Blog: add January 13 security release

[RafaelGSS]

cc: @nodejs/nodejs-website @nodejs/releasers @nodejs/security-release

I tried to create the CHANGELOGs for all release lines as we normally do, but it doesn't respect the version passed on

node --run scripts:release-post x.y.z

In my case, it was always fetching v25.3.0 only. My understanding is that it should be created automatically, but I'm not sure if that's working.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
nodejs-org	Ready	Preview	Jan 13, 2026 2:07pm

[github-actions]

👋 Codeowner Review Request

The following codeowners have been identified for the changed files:

Team reviewers: @nodejs/nodejs-website @nodejs/web-infra

Please review the changes when you have a chance. Thank you! 🙏

[RafaelGSS]

By the way, I have not renamed december-2025-security-releases to january-2026 because people will have broken links in case they are refreshing the page waiting for updates.

[Copilot]

Pull request overview

This PR updates the Node.js website to announce the January 13, 2026 security release, replacing the previously announced postponement notices with the actual release details. The security release addresses 8 vulnerabilities across multiple severity levels affecting Node.js versions 20.x through 25.x.

Changes:

• Updated website banner to announce security release availability instead of pre-release notification
• Replaced postponement notices with full vulnerability disclosures including CVE details, descriptions, impacts, and acknowledgments
• Added links to release downloads for affected Node.js versions (v20.19.7, v22.21.2, v24.12.1, v25.2.2)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 13 comments.

File	Description
apps/site/site.json	Updated banner configuration to change dates and announcement text for the security release
apps/site/pages/en/blog/vulnerability/december-2025-security-releases.md	Replaced postponement announcements with comprehensive security vulnerability disclosures and release information

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

📦 Build Size Comparison

Summary

Metric	Value
Old Total Size	3.74 MB
New Total Size	3.74 MB
Delta	-19.00 B (-0.00%)

Changes

➕ Added Assets (1)

Name	Size
.next/static/chunks/d6c41d23b20f53e2.js	204.36 KB

➖ Removed Assets (1)

Name	Size
.next/static/chunks/2dca7fe1a056db5e.js	204.38 KB

[avivkeller]

In my case, it was always fetching v25.3.0 only. My understanding is that it should be created automatically, but I'm not sure if that's working.

It did, see the automatic PRs created. It marked you as assignee

[github-actions]

Lighthouse Results

URL	Performance	Accessibility	Best Practices	SEO	Report
/en	🟢 99	🟢 96	🟢 100	🟢 100	🔗
/en/about	🟢 99	🟢 97	🟢 100	🟠 88	🔗
/en/about/previous-releases	🟢 98	🟢 100	🟢 100	🟢 100	🔗
/en/download	🟢 98	🟢 100	🟢 96	🟢 100	🔗
/en/download/archive/current	🟢 99	🟢 100	🟢 96	🟢 100	🔗
/en/blog	🟢 99	🟢 100	🟢 96	🟢 100	🔗

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.00%. Comparing base (3dff177) to head (d536004).
⚠️ Report is 4 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8538   +/-   ##
=======================================
  Coverage   75.00%   75.00%           
=======================================
  Files         103      103           
  Lines        9036     9036           
  Branches      311      311           
=======================================
  Hits         6777     6777           
  Misses       2257     2257           
  Partials        2        2           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[MattIPv4]

Suggested change

	- [Node.js v20.19.7](/blog/release/v20.19.7/)
	- [Node.js v22.21.2](/blog/release/v22.21.2/)
	- [Node.js v24.12.1](/blog/release/v24.12.1/)
	- [Node.js v25.2.2](/blog/release/v25.2.2/)
	- [Node.js 20.19.7](/blog/release/v20.19.7/)
	- [Node.js 22.21.2](/blog/release/v22.21.2/)
	- [Node.js 24.12.1](/blog/release/v24.12.1/)
	- [Node.js 25.2.2](/blog/release/v25.2.2/)

Per #8520?

[MattIPv4]

cc @aduh95 might need some more comms around following these guidelines everywhere? Or a lint rule to ban it?

[mex]

Are the versions included here wrong? It looks like they all link to 404 pages and the new releases today are minor bumps, not patch bumps.

Edit: Fixed in #8540

[MattIPv4]

Yes, would appear so, workflow gremlins. Being addressed in #8540