Node.js 14 went end-of-life on April 30, 2023, leaving some framework-dependent applications on an unsupported runtime while upstream projects completed major migration work.
One of the most visible downstream cases was Rocket.Chat, a communications platform whose federal government page states that it is “trusted across the federal stack with DoD ATO up to IL6” and displays NIPR, SIPR, and JWICS badges alongside the DoD seal.
Rocket.Chat CTO Rodrigo Nascimento said in a GitHub discussion that the platform could not move to a supported Node.js version until Meteor 3.0 was out. The blocker was the framework.
The Node.js 14 Problem for Meteor Applications
Meteor remains active across the open-source and commercial software ecosystem. The project has 44,800-plus GitHub stars, while Wappalyzer, TheirStack, and Enlyft show Meteor being used by live companies. npm download data for meteor-node-stubs also points to continued activity, with weekday activity in May and June 2026 noticeably higher than early 2025 levels.
The technical problem came down to one library: node-fibers. Meteor relied on it to make asynchronous code behave synchronously, a practical workaround that later became a structural liability. When Node.js 16 arrived, node-fibers stopped working. That meant any Meteor application wanting to move to a supported runtime had to remove Fibers and rebuild around native async/await. This was not a routine patch. It required a programming model change.
The gap between identifying the problem and completing the migration opened in June 2021 and stayed open for years. GitHub Discussion #11505 laid out why the transition needed to happen. But knowing a migration is needed and completing it across a large framework are different problems. Meteor continued shipping with node-fibers. Node.js 14 reached EOL. The migration still had to be completed.
The Migration Approach
Meteor Software, the company behind both Meteor.js and the Galaxy hosting platform, restructured in 2022 and brought in new leadership. Henrique Schmaiske joined as the first technical hire under the incoming CEO. He became one of three core contributors who helped take Meteor 3.0 from problem to release.
The team had a choice: deliver one large breaking release, or provide a path developers could follow in stages. They chose the second option. Versions 2.8 and 2.9 introduced async versions of major components, including Meteor.callAsync, a reworked MongoDB API, OAuth, and accounts-password, before Fibers were removed. Downstream teams were given a runway to prepare.
In March 2023, Meteor published a public roadmap thread on the Meteor Forum: “Fibers Public Roadmap and Meteor 3.0.” Weekly updates followed over the next two years. That mattered because organizations running their own security, compliance, and upgrade timelines needed visibility into when the migration would land and what was still in progress.
Schmaiske held CODEOWNER status on the meteor/meteor repository. His sign-off was required for changes touching key parts of the codebase. The role covered roadmap definition, migration sequencing, and direct coordination with major downstream consumers.
Meteor 3.0 Ships
Meteor 3.0 landed on July 16, 2024. The work behind it was substantial: 2,300-plus commits, more than 800 modified files, and over 200 pull requests. node-fibers was removed. The codebase moved to native async/await, Connect gave way to Express, and Node.js 20 support arrived with the release.
Schmaiske worked directly with Rocket.Chat’s engineering team through the migration. Rocket.Chat runs on Meteor and React, with framework code inside the apps/meteor/ directory of its monorepo. For Rocket.Chat’s engineers, the Meteor 3.0 transition was not an abstract upstream change. It affected their production codebase directly.
Rocket.Chat 7.0.0 shipped on November 1, 2024. The release notes confirmed the move to Node.js 20.x and Meteor 3.0. Pull request #31438 in the same release named Fibers removal directly. For a platform carrying DoD ATO up to IL6 and operating across NIPR, SIPR, and JWICS environments, this was more than a routine version bump. It brought the runtime back onto a supported foundation.
There is no indication that the runtime gap was exploited against Rocket.Chat. The issue is that unsupported runtimes create audit, patching, and exposure risks even when no public CVE or active exploit is involved.
Supply-Chain Risk Without a CVE
Meteor 3.0 puts a name to a category of supply-chain risk that standard vulnerability management does not always catch. No CVE was filed. No exploit was circulating. The exposure was structural: an unsupported runtime underneath a downstream ecosystem, including software used in environments where security and compliance requirements are strict.
Rocket.Chat is the most visible case, not the only one. ANY.RUN, Qualia, and Clinical Meteor all point to Meteor’s presence across security, healthcare, real estate, and enterprise software. Decisions made deep inside the Meteor.js codebase can reach production environments where reliability is expected.
That is the main lesson. Framework modernization is not only a developer convenience. In large open-source ecosystems, the gap between a documented problem and a completed fix can affect many downstream users. EOL dates do not always trigger immediate action. They pass, and the consequences move downstream.
What made Meteor 3.0 manageable was not technical work alone. It was the public roadmap, the staged migration path, weekly progress updates, and direct coordination with teams most likely to be affected. Whether this becomes a model for how open-source projects handle runtime debt will depend on whether maintainers treat EOL dependencies as a supply-chain risk before they become someone else’s incident report.
Sources
- Meteor Software. (2023, March 2). Fibers public roadmap and Meteor 3.0 (Forum post). Meteor Forum. https://forums.meteor.com/t/fibers-public-roadmap-and-meteor-3-0/59627
- Meteor Software. (2024, July 16). It’s official, Meteor 3.0 official release is out! (Forum post). Meteor Forum. https://forums.meteor.com/t/its-official-meteor-3-0-official-release-is-out/61860
- meteor/meteor. (n.d.). Meteor.js (Source code repository). GitHub. https://github.com/meteor/meteor
- meteor/meteor. (2021, June). Change how Meteor executes async code (Discussion #11505). GitHub. https://github.com/meteor/meteor/discussions/11505
- Nascimento, R. (2023, June). NodeJS 14 end of life (Discussion #29658). GitHub. https://github.com/orgs/RocketChat/discussions/29658
- Rocket.Chat. (n.d.). Secure collaboration for the US federal government. https://www.rocket.chat/industry/us-federal-government
- RocketChat. (2024, November 1). Release 7.0.0 (Software release). GitHub. https://github.com/RocketChat/Rocket.Chat/releases/tag/7.0.0
- RocketChat. (2024). feat!: Meteor 3.0 – Node.js 20 (Pull request #31438). GitHub. https://github.com/RocketChat/Rocket.Chat/pull/31438
