Deno 2.8 is out β and this time the headline isn't a single killer feature but a cluster of quality-of-life improvements that tighten the gap with Node.js while adding genuinely new tooling. The release dropped May 22, with a patch (v2.8.1) following five days later.
TLDR
deno audit fixautomatically patches vulnerable npm packages in one commanddeno cigives CI pipelines a single, reproducible install signaldeno packbuilds npm-ready tarballs directly from Deno projects- Node.js compatibility coverage climbs toward 75%, per Deno's roadmap goals
deno audit fix β One-Command Vulnerability Remediation
deno audit landed in Deno 2.6 as a security auditing tool for npm packages. Deno 2.8 goes further with deno audit fix, which automatically upgrades vulnerable packages to the nearest patched version that still satisfies your version constraints.
$ deno audit fix
β body-parser vulnerable to denial of service when url encoding is enabled
β Severity: high
β Package: body-parser
β Vulnerable: <1.20.3
β° Info: https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
If a package requires a major-version bump, Deno lists it separately so you can decide whether to relax constraints. Anything within semver range gets fixed silently.
deno ci β Reproducible CI Installs
Deno 2.8 introduces deno ci, a dedicated subcommand for CI environments and Dockerfiles. Previously, getting a reproducible install meant remembering the right combination of flags on deno install. Now:
$ deno ci
It errors if deno.lock is missing, removes any existing node_modules, and runs the install with `--frozen so the lockfile must match the config exactly. Drop it into a CI step or Dockerfile and you get an obvious, greppable signal of "reproducible install" with no flag memorization required.
deno pack β Build npm Tarballs Without Leaving Deno
deno pack combines the behavior of tsc and npm pack into a single command. Given a deno.json:
{
"name": "@scope/my-lib",
"version": "1.0.0",
"exports": "./mod.ts"
}
Running deno pack produces a scope-my-lib-1.0.0.tgz ready for npm publish. The tarball includes:
- A generated
package.jsonwithtype: "module", conditional exports, and extracted runtime dependencies - TypeScript transpiled to JavaScript
.d.tsdeclaration files extracted via the same fast-check pipelinedeno publishuses- README and LICENSE files
Specifiers are rewritten so packages work inside the npm ecosystem: jsr:@std/path becomes @jsr/std__path, relative imports gain .js extensions, and node: builtins are left alone.
deno bump-version β Semver Management for Workspaces
deno bump-version updates the version field in your deno.json or package.json with standard semver increments:
$ deno bump-version patch
$ deno bump-version minor
$ deno bump-version major
$ deno bump-version prerelease
In a workspace, running from the root applies the same increment to every member package, rewrites matching jsr: version constraints, and updates the import map so cross-package references stay in sync. Without an argument, workspace mode derives per-package bumps from Conventional Commits between a base ref and the current branch.
Node.js Compatibility: Heading Toward 75%
Deno's stated goal is reaching 75% Node.js compatibility by 2026. The 2.8 release advances this with broader node: module coverage, improved TLS/SSL context handling, and better compatibility with npm packages that rely on Node.js internals. The changelog lists dozens of ext/node fixes covering fs.promises, crypto, http, tls, and sqlite.
The team has also been working on module.registerHooks() for CommonJS hot-reloading, synthetic ESM for node:worker_threads, and async module resolution β all of which land in 2.8.
Other Notable Changes
deno check --watchnow watches type-check dependencies for changesdeno why <specifier>explains why a dependency is in your lockfile- Browser
package.jsonexportsfield maps are now supported in bundling - New
node:perf_hooksAPIs:createHistogram - Network CDP inspector events for both
fetch()andnode:http
FAQ
How do I upgrade?
Run deno upgrade or install fresh from deno.land/install.sh.
Does deno pack replace deno publish?
No. deno publish publishes to JSR; deno pack targets npm registries. They serve different ecosystems.
Is this release backward compatible? Yes. Deno 2.8 maintains full backward compatibility with 2.x. Breaking changes are not planned until a future major version.
What's the Node.js compatibility number for 2.8 specifically? Deno hasn't published a precise percentage for 2.8. The 75% figure is the roadmap target for mid-2026.
