Node.js 22 LTS Adoption — when and how should I migrate?
Node.js 20 (Iron) reaches end-of-life April 30, 2026. Teams must migrate to Node.js 22 (Maintenance LTS, EOL April 2027) or Node.js 24 (Active LTS, EOL April 2028). Node.js 22 removes import assertion syntax, enables require(ESM) by default, changes worker thread module hook behavior, and raises the stream high-water mark default. Skipping to Node.js 24 adds OpenSSL 3.5 security-level-2 enforcement and stricter fetch/stream behavior. Migration path and EOL runway differ significantly between the two targets.
Blockers
- import assert syntax removed — must use import...with instead
- require(ESM) enabled by default since v22.12.0
- worker thread module hooks changed — register() now uses shared hooks thread (v22.2.0+)
- stream default high-water mark raised from 16 KiB to 64 KiB
- OpenSSL 3.5 security level 2 — blocks RSA/DSA/DH < 2048 bits, ECC < 224 bits, RC4 prohibited
- stream/pipe errors now throw instead of silently failing
Who this is for
- enterprise
- high-scale
- small-team
- low-ops
- compliance
Candidates
Migrate Node.js 20 to Node.js 22 (Maintenance LTS)
As of 2026-03-16, Node.js 22 (Jod) is in Maintenance LTS and receives critical security fixes only until its EOL of April 30, 2027. It removes the deprecated import-assert syntax, enables require(ESM) by default since v22.12.0, enables the WebSocket client by default, and raises the stream default high-water mark from 16 KiB to 64 KiB.
When to choose
Best for enterprise + compliance or small-team + low-ops teams that need a lower-risk migration step before Node.js 20 EOL on April 30, 2026. Choose this if your codebase uses import assertions, native addons with V8 bindings, or CommonJS packages with synchronous require paths benefiting from require(ESM), and you want more time before absorbing the larger OpenSSL and stream-behavior changes that come with Node.js 24. Node.js 22 Maintenance LTS gives you until April 30, 2027 — plan your next hop to Node.js 24 within that window.
Tradeoffs
Fewer breaking changes from Node.js 20 than jumping directly to Node.js 24. The one required code change is replacing import assert { type: 'json' } with import ... with { type: 'json' } — an official codemod is available via npx codemod run @nodejs/import-assertions-to-attributes. Worker thread module hooks changed at v22.2.0: calling register() from a new Worker execArgv now registers hooks on a single shared hooks thread rather than per-worker threads, which can silently change APM and tracing behavior for tools using module-level instrumentation. The stream high-water mark increase (16 KiB to 64 KiB) improves throughput but raises peak memory under backpressure.
Cautions
Node.js 22 is already in Maintenance LTS as of late 2025, meaning no new features are added — only critical security patches. EOL is April 30, 2027, leaving roughly 13 months of runway from today. APM tools and test frameworks that use module-level worker thread hooks (e.g. Jest workers, instrumentation layers) must be verified against the v22.2.0+ module hooks behavior change documented in nodejs/node issue 53182. Native addons built against V8 APIs must be rebuilt for V8 12.4. The WebSocket client is enabled by default — if you polyfill or mock globalThis.WebSocket in tests, those shims may now conflict.
Skip directly to Node.js 24 (Active LTS)
As of 2026-03-16, Node.js 24 (Krypton) is the Active LTS release with EOL April 30, 2028. It includes all Node.js 22 changes plus OpenSSL 3.5 at security level 2 (blocking RSA/DSA/DH keys under 2048 bits and ECC keys under 224 bits), stricter fetch() spec compliance, stream/pipe errors that now throw instead of silently failing, and removal of 32-bit Windows and armv7 Linux support.
When to choose
Best for enterprise + compliance or high-scale teams that want maximum LTS runway and can absorb both the Node.js 22 import-assertion and require(ESM) changes and the Node.js 24 OpenSSL and stream-behavior changes in a single migration. Choose this if your infrastructure already uses 2048-bit or larger keys everywhere, you have no legacy 32-bit Windows or armv7 Linux build targets, and you want to avoid a second major migration before April 2027.
Tradeoffs
Active LTS means ongoing feature additions and full security-patch commitment through April 2028 — the longest runway of any current option. Migration from Node.js 20 requires both the import-attributes codemod and an audit of TLS/crypto key sizes for OpenSSL 3.5 level-2 compliance. Stream pipelines that previously swallowed pipe errors silently will now surface thrown errors and must be updated with explicit error handlers.
Cautions
Verify all TLS certificates, key sizes, and cipher suites before deploying on Node.js 24: RSA/DSA/DH keys under 2048 bits and ECC keys under 224 bits are rejected at OpenSSL 3.5 security level 2, and RC4 cipher suites are prohibited. macOS build environments require Xcode 16.1+ and macOS 13.5+. C/C++ addons linked against V8 APIs may need updates for V8 13.6 and possible C++20 requirements — use NODE-API to reduce native addon rebuild churn. The Node.js team provides migration codemods for crypto-rsa-pss-update and fs-access-mode-constants deprecations.
Commercial extended support for Node.js 20 (emergency bridge only)
Vendors offer post-EOL commercial security patches for Node.js 20 after April 30, 2026. This is a short-term bridge only and is not a substitute for migration — it does not provide new features, ecosystem support, or guarantee that npm packages will remain compatible with Node.js 20.
When to choose
Only consider this for compliance or enterprise teams with frozen production environments (e.g. fintech, healthcare, government) that have hard change-freeze windows extending past April 30, 2026 and cannot complete a runtime migration in time. Not suitable for teams with active development or package dependency updates.
Tradeoffs
Provides continued security patching past EOL without a code-level migration, buying weeks or months of runway. The ecosystem will stop testing against Node.js 20: packages will drop it from their engines field and CI matrices, and version mismatches accumulate over time. AWS Lambda and other managed runtimes enforce their own deprecation schedules independently of commercial support.
Cautions
AWS Lambda's Node.js 20 deprecation schedule runs independently: function creation is blocked August 31, 2026 and function updates are blocked September 30, 2026 — commercial extended support does not override platform-level enforcement. npm package authors will stop supporting Node.js 20 in their engines field after EOL, and incompatibilities compound over time. Treat commercial support as an emergency bridge only; execute the Node.js 22 or 24 migration as the primary path.
Try with your AI agent
$ npm install -g pocketlantern $ pocketlantern init # Restart Claude Code, Cursor, or your MCP client, then ask: # "Node.js 22 LTS Adoption — when and how should I migrate?"