. 💙 Read more about our honorees here: hubs.la/Q03NQvx10
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- Node.js 25 is here! We have upgraded V8 to 14.1, bringing major JSON.stringify performance improvements and JIT pipeline optimizations. This release introduces the permission model --allow-net, Web Storage is enabled by default, and more! nodejs.org/en/blog/rele...
- Reposted by Rafael Gonzaga | Node.jsNode.js v24.10.0 is out. * Per-stream inspectOptions support in console * Removal of util.getCallSite (in favour of util.getCallSites) * Upgraded OpenSSL to 3.5.4 and npm to 11.6.1 * Various src and benchmark optimizations nodejs.org/en/blog/release/v24…
- Reposted by Rafael Gonzaga | Node.js
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- Reposted by Rafael Gonzaga | Node.jsOur goal is to provide guidance and tooling for perf based decisions to the maintainers under our umbrella. Aligning our philosophy for how/what we monitor and how to interpret the results lets us be consistent across our 50+ packages. Ive been learning a lot so far, and big ty to @rafaelgss.dev
- Node.js v24.6.0 is out💚 Highlights: * Use your system’s trusted certificates with NODE_USE_SYSTEM_CA=1 * crypto: ML-DSA (KeyObject/sign/verify) * http: server.keepAliveTimeoutBuffer * zlib: Zstd dictionary support * fs: Utf8Stream (from SonicBoom) Changelog: nodejs.org/en/blog/rele...
- I'm live doing Node.js Core benchmark work! www.twitch.tv/rafaelgss
- I've been working on something interesting (at least for me) github.com/nodejs/node/...
- Hi folks, We will have a Node.js core mentoring live stream today Stay tuned!
- Node.js v24.4.0 is out! 💚 What's new? • crypto.hash() supports outputLength (XOF) • fs.mkdtempSync() gets disposable mode • --watch-kill-signal lands • permission.has('addon') is now supported • spawn() propagates permission flags • sqlite adds readBigInts More in: nodejs.org/en/blog/rele...
- Live on! twitch.tv/rafaelgss
- A warm welcome to our newest Node.js TSC member: Filip Skokan! Happy to see you onboard! github.com/nodejs/node/...
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- Reposted by Rafael Gonzaga | Node.js⚠️ Security release pre-alert: We will release new versions of v20.x, v22.x, v23.x, v24.x release lines on or shortly after May 14, 2025, in order to address: - 1 high severity issue - 1 moderate severity issue - 1 low severity issue Details: nodejs.org/en/blog/vuln...
- I’d love to do something like that but in person… kind of collab summit workshop
- Happy to announce @nodejs v24.0.0 💚! This release brings several updates, including the V8 13.6 and npm to version 11. As a reminder, Node.js 24 will enter long-term support (LTS) in October, but until then, it will be the "Current" release Check it nodejs.org/en/blog/rele...
- A handy way to test Node.js release candidates. I suggest you have something similar in your test suite, so you can act before a semver-major release of Node.js gets out. github.com/fastify/fast...
- RC.2 Node.js v24.0.0 github.com/nodejs/node/...
- Recent updates on Node.js CVE to EOL lines. TL;DR The Node.js team has decided to update previous vulnerability specific CVEs to cover EOL releases, reflecting their ongoing security risks. See: nodejs.org/en/blog/vuln...
- I'm live on Twitch again! www.twitch.tv/rafaelgss
- I'm posting some shorts on Youtube/Instagram of my sessions teaching "How to contribute to Node.js core" on Twitch. Check my social media in github.com/RafaelGSS/Ra...
- With this release we have also issued the CVEs to EOL versions of Node.js
- Node.js @nodejs.org Security Releases: January 21, 2025 Node.js security updates now available for 23.x, 22.x, 20.x, and 18.x, addressing key vulnerabilities. undici (v7.2.3, v6.21.1, v5.28.5) on v23.x, v22.x, v20.x, v18.x. 👉 bit.ly/4hohEIL
- We'll have a second session of Node.js mentoring today! Join us via OpenJS Foundation Slack (nodejs-mentoring channel). See you all in 30 minutes. Live: www.twitch.tv/rafaelgss
- ⚠️The @nodejs.org project will issue a security release for versions 23.x, 22.x, 20.x, 18.x on or shortly after, Tuesday, January 21. nodejs.org/en/blog/vuln...
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- I wrote an alias to `npx` that sets the Permission Model node options. You can use it in the same way you use `npx` but, with Node.js Permission Model restrictions :) Put this in your .zshrc/.bashrc gist.github.com/RafaelGSS/f8...
- Reposted by Rafael Gonzaga | Node.js[Not loaded yet]
- Live at www.twitch.tv/rafaelgss
- Did you know you can run npx with permission model enabled by just passing it through the --node-options npx flag? github.com/nodejs/node/...
- 🚨 @nodejs.org will issue CVE for EOL (End-of-Line) release lines in the next security release. Read more at nodejs.org/en/blog/vuln...
- Announcing bench-node officially! blog.rafaelgss.dev/bench-node-a...
