30 Node.js Interview Questions and Answers (2026)

Node.js is on the required skills list for most backend and full-stack job postings in 2026. It powers APIs at Netflix, LinkedIn, Uber, and thousands of startups. But knowing how to write an Express route is the baseline. Interviewers probe deeper: how the event loop actually works, what happens when you block it, how to scale across CPU cores, how to handle memory leaks, and how to shut down a server without dropping live connections.

These 30 questions cover what interviewers ask, from junior fundamentals to senior architecture. The answers are written to be said in an interview: precise, grounded in real behavior, with working code where it helps. If you're heading into a role where Node.js sits underneath a framework like Nest, it's worth pairing this with our NestJS interview prep guide, since several of these runtime questions resurface there in framework-specific form.

If you're setting up a project to practice these concepts in, getting your Node.js project tooling right first means you're not fighting build configuration while you're trying to demo streams or graceful shutdown.

These questions establish whether you understand what Node.js actually is under the hood, not just how to use it. They are almost always the opening questions in a Node.js interview, and a shaky answer here sets a weak tone for everything that follows.

Node.js is a JavaScript runtime built on Chrome's V8 engine. It lets you run JavaScript on the server side. What makes it distinct is its execution model: Node.js is single-threaded and uses a non-blocking, event-driven I/O model instead of spawning a new thread per request like Apache or traditional Java servers do.

In a thread-per-request model, each incoming connection gets its own OS thread. Under heavy load you end up with hundreds or thousands of threads consuming memory and context-switching. Node.js handles all requests on one thread, delegating I/O operations (file reads, network calls, database queries) to the operating system via libuv, and continuing to process other requests while waiting for those results to come back.

This makes Node.js very efficient for I/O-bound workloads: REST APIs, real-time apps, proxies, WebSocket servers. It is not the right choice for CPU-intensive work like video encoding or scientific computation. Those block the single thread and degrade performance for everyone.

V8 is Google's open-source JavaScript engine, originally built for Chrome. It compiles JavaScript to native machine code using Just-In-Time (JIT) compilation. Node.js uses V8 to execute JavaScript.

libuv is a C library that handles asynchronous I/O, the thread pool, the event loop, and platform-specific abstractions (file system, networking, DNS, timers) across Linux, macOS, and Windows.

They work together like this: V8 executes your JavaScript. When your code calls something asynchronous, fs.readFile(), https.get(), setTimeout(), Node.js delegates that work to libuv. libuv either uses the OS's async I/O primitives (epoll on Linux, kqueue on macOS) or offloads to its internal thread pool (4 threads by default, configurable with UV_THREADPOOL_SIZE). When the operation completes, libuv pushes the callback into the event loop queue and V8 executes it on the main thread.

The event loop is the mechanism that allows Node.js to perform non-blocking I/O on a single thread. It runs continuously, processing queued callbacks in a specific phase order.

Between every phase transition, Node.js drains two microtask queues: process.nextTick() callbacks first, then resolved Promise callbacks. This means nextTick and Promise .then() callbacks always run before the next event loop phase begins.

This is one of the most asked Node.js interview questions. The answer comes down to when in the event loop each callback executes.

Node.js supports two module systems. CommonJS (CJS) is the original Node.js module system. You use require() to load modules and module.exports to export. Files use the .js or .cjs extension. Modules are loaded synchronously, require() blocks until the file is read, and module resolution happens at runtime.

ES Modules (ESM) is the JavaScript standard module system, supported natively in Node.js since v12 and stable since v16. You use import/export syntax. Files use .mjs, or .js with "type": "module" in package.json. Modules are loaded asynchronously and statically: imports are resolved before code executes, which enables tree shaking and top-level await.

When you require() a module for the first time, Node.js loads the file, executes it, and caches the result in require.cache. Every subsequent require() call for the same absolute file path returns the cached export object immediately. The module code does not execute again.

This matters in two ways. First, it improves performance: file I/O only happens once per module. Second, it means modules behave like singletons. If you export a database connection from a module, every file that requires it gets the same connection. This is intentional and useful. If you want fresh instances each time, export a factory function instead.

You can inspect or clear the cache via require.cache, though deleting cache entries manually is almost never the right solution outside of testing.

EventEmitter is a Node.js core class that implements the observer (pub/sub) pattern. Objects that emit events extend EventEmitter. You register listeners with .on() and trigger them with .emit().

