Newsletter #006: Maintainer Month Chronicles: Bugs, Builds & Board Games 🦄

Written by Ulises Gascón

May 23, 2025 — 4 min read

This post was originally shared with my GitHub Sponsors. If you’d like to get early access to updates like this and support my open source work, consider becoming a sponsor here. 🙌


Hola everyone! 🎉

Hope you're all doing awesome! May is Maintainer Month — a time to reflect, ship, patch, and play — and I’ve got a stack of updates to share! From securing Multer and cleaning up legacy Express code to pushing VisionBoard forward (and even surviving a blackout with a unicorn card game 🦄), it's been a ride. Let's dive in ✨

What is a Vulnerability and What’s Not?

Yeah! Finally, my talk "What is a Vulnerability and What’s Not? Making Sense of Node.js and Express Threat Models" at Node Congress 2025 is available!

[Image: promotional image for the Node Congress 2025 talk "What Is a Vulnerability and What’s Not? Making Sense Of…", 17 min]

In the talk, we explore:

  • What actually counts as a vulnerability
  • Why context and threat models really matter
  • Some common misconceptions that waste everyone’s time (and maybe trigger unnecessary panic)

🎥 Watch the full talk on GitNation

Security Release: Multer v2.0.0

Security is a top priority — and we’ve just published a critical release of Multer, the middleware most commonly used for handling file uploads in Express.

Key vulnerabilities addressed:

These have been patched in multer@2.0.0, which now requires Node.js >=10.16.0. We also normalized branches and deprecated several versions (1.4.4-lts*, 1.4.5-lts*, 2.0.0-alpha*, etc.) (ref).

We even published [email protected]!. Upcoming: 2.1.0 and 3.0.0 releases (info).

Important

If you're using Multer, please upgrade ASAP. 🔗 May 2025 Security Releases

Spring Cleaning in Express

We’ve officially deprecated several outdated Express-related packages as part of a broader initiative to keep the ecosystem lean and maintainable.

What’s been deprecated:

  • csurf
  • connect-multiparty
  • path-match

These (and others) haven’t been actively maintained and don’t align with modern Express architecture. We're focusing on clarity and maintainability.

👉 Spring Cleaning in Express.js: Deprecations and the Path Ahead

Express Ecosystem: 30+ Library Updates Incoming!

The Express.js train is rolling this summer 🚂 — over 30 libraries getting updates! From cors, morgan, cookie, to multer, compress, and more...

If you’ve ever wanted to contribute, now’s a great time!

DM me if you want help onboarding.

👉 expressjs/discussions#380

#MaintainerMonth: Impact Report

As part of Maintainer Month, I finally compiled some vanity metrics 🫠

  • Maintaining over 200+ npm packages, including Express & Yeoman tools
  • Supporting projects with 1.4B+ weekly downloads
  • Not always the author, but always a steward

👉 Read the Impact Report

VisionBoard v1.0.0: May 2025 Update

I finally created a backlog for the v1.0.0 release (and yes, it keeps growing 😅). We're also planning support for the OpenJS Security Compliance Guide 2.0 and a new web UI, all while staying compatible with the existing CLI.

Technical improvements:

  • Express-based web server with scoped API routing and graceful startup/shutdown
  • Dynamic website rendering (EJS) for static/dynamic report generation
  • Hardened Docker workflows with health checks & non-root containers
  • CI with Playwright for end-to-end testing (integrated into GitHub Actions)

👉 VisionBoard v1.0.0 Milestone Progress

Spain Blackout & Startup Unicorns 🦄

Yep, I witnessed another historic event:

On April 28, 2025, a massive blackout hit mainland Portugal & Spain, knocking out power for up to 10 hours. 🔗 Wikipedia

I took it as an opportunity to finally unbox the amazing Startup Unicorns card game I backed on Kickstarter.

[Image: Start-Up Unicorns card game promo; 2–5 players, ages 10+, 20 minutes playtime, available in English and Spanish]

It's simple, balanced, fun — and yep, I managed to sell my unicorn startup and sabotage others 😈

👉 Get your copy!

🙌 Thank You!

As always, your support as a sponsor makes all of this possible 💖

Whether you’re contributing code, giving feedback, or just following along — thank you!

✨ New Sponsors

Since the last issue, a few awesome new folks have joined our sponsor community:

Stay awesome,

Ulises Gascón