Node.js Version for Client Extension Development and Handling Security Vulnerabilities
Written By
Rishabh Agrawal
How To articles are not official guidelines or officially
supported documentation. They are community-contributed content and may
not always reflect the latest updates to Liferay DXP. We welcome your
feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it
may not always reflect the most recent updates or official guidelines. We
appreciate your understanding and encourage you to reach out with any
feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack"
publication program, made available for informational purposes. Articles
in this program were published without a requirement for independent
editing or verification and are provided "as is" without
guarantee.
Before using any information from this article, independently verify its
suitability for your situation and project.
Issue
- When developing client extensions with React for Liferay DXP 2024.Q4 or newer, what is the recommended Node.js version?
- The official compatibility matrix suggests Node.js version 20.12.2, but this version may have known security vulnerabilities (e.g., CVE-2025-23166, CVE-2025-23167).
- Can a newer, more secure version of Node.js be used for development without causing compatibility issues?
Resolution
- Node.js is a build-time dependency used for Liferay's frontend development tools, such as the Theme Generator and JavaScript toolkits. It is not required for the Liferay DXP runtime environment.
- Because Node.js is not part of the runtime, vulnerabilities in the Node.js version used for development do not pose a direct security threat to the running Liferay instance.
- Developers can use the latest stable or LTS version of Node.js that addresses the security vulnerabilities. Using a newer version for developing client extensions and React components is supported and will not cause issues.
- The official compatibility matrix provides the version that Liferay used for testing, but it is not a strict requirement for client-side development tooling.