Node.js 24: Everything You Need to Know in 2025

Node.js 24, released as the Current line in May 2025 (with LTS promotion expected in October 2025), represents the most significant Node.js release since the ESM transition. Built on V8 Engine 13.6, it delivers measurable performance improvements, a production-ready permission model, native HTTP/3 support, and a completely rewritten npm v11.

For enterprise teams, Node.js 24 brings three transformative changes: the security permission model that restricts what third-party dependencies can access, Undici 7.0 graduating HTTP/3 to stable, and npm v11's workspace management that makes monorepo development dramatically faster. This guide covers every major feature, breaking change, and migration strategy.

The V8 13.6 engine upgrade delivers measurable performance gains across all workload types:

• 16.8% Faster Execution: Optimised JIT compilation with improved Maglev (mid-tier compiler) and Turbofan (optimising compiler) pipelines — benefiting CPU-intensive workloads like JSON parsing, template rendering, and data transformation.
• 15.9% Faster Startup: Cold start times drop from ~220ms to ~185ms through improved snapshot deserialisation and lazy compilation of built-in modules — critical for serverless function deployments.
• 20.8% Higher Throughput: HTTP request handling improves from 1,200 to 1,450 req/sec per core, with optimised event loop scheduling and reduced garbage collection pause times.
• 13.6% Smaller Memory: Baseline memory consumption drops from 125MB to 108MB through improved heap compaction and more efficient internal data structures.

New ECMAScript features include Object.groupBy() and Map.groupBy() for array grouping, the RegExp v flag for set notation in character classes, Promise.withResolvers() for deferred promise patterns, and Array.fromAsync() for converting async iterables to arrays.

The Node.js 24 permission model graduates from experimental to stable, providing Deno-like security controls:

• File System Permissions: --allow-fs-read=/app/data restricts file reading to specific directories. --allow-fs-write=/app/uploads limits write access. Dependencies cannot access arbitrary file system locations without explicit permission.
• Network Permissions: --allow-net=api.example.com:443 restricts outbound network access to specific hosts and ports — preventing supply chain attacks where compromised packages exfiltrate data to attacker-controlled servers.
• Child Process Restrictions: --allow-child-process controls whether dependencies can spawn child processes — blocking common attack vectors like reverse shells or cryptocurrency miners.
• Worker Thread Control: --allow-worker restricts worker thread creation to authorised code paths only.
• Configuration Files: Permission policies can be defined in JSON configuration files for production deployments — node --experimental-policy=policy.json app.js — enabling centralised security management.

This model is transformative for enterprise security — third-party npm packages can be sandboxed to prevent unauthorised file access, network requests, or system command execution.

Undici 7.0.0 replaces the legacy HTTP client with production-ready HTTP/3:

• 30% Faster Requests: Rewritten connection pooling with adaptive keep-alive management, request pipelining, and automatic retry logic — reducing average API call latency from 45ms to 31ms in benchmarks.
• 40% Less Memory: Optimised buffer management with zero-copy data transfer where possible — reducing per-connection memory from ~8KB to ~5KB.
• HTTP/3 with QUIC: Production-ready HTTP/3 support using the QUIC transport protocol — 0-RTT connection establishment, multiplexed streams without head-of-line blocking, and seamless connection migration for mobile clients.
• Native WebSocket: Built-in WebSocket client implementation (no ws package required) with automatic compression, ping/pong handling, and backpressure management.
• Fetch API Improvements: The global fetch() function now supports request/response streaming, custom DNS resolution, connection pooling configuration, and proxy support.

URLPattern is now globally available without import — providing cross-platform URL pattern matching consistent between Node.js and browser environments.

npm v11 delivers the most significant package manager upgrade in years:

• 65% Faster Installs: Rewritten dependency resolution algorithm with parallel downloads, incremental cache updates, and content-addressable storage — a 500-dependency project installs in ~8 seconds (vs ~23 seconds with npm v9).
• Lockfile v3: New lockfile format with deterministic resolution, smaller file size, and faster parsing — ensuring identical installs across development, CI, and production environments.
• Automatic Vulnerability Scanning: npm install automatically scans the entire dependency graph for known vulnerabilities and reports them inline — no separate npm audit step required.
• Workspace Intelligence: Intelligent parallelisation for monorepo workspace commands — npm run build --workspaces automatically determines dependency order and parallelises independent builds.
• Dependency Impact Analysis: npm explain <package> shows why a dependency exists, which packages depend on it, and the security/license implications of updating or removing it.
• Auto-Cleanup: Automatic detection and removal of unused dependencies with npm prune --production integration into the install lifecycle.

The Node.js built-in test runner reaches feature parity with Jest/Vitest for unit testing:

• Comprehensive Assertions: node:assert module with strict equality, deep equality, throws, rejects, and snapshot testing — covering 90% of typical test assertion patterns.
• Smart Watch Mode: node --test --watch monitors file changes and re-runs only affected tests — faster feedback loops than Jest's watch mode for projects without complex mocking.
• Test Coverage: Built-in V8 code coverage with --experimental-test-coverage — generating lcov reports without Istanbul/NYC dependencies.
• Mocking: node:test provides built-in mocking for timers, modules, and functions — mock.fn(), mock.method(), and mock.timers for controlling setTimeout/setInterval.
• 40% Faster Execution: Tests run 40% faster than Node.js 20's test runner — optimised test isolation, parallel test execution, and reduced overhead from V8 snapshot preloading.
• Beautiful Reporting: TAP, spec, and dot reporters with colour output, failure summaries, and timing information — node --test --reporter spec.

For new projects, the built-in test runner eliminates Jest/Vitest dependencies — reducing node_modules by 30-50MB and simplifying CI pipelines.

Node.js 24 deprecates several legacy APIs that teams must address:

• vm.runInNewContext without options: Must pass explicit context options — addresses sandbox escape vulnerabilities in the legacy VM module.
• Legacy HTTP Parser: The llhttp-based parser is now the only option — the legacy http_parser binding is removed entirely.
• process.exit() in Workers: Calling process.exit() inside worker threads is deprecated — use worker.terminate() or parentPort.close() instead.
• Dated Crypto Methods: crypto.createCipher/crypto.createDecipher (without IV) are removed — migrate to crypto.createCipheriv/crypto.createDecipheriv.
• url.parse(): The legacy url.parse() function triggers deprecation warnings — migrate to the WHATWG URL constructor.

Migration strategy: Run node --pending-deprecation app.js on Node.js 22 first to identify deprecated API usage. Update dependencies with npm update and check compatibility with npx is-my-node-version-supported. Test with the Node.js 24 Docker image before upgrading production.

Node.js 24 improves the TypeScript and ESM developer experience:

• Type Stripping (Stable): --experimental-strip-types is promoted to stable — Node.js can run TypeScript files directly by stripping type annotations at load time, without ts-node or build steps for development.
• ESM by Default: New projects should use "type": "module" in package.json. ESM resolution is now faster than CJS for most workloads, with improved interop for mixed ESM/CJS dependency graphs.
• Import Attributes: import config from './config.json' with { type: 'json' } — standard syntax for importing JSON, CSS, and other non-JavaScript modules with explicit type declarations.
• Module Customisation Hooks: Stable loader hooks (--loader) for custom module resolution — enabling path aliases, virtual modules, and compile-on-load transforms without bundler tooling.

These improvements make Node.js 24 the most TypeScript-friendly runtime to date — reducing the gap between TypeScript development experience and production deployment.