Node.js v4.0.0 has just been released. This is a huge milestone for Node under the new Node.js Foundation. All thanks to the development process inherited from the io.js fork.

As it stands, the v4.0.0 release represents Node at its best. Patches are more thoroughly reviewed, the state of the test suite is better, and there are more active contributors than ever.

Let’s take a deeper dive into the v4.0.0 release and the future of Node releases.

This is the most stable Node ever

Node core now has 44 Collaborators (15 of which are technical steering committee (TSC) members), all who are able to review and sign-off on patches. With so many people able to review, patches are often signed-off on by two or three collaborators. Also, having more than one sign-off is actively encouraged for non-trivial patches. The result is a substantial increase in the quality of code and documentation that ends up being merged in.

Now, all patches submitted must be signed-off on by at least one collaborator and run against the continuous integration testing suite before being merged. This even includes patches submitted by TSC members. Consequently, the nodejs/node repository that releases—including v4.0.0—will now come from has had over 400 more total pull requests than issues filed in its short lifespan. All while still maintaining a lower amount of open pull requests and issues than the original repository.

Since a focus on stability has come to the core of the Node project, a new initiative has been spun up to test a range of common npm modules prior to any Node releases. This testing, known as (npm) smoke-testing, is critical for ensuring API stability going forward. Smoke-testing also lets modules’ test suites extend our own tests, which reinforces our confidence in the stability of the release.

The introduction of SemVer

A Major.Minor.Patch Game

In the past, Node core was versioned much differently than most npm modules the community uses. npm brought the concept of SemVer to the forefront, where releases can be versioned so that developers can more easily tell if changes will be compatible with their current code. Node will take over the Semver-versioned numbering sequence established by io.js moving forward. As io.js v3.x was the most recent major release, the first converged release will be Node v4.0.0.

Going forward, Node.js will rigorously adhere to Semver. As such, changes that would break user code will only be released in bi-yearly Major (X.0.0) releases. This allows more frequent releases of API-stable features in Minor (0.X.0) releases, and regular fixes or improvements in Patch (0.0.X) releases.

Frequent releases with SemVer

With better testing to ensure stability, and more collaborators actively improving the code base, Node v4.0.0 will be able to use SemVer and maintain the much more frequent weekly patch-or-minor release schedule established by io.js. Under this schedule, API-stable fixes, features, and improvements are able to become usable in the hands of developers week-by-week without requiring any changes to user code.

Having more frequent releases also has a positive effect on the state of security practices in Node.js. This means that releases can go out as quickly as the same day a vulnerability is reported, or the same day that dependencies like OpenSSL receive security updates. Node v4.0.0 optimizes for security by default, and does its best to reflect current security best practices in those defaults. As such, insecure ciphers such as RC4 are rejected by default, and the insecure SSLv2/3 support in OpenSSL has been disabled.

The ability to keep more up-to-date with dependencies also has a great effect on the state of Node in regard to its JavaScript engine, V8. V8 is a dependency that moves quite fast, as it tracks Google Chrome. Being able to more closely track V8’s releases means Node.js runs JavaScript faster, more securely, and with the ability to use many desireable ES6 language features. Correspondingly, connections between the Node team and V8 and Chrome teams have also grown to better support Node going forward and put Node in a position of relevance for driving the future of JavaScript.

Going forward

The v4 release line of Node promises to be the best yet. Frequent minor and patch releases will only serve to improve v4.0.0. While seeming like a large version gap, v4.0.0 is actually quite similar to Node v0.12. However, it comes with all the fixes and minor improvements from io.js, as well as the revised development process.

All of this has been done for the benefit of the larger Node community, whether your use- cases for Node are for enterprise deployments, front-end toolchains, hardware hackery, client-side apps, or something out of the box. Node going forward will only improve, both in the v4 release line and beyond. With so many new people joining to collaborate on and around Node core, it is becoming a world-class platform that is built both for the community and by the community. Join us!