Newsletter #004: Open Source security moves & Stage time 🎙️

Written by Ulises Gascón

Mar 21, 20252 min read

This post was originally shared with my GitHub Sponsors. If you’d like to get early access to updates like this and support my open source work, consider becoming a sponsor here. 🙌

Hola everyone! 🎉

I hope you’re all doing great. I just wanted to drop a quick note to share some awesome updates from the past few weeks!

Here’s what’s been going on:

  • Yeoman Security Boost: As part of the Yeoman Security Reboot, we’ve now defined a security policy to improve how we handle vulnerabilities and encourage responsible disclosure.
  • Node Congress 2025: I’m thrilled to be speaking at this year’s NodeCongress! I’ll be diving into an important (and often confusing) topic: what actually is a vulnerability? The talk covers real-world examples from Node.js and Express.js, and explores why threat models are so important in defining security boundaries.
  • Security Reporting in Express: I recently opened a public PR walking through how we handle vulnerability disclosures in Express, and why we approach them the way we do. The PR is open to feedback—feel free to jump into the discussion!
  • Strengthening the Software Supply Chain: I’m excited to be speaking at DevSecCon, a live event on March 27 at 12PM ET / 6PM CET, where we’ll be discussing how to improve open source security and build a more resilient software supply chain. Join me alongside other maintainers for a live chat + Q&A!.

I'm also planning to create a dedicated repository for sponsors, where we can have focused discussions and keep an archive of this newsletter. Let me know what you think! 😄

Stay awesome,

Ulises Gascón