# javascript
n
Sorry for the noob question, but what Node.js version should I use? The KMP curated version is quite old, v22.0.0 and without patches. Is it just the oldest version KMP supports, or a preferable one? I am using NodeJS just for builds, so security is less of a concern.
a
You can use any version you want. There is a small snippet in the doc on how to customize it: https://kotlinlang.org/docs/js-project-setup.html#configuring-node-js-settings The simple example is this:
import org.jetbrains.kotlin.gradle.targets.js.nodejs.NodeJsEnvSpec
import org.jetbrains.kotlin.gradle.targets.js.nodejs.NodeJsPlugin

plugins.withType<NodeJsPlugin> {
  the<NodeJsEnvSpec>().version = "22.18.0"
}
e
https://youtrack.jetbrains.com/issue/WEB-72952 Not sure if this is still valid or not.
a
Yes, it is
n
But what is recommended? Update to latest version or keep plugin curated version?
e
The correct question is "do I need the latest version?"
n
Not really. I expect better performance and security from more recent versions
e
Yes but that's the development environment. You're not going to deploy via that tooling.
n
Also true. Thanks!
j
Just ran into this. The workaround works. But why are new versions of Kotlin still relying on outdated versions of Node? What's the reasoning for shipping something without patch releases that presumably fix stability and security bugs applied (Node is infamous for those). I just tried Kotlin 2.2.20RC and it still bundles a version of Node that is more than one and a half years out of date. Why is this not being updated more regularly? I think we were still on Kotlin 1.9 at the time.
e
I think it has to strike a balance. Maybe it's time to come up with update guidelines? Much like what I proposed for ECMAScript support: picking a baseline used by the compiler and deciding when to update it (e.g., once a year? Stay on latest version - 2?, etc.)
j
I think if you ship a release, all dependencies should be current and supported. I get not switching major releases of dependencies for a minor release. But keeping the node release on the latest LTS should be fairly uncontroversial. Supported here means latest minor release, not the most unstable and risky .0 release of the LTS version so 22.18.0 instead of 22.0.0. Probably all sorts of important stuff got fixed ...
e
Yes I get what you mean, but I don't think it's that "urgent". Overriding the version isn't complex and is what I'd expect every team to do, since you most likely want to have control over it (be it because of CI, or because you're in a monorepo).
n
IMHO the most stable experience is to use an active version: https://nodejs.org/en/about/previous-releases. But the question is, why does Kotlin bundle the first, and supposedly the most unstable, version of 22.0.0? I have seen a cached 22.13.0, but have no idea which project left it.
@Edoardo Luppi, yes, we can manage our own versions. But is it a recommendation? Does Kotlin give the same level of stability with 22.18.0 as with 22.0.0?
e
The version was set to 22.13, and then rolled back because of the mentioned debug issue IIRC. https://github.com/jetbrains/kotlin/commit/08d1935948b074c27e6f9280363c35169e441346
Effectively you, as a user, won't see any difference. I hope you're not running your production deployment through the KMP run task!
n
Maybe some potential performance gains? But you're right, I probably won't see the difference. But seeing zeros in versions always gives me that odd feeling that I am using the first, not yet patched version.
j
and a lot of closed CVEs
and an increasing number of libraries that require something up-to-date