Node.js v24.7.0 Released – Post-Quantum Cryptography, Modern WebCrypto, and More

#node #javascript #security #opensource

Node.js v24.7.0 – Future-Proof Cryptography, Modern WebCrypto, and More

Released on August 27, 2025, Node.js v24.7.0 (Current) introduces quantum-resistant cryptography, modern WebCrypto APIs, single executable app improvements, Argon2 password hashing, Brotli streaming, and updated root certificates.

This release isn’t just a step forward — it’s Node.js preparing for the future of secure, scalable applications.

Post-Quantum Cryptography in `node:crypto`

With the rise of quantum computing, today’s encryption standards risk becoming obsolete. To future-proof Node.js, v24.7.0 introduces NIST’s post-quantum cryptography standards:

ML-KEM (FIPS 203) → Module-Lattice-Based Key Encapsulation Mechanism, available via:

const { encapsulate, decapsulate, generateKeyPairSync } = require('crypto');

const { publicKey, privateKey } = generateKeyPairSync('ml-kem');
const { sharedSecret, ciphertext } = encapsulate(publicKey);
const { sharedSecret: decrypted } = decapsulate(privateKey, ciphertext);

ML-DSA (FIPS 204) → Module-Lattice-Based Digital Signature Algorithm, supported in:

const { sign, verify } = require('crypto');

const signature = sign(null, Buffer.from("hello world"), privateKey);
const isValid = verify(null, Buffer.from("hello world"), publicKey, signature);

This means Node.js applications can now experiment with quantum-resistant encryption and signatures.

Modern Algorithms in Web Cryptography API

The Web Crypto API (globalThis.crypto.subtle) gets a massive upgrade with next-gen algorithms, bringing Node.js closer to browser parity:

AES-OCB (high-performance authenticated encryption)
ChaCha20-Poly1305 (modern, fast AEAD cipher)
SHA-3 & SHAKE digests
ML-KEM & ML-DSA (post-quantum cryptography for WebCrypto)
subtle.getPublicKey() – Extract a public key from a CryptoKey
SubtleCrypto.supports() – Feature detection for algorithms

Example:

const key = await crypto.subtle.generateKey(
  { name: "AES-OCB", length: 128 },
  true,
  ["encrypt", "decrypt"]
);

console.log(await SubtleCrypto.supports("AES-OCB")); // true

Single Executable Applications (SEA) – Smarter Config

Node.js Single Executable Apps (SEA) now support runtime arguments (execArgv) directly in the SEA config.

Example sea-config.json:

{
  "main": "app.js",
  "output": "myapp.blob",
  "execArgv": ["--no-warnings"],
  "execArgvExtension": "cli"
}

Run it like this:

./myapp --node-options="--max-old-space-size=4096"

This makes distributing Node.js apps as binaries much more flexible.

Root Certificates Updated

The built-in root CA store has been updated to NSS 3.114.

Certificates Added:

TrustAsia TLS ECC Root CA
TrustAsia TLS RSA Root CA
SwissSign RSA TLS Root CA 2022 - 1

Certificates Removed:

GlobalSign Root CA
Entrust.net Premium 2048 Secure Server CA
Baltimore CyberTrust Root
Comodo AAA Services Root
XRamp Global CA Root
Go Daddy Class 2 CA
Starfield Class 2 CA

Other Notable Changes

Argon2 Password Hashing
- crypto.argon2() and crypto.argon2Sync() now available.
- More secure password hashing, alongside scrypt and bcrypt.
HTTP Enhancements
- New Agent.agentKeepAliveTimeoutBuffer option.
HTTP/2 Updates
- Support for raw header arrays in h2Stream.respond().
Streaming Compression
- Brotli support added to CompressionStream & DecompressionStream.