Node.js Version for Client Extension Development and Handling Security Vulnerabilities
written-by
Rishabh Agrawal
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.
legacy-article
learn-legacy-article-disclaimer-text
Issue
- When developing client extensions with React for Liferay DXP 2024.Q4 or newer, what is the recommended Node.js version?
- The official compatibility matrix suggests Node.js version 20.12.2, but this version may have known security vulnerabilities (e.g., CVE-2025-23166, CVE-2025-23167).
- Can a newer, more secure version of Node.js be used for development without causing compatibility issues?
Resolution
- Node.js is a build-time dependency used for Liferay's frontend development tools, such as the Theme Generator and JavaScript toolkits. It is not required for the Liferay DXP runtime environment.
- Because Node.js is not part of the runtime, vulnerabilities in the Node.js version used for development do not pose a direct security threat to the running Liferay instance.
- Developers can use the latest stable or LTS version of Node.js that addresses the security vulnerabilities. Using a newer version for developing client extensions and React components is supported and will not cause issues.
- The official compatibility matrix provides the version that Liferay used for testing, but it is not a strict requirement for client-side development tooling.
did-this-article-resolve-your-issue