The Alleged ‘End’ of Node.js Is Much Ado About Nothing

Hello, welcome to Node Congress 2025. This is the alleged end of Node JS in much ado about... nothing. Let's get started.

First of all, very quickly. I am employed by Platformatic, which gives the complete out-of-the-box primitive to deploy, optimize, autoscale, and secure all your Node applications, without any rewrite and with no overall. You just plug and play, like in the good old USB times. Check it out and catch up with me via email if you're interested.

Okay. Let's get started. Don't count your chickens before they hatch. You know, or we can say in Italy, don't sell the skin of the bear before selling it, or before having killed it, whatever.

And that's a lot to process today, so let's do. First of all, let me introduce myself. I am Paolo. I'm Principal Engineer at Platformatic and member of the Node T Technical Steering Committee that we're going to see in a bit what it's about. I come from a little city in central Italy called Campobasso, which are welcome to visit if you want to come to Italy.

These are all my colleagues. These are all my contacts that you can ping me. So stay in touch. And also, we have to give credit. This talk was originally made by Matteo Collina, my friend and CTO of Platformatic, which means that whatever goes wrong today, it's on him, not on me. Okay?

First of all, Node is dead, right? Let's look at the numbers of how much Node is dead. Node has roughly 3 billion downloads per month, which makes us a brilliant number of 30 billion downloads per year. Do you think this is a dead project with 30 billion per year? Not really.

Usually, we see on the internet this thing everywhere. ZYX will flip the default backend JavaScript runtime from Node.js. This is random user number one. And now there is, usually, which is something that you see way more often, XYZ will destroy Node.js, which is random excited user number two, which can be anyone. So, this talk is about a question that anybody is asking, everybody is asking, and I want to give an answer for this today.

Is Node dead yet? No. Period. Goodbye. We're done. Obviously, we are not done. I'm going to give you a lot of information about this. But Node is not, nowhere, nearly done, dead, overhauled, undeprecated. Anything you can think about. It's not. And it is going to stay here for a long, long time.

Let me also give you some relatable examples. For anybody that says that a technology is dead, and somebody that says I want to aim to destroy some technologies for any reason. Can you imagine that COBOL, which was born in 1959, is still widely used, is actually on the raise, being on position 19 of popularity. Or that jQuery is still used on roughly 95% of JavaScript-enabled websites, and they just released it before. It's not, nowhere, being dead, despite React, Svelte, Solid, Vue, whatever you can think about. Anyway, I'm not using jQuery, but jQuery is nowhere, near, being dead.

So, what about Node? Well, Node is the most popular technology, according to Stack Overflow. And also, bundling Node and NPM was not a mistake. We were able to basically provide a simple way to people to solve software use. We have a staggering amount of downloads on NPM every month, and that's also due to this choice of bundling Node and NPM. For instance, these are the downloads of ReadableStream, which is the fourth most downloaded module on NPM, which is basically a module that enables to use the Node Streams API on the spot of your Node version and on the browser. So, as you can see, the popularity of Node and the usage is growing over 50% over a year, which means that it's doubling every other year, which is a lot.

Also, half of the downloads in Node are the headers files. Why is that? Well, the thing is that the headers files are needed whenever NPM needs to compile some binary add-on. In that case, they need to download the binary, sorry, the headers, and they are cached to this code. You don't only download it once, but this means that many people or many new machines are being deployed with Node for the very first time regularly every month.

Also, there are a lot of downloads divided by platform, the three main platforms, which is Windows, Mac and Linux. Most of these downloads probably come from the CI, because also projects often test on Windows as well, I know because in platformatic we do that a lot, which means that every time we have to download Node, install it on Windows and run our test suite, which is something we need to do, especially if we are in open source and we support this platform.

