Newsletter #007: Summer is a great time for making releases and working on security 🏖️

Written by Ulises Gascón

Jul 22, 2025 · 4 min read

This post was originally shared with my GitHub Sponsors. If you’d like to get early access to updates like this and support my open source work, consider becoming a sponsor here. 🙌


Hola everyone! 🎉

Hope you’ve all been doing awesome since our last catch-up.

Phew… this summer has been quite a ride! I was expecting a calm and chill season, but I ended up diving deep into a ton of security work across our tech stack. Let’s jump into it ✨

🛡️ OpenJS is Now a CNA!

Yes! The OpenJS Foundation is now officially a CVE Numbering Authority (CNA) for all its projects 🎉

This means we have much better control over how CVEs are issued and tracked. We also act as an escalation path for vulnerability reports or disputes.

Being part of the CNA team has been an incredible learning experience. I’ve had to go deep into the Common Vulnerability Scoring System (CVSS) and learn how to properly fill in all the required details for CVE reports.

We’ve already issued our first CVEs and acted as the escalation team for a few reports 🚀

🔐 Improving Security Reporting in Express

We’ve learned a lot from our community this year, and we’ve now formalized several improvements to our security process:

  • Established an Incident Response Plan (IRP)
  • Unified the security policy across all Express repositories
  • Enabled GitHub Security Advisories for all orgs and packages

🔗 Full details here

We’re also getting close to launching a bug bounty program where security researchers can receive rewards and recognition on the YesWeHack platform 💰

📦 Release Party!

We shipped several important security releases recently:

As part of our summer release efforts, I also published:

Many more to come... it’s a good time to contribute if you're up for it! 🙌

🧐 Node.js Maintainers Threat Model

A while ago, the Node.js Security WG created a threat model to help define boundaries, risks, and assumptions for security researchers, maintainers, and users.

Over the past few months, we’ve worked on mapping access levels across different groups in the org — from infra machines and repos to social media accounts — and how these could be exploited under different scenarios.

It’s been a major effort, and we hope to expand this work to other OpenJS projects soon to help strengthen overall posture across the foundation.

🔗 Read the Maintainers Threat Model

📅 Node.js LTS Schedule Might Change

There’s an open discussion about adjusting the Node.js release cadence. The proposal suggests:

  • Moving from biannual to yearly major releases
  • Reducing LTS from 30 to 24 months
  • Unifying odd/even release lines

This could significantly ease maintainer workload and simplify support.

🧵 Follow the discussion — and big thanks to @rafaelgss for leading the proposal!

📚 What Else?

I’m proud to share that my book "Node.js for Beginners" was included in the recent Modern Backend Web Development bundle, which supported the marine conservation nonprofit Coral Guardian 🪸

Also, my Spanish book "El gran libro de Node.js" was featured at the amazing Madrid Book Fair — always surreal to see it out in the wild 🤓

Over the past few months, I’ve been actively contributing to the Alpha-Omega initiative under the OpenJS Foundation. We recently shared a mid-year recap highlighting key milestones and areas of focus around open source security.

Separately, thanks to @tobie for inviting me to contribute input to the EU Commission’s consultation on the upcoming revision of the Cybersecurity Act, via the Open Regulatory Compliance Working Group (ORC WG). We highlighted the importance of strengthening ENISA’s technical and strategic role — especially in light of funding issues affecting the U.S. CVE program and the growing relevance of vulnerability management in EU legislation.

🔗 Read the submitted document

On another front, there’s been great progress on [email protected]: I’ve implemented a new REST API and migrated the CLI tooling. A dedicated blog post with all the technical details is coming soon!

Lastly, I’ve updated my GitHub Sponsorship model to include new tiers specifically designed for companies. If your team wants to support open source more sustainably — check it out!

🔗 Interesting Stuff

Some awesome reads from my network:

🙌 Thank You!

As always, your support as a sponsor makes all of this possible 💖

Whether you’re contributing code, giving feedback, or just following along — thank you!

Stay awesome,

Ulises Gascón