Node.js Delivers First LTS with require(esm) Enabled, Enhances Security and Release Automation

Node.js v22.12.0 (LTS) debuts with require(esm) enabled by default, alongside security milestones and automated workflows for faster, more stable releases.

Sarah Gooding

December 6, 2024


JavaScript enthusiasts celebrated the language’s 29th birthday this week, coinciding with the Node.js team delivering some exciting updates. The project has seen significant progress and improvements in late 2024, focusing on security, automation, and new features. Here’s a quick roundup of the most important changes developers need to know:

require(esm) Enabled by Default

Node.js shipped version 22.12.0 'Jod' this week, its first LTS with require(esm) enabled by default. The feature is still experimental, but it's no longer behind the --experimental-require-module flag. Support for loading native ES modules via require() is an exciting milestone that impacts the whole ecosystem.

Node.js TSC delegate Joyee Cheung, who contributed this feature, gave a brief background on why it was needed:

“It helps accelerating ESM adoption in the ecosystem as package authors can start shipping native ESM with less breakage to their CJS users; it also helps frameworks and tools that take plugins to support native ESM in user/plugin code whilst they are still navigating their own migration to ESM.”

  • What It Means: Developers can now use require() to load ES modules without encountering ERR_REQUIRE_ESM. However, modules with top-level await may throw ERR_REQUIRE_ASYNC_MODULE. The feature emits an experimental warning unless loaded from a path that contains node_modules.
  • Feedback Needed: Developers are encouraged to report regressions or issues via the Node.js issue tracker.

Automated Processes Speed Up Releases

Node.js maintainers have been working since 2023 to automate the release process, with the goal of reducing the number of time-consuming steps needed to perform a release. In the last couple of months, the project has made major progress in automating some of the housekeeping related to security releases, which has made the team more efficient.

Security Enhancements

Node.js reports processing its lowest ever number of security reports (10) in October–November 2024. A brief breakdown of the reports:

  • Spam (1)
  • Non-applicable (4)
  • Informative (2)
  • New issues (2)
  • Triaged (1)

The team attributes the low number of reports to “the effectiveness of our updated security policies in enhancing overall system protection.” They have also improved the release workflow with an automated command for updating the website banner and blog post locations, along with the CVE-ID metadata automatically added to changelogs, speeding up security release proposals.

These recent milestones demonstrate Node.js' ongoing commitment to drive the ecosystem forward and suggest that the platform will continue to be a powerful force in JavaScript’s adaptability, performance, and global impact for years to come.

By enabling require(esm) by default in an LTS release, Node.js is addressing one of the ecosystem's long-standing hurdles—bridging the gap between CommonJS and ES Modules. This shift indicates a commitment to easing the ESM adoption curve, paving the way for modern, interoperable JavaScript development.