30 million downloads in 2021, which became 60 million downloads in 2024. Also, some interesting fact about Node is that version 16, 14 and 12 are still massively popular. While they have a lot of known vulnerabilities and even worse, they're actually end of life, so don't use them. If you are still on this version, try to upgrade as soon as possible, please, because it's a massive vulnerability risk. In other words, if you are not updating Node.js regularly, you are putting yourselves at risk. Period. Also, Node has very good long-term support. One version of Node supports you for roughly 30 months, the old even numbered version. So, they become active for a year and then they become maintenance LTS for more than 18 months, so you have plenty of time to update. We give you a lot of room to update, but you need to update. Don't forget about it.

Now, some numbers on the organizational stats of Node. So, this is a one-year period ranging from November 2023 to November 2024. So, we got 20,000 new stars. We got a staggering number of 5,300 pull requests, which is a lot. 29,000 reviews and 4,500 issues, which is a lot. So, our pull request to issue ratio is close to one to one, so we try not to get too many new issues, but it's still a lot. It's a very, very active and alive project. Also, we have a pretty stable number of comments and pushes to Node Core, which is good.

We got a staggering number of 5,300 pull requests, which is a lot. 29,000 reviews and 4,500 issues, which is a lot. So, our pull request to issue ratio is close to one to one, so we try not to get too many new issues, but it's still a lot. It's a very, very active and alive project. Also, we have a pretty stable number of comments and pushes to Node Core, which is good. So, people are still engaging on the project. And the number of pull requests is also mostly stable, which is good, which means that the project is not going too fast and is not even stagnating and is not dying. That's fine. We have our steady rate, but we are able to keep in touch with everything we need. And I will show you about this.

The gist is that we work very hard to keep you safe. So, you're welcome. We have a lot of security submissions, which they not always, of course, translate into vulnerability because they have to be verified. Of course, they might be duplicated. They must not be supported anymore. There are several cases, but we still need to try and handle them. But anyway, we have a very good average time to first response, which is on median, which is about one day and a half. And also, a good time to triage, which is still on a couple of days. We have improved in last year, but our median time is close to be two days and something, which is brilliant, right?

Also, Node.js was one of the first projects sponsored by the Alpha Omega, which is initiated by the OpenSSF, which was funded by most big companies you can think about, which is Microsoft, Google, Amazon, you name it. Basically, the mission is to protect the society by catalyzing sustainable security improvements to the project. Basically, the idea is that they want to build a world where critical open source are secure and vulnerabilities are found, handled, fixed, and managed promptly and quickly. Because the thing is, the idea is that most of infrastructure we rely on every day for even something not related to technology is run by the open source software. So we need to be very responsible about it. So Node.js got roughly $300,000 per year since 2022 for security work, which is a lot, but I can tell you it's very well spent money.

So let's get to technical, because we all care about technical and I know about it. What did we ship in the last few years? Well, a few things. ESM. Now, the good matter, which is the author of this thing, is not very fond of ESM, but I do, and I'm really excited about this. Everything I'm doing now is finally supported in ESM, and you can now use this browser-compatible syntax rather than having to rely on CommonJS and ESM on the other side.

There are threads. We also had a very interesting talk about how Node hasn't been single threaded since 2018, but whatever. Now we have stable threads and they have a lot of flexibility to do mad science stuff, trust me.

Then we have fetch. We finally had fetch working in Node. Now we can use the same API on browser and on Node, so you don't need to use gotaxios, superrequest, whatever you want to use. You just use fetch, which is based on undici, which is a staggering client for Node. And we have a lot of improvement in the compatibility over the web platform. We have fetch, we have web streams, we have response, web crypto, from data structure clone, which is very important. Please stop doing JSON stringify, JSON parse. Please. It's not needed anymore. We have text encoder and decoder, we have blob and file, even target, and the dispose symbol. So a lot. And we are working to improve this even further, so stay tuned for exciting news on this.

We have promises since forever pretty much, but now many of the Node API are now promised by the design. They don't have to extend them. For instance, this is an example about how to read a file with promises using the FS slash promises API, which I use pretty much all the time now. We have the Node protocol for modules, so you can easily distinguish whether you're including something from Node or from an NPM package, which is very nice. We have the watchmode. Watchmode is brilliant, so you don't have to use concurrently or Node anymore, while they're a lovely project. I'm not against them. I still use them for some use cases, but you can now have everything in Node. You have the watch command line flag and you have the watch path to customize which paths are you watching. Now, they watch imported file and restart Node when they change, as you might expect, of course.

