Node.js 18 End of Life: Which Vendors Offer Extended Security Support?
Node.js 18 is end of life. It has not received security patches since April 30, 2025. Any CVE disclosed after that date is a permanent unpatched vulnerability in your production environment. Organizations running Node.js 18 need either a migration plan or a commercial extended support contract — now.
Node.js 18 lifecycle timeline
Node.js 18 entered its Active LTS phase in October 2022 and moved to security-maintenance-only in October 2023. The OpenJS Foundation ended all support on April 30, 2025. No further patches will be released for any CVE, regardless of severity.
Which vendors offer extended CVE patches for Node.js 18?
Several commercial vendors have built extended lifecycle support programs specifically for EOL Node.js versions. Here is a comparison of the main options available as of 2026:
Third-Party ELS Vendors
Extended Lifecycle SupportSpecialist ELS vendors cover Node.js runtimes as part of their open-source extended support offerings. Multi-year contracts available, typically covering CVSS 7+ vulnerabilities.
View via endoflife.ai →Feature comparison
| Vendor | CVE patching | Compliance docs | Multi-year contracts | Other EOL runtimes |
|---|---|---|---|---|
| Third-party ELS vendors | ✓ CVSS 7+ | ✓ | ✓ | Linux, PHP, Python |
Migrate or extend? How to decide
Choose migration if your Node.js 18 application can be moved to Node.js 22 LTS within 6–12 months without major breaking changes. Node.js 22 is supported until April 2027 and Node.js 24 entered LTS in 2025. Migration eliminates ongoing support costs.
Choose extended support if migration is blocked by: third-party dependency incompatibilities, regulatory change-freeze periods, insufficient engineering bandwidth, or complex monorepos where upgrading the runtime requires months of testing.
ELS is a bridge — not a destination. The right answer is always to establish a migration timeline alongside any extended support contract.
Check your full EOL exposure
See which vendors cover every EOL component in your stack — not just Node.js 18.
Open CVE Intelligence Tool →