Search across all documentation pages
Node 24 ships most primitives backends need - default to node: modules, promise APIs, and documented security patterns before adding npm surface area.
fetch, test).node: prefix in application code. node:fs/promises, node:crypto, etc.fs/promises, timers/promises) over callbacks. promisify only for third-party callbacks.fetch and node:test before adding node-fetch/Jest for simple cases. Fewer dependencies.@types/node to runtime major (24.x). Typings match API availability.readFileSync/writeFileSync on request paths. Blocks event loop.createReadStream + pipeline. Bounded memory.resolve + prefix check under base dir.0o600 on secrets written to disk. Restrictive permissions.finally when using fs.open. Prevent EMFILE leaks.randomBytes/randomUUID, never Math.random. CSPRNG only.timingSafeEqual on equal-length digests. No plain string compare.URL - not legacy url.parse. SSRF allowlist on hostname.os.availableParallelism(), not raw cpu count in containers. Correct vCPU awareness.process.env once at boot with Zod. Immutable config after parse.http servers too.unref for optional background ticks. Clean deploy exit.util.inspect limits when logging objects - not unbounded JSON.stringify. Avoid cycles and PII dumps.NODE_DEBUG only in dev/staging reproduction. Not permanent in production.perf_hooks event loop metrics in staging load tests. Correlate with user latency.parseEnv, styleText). Avoid outdated blog patterns.diagnostics_channel with cleanup in tests. No listener leaks.When you need recursive copy/remove helpers not in core - otherwise fs/promises + mkdir recursive.
fetch built-in for simple calls; axios/got when interceptors/retries/agent tuning required - ADR optional.
crypto.randomUUID covers most ID cases - uuid npm for non-v4 formats only.
Node --env-file for dev; production inject from platform; always Zod validate after load.
Both acceptable with tuning - pick one org standard; native scrypt reduces deps.
No - internal metrics only; public health stays minimal status + version.
Yes - spawn rules in Processes Best Practices.
Use subtle for AES-GCM interop; HMAC/hashing often simpler on node:crypto.
Mock fs module or use temp dir with cleanup - not sync fs in tests for speed habits.
node:test for unit tests; Vitest/Jest when team needs richer DX - still built-in viable on Node 24.
Built-in http sufficient for probes; Express 5/Fastify 5 for product APIs - built-ins underpin both.
fs and fs/promises in this section.
Stack versions: This page was written for Node.js 24.18.0 (Active LTS), npm 10+, TypeScript 5.6+, Express 5, Fastify 5, and NestJS 11.