Many Node.js core objects extend EventEmitter: streams, http.Server, child processes, and more. Recognizing that pattern is what makes the rest of the Node.js API feel consistent rather than arbitrary.

Synchronous code executes on the main thread and blocks everything else until it finishes. Asynchronous code starts an operation, registers a callback, and returns immediately. Node.js moves on to other work and calls the callback when the operation completes.

The problem with blocking synchronous code is that Node.js is single-threaded. If your route handler calls fs.readFileSync() to read a 50MB log file, the entire server is frozen for the duration of that read. No other requests can be processed. Response times for every user spike at once.

Async correctness is where mid-level candidates separate from senior ones. Anyone can write an async function. Fewer people can explain why a particular pattern is wrong, or what happens when an awaited call rejects and nothing catches it.

Callback hell is the pattern that emerges when you nest multiple asynchronous callbacks to sequence operations. Each operation's result is available only inside its callback, so dependent operations nest deeper and deeper.

The problems: error handling is duplicated at every level, the code reads right-to-rightward rather than top-to-bottom, and refactoring is painful.

A Promise is an object representing the eventual result of an async operation. It has three states: pending, fulfilled, or rejected. async/await is syntax that makes Promise-based code read like synchronous code.

Interviewers probe for the same handful of mistakes over and over. If you've spent time on the front end too, these will look familiar: our guide to common async/await mistakes in JavaScript covers the same traps from the browser side, and the underlying reasoning carries over directly to Node.js.

All four accept an array of Promises and return a single Promise. They differ in how they handle rejections and when they resolve.

unhandledRejection fires when a Promise rejects and no .catch() or try/catch handles it. uncaughtException fires when a synchronous throw propagates outside any try/catch.

Error-first, also called errback or Node-style callback, is a convention for callback-based async functions. The first argument of every callback is an error object: null or undefined if the operation succeeded, an Error instance if it failed. The remaining arguments carry the result.

This pattern was established before Promises existed. It allowed consistent error handling across all async operations without exceptions. You will encounter it in many older Node.js APIs and npm packages. util.promisify() converts any error-first callback function into a Promise-based one.

Promise chaining calls .then() and .catch() in sequence. Each .then() handler receives the resolved value of the previous promise and returns a new promise.

async/await is preferred in most cases because it reads like synchronous code and handles errors with familiar try/catch. But there are cases where chaining is still cleaner: stream-style transformations where each .then() maps the value, situations where you want a single .catch() to handle errors from any step without wrapping the entire thing in try/catch, and utility functions that return Promises rather than being async themselves.

In practice, modern Node.js codebases use async/await for most logic and Promises directly when working with combinators like Promise.all, or when building library functions that hand a Promise back to the caller.

Streams come up whenever an interview turns to handling large files, proxying HTTP responses, or processing data that doesn't fit comfortably in memory. They're also a reliable way for an interviewer to check whether you've actually built something beyond CRUD endpoints.

Streams let you work with data as it arrives rather than loading everything into memory first. There are four types.

The pipe() method connects a readable to a writable and handles the data flow, including pausing the source when the destination is full. That pausing behavior is backpressure, covered in Q17.

There are two approaches: using the built-in factory functions, or creating a custom Readable by extending the class.

Backpressure occurs when a readable stream produces data faster than the writable stream can consume it. Without handling it, data accumulates in memory buffers until the process runs out of RAM and crashes.

pipe() handles backpressure automatically. When the writable stream's buffer is full, pipe() pauses the readable and resumes it when the buffer drains.

When you write manually without pipe(), you must check the return value of .write() and pause and resume accordingly.

The modern approach uses the pipeline() utility from stream/promises, which handles backpressure and cleans up all streams on error.

A Buffer is a fixed-size block of raw memory outside the V8 heap. It represents binary data, bytes, directly. Node.js uses Buffers for all network I/O, file I/O, and cryptographic operations because those work with binary data, not Unicode strings.

Use strings when the data is text and the encoding is known. Converting between Buffer and string has a cost, so avoid unnecessary back-and-forth in hot paths. Buffer.alloc() is safe because it zeroes the memory. Buffer.allocUnsafe() is faster but may contain old memory contents, so only use it when you will immediately overwrite every byte.

This category is where senior interviews really begin. Anyone can build a working API. These questions check whether you can keep one running under load, across cores, and over months of uptime without leaking memory or freezing under traffic.

