Wasp Language Mandates Node.js 22.x Security Upgrade by March 24, 2026

The Wasp language project is mandating a critical infrastructure upgrade, requiring all users to move to the latest Node.js 22.x release starting March 24, 2026. This is not a routine update; it is a forced migration tied directly to a scheduled security patch from the Node.js project, necessitating a breaking release for Wasp itself. The move from the current version 22.12 is non-negotiable for security compliance, closing GitHub issue #3914 and fundamentally altering the project's operational baseline.

The upgrade carries immediate technical implications for the Wasp development toolchain. A key side effect is the deprecation of the `--experimental-strip-types` flag, which will become enabled by default in the new Node.js version. This change will streamline configuration but requires developers to audit and potentially adjust their build processes to avoid unexpected behavior post-upgrade. The directive creates a hard deadline for the entire Wasp ecosystem, tying its security posture and continued functionality to an external dependency's release cycle.

This action signals heightened scrutiny on supply chain security within developer tooling. Projects like Wasp that build on Node.js are forced to explicitly track and mandate upstream security releases, transforming a runtime update into a breaking change for their own users. It places pressure on maintainers to coordinate releases and on downstream teams to prioritize these updates, highlighting the cascading security responsibilities in modern software stacks. Failure to comply by the deadline could leave projects vulnerable to the unspecified security flaws addressed in the March 2026 Node.js patches.