Newsletter #011: Secure Publishing, Lodash Overhaul & Express Releases 🛡️

Written by Ulises Gascón

Feb 05, 2026 · 8 min read

This post was originally shared with my GitHub Sponsors. If you’d like to get early access to updates like this and support my open source work, consider becoming a sponsor here. 🙌


Hola everyone! 🎉

Hope you’ve all been doing awesome since our last catch-up. This month has been a deep dive into security and maintenance. From defining how to publish securely on npm in 2026 to overhauling Lodash's security posture and clearing the Express backlog, we are building a stronger foundation for the ecosystem.

Let’s dive in! ✨

🎤 “Publishing JavaScript Securely in 2026”

What Broke, What Changed, and What Actually Works

This month I gave a talk titled “Publishing Securely on npm in 2026”, where I explored the recent supply chain attacks like Shai-Hulud and made it clear that publishing to npm is no longer just a boring release step. Thanks to Orbitant for the invitation.

In this session we covered:

  • What actually broke: How recent attacks exposed long-standing flaws in npm workflows.
  • The Trade-offs: Why npm is changing its approach to 2FA, tokens, and permissions.
  • The Reality Check: What maintainers and companies should realistically be doing today to publish safely, versus implementations that aren't quite ready for critical projects.

This talk builds on the research we did in the OpenJS Security Collab Space, where one of the biggest claims was that:

We believe Trusted Publishing represents the future, but it’s not yet ready for adoption in critical projects, as in its current state it wouldn’t prevent attacks such as Shai-Hulud and other recent ones.

You can read the full context in our report: Publishing More Securely on npm.

If you want to watch it, here are the links:

🔐 Lodash Rolls Out Major Security Overhaul

We have been incredibly busy at Lodash since the last quarter, and we’ve just rolled out a significant security overhaul. We detailed the new policies, threat models, and triage processes in Lodash Rolls Out Major Security Overhaul.

For a deeper dive into the "why" and "how," check out my post on The Future of Lodash (also available in Spanish).

As part of the security triage work we also addressed CVE-2025-13465. I took the opportunity to write a breakdown of what this specific vulnerability teaches us about Prototype Pollution in 2025 and how this patch differs from previous ones in Lodash. You can read the article here.
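To make the class of bug concrete, here is an added illustration of prototype pollution through a recursive merge, written for this newsletter and not taken from Lodash or from the CVE-2025-13465 patch. The helper names (unsafeMerge, safeMerge, demonstrate), the PAYLOAD and the hardening strategy (a key blocklist plus an own-property check) are assumptions for the example, not a description of how Lodash fixed anything:

```javascript
// Added illustration of prototype pollution via a recursive merge.
// Hypothetical helper names (unsafeMerge, safeMerge, demonstrate); this is
// not Lodash's merge and not the CVE-2025-13465 patch.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// VULNERABLE: iterates attacker-controlled keys, including an own key named
// "__proto__". Reading target["__proto__"] on a plain object returns
// Object.prototype, so the recursion writes straight onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: refuse keys that can reach a prototype, and only recurse into
// properties the target actually owns (never an inherited one).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, shaped like a JSON request body. JSON.parse
// creates an *own* property named "__proto__" here, which is exactly what a
// naive merge walks into.
const PAYLOAD = '{"name": "x", "__proto__": {"polluted": true}}';

// Runs one merge over the payload and reports whether an unrelated object
// inherited the injected property. Any pollution is undone afterwards so
// the rest of the process is not affected.
function demonstrate(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { name: target.name, leaked };
}

console.log('unsafeMerge leaked:', demonstrate(unsafeMerge).leaked); // true
console.log('safeMerge leaked:', demonstrate(safeMerge).leaked);     // false
```

The point of the pairing: the vulnerable version never assigns `__proto__` directly, it only recurses through it, which is why blocklisting assignment alone is not enough. The hardened version both refuses prototype-reaching keys and refuses to descend into anything the target does not own, so an inherited `Object.prototype` is never used as a merge target. Object.hasOwn requires Node.js 16.9 or newer.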

👩‍🚀 Fun Fact: As part of this work, I discovered that NASA is using Lodash. So, technically... I can now say my code is shipped to the stars?

🛡️ Extend Security Best Practices for everyone

I’m really happy to share that my PR to the opensource.guide has been merged!

We’ve completely updated the Security Best Practices for Your Project guide. It now includes modern essentials that were missing:

  • License risk checks & SBOMs
  • Threat Modeling basics
  • Incident Response planning
  • Stronger roles & security culture

If you maintain a project, this is the checklist you should be looking at in 2026.

📦 Release Backlog Updates

The Express release train keeps moving. We are coordinating the release work for Express packages and libraries to clear out the backlog (Context).

Here is what I released recently:

We have many more releases in early stages. If you’ve been looking for a way to get involved in Open Source, now is the perfect time to jump in and help us push these over the line.

I also had the opportunity to release @onebeyond/[email protected] (Release notes), which includes a new --ignoreRootPackageLicense option to prevent misleading reports for closed-source usage.

📚 What Else?

If you missed it, we did a deep dive at Orbitant on the Critical React Server Components Vulnerability (CVE-2025-55182) including how we reacted to the event and what we learned from it.

[Image: promotional banner for the Humble Tech Book Bundle 'JavaScript and TypeScript Mastery' by Packt, showing book covers including 'Responsive Web Design with HTML5 and CSS', 'Mastering TypeScript', 'JavaScript from Beginner to Professional', 'Learning Angular' and 'React with TypeScript'. Image from humblebundle.com]

My book Node.js for Beginners was included in the Humble Bundle JavaScript & TypeScript Mastery. I’m incredibly proud to be listed there, especially since I built my own digital library via Humble Bundle years ago. But more importantly, together we raised €7,954 for Safe In Our World, an initiative fostering mental health awareness in the video game industry:

The main goal of Safe In Our World is to create and foster worldwide mental health awareness within the video game industry; to eliminate the stigma surrounding mental health, to make it a natural topic of discussion, and to promote the dialogue surrounding mental health so people are not afraid to reach out for help if they need it. Safe In Our World

2025 was a big year for security at OpenJS. With support from Alpha-Omega, we leveled up security across Node.js and the OpenJS ecosystem: faster vulnerability response, automated releases, a new OpenJS CNA, stronger disclosure practices, and hands-on support for over 10 projects. Read the OpenJS Foundation Security Program: Annual Report 2025. I also dropped some new shorts for OpenJS: How Express Handles Security and How to Get Involved.

Following the curl team's frustration and Node.js raising the bar for reports, it is time we seriously rethink how we participate in bug bounty programs. The noise-to-signal ratio is becoming unsustainable for maintainers.

I’ve officially joined the Webpack Security Triage team to help manage incoming reports, and we also plan to do an external audit, following in the footsteps of Express in 2024.

Lodash is now on Open Collective! Support the project and be among the first backers or sponsors 🙌

We also saw several proposals advance or be withdrawn during the 112th TC39 meeting. I am currently focused on Regular Expression Atomic Operators for ECMAScript and Regular Expression Buffer Boundaries for ECMAScript, as their security implications are meaningful.

🎖️ Awesome People Doing Awesome Things

Kevin Martínez gave a great talk on Testing While Developing (TWD). Check out the recording and his guide.

The Open Regulatory Compliance Working Group (ORCWG) did an incredible job converting the 60+ page Cyber Resilience Act (CRA) FAQ document into a wonderful website with a great UX!

Josh Goldberg released an experimental linter, Flint, and shared his hypothesis-driven approach on his blog.

Matteo Collina is making a great effort to include a Virtual File System (VFS) in Node.js core. The current PR includes a potential usage example of this long-awaited feature, which will definitely make our lives easier:

const vfs = require('node:vfs');
const fs = require('node:fs');

// Create a VFS with default MemoryProvider
const myVfs = vfs.create();

// Use standard fs-like API
myVfs.mkdirSync('/app');
myVfs.writeFileSync('/app/config.json', '{"debug": true}');
myVfs.writeFileSync('/app/module.js', 'module.exports = "hello"');

// Mount to make accessible via fs module
myVfs.mount('/virtual');

// Works with standard fs APIs
const config = JSON.parse(fs.readFileSync('/virtual/app/config.json', 'utf8'));
const mod = require('/virtual/app/module.js');

// Cleanup
myVfs.unmount();

🔗 Interesting Stuff

Some awesome reads from my network:

🙌 Thank You!

As always, your support as a sponsor makes all of this possible 💖

Whether you’re contributing code, giving feedback, or just following along — thank you!

✨ New Sponsors

Since the last issue, a few awesome new folks have joined our sponsor community:

  • Joan León (@nucliweb) thanks for the awesome work you do every day to make Web Performance achievable for many of us ✨

Stay awesome,

Ulises Gascón