Node.js 20 Released, Features Experimental Permission Model for Improved Security

Published on April 21, 2023

Node.js recently released version 20 (current release). After entering the long-term support (LTS) stage in October, Node v20 will be ready for full production deployments. There are several key features, including an experimental permission model for improved security and the ability to build Node applications as standalone executables.

When enabled, the –experimental-permission flag restricts access to all permissions available to developers. The current permissions configure access to the file system (e.g., –allow-fs-read and –allow-fs-write flags), the creation of child processes (–allow-child-process flag), and the creation of worker threads (–allow-worker flag). For instance, –allow-fs-write=* –allow-fs-read=/tmp/ will allow FileSystemRead access to the /tmp/ folder and allow all the FileSystemWrite operations.

Permissions are process-specific. It is therefore not possible for developers to deny permissions to a specific module. Normally, a process with the experimental-permission will not be able to spawn a child process. Upon enabling the –allow-child-process flag, the user is responsible for passing along the correct arguments to spawn the child process with the appropriate permissions. Developers may refer to this pull request and the permission model roadmap for more information.

With Node v20, developers can build their Node applications into a standalone executable (single executable apps) for users who do not have or cannot install Node.js. Support for single executable apps is available on Windows, MacOS, and Linux platforms (all Node.js distributions except Alpine, as well as all Node.js architectures except s390x and ppc64). To reduce vector attacks, Microsoft is experimenting with single executable applications.

The test runner introduced in Node v19 has been stabilized in Node v20, signalling its readiness for production. V8’s JavaScript/WebAssembly engine has been updated to version 11.3. This update includes new JavaScript APIs, including resizable ArrayBuffers and growable SharedArrayBuffers. Node v20 also supports WebAssembly tail calls (introduced in version 11.2). Finally, import.meta.resolve() is now synchronous.

The Open JS Foundation provides Node.js as open-source software under the MIT license. The Node.js contribution guidelines and code of conduct encourage contributions and feedback.