Beware of End-of-Life Node.js Versions: Upgrade or Seek Post-EOL Support

Matteo Collina

The Node.js ecosystem is at a critical juncture. With Node.js 18 becoming unsupported, millions of developers need to make the jump, but they should skip 20 entirely and go straight to Node.js 22. The numbers tell a compelling story about why this upgrade isn't just recommended, it's essential. If you can't upgrade, check out our Ecosystem Sustainability Program partner, HeroDevs, which offers post End-of-Life Node.js support.

The Support Landscape Has Changed—And Security Issues Are Real

Node.js 18 and all earlier versions are End-of-Life. They are now completely unsupported, meaning they receive no updates, including security patches.

The security implications are immediate and serious. The May 2025 security releases revealed that Node.js 20 is vulnerable to 1 low severity issue, 1 high severity issue, and 1 medium severity issue. As the security advisory notes, "End-of-Life versions are always affected when a security release occurs", meaning Node.js 18 and all earlier versions have these same vulnerabilities but will never receive patches. Here is our release schedule:

Many ask, "Why does the Node.js project not fix vulnerabilities for all releases?" Because it would be an ever-growing task, and some vulnerabilities could not even be fixed because they depend on a multitude of other patches being applied first. The work is simply too much, and organizations depending on ancient Node.js versions can either upgrade or use a vendor that provides this service.

If you are looking for additional proof points, here are a few examples of vulnerabilities that affect older versions of Node.js:

This affects a staggering number of projects. Based on download statistics, Node.js v18, the most recent End-of-Life version, still accounts for approximately 50 million monthly downloads, while earlier legacy versions (v16 and below) continue to see tens of millions of downloads per month. That represents countless applications running on known vulnerable, unsupported runtime environments.

You can check if your Node.js installation is vulnerable to known security vulnerabilities using the is-my-node-vulnerable package. This tool checks your Node.js version against a database of known vulnerabilities and provides guidance on whether you need to upgrade.

Node.js v22: The Smart Long-Term Choice

While Node.js 20 is currently the maintenance LTS release, Node.js 22 is the smarter upgrade target. Here's why you should skip 20 and go straight to 22:

  • Longer Support Window: Node.js 22 is in active LTS status and will be actively supported until April 2027—a full year longer than 20's support window.

  • Future-Proofing: By upgrading to 22 now, you avoid another major upgrade cycle in just a couple of years. This saves significant engineering time and reduces upgrade fatigue.

  • New Features: 22 offers all the latest features of Node.js, including native TypeScript support (behind a flag).

  • Latest Performance Gains: 22 includes all the improvements from 20, plus additional optimizations, offering the best performance available.

The Migration Numbers Game

The download statistics reveal an interesting migration pattern. While total Node.js downloads have grown to over 350 million per month across all versions, the distribution shows:

  • Node.js v22+: Growing rapidly as teams adopt the future-forward approach, with 120 million monthly downloads.

  • Node.js v20: ~100 million monthly downloads (solid but shorter lifespan)

  • End-of-Life versions (v18 and below): ~120+ million monthly downloads (critical security risk)

This means that roughly 30% of the Node.js community is still running on unsupported versions. Rather than making incremental upgrades, smart teams are leapfrogging directly to v22 for maximum future-proofing, or adopting a commercial solution.

Why Skip v20 and Go Straight to v22?

The conventional wisdom might suggest upgrading incrementally to Node.js v20 first, but this is a strategic mistake. Here's why v22 is the better target:

Maintenance Window:

  • Node.js v20 LTS: October 2023 - April 2026 (1 year remaining)

  • Node.js v22 LTS: October 2024 - April 2027 (2 years remaining)

Upgrade Fatigue Prevention: Major Node.js upgrades require testing, dependency updates, and potential code changes. By going to v22 now, you avoid another upgrade cycle in 2026-2027.

Making the Jump

For Development Teams: Start by auditing your current Node.js usage. Check node --version across all your projects and environments. Create a migration timeline that targets 22 directly, skipping the 20 stepping stone.

For DevOps Teams: Update your CI/CD pipelines, Docker images, and deployment scripts to target Node.js 22. Test thoroughly in staging environments, but don't waste time on 20 as an intermediate step.

For Open Source Maintainers: Consider requiring Node.js 22 as your minimum version for new major releases. This positions your project at the forefront of the ecosystem and provides the longest support runway.
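The audit advice above (check the Node.js version every project and environment pins, retarget Dockerfiles and pipelines, require 22 in engines) is easy to state and tedious to do by hand. The script below is an added example, not code from the Node.js project or from this post, and not a substitute for the is-my-node-vulnerable check described earlier: it classifies lifecycle status only, not individual CVEs. It walks the version pins a repository usually carries (.nvmrc, package.json engines.node, Dockerfile FROM lines, a setup-node node-version in a workflow) and reports each against the LTS dates quoted in this post. The repository contents are constructed inline; the supportedUntil months are the post's dates taken at month granularity, and the rule that odd-numbered majors never become LTS is general Node.js release policy rather than something this post states.

```javascript
'use strict';

// Added example, not code from the Node.js project or from this post.
// It audits the Node.js versions a repository pins (constructed sample
// below) against the LTS dates the post quotes. It checks lifecycle
// status only; use is-my-node-vulnerable for per-CVE checks.

// Schedule as stated in the post, at month granularity. Every major <= 18
// is End-of-Life; majors above 22 are outside the post's table.
const LTS_SCHEDULE = {
  20: { status: 'maintenance-lts', supportedUntil: '2026-04' },
  22: { status: 'active-lts', supportedUntil: '2027-04' },
};

// Major version from the usual pin formats: "v18.20.4", "18",
// "node:18-alpine", ">=20.0.0", "^22". Returns null when no number is present.
function extractMajor(spec) {
  const m = /(?:^|[^\d.])(\d+)(?:\.\d+)*/.exec(String(spec).trim());
  return m ? Number(m[1]) : null;
}

// Lowest major an engines.node range still admits, for the common shapes
// ">=X", "^X", "~X", "X.y.z" (first alternative of an "a || b" range).
// A range that still admits an EOL major is itself a finding.
function minimumMajor(range) {
  const m = /^\s*(?:>=?|\^|~)?\s*v?(\d+)/.exec(String(range));
  return m ? Number(m[1]) : null;
}

// Lifecycle status of one major. `today` is "YYYY-MM"; a maintenance line
// past its end month is reported as EOL. Odd majors never become LTS.
function classify(major, today = new Date().toISOString().slice(0, 7)) {
  if (major === null) return { major, status: 'unknown' };
  if (major <= 18) return { major, status: 'eol' };
  if (major % 2 === 1) return { major, status: 'non-lts' };
  const entry = LTS_SCHEDULE[major];
  if (!entry) return { major, status: 'not-in-table' };
  if (today > entry.supportedUntil) return { major, status: 'eol', supportedUntil: entry.supportedUntil };
  return { major, ...entry };
}

// files: { path: contents } standing in for a checked-out repository.
function auditProject(files, today) {
  const findings = [];
  const add = (path, spec, major) => findings.push({ path, spec, ...classify(major, today) });

  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.nvmrc')) {
      add(path, text.trim(), extractMajor(text));
    } else if (path.endsWith('package.json')) {
      const range = (JSON.parse(text).engines || {}).node;
      if (range) add(`${path} (engines.node)`, range, minimumMajor(range));
    } else if (path.endsWith('Dockerfile')) {
      for (const m of text.matchAll(/^\s*FROM\s+(node:\S+)/gim)) add(path, m[1], extractMajor(m[1]));
    } else if (/\.ya?ml$/.test(path)) {
      // Literal node-version values only; matrix expressions come back as 'unknown'.
      for (const m of text.matchAll(/node-version:\s*['"]?([^'"\n]+)/g)) add(path, m[1].trim(), extractMajor(m[1]));
    }
  }
  return findings;
}

// Findings that need action now.
function eolFindings(findings) {
  return findings.filter((f) => f.status === 'eol');
}

function formatReport(findings) {
  return findings.map((f) => `${f.status.padEnd(15)} ${f.path}: ${f.spec}`);
}

// Constructed sample repository with a mix of pins, including a multi-stage
// Dockerfile whose build stage was left on 18 while the runtime moved to 22.
const SAMPLE_REPO = {
  '.nvmrc': 'v18.20.4\n',
  'package.json': JSON.stringify({ name: 'sample', engines: { node: '>=18' } }),
  'Dockerfile': 'FROM node:18-alpine AS build\nRUN npm ci\nFROM node:22-alpine\nCOPY --from=build /app /app\n',
  '.github/workflows/ci.yml': 'steps:\n  - uses: actions/setup-node@v4\n    with:\n      node-version: "20"\n',
};

console.log(formatReport(auditProject(SAMPLE_REPO)).join('\n'));
```

Running it against the sample repository reports the .nvmrc, the engines range and the Dockerfile build stage as eol, the workflow as maintenance-lts and the runtime image as active-lts; once the current month passes April 2026 the workflow's 20 flips to eol as well, which is the point of skipping it. Replacing the constructed SAMPLE_REPO with a read of the real files is the only change needed to use it on a checkout.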

Can't Upgrade Right Away? Commercial Support Is Available

We understand that some organizations face constraints that prevent immediate upgrades, such as legacy codebases, compliance requirements, or complex dependency chains. If your company cannot upgrade immediately but needs continued security support for Node.js v18 or earlier versions, commercial support is available through HeroDevs.

As part of the OpenJS Ecosystem Sustainability Program partnership, HeroDevs provides Never-Ending Support (NES) for Node.js versions past their official maintenance phase. This includes security patches, compliance assistance, and technical support to help bridge the gap while you plan your upgrade strategy.

However, this should be viewed as a temporary solution—the goal should always be to upgrade to actively supported versions like Node.js 22.

The Bottom Line

With hundreds of millions of monthly downloads across the Node.js ecosystem, the migration to 22 represents a strategic opportunity to future-proof your applications. The security implications alone make upgrading from unsupported versions critical, but the choice between 20 and 22 is about smart long-term planning.

The path forward is clear: Node.js 22 offers the longest support window, best performance, and maximum future-proofing. Don't waste time on incremental upgrades—make the jump directly to 22 and secure your applications for years to come.

Your applications, your users, and your future self will thank you for making the strategic move to Node.js v22 today.