Node.js runs on a single thread. On a server with 8 CPU cores, a single Node.js process uses only one of them. The cluster module solves this by forking the main process into multiple worker processes, each running its own event loop on its own CPU core. All workers share the same server port.

Each worker has its own memory space. They do not share variables. Shared state such as sessions or caches must live in an external store like Redis. The primary process distributes incoming connections to workers using round-robin scheduling by default.

Both allow Node.js to use multiple CPU cores, but they solve different problems and have different architectures.

A memory leak is when objects are retained in memory after they are no longer needed, preventing garbage collection. In Node.js, the heap grows over time and the process eventually runs out of memory and crashes.

The event loop is single-threaded. If your JavaScript code runs for a long time without returning control, the event loop cannot process other callbacks: no new requests, no timers, no I/O completions. The entire server freezes.

Common culprits: JSON.parse() or JSON.stringify() on very large payloads (over roughly 1MB), synchronous file, crypto, or zlib operations like fs.readFileSync, long-running loops or recursive computations, and complex regular expressions run against untrusted input, which opens the door to ReDoS attacks.

V8 uses a generational garbage collector. Memory is divided into two regions. New space, the young generation, is small and fast. New objects are allocated here, and most objects die young: created in a request handler, used, then discarded. V8 runs a minor GC called Scavenge frequently and quickly to collect dead objects in new space.

Old space, the old generation, is larger. Objects that survive two minor GCs are promoted there. The major GC, Mark-Sweep-Compact, runs less frequently and is more expensive: it marks all live objects, sweeps the dead ones, and optionally compacts memory to reduce fragmentation. V8 also uses incremental and concurrent marking, running GC work on background threads, to reduce pause times.

Graceful shutdown means stopping the server cleanly: stop accepting new connections, finish processing in-flight requests, close database connections and file handles, then exit. Without it, an abrupt exit drops active requests and can corrupt database state.

The final stretch covers the operational layer: the headers, limits, and conventions that keep an API safe and observable once it's serving real traffic. These questions are common in interviews for roles that own a service end to end, not just its feature code.

Security headers are the first line of defense against a class of HTTP-based attacks. The standard approach in Express is the helmet package, which sets sane defaults for the most important headers.

For APIs that do not serve HTML, CSP is less critical, but the other headers still apply. Customize Content-Security-Policy if you serve a frontend from the same origin.

Rate limiting prevents abuse by capping how many requests a client can make in a time window. For Express, express-rate-limit is the standard solution.

For distributed systems running multiple Node.js instances, the default in-memory store does not share state across processes. Use a Redis store instead so every instance enforces the same limit.

Environment variables keep secrets out of your source code. The standard local development tool is dotenv.

CORS, Cross-Origin Resource Sharing, is a browser security mechanism. When a browser makes a request to a different origin (protocol, domain, and port) than the page it's on, it adds an Origin header. If the server does not explicitly allow that origin, the browser blocks the response.

For APIs, the cors npm package handles this cleanly.

console.log() is not sufficient for production. It has no log levels, no structured output, and no way to query or aggregate logs at scale. The standard libraries for production logging are Winston, and Pino when you need maximum throughput.

JSON log format makes logs queryable in aggregators like Datadog, CloudWatch, or the ELK stack. Never log sensitive data: passwords, tokens, or personally identifiable information. Use a correlation ID, a request ID, in every log line so you can trace a single request across services.

HTTP/2 is the second major version of the HTTP protocol. Node.js supports it natively via the http2 module. The main advantages over HTTP/1.1 are multiplexing, where multiple requests and responses share a single TCP connection simultaneously, eliminating the head-of-line blocking that forces browsers to open six connections per domain in HTTP/1.1; header compression via HPACK, which reduces overhead for APIs that send many repeated headers like Authorization and Content-Type; server push, where the server can proactively send resources to the client before they're requested; and stream prioritization, which lets clients signal which responses matter most.

HTTP/2 requires HTTPS (TLS). In production, HTTP/2 is typically terminated at the reverse proxy, nginx, Caddy, or AWS ALB, rather than in Node.js directly. That simplifies certificate management and lets you take advantage of the proxy's optimized HTTP/2 implementation.

Use this as a final scan the night before an interview. If any row makes you pause, jump back up to that question's full answer.