Node.js Version 20.20.2 'Iron' (LTS) Released with Security Fixes
Node.js version 20.20.2 'Iron' (LTS) has been released, addressing several security vulnerabilities. The update includes fixes for issues such as array index hash collision, timing-safe comparison in Web Cryptography HMAC and KMAC, and permission checks for certain operations. Notable changes include the use of null prototype for headersDistinct/trailersDistinct, permission checks on lib/fs/promises, and the handling of NGHTTP2_ERR_FLOW_CONTROL error code. Developers are advised to update to this version to ensure the security of their applications. The release notes provide a detailed list of changes and commits made in this version, including fixes for CVE-2026-21717, CVE-2026-21713, CVE-2026-21710, CVE-2026-21716, CVE-2026-21715, CVE-2026-21714, and CVE-2026-21637. To learn more, read the release notes and review the migration steps to ensure a smooth transition.