Node.js 18 End of Life: Which Vendors Offer Extended Security Support?

Updated: May 24, 2026 EOL: April 30, 2025 5 min read

Node.js 18 is end of life. It has not received security patches since April 30, 2025. Any CVE disclosed after that date is a permanent unpatched vulnerability in your production environment. Organizations running Node.js 18 need either a migration plan or a commercial extended support contract — now.

Node.js 18 lifecycle timeline

Active LTS
Oct 2022 – Oct 2023
Security only
Oct 2023 – Apr 2025
EOL
Apr 30, 2025 ✕

Node.js 18 entered its Active LTS phase in October 2022 and moved to security-maintenance-only in October 2023. The OpenJS Foundation ended all support on April 30, 2025. No further patches will be released for any CVE, regardless of severity.

Which vendors offer extended CVE patches for Node.js 18?

Several commercial vendors have built extended lifecycle support programs specifically for EOL Node.js versions. Here is a comparison of the main options available as of 2026:

Third-Party ELS Vendors

Extended Lifecycle Support

Specialist ELS vendors cover Node.js runtimes as part of their open-source extended support offerings. Multi-year contracts available, typically covering CVSS 7+ vulnerabilities.

View via endoflife.ai →

Feature comparison

Vendor CVE patching Compliance docs Multi-year contracts Other EOL runtimes
Third-party ELS vendors ✓ CVSS 7+ Linux, PHP, Python

Migrate or extend? How to decide

Choose migration if your Node.js 18 application can be moved to Node.js 22 LTS within 6–12 months without major breaking changes. Node.js 22 is supported until April 2027 and Node.js 24 entered LTS in 2025. Migration eliminates ongoing support costs.

Choose extended support if migration is blocked by: third-party dependency incompatibilities, regulatory change-freeze periods, insufficient engineering bandwidth, or complex monorepos where upgrading the runtime requires months of testing.

ELS is a bridge — not a destination. The right answer is always to establish a migration timeline alongside any extended support contract.

Check your full EOL exposure

See which vendors cover every EOL component in your stack — not just Node.js 18.

Open CVE Intelligence Tool →

Frequently asked questions

Is Node.js 18 still supported?
No. Node.js 18 reached its official end of life on April 30, 2025. It no longer receives security patches, bug fixes, or CVE remediation from the OpenJS Foundation. Organizations still running Node.js 18 in production are exposed to any vulnerability disclosed after that date.
Which vendors offer extended security support for Node.js 18 after end of life?
Several commercial vendors provide extended lifecycle support for Node.js 18: Several vendors provide extended lifecycle support (ELS) for Node.js 18, including options covering ongoing CVE patches, compliance documentation, and multi-year contracts. See the vendor directory for current options.
What are the risks of running Node.js 18 past its EOL date?
Any CVE disclosed after April 30, 2025 will remain permanently unpatched. Vulnerability scanners may stop flagging issues against EOL versions, creating a false sense of security. Compliance frameworks including SOC 2, PCI DSS, and ISO 27001 typically require running supported software.
What version of Node.js should I migrate to?
Node.js 22 is the current Active LTS release, supported until April 2027. Node.js 24 entered LTS in late 2025. Both are valid migration targets — choose based on your ecosystem's compatibility with each version.
How long does extended support for Node.js 18 last?
Duration depends on the vendor. Duration depends on the vendor — options range from 1–3 year contracts to indefinite support while subscription is active. Most organizations pair a 1-year ELS contract with a parallel migration project.