Newsletter #010: Wrapping Up the Year with Talks, Security Work and Big Releases 🎁

Written by Ulises Gascón

Dec 03, 2025 — 7 min read

This post was originally shared with my GitHub Sponsors. If you’d like to get early access to updates like this and support my open source work, consider becoming a sponsor here. 🙌


Hola everyone! 🎉

Hope you’ve all been doing awesome since our last catch-up. This month has been packed with talks, research on secure publishing, many Express releases, and some exciting improvements across the ecosystem. Lots to share, so let’s dive in!

🎤 “What Comes After Chaos?”

Stories and lessons from reviving ExpressJS and reimagining Lodash

This month I gave a talk titled “What Comes After Chaos?”, where I shared the story behind the work of reviving Express.js and rethinking the future of Lodash. Thanks to Orbitant for the invitation.

The session covered the transition from single-maintainer projects to collaborative governance, the challenges caused by technical debt and long-term popularity, and the lessons learned while making both projects more sustainable and secure.

If you want to watch it, here are the links:

🧠 Reflections on Open Source Sustainability

This month I published a blog post titled Open Source Doesn’t Fail Because of Code. It looks at why projects usually struggle due to governance issues, burnout, unclear responsibilities, or a lack of structure rather than technical problems.

Using the experiences with Express and Lodash as examples, the post explains how long-term stability comes from shared ownership, clear processes, and sustainable maintenance work. It is a summary of many lessons learned while helping recover and modernize both projects.

What Comes After Chaos… it’s just transformation.

🔐 Secure Publishing on npm: Research, Risks, and What’s Next

Over the past few months we’ve spent a significant amount of time researching how we publish packages on npm and working within the OpenJS Security Collab Space to understand the risks behind different approaches. This work resulted in a blog post on the OpenJS blog: Publishing More Securely on npm: Guidance from the OpenJS Security Collaboration Space, which reviews local publishing, CI-based publishing, and Trusted Publishing, along with the trade-offs of each model.

In short, it comes down to this:

We believe Trusted Publishing represents the future, but it’s not yet ready for adoption in critical projects, as in its current state it wouldn’t prevent attacks such as Shai-Hulud and other recent ones.

Only a few days later, the ecosystem was hit again by Shai-Hulud 2.0, confirming how fast attackers continue to iterate and how important it is to understand the implications of trusting CI pipelines.

In January I’ll be giving a talk on how to publish securely on npm in 2026. The session will review the current state of npm’s trusted model, the risks for maintainers, and practical strategies for different environments — from solo maintainers to large organizations. The exact date and link will be shared soon on social media.

Thanks again to the Orbitant team for providing the space to discuss these topics.

📦 Express Release Backlog Updates

Back in Newsletter #006, we talked about the summer release efforts and the long backlog of packages waiting for updates across the Express ecosystem. I’ve now taken another pass at that backlog and refreshed the plan so we can keep moving forward with regular maintenance and security work.

You can find all the details in expressjs/discussions#380. We have many releases in progress and a few more at an early stage. Here is a summary of the latest published releases:

Non-Security Releases

Security Releases

The latest security release information is available in November 2025 Security Releases.

Context regarding CVE-2024-51999

The releases [email protected] and [email protected] included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in [email protected] and [email protected].

🚀 OSSF Scorecard Website Improvements

I’ve invested some time helping improve the OSSF Scorecard website, starting with fixes to the preview deployments and the deployment process itself (ossf/scorecard-webapp#881).

The work continues with a few broader improvements to the project. I am modernizing parts of the stack and adding E2E testing to make the website easier to maintain and to simplify onboarding for new contributors (ossf/scorecard-webapp#900).

We are also preparing to integrate the OSSF Scorecard Visualizer directly into the official website (ossf/scorecard-webapp#901).

If you want to get involved, this is a great moment. There are several help-wanted and good-first-issue tasks available at the repo:
https://github.com/ossf/scorecard-webapp/issues?q=sort%3Aupdated-desc+state%3Aopen+label%3A%22help+wanted%22

Next year I plan to invest more time working on the OSSF Scorecard Monitor and the OSSF Scorecard Visualizer as well.

📚 What Else?

An initial version of the OpenJS Foundation Incident Response Plan is now available. This is the first step toward a more consistent and predictable response process across all foundation projects, and I’ll continue iterating on it over the next few weeks.

Thanks to Rafael Gonzaga for updating Node.js security best practices (nodejs/nodejs.org#8374) to match the current threat model, including guidance on malicious dependencies, prototype pollution, the Permission Model, and updated policy recommendations.

We’ve also started a discussion about selecting Astro as the new foundation for the Express.js website (expressjs/discussions#451). The goal is to simplify the documentation setup, improve internationalization, make contributions easier, and ensure long-term stability. Big shoutout to the Orama team for their incredible support this year and for being our partner in this migration ✨.

The OpenJS Foundation, in collaboration with Alpha Omega and NodeSource, has started the “JavaScript Security Snapshot” series. These short videos feature Rafael Gonzaga and me discussing key security concepts and best practices.

Recent episodes include:

Sebastian Beltrán has stepped in as the new Triage Captain for Express.js. This role is essential for keeping the issue tracker organized and helping the project stay responsive as we continue modernizing the ecosystem.

Phillip Barta will be joining the Express.js Security Triage Team. This follows his contributions across several areas of the project and his recent involvement in addressing CVE-2025-13466. Nomination details

Thanks to Marco Ippolito for taking the lead on exploring the adoption of VEX within the Node.js project (nodejs/security-wg#1517). VEX (Vulnerability Exploitability eXchange) provides a structured way to state whether specific CVEs actually affect a project. This can help reduce false positives from security scanners and simplify compliance for organizations using Node.js.
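To make the "fewer false positives" point concrete, here is an added example (my own illustration, not code from the Node.js project or the nodejs/security-wg discussion) that triages scanner findings against a VEX document. The document is a constructed, OpenVEX-shaped sample; the package purl, CVE ids and author are placeholders, not real advisories.

```javascript
// Constructed OpenVEX-shaped document (placeholder ids, not a real advisory).
const vexDoc = {
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/placeholder-doc",
  author: "Example Maintainer <security@example.invalid>",
  timestamp: "2025-12-03T00:00:00Z",
  version: 1,
  statements: [
    {
      vulnerability: { name: "CVE-0000-00001" }, // placeholder CVE
      products: [{ "@id": "pkg:npm/example-app@1.2.3" }],
      status: "not_affected",
      justification: "vulnerable_code_not_in_execute_path",
    },
    {
      vulnerability: { name: "CVE-0000-00002" }, // placeholder CVE
      products: [{ "@id": "pkg:npm/example-app@1.2.3" }],
      status: "fixed",
    },
  ],
};

// Constructed scanner output: three findings, one with no VEX statement at all.
const scannerFindings = [
  { cve: "CVE-0000-00001", product: "pkg:npm/example-app@1.2.3" },
  { cve: "CVE-0000-00002", product: "pkg:npm/example-app@1.2.3" },
  { cve: "CVE-0000-00003", product: "pkg:npm/example-app@1.2.3" },
];

// Index statements by "<vulnerability>|<product purl>" for O(1) lookup.
function indexStatements(doc) {
  const index = new Map();
  for (const st of doc.statements) {
    for (const p of st.products) {
      index.set(`${st.vulnerability.name}|${p["@id"]}`, st);
    }
  }
  return index;
}

// A finding stays actionable unless the project explicitly says not_affected
// or fixed; affected, under_investigation and "no statement" all stay open,
// so a missing or incomplete VEX document never silently hides a finding.
function triage(doc, findings) {
  const index = indexStatements(doc);
  return findings.map((f) => {
    const st = index.get(`${f.cve}|${f.product}`);
    const status = st ? st.status : "no_statement";
    const actionable = !["not_affected", "fixed"].includes(status);
    return { ...f, status, justification: st?.justification, actionable };
  });
}
```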

I started to explore the Test While Developing (TWD) universe, and it looks quite promising. Thanks to Kevin for sharing the principles and the tools. I am looking forward to your talk: Testing While Developing: A New Way to Test Frontend Apps on December 17th.

🔗 Interesting Stuff

Some awesome reads from my network:

🙌 Thank You!

As always, your support as a sponsor makes all of this possible 💖

Whether you’re contributing code, giving feedback, or just following along — thank you!

Stay awesome,

Ulises Gascón