Rajan Patel
on 26 June 2025
The clock was ticking: Node.js 18’s upstream End of Life (EOL)
The OpenJS Foundation is an organization that was founded in 2019 from a merger of JS Foundation and Node.js Foundation. The OpenJS Foundation is the entity supporting the development of the Node.js project. Node.js 18 was released on April 19, 2022. It was the ‘Current’ release for six months before the OpenJS Foundation promoted it to their Long-Term Support (LTS) classification on October 25, 2022. Node.js 18 was classified as a Maintenance LTS by the OpenJS Foundation on October 18, 2023, at which point the OpenJS Foundation only provided critical bug fixes, security updates, and features that supported migration to later release lines. OpenJS Foundation’s end-of-life date for Node.js 18 LTS was April 30, 2025.
Updating the latest version of Node.js is not always desirable. Major version upgrades come with new features, but they may also introduce new security vulnerabilities associated with those new features. In some cases, a full-scale migration may require intensive developer effort, or pulling developers away from commercially-important work. Maintaining the EOL versions of Node.js 18, and other legacy versions, buys organizations time and space to plan a proper migration strategy, while maintaining secure and stable operations.
The magic formula: Ubuntu 24.04 LTS + Ubuntu Pro + Node.js 18
The Ubuntu archive is composed of four components: main, restricted, universe, and multiverse. These components categorize software based on their licensing and origin. Node.js is available on Ubuntu as a deb and snap package. The deb package is published by Canonical in the Universe repository, whereas the snap package is published and maintained by the OpenJS Foundation. Canonical provides up to 12 years of security patching for open source software packaged and published through Ubuntu Pro repositories. These security commitments differ from upstream open source software maintainers, like the OpenJS Foundation.
By using Ubuntu Pro, you can continue to enjoy security updates and full compatibility in your use of Node.js 18. Without Ubuntu Pro, you will not get updates, as the OpenJS foundation EOL announcement will effectively end all security coverage for that version. Furthermore, organizations in need of a Node.js binary with FIPS-compliant cryptography, never need to compile Node.js with these capabilities from source. Canonical publishes a FIPS-compliant Node.js binary in their FIPS repository, which is included with Ubuntu Pro. If FIPS has been enabled in Ubuntu through the Ubuntu Pro Client, the FIPS-compliant version of the Node.js package will be installed automatically.
Five Ubuntu LTS instances can benefit from Ubuntu Pro at no cost for personal use or commercial evaluation purposes, with a free token from the Ubuntu Pro Shop. This token can be attached to an Ubuntu LTS instance with the `sudo pro attach <token>` command. Once attached, the Ubuntu LTS instance receives security coverage for all open source packages in Canonical’s Main and Universe repositories. Ubuntu Pro also includes systems management with self-hosted or SaaS Landscape editions; includes live kernel patching through Canonical Livepatch; includes a comprehensive suite of compliance and hardening automations for CIS, DISA STIG, FIPS, and more; and also provides access to real-time Linux kernel variants.
What this means for you
Your requirements and preferences for security maintenance, software confinement, and software version would influence your choice between the snap and deb Node.js packages. The latest Node.js LTS release at the time was Node.js 18, making it the only suitable deb package version for Ubuntu 24.04 LTS. For those wondering why Node.js 22 LTS was not included in Ubuntu 24.04 LTS: Node.js 22 was released on April 24, 2024, one day before the Ubuntu 24.04 LTS release. However, Node.js 22 officially became an LTS version on October 21, 2024, 235 days after the February 29, 2024 feature freeze date for Ubuntu 24.04 LTS.
There are several methods to install and maintain Node.js. For example, system administrators can install other versions of Node.js on Ubuntu 24.04 LTS using snap packages, third party repositories, Node Version Manager (NVM), or by building their desired Node.js version from source. However, these methods of obtaining Node.js do not obtain the source code from Canonical, and consequently these installations are not covered by Canonical’s 12 year security patching commitment. If long term security is a concern, choose an Ubuntu release which contains the desired major version number of the open source software your application requires. For example, The FreePBX open source project has a major update every two years, but there is a strong interest in running a FreePBX installation for beyond that time frame. I wrote a comprehensive how-to guide and in-depth explanation about deploying FreePBX 17 on Ubuntu 24.04 with every open source dependency (including Asterisk 20.6 and Node.js 18) installed as a deb package from the Ubuntu archives.
Chief Information Security Officers (CISOs) at Fortune 500 companies have consistently chosen Ubuntu as their platform of choice for secure open source software. When projects span multiple years between development and production shelf life, the short length of Node.js end-of-life dates creates a cycle of endless technical debt. With Ubuntu, Node.js (and a vast array of additional open source software, comprising some 36,000 software titles) has security coverage and support through Canonical for over a decade. Ubuntu Pro is used in highly regulated industries, such as financial services, healthcare, and public utilities, as end-of-life software is prohibited in production environments through government regulations.
Using Node.js 18 on Ubuntu 24.04 LTS provides unprecedented stability, with over a decade of security patches on Node.js version 18. With ongoing security patching beyond the end-of-life window, your open source deployment will remain continuously compliant, reduce upgrade pressure, and enhance your security posture.
How Ubuntu Pro benefits creators of open source software
Software publishers and software consumers often have diametrically opposed goals. Software publishers wish for users to remain on the latest version, and engage in the oftentimes perilous act of major version upgrades; in contrast, software consumers wish to deploy a stable application and use it for the longest duration possible, while the software is safe and fit for purpose. Examples of this tug of war are evident in many places:
- In the smartphone market, consumers are demanding longer software maintenance periods, and delaying their hardware refresh cycles.
- Many computer users view operating system updates with disdain, fearful of what new changes they will have to grow accustomed to.
- System administrators have larger worries: will the upgrade fail midway, leaving the entire application offline and in a state of limbo while triaging the issue?
If you build open source software and focus on a first-class experience for users on Ubuntu LTS, you should consider showcasing your creation at the Ubuntu Summit in London on October 23, 2025 and October 24, 2025. While the Ubuntu Summit will be held in London, the event will have a strong decentralized and distributed experience. Interactive participation from remote attendees is encouraged, and local watch parties will be bridged in to be active participants instead of passive watchers. The event will attract developers, engineers, designers and tinkerers from all over the world.