And, of course, it works with the test runner. So you can basically have an auto-restarting test runner very promptly and very easily. There is still limited platform support. Right now, it's only Mac OS and Windows, but we're working on improvements.

We have the async local storage, which is a way to track your asynchronous function calls and have some data in context. And, actually, you are using it every day if you are on Next.js, because these are the foundation for React server components. Without async local storage, you wouldn't have React server components.

We have web crypto, which is still part of the web platform. So, now, the Node crypto is also usable using the web platform API, with an example like that, where you can easily build HMAC of anything, pretty much. And we have the parse args to parse your command line arguments. This is pretty flexible and extensible, and now you don't have to use additional packages if you don't want to. You have everything baked in into Node, so that's a lot.

Finally, single executable application. You can inject Node into the, code into the Node binary, which was originally an idea from Postman Labs. Single command.js is the only supported format so far, and binaries can be distributed without any additional files. So, a single file, like in the Go world, if you're in the Go world. Some other tools you can test, use like postJect, but they're not actively being tested by the Node collaborators at the moment. Permission system, which is crucial for security. So, basically, there are some flags that basically allow you to restrict which API are required in your, sorry, allowed in your code, like FS, like child process worker, we also have net now.

And basically, you can restrict which API can be executed by your script at execution time. And you can check at run time using the process permission as API. There used to be a process permission deny in order to remove permission at run time, and it has been temporarily removed for some implementation details that need to be sorted out and might return in the future. And finally, the test runner. It's very, very flexible and supports subtests, skipping life cycle hooks, supports function and timer mocking, and also module mocking is on the way, coverage support, and it has good reporting defaults, which is defaulting to spec or top protocol depending if you are on a TTY, which means you are a live terminal or an automated system. I use test runner everywhere and it's brilliant, it just rocks. So, I strongly encourage you to take a look to that.

This is an example of a test runner, a test written in Node test runner. As you can see, it's pretty similar on what you are actually accustomed to. So, it should be easy to migrate. And also, we have WebSocket, and I love to thank you, Matthew, for implementing the WebSocket supporting Node.

It was not easy, but now we do. We have support in Node for WebSocket natively without any additional module. Now, here's the question. Given all the exciting things that I've been showing you, are you still stuck on 2015 or are you using the new, exciting, latest Node features? So, if you need even more of this, let me show you something even more exciting.

So, these are the two most exciting things that are coming out on v22 and, of course, 24. First of all, require ESM and no need for .mjs for the syntax detection. I would like to thank you massively, Joey and Geoffrey, for this massive work on this thing. As you can see now, you can load an ESM file using require, so you don't need to do await import or other nasty tricks. If the ESM module has not any top-level await, it will just work. Period. And Node does not need to have .mjs extension anymore to detect ESM because now it can detect which syntax is actually being used, which is brilliant. It's very easy to now interoperate the two formats very easily.

Another one by my very, very good friend Marco. TypeScript. Well, now we have automatic TypeScript support. Marco has done an amazing job to write Amaro, which is the TypeStripper used for this thing. I encourage you to check his native TypeScript talk everywhere online. You can find it everywhere, which gives you the details of that. But the idea is that now, if you look on the left-hand side, you can see the TypeScript file, which Node can execute without any TSCs, SWC, compiler, anything it could take. You just run it. Period. Which is brilliant. Thank you, Marco, again.

Now Node is not always relaxing because it's a massive project with a lot of needs. That's why we need you. I'm not Uncle Sam, but the idea is pretty much the same. So join. Let's talk a bit about how the project governance works. First of all, Node is run by the OpenJS Foundation, which gives us the legal and economic support to run all the infrastructure. And collaborators maintain the Node.js, Node GitHub repository.

They basically have commit access to the repo and they can start CI jobs. Anyone can send a PR to Node, whether it's a collaborator or not collaborator. Usually people start by sending us non-collaborator. We basically rely on GitHub pull requests. And the only collaborator, they review and merge, which we also refer to as Lend, pull requests. Pretty easy.

We are based on a consensus process. So basically, the idea is that two collaborators must approve a PR and then it can Lend. If a PR has been open for more than seven days, then one approval is enough. After being approved, the collaborator must, sorry, the person that sends the PR must wait for 48 hours. So it gives more time to people to make last minute objection before lending it. Approving a PR as a collaborator means that you accept the responsibility for that change. So if anything goes wrong, you are responsible for fixing it. And of course, if you are the author of this change, you cannot approve yourself. That's granted.

Now, if another collaborator asks for changes, so oppose a change, then the change cannot Lend. In that case, it's the responsibility of the TSC, which I'm a member of, to eventually overturn and dismiss this objection by a motion or a vote. But usually that doesn't happen. Most of the time, I mean, since I've been a collaborator, which has been for the last five years, I haven't seen any overturn from the TSC. Usually, collaborator, they chat to each other and they are able to resolve the issue by themselves, by just seeking consensus.

Now, the Node Technical Steering Committee, which is myself, Matteo, and other people, obviously. So they are responsible for the technical development in Node, which is, we set the release date, quality standard, the technical direction, the governance. The hosting on GitHub and all the other, basically, organizational stuff. We are responsible for maintaining the COC, the code of conduct. And also, we are responsible for mediating and collaborating with other projects in the foundation. That's pretty much it. That's what we do. And we're also responsible for resolving disputes between other members. So we basically take the final decision between other members. There are two types of TSC members, regular and voting.

Regular are basically members that can attend in TSC discussion, but they do not vote. Voting, instead, they do everything. They are regular members. That's plus voting.

Now, there is no time limit, neither the size limit of the TSC. And the TSC must have at least four voting members at all times. Basically, the only way to lose your voting member status, mostly, is to fail to vote. If you fail to vote several times in a year, you basically switch to be a regular member. That's it.

Also, this is gigantic, no more than 1 fourth of the TSC can be affiliated with the same employer. Which means, no one can control Node. We are totally community-run project. Period. It's not that we are run by anyone. Microsoft, Google, Facebook, or whatever. Just to make names. But we are run by ourselves. We set our own direction. That's it. Mind-blowing, right?

But that was not the most mind-blowing stuff. This is the most mind-blowing stuff. In order for Node to work with all these people, we all have to compromise a lot. Even myself, as a TSC member, for instance, I have to compromise a lot when I'm just sending a PR. That's it. We have to compromise to achieve our objectives and to make things work. Done. There's no other way. So if you run any open source project, that's an advice I'm giving you. Consensus-seeking is very good. Because you can improve a lot, both on the personal side and on the technical side.

And if you feel that you want to have a say in the future of Node.js, there is one simple advice I can give you. Start contributing. We are just waiting for you. We need your help, energy, expertise. So, start contributing. You can be a coder, you can be a triager, you can take care of the website, you can be an evangelist of the project. We need any help on anything because it's a huge project. Everyone is always welcome. We are waiting.

Now, we're almost done. I usually love to finish my presentation with a quote from people way smarter than me. And since I started by saying, don't count your chickens before they hatch, I'm going to leave you with a similar quote. By Jules Renard, which was a very good French writer from the 19th century, which says that, It's not how old you are, but how you are old. Yes, Node.js is an old project, it is 16 years old now, but it still has very young promises and cutting-edge projects, despite its age. We are not dead yet and we don't plan to be dead anytime soon. So, please stop saying that or stop trying to troll me when you meet me in person because I experience that a lot. I will sustain your trolling, but this is my extensive and exhaustive response.

Once again, welcome to being here for attending my talk. Once again, thanks, Matteo, for putting the material for this talk together and thanks Node.Congress for hosting me here today. With that said, I thank you very much for your attention and I'll see you soon. Cheers!