Newsletter #009: Open Source Treats — Lodash, Yeoman & Express 🎃

Written by Ulises Gascón

Nov 03, 2025 · 6 min read

This post was originally shared with my GitHub Sponsors. If you’d like to get early access to updates like this and support my open source work, consider becoming a sponsor here. 🙌


Hola everyone! 🎉

Hope you’ve all been doing awesome since our last catch-up. October was full of open source treats — no tricks this time! 🎃

From Lodash’s new governance model and Yeoman’s maintenance reboot to Express 6’s modernization journey, this spooky season turned out to be packed with progress, collaboration, and a lot of positive energy across the ecosystem.

Let’s dive in! ✨

🧩 Lodash’s Next Chapter

Over the past few weeks, we’ve been working hard to shape the future of Lodash — one of the most widely used libraries in the JavaScript ecosystem, powering over 9 million websites and billions of weekly npm downloads. ✨

Thanks to the incredible foundation built by John-David Dalton (JDD), Lodash has been a cornerstone of JavaScript development for years. Now, with the support of the Sovereign Tech Agency (STA) and the OpenJS Foundation, we’re expanding collaboration, governance, and security to ensure Lodash continues to thrive for the long run.

🔒 Security & Governance Enhancements
We’ve aligned Lodash’s security escalation policy with the OpenJS CNA process for coordinated disclosure, introduced a new Threat Model inspired by Express and Webpack, and published an Incident Response Plan to help the community respond quickly to future issues.

We’ve also added OpenSSF Scorecard reporting to make Lodash’s security posture transparent and measurable.

⚙️ CI & Infrastructure Upgrades
We’re modernizing the project’s pipelines too — Lodash now runs tests across Node.js v4 → v25, features dedicated browser tests powered by Playwright, and even has its own documentation CI workflow for consistent validation and publishing.

🧭 Governance Transition
The transition toward a Technical Steering Committee (TSC) is also well underway, marking a move from a single-maintainer model to a shared, community-driven governance structure — similar to what we’ve successfully implemented in Express.

👉 Read more in my blog post: The Future of Lodash

🎩 Yeoman Maintenance Reboot

It’s been a busy month for Yeoman — the classic scaffolding toolkit is getting some well-deserved maintenance love! 💛

We’re preparing a detailed blog post summarizing all the recent security and modernization work, but a few highlights are already live:

🚀 New Releases

These updates improve compatibility with modern Node.js versions, refresh dependencies, and enhance long-term maintainability.

🧹 Autumn Cleanup & Deprecations
As part of the ongoing Yeoman maintenance reboot, we’ve been archiving and deprecating several legacy packages that no longer fit today’s workflows.

The following repositories have now been archived: generator-commonjs, generator-gruntfile, generator-gruntplugin, generator-jasmine, generator-jquery, generator-karma, generator-mocha, Hackathons, yeoman-app, yeoman-assert, and yeoman-generator-list.

This cleanup helps focus efforts on the tools that matter most to current developers and clears the path for future improvements. I already shared more about the early stages of this reboot back in Newsletter #003, where we discussed the project’s direction and the first infrastructure fixes.

💬 Call to Action
We’re also re-evaluating the direction of generator-webapp — one of Yeoman’s most popular generators. Should we deprecate it or rebuild it for 2025?

If you’ve used or contributed to it, we’d love your input!

🚀 Express 6 and the Path to Modernization

The journey toward Express 6 is officially underway — and it’s shaping up to be one of the most important evolutions in the framework’s 15-year history. ✨

As covered in NodeSource’s recent article, this new chapter focuses on modernizing the Express codebase, improving performance, and evolving its governance model for the long term.

Express has come a long way from its early days as a one-maintainer project. With a fully established Technical Committee, improved infrastructure, and stronger collaboration with Node.js core, the framework is now better equipped to adapt and grow sustainably.

Performance is a big part of this story too. The team at NodeSource is helping us implement automated benchmarking pipelines and advanced profiling tools to identify bottlenecks and track performance regressions in real time — all part of a broader effort to make Express faster, leaner, and more transparent.

After Express 5 brought modern middleware, async/await support, and simplified APIs, this next phase is about deep optimization and reducing legacy complexity — including the “monkey-patch safari” 🐒 that many of you have heard about!

This modernization work will ensure Express remains a reliable and secure foundation for the next generation of Node.js applications.

👉 Check out the full story on NodeSource’s blog.

💖 Platinum Sponsor & Community Talk with Orbitant

I’m thrilled to share that Orbitant has joined as a Platinum Sponsor on my GitHub Sponsors page! 🙌

Their support helps make my open source work more sustainable, and it truly means a lot to have partners who believe in the impact of community-driven software.

As part of this collaboration, I’ll also be giving a talk (in Spanish) on November 19th, titled “¿Qué viene después del caos?” (“What Comes After Chaos?”).

The session explores the journey of reviving Express and reimagining Lodash — how projects that once relied on a handful of maintainers are now embracing broader collaboration, shared leadership, and a focus on sustainability and security.

We’ll discuss how values, community, and resilience can turn chaos into an opportunity to build something stronger and more human.

👉 Join the event on LinkedIn

📚 What Else?

A new Bundlers Collaboration Space under the OpenJS Foundation is bringing together maintainers from projects like Webpack, Rollup and others to improve interoperability and tooling best practices.

Also — huge congratulations to the winners of the JavaScriptLandia Awards 2025! From unsung heroes to new arrivals, the award-winners remind us why community effort and leadership matter so much in open source. 🙌

Here are some of the reads and talks I’ve enjoyed recently 👇

🔗 Interesting Stuff

Some awesome reads from my network:

🙌 Thank You!

As always, your support as a sponsor makes all of this possible 💖

Whether you’re contributing code, giving feedback, or just following along — thank you!

✨ New Sponsors

Since the last issue, a few awesome new folks have joined our sponsor community:

Stay awesome,

Ulises Gascón