🌍Haz clic aquí para leerlo en español

Open Source Doesn’t Fail Because of Code!

Written by Ulises Gascón

Nov 24, 20258 min read

Open source rarely collapses in one dramatic moment. It erodes. Quietly. You notice it when releases stall, when issues stack up with no replies, when the same two names keep showing up on every commit log. That is what happened with Express and Lodash. Two of the most used JavaScript projects in the world, and long-standing pillars of the Node.js ecosystem. And for a period of time, both were much closer to irrelevance or accidental self destruction than most people realize.

This article builds on my talk What Comes After Chaos? Lessons from Reviving Express and reimagining Lodash. If you prefer video, you can watch it here:

Express and Lodash have touched an enormous portion of the modern web, appearing directly or indirectly in millions of Node.js applications and production websites. Not because they were trendy but because they were everywhere. Express quietly powers millions of servers, spanning dozens of repositories and tens of billions of yearly downloads. Lodash sits inside production applications, build tools and frameworks with billions of weekly installs and dependencies. This is not “popular project” territory. This is infrastructure.

Slide titled “Express: The Invisible Backbone of the Web”. Minimalist text-only slide describing Express’s global scale: millions of servers, three GitHub organizations, over sixty npm packages, more than fifty million weekly downloads, and over fifty two billion downloads per year across its ecosystem.

Slide titled “Lodash: The Utility Belt of the JavaScript World” describing its scale: over 2.57 billion weekly downloads, used on more than 9.3 million live websites, powering roughly one third of the top 10,000 sites, and ranked as the most directly used version-agnostic npm package in production.

And yet, scale does not protect you from decay. Sometimes it accelerates it.

When the Backbone Starts Cracking

Before the turnaround, Express had all the symptoms of a project that had grown larger than its own structure. Deep architectural decisions from the early Node.js era were becoming a performance and maintenance liability. Monkey patching, compatibility with Node.js versions nobody should still be running, and a test suite that was not stable enough to be trusted by Node’s own integration systems. Express 5 had been “almost ready” for close to a decade. Meanwhile, the effective bus factor in practice hovered around one, governance was informal at best, and the backlog of issues and pull requests kept growing.

Slide titled “The Major Problems before 2024” listing Express’s main issues: performance limitations from early design choices, exclusion from Node.js CITGM due to unstable tests, a decade-long delay of Express 5, a bus factor of about one, a large backlog of unresolved issues, and an outdated security posture.

Lodash had a different kind of challenge. They carried an extraordinary burden for years, and the problem was never their commitment, but the structure around them. Alongside this, hundreds of variant packages and a fragmented CI system made progress harder and riskier than anyone would want. The community was asking for Lodash 5, while the project was still trying to survive Lodash 4 without collapsing under its own operational weight.

Slide titled “The Major Problems” describing Lodash’s key challenges: a single-maintainer BDFL model, hundreds of variant packages increasing complexity, fragmented CI infrastructure, expanded security attack surface, and years of delay for a stable Lodash 5 release.

Contributor dependency dashboard showing an extreme concentration of work. One individual is responsible for 54 percent of all contributions, while the remaining 1,297 contributors together account for 46 percent. In the “Top contributors” list, the same person appears twice under two identities, reinforcing how heavily the project relied on a single maintainer despite the large contributor count. A horizontal bar chart visually emphasizes this imbalance.

This is often the point where idealized views of open source meet reality. At this scale, burnout is not theoretical. It becomes visible and measurable in contribution patterns, response times, and maintainer availability. You could see it in contribution graphs, in response times, in the fact that two contributors carried more than half of Express for years. You could also see it in broader studies showing how close most maintainers are to walking away.

The important part is not that things were broken. It is that nobody had a sustainable way to fix them.

Chaos Is Organizational Before It Is Technical

People like to think that software collapses because of code. It does not. Code can be rewritten. Systems collapse when there is no structure around them to make decisions, handle conflict, and distribute power.

The first real change in Express was not a commit. It was governance. A proper Technical Committee. Defined roles like repository captains and committers. Transparent processes. Working groups with real responsibility instead of vague goodwill. Security was treated as a system, not a checklist: threat modeling, external audits, incident response playbooks, and a dedicated triage team. Releases were no longer wishful thinking. They were scheduled, maintained, and communicated.

Slide titled “The Plan” listing seven actions: establish governance, strengthen security, define an LTS schedule, release Express 5, lay groundwork for Express 6 and 7, re-engage with the Node.js ecosystem, and ensure long-term sustainability for maintainers and community.

This mattered because it rebuilt something more important than code: trust. Not just from users but from contributors, companies and the wider ecosystem. Express was reintegrated into Node.js infrastructure testing, got Impact Project status under the OpenJS Foundation, and finally shipped Express 5 with a roadmap beyond it.

Lodash is following a similar path but with its own constraints and culture. Moving from a BDFL model to a Technical Steering Committee. Deprecating large parts of the variation ecosystem to regain control of complexity. Rebuilding CI so releases are no longer heroic efforts. Focusing on stability, security and progressive modernization, rather than prioritizing new features.

Slide titled “The Goals” outlining five objectives for Lodash: move from a BDFL model to a Technical Steering Committee, simplify maintenance by consolidating packages, modernize CI infrastructure, improve security processes and incident response, and offer a clear, stable future focused on modern platforms and easier migration.

This is slower work. Less visible. Less exciting on social media. But this is what transformation looks like in mature infrastructure.

Not Everything That Looks Like Drama Is One

When projects as big as Express or Lodash make changes, the internet often frames it as a crisis or a scandal. Spam PR incidents. “Is this project dead?” blog posts. Threads about abandoning libraries for “lighter” alternatives. Most of that noise misses the point. Mature ecosystems will always generate friction because they have gