Newsletter #006: Maintainer Month Chronicles: Bugs, Builds & Board Games 🦄
Written by Ulises Gascón
May 23, 2025 — 4 min read
This post was originally shared with my GitHub Sponsors. If you’d like to get early access to updates like this and support my open source work, consider becoming a sponsor here. 🙌
Hola everyone! 🎉
Hope you're all doing awesome! May is Maintainer Month — a time to reflect, ship, patch, and play — and I’ve got a stack of updates to share! From securing Multer and cleaning up legacy Express code to pushing VisionBoard forward (and even surviving a blackout with a unicorn card game 🦄), it's been a ride. Let's dive in ✨
What is a Vulnerability and What’s Not?
Yeah! Finally my talk What is a Vulnerability and What’s Not? Making Sense of Node.js and Express Threat Models at Node Congress 2025 is available!
In the talk, we explore
- What actually counts as a vulnerability
- Why context and threat models really matter
- Some common misconceptions that waste everyone’s time (and maybe trigger unnecessary panic)
🎥 Watch the full talk on GitNation
Security Release: Multer v2.0.0
Security is a top priority — and we’ve just published a critical release of Multer, the middleware most commonly used for handling file uploads in Express.
Key vulnerabilities addressed:
- CVE-2025-47935 (GHSA-44fp-w29j-9vj5) → memory leak via stream mishandling
- CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h) → unhandled exceptions from malformed multipart requests
These have been patched in multer@2.0.0, which now requires Node.js >=10.16.0. We also normalized branches and deprecated several versions (1.4.4-lts*, 1.4.5-lts*, 2.0.0-alpha*, etc.) (ref).
We even published [email protected]! Upcoming: 2.1.0 and 3.0.0 releases (info).
Important
If you're using Multer, please upgrade ASAP. 🔗 May 2025 Security Releases
Spring Cleaning in Express
We’ve officially deprecated several outdated Express-related packages as part of a broader initiative to keep the ecosystem lean and maintainable.
What’s been deprecated:
- csurf
- connect-multiparty
- path-match
These (and others) haven’t been actively maintained and don’t align with modern Express architecture. We're focusing on clarity and maintainability.
👉 Spring Cleaning in Express.js: Deprecations and the Path Ahead
Express Ecosystem: 30+ Library Updates Incoming!
The Express.js train is rolling this summer 🚂 — over 30 libraries getting updates!
From cors, morgan, cookie, to multer, compress, and more...
If you’ve ever wanted to contribute, now’s a great time!
DM me if you want help onboarding.
👉 expressjs/discussions#380
#MaintainerMonth: Impact Report
As part of Maintainer Month, I finally compiled some vanity metrics
- Maintaining 200+ npm packages, including Express & Yeoman tools
- Supporting projects with 1.4B+ weekly downloads
- Not always the author, but always a steward
VisionBoard v1.0.0: May 2025 Update
I finally created a backlog for the v1.0.0 release (and yes, it keeps growing 😅). We're also planning support for the OpenJS Security Compliance Guide 2.0 and a new web UI, all while staying compatible with the existing CLI.
Technical improvements:
- Express-based web server with scoped API routing and graceful startup/shutdown
- Dynamic website rendering (EJS) for static/dynamic report generation
- Hardened Docker workflows with health checks & non-root containers
- CI with Playwright for end-to-end testing (integrated into GitHub Actions)
👉 VisionBoard v1.0.0 Milestone Progress
Spain Blackout & Startup Unicorns 🦄
Yep, I witnessed another historic event:
On April 28, 2025, a massive blackout hit mainland Portugal & Spain, knocking out power for up to 10 hours. 🔗 Wikipedia
I took it as an opportunity to finally unbox the amazing Startup Unicorns card game I backed on Kickstarter.
It's simple, balanced, fun — and yep, I managed to sell my unicorn startup and sabotage others 😈
👉 Get your copy!
🙌 Thank You!
As always, your support as a sponsor makes all of this possible 💖
Whether you’re contributing code, giving feedback, or just following along — thank you!
✨ New Sponsors
Since the last issue, a few awesome new folks have joined our sponsor community:
- Drew Jaynes (@DrewAPicture)
- Steven de Salas (@sdesalas)
Stay awesome,
Ulises Gascón