January 16, 2026·Product

Security Update: Upgrade Node runtime

Oliver Juhl

Update Node runtime to mitigate security issue

Node has published a security advisory addressing a denial-of-service issue related to their async_hooks API. Read the full advisory here for more information and a technical deep dive.

The issue affects Medusa applications that use APM providers, including OpenTelemetry, or other libraries that rely on the async hooks from Node’s runtime.

Regardless of whether your application relies on async hooks or not, we advise following the required actions to ensure the issue is fully mitigated now and going forward.

Required actions

Please upgrade to one of the patched Node releases from January 13, 2026 as soon as possible:

  • Node.js 20.20.0
  • Node.js 22.22.0
  • Node.js 24.13.0
  • Node.js 25.3.0

These releases include the fix for this issue as well as other security improvements.

Users on Medusa Cloud

We have introduced a change to ensure that projects deployed on Medusa Cloud use a secure Node version. The only exception is when a project specifies a version constraint that is not satisfied by any of the secure Node versions. For example, if a project specifies >=22.1.2 <22.19.0, we will not enforce a secure version, as we assume the constraint was intentionally defined. Please review your project configuration to ensure it does not contain unintended constraints that prevent us from enforcing a secure Node version.

If you created a project on Medusa Cloud using one of Medusa’s starters before January 14, you should follow the guidance above, as those projects may specify an insecure Node version. Starters created after January 14 use a secure Node version by default, and no further action is required for those projects.
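
The check described above, as an added example that is not Medusa's or Node's own code: it tests a Node version against the four patched releases listed in this post and reports which of them a version constraint still allows. It assumes space-separated comparators with full x.y.z versions, and it compares against those four releases only; how Medusa Cloud evaluates constraints internally is not described here.

```javascript
// Patched releases listed in this post (January 13, 2026).
const PATCHED = ["20.20.0", "22.22.0", "24.13.0", "25.3.0"];

// "v22.22.0" or "22.22.0" -> [major, minor, patch]; anything else is rejected.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) throw new Error(`unsupported version: ${version}`);
  return [m[1], m[2], m[3]].map(Number);
}

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when the version is on a listed release line and at or above its fix.
// Release lines not in the list (for example 18.x) are reported as unpatched.
function isPatched(version) {
  const fix = PATCHED.find((p) => parse(p)[0] === parse(version)[0]);
  return fix !== undefined && compare(version, fix) >= 0;
}

// Evaluate space-separated comparators such as ">=22.1.2 <22.19.0".
// Assumption: ^, ~, partial versions and || are rejected rather than guessed at.
function satisfies(version, range) {
  const ops = { ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0,
                "<": (c) => c < 0, "=": (c) => c === 0 };
  return range.trim().split(/\s+/).every((token) => {
    const m = /^(>=|<=|>|<|=)?(v?\d+\.\d+\.\d+)$/.exec(token);
    if (!m) throw new Error(`unsupported comparator: ${token}`);
    return ops[m[1] || "="](compare(version, m[2]));
  });
}

// Listed patched releases that a version constraint still allows.
function patchedAllowedBy(range) {
  return PATCHED.filter((p) => satisfies(p, range));
}

// Check the running interpreter, then the constraint quoted in the post.
const runtime = process.versions.node.split("-")[0]; // drop any pre-release tag
console.log(`Node ${runtime} patched: ${isPatched(runtime)}`);
console.log("allowed by >=22.1.2 <22.19.0:", patchedAllowedBy(">=22.1.2 <22.19.0"));
```

An empty result from patchedAllowedBy means the constraint excludes every patched release listed here, which is the situation the post asks you to review.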
