Rafael Gonzaga | Node.js
Node.js Technical Steering Committee member
- My first talk of 2026 can now be shared! I will join NodeCongress to present The State of Node.js Security nodecongress.com#person-rafae...
- 🚨 Node.js assessment of the recent OpenSSL Security Release TL;DR: We'll update OpenSSL versions through a regular release process. nodejs.org/en/blog/vuln...
- We have increased the barrier to submit reports through HackerOne due to the amount of low-quality submissions we have received recently. Please, see: nodejs.org/en/blog/anno...
- Node.js v25.4.0 is out! 💚 • require(esm) now stable and a new CLI flag: --require-module • http setGlobalProxyFromEnv() added • Multiple APIs promoted to stable (heapsnapshot, build snapshot, v8.queryObjects) • Root CAs updated to NSS 3.117 More in: nodejs.org/en/blog/rele...
- 🚨Our team has decided to postpone the release to Tuesday, January 13th, 2026. This additional time will allow us to properly test all backports and re-run CITGM to ensure the highest quality for our users.
- Additionally, releasing on Tuesday rather than Friday helps ensure that security updates are available during regular business hours across all time zones, particularly for our users in the Asia-Pacific region. nodejs.org/en/blog/vuln...
- Node.s sec release We are doing our best. We are ensuring test passes on all platforms and all active release lines (v20, v22, v24 and v25) - and they aren't currently. Unfortunately, we don't have an ETA for that, and it's likely that this security release will be postponed one more time. Sorry.
- [Not loaded yet]
- That's how it works in Brazil. Holidays extend until the Carnival!
- New release of bench-node v0.14.0! Two important features were released: github.com/RafaelGSS/be...
- * Add V8 code elimination detector - This should warn you when it believes your code is being JIT eliminated and the results aren't reliable. * Add t-test feature - It enables a statistical significance test to compare how reliable your results are And more!
- Right on time! Lovely @openjsf.org
- I should get back to this platform. I’ve scrolled it for like 5 minutes and I found many interesting topics that I don’t see in one week of X.
- Live now!
- Thanks for your hard work on this @notwes.bsky.social
- After a few months of targeted attacks on our ecosystem, followed by a confusing and rapidly changing response from @github.com, we wanted to put together some guidance for maintainers on how to help us all secure our supply chain together. Here is that guidance 👇
- Done
- @rafaelgss.dev any chance y'all could update the v8docs.nodesource.com to include 25.x? Pretty please :-)
- @rafaelgss.dev any chance y'all could update the v8docs.nodesource.com to include 25.x? Pretty please :-)
- I’ll ping the team
- Node.js 25 is here! We have upgraded V8 to 14.1, bringing major JSON.stringify performance improvements and JIT pipeline optimizations. This release introduces the permission model --allow-net, Web Storage is enabled by default, and more! nodejs.org/en/blog/rele...
- Node.js v24.6.0 is out💚 Highlights: * Use your system’s trusted certificates with NODE_USE_SYSTEM_CA=1 * crypto: ML-DSA (KeyObject/sign/verify) * http: server.keepAliveTimeoutBuffer * zlib: Zstd dictionary support * fs: Utf8Stream (from SonicBoom) Changelog: nodejs.org/en/blog/rele...
- I'm live doing Node.js Core benchmark work! www.twitch.tv/rafaelgss
- I've been working on something interesting (at least for me) github.com/nodejs/node/...
- Hi folks, We will have a Node.js core mentoring live stream today Stay tuned!
- Node.js v24.4.0 is out! 💚 What's new? • crypto.hash() supports outputLength (XOF) • fs.mkdtempSync() gets disposable mode • --watch-kill-signal lands • permission.has('addon') is now supported • spawn() propagates permission flags • sqlite adds readBigInts More in: nodejs.org/en/blog/rele...
- Live on! twitch.tv/rafaelgss
- A warm welcome to our newest Node.js TSC member: Filip Skokan! Happy to see you onboard! github.com/nodejs/node/...
- [Not loaded yet]
- I will talk with the team
- Folks, right now @rafaelgss.dev is doing an awesome livestram on m.twitch.tv/rafaelgss talking about Node.js threads, memory management and perfs. Join us!
- Thank you
- I’d love to do something like that but in person… kind of collab summit workshop
- Okay, I collected some data on the NodeSchool "workshoppers", as listed on nodeschool.io. For simplicity, I excluded ones that aren't terminal-based npm-installable things. Some fun facts in thread. 🧵 To start off: None have had any updates since 2022. Would have expected older. 1/
- Happy to announce @nodejs v24.0.0 💚! This release brings several updates, including the V8 13.6 and npm to version 11. As a reminder, Node.js 24 will enter long-term support (LTS) in October, but until then, it will be the "Current" release Check it nodejs.org/en/blog/rele...
- A handy way to test Node.js release candidates. I suggest you have something similar in your test suite, so you can act before a semver-major release of Node.js gets out. github.com/fastify/fast...
- RC.2 Node.js v24.0.0 github.com/nodejs/node/...
- Recent updates on Node.js CVE to EOL lines. TL;DR The Node.js team has decided to update previous vulnerability specific CVEs to cover EOL releases, reflecting their ongoing security risks. See: nodejs.org/en/blog/vuln...
- I'm live on Twitch again! www.twitch.tv/rafaelgss
- I'm posting some shorts on Youtube/Instagram of my sessions teaching "How to contribute to Node.js core" on Twitch. Check my social media in github.com/RafaelGSS/Ra...
- [Not loaded yet]
- [Not loaded yet]
- I’m almost sure there are projects for comprehensive stress test out there. Are you targeting http?
- [Not loaded yet]
- Yeah, these kind of tests is important to find saturation. I have never built something for this specifically
- A stress test? This is not recommended as a benchmark methodology. The data produced by a stress test should not be compared as other factors will affect the result. I think this should be considered as an infrastructure test instead.
- With this release we have also issued the CVEs to EOL versions of Node.js
- Node.js @nodejs.org Security Releases: January 21, 2025 Node.js security updates now available for 23.x, 22.x, 20.x, and 18.x, addressing key vulnerabilities. undici (v7.2.3, v6.21.1, v5.28.5) on v23.x, v22.x, v20.x, v18.x. 👉 bit.ly/4hohEIL
- [Not loaded yet]
- Next Guinness is on you
- [Not loaded yet]
- I have just updated it. I forgot to push it publicly. It should be fine now.
- [Not loaded yet]
- I was waiting for the global nodejs config to be decided. node —config=node.json 😅
- We'll have a second session of Node.js mentoring today! Join us via OpenJS Foundation Slack (nodejs-mentoring channel). See you all in 30 minutes. Live: www.twitch.tv/rafaelgss
- ⚠️The @nodejs.org project will issue a security release for versions 23.x, 22.x, 20.x, 18.x on or shortly after, Tuesday, January 21. nodejs.org/en/blog/vuln...
- [Not loaded yet]
- Yes
- I wrote an alias to `npx` that sets the Permission Model node options. You can use it in the same way you use `npx` but, with Node.js Permission Model restrictions :) Put this in your .zshrc/.bashrc gist.github.com/RafaelGSS/f8...
- Live at www.twitch.tv/rafaelgss
- Did you know you can run npx with permission model enabled by just passing it through the --node-options npx flag? github.com/nodejs/node/...
- 🚨 @nodejs.org will issue CVE for EOL (End-of-Line) release lines in the next security release. Read more at nodejs.org/en/blog/vuln...
- [Not loaded yet]
- Yes
- [Not loaded yet]
- Me too
- Announcing bench-node officially! blog.rafaelgss.dev/bench-node-a...
