A release in Node.js refers to the code changes that have been made to the code base that will be built and released on the Node.js distribution channels. Code changes are evaluated by commit.

Node.js may have up to 5 active release lines at a time. A release line is the semver major (ie. v18.x, etc) version that is maintained.

Releasers prepare the releases and are responsible for testing the release builds and deploying the releases.

Release lines have two git branches that are used to work off of. One branch represents the state of what is released, and the other is the branch used to prepare the following release.

Node.js collaborators use GitHub labels to categorize commits by their semver change so it is easier to figure out which commits should go into a release line.

There may be hundreds of commits in a single release, so automation is key. While we can't automate all the cherry-picks (yet) because a human needs to resolve conflicts, scripts are used to move commits around and drop any conflicting changes.

A backport is a change that has already been made and approved on the main branch, but the change lands on a release line branch with substantial conflicts. Therefore, a backport is created where the change is based off the release line's staging branch.

Node.js, like many open source projects, uses a public bug-reporting tool for security researchers to submit potential bugs. Once the bug has been verified as a security vulnerability by the Node.js team, a security release is started.

Security releases can take several weeks of coordination, which is why each Node.js security release has a security release steward. The steward is someone that works with the Node.js team to coordinate each step of the release.

This year, the Node.js project was the first open source project to be funded by Project Alpha-Omega under the Linux Foundation. This new effort provides funding for widely-used open source projects for security efforts that include security triaging, stewarding releases, and improving the security efforts across the project.

This takes the burden off the maintainers, that are usually focused on feature and operationally-heavy tasks.

The Node.js project has a private code base that is kept in sync with the public repository. Security patches are made to the base branch and each release line, and the code is reviewed and tested before a release is started and the vulnerability is made public.

Releasers start preparing for the next releases. Releases and major release lines are scheduled years and months in advance. There are Node releases currently scheduled through 2026.

Code names (Fermium, Gallium, etc) have been chosen years in advance. Right now, there are not code names for "Q" and "W", so if you have ideas please open a pull request!

This model allows Node.js to have multiple release lines for multiple types of developers and platforms at once.

While some developers may want the latest features that have been merged to the Node.js codebase, others can only sustain an update every few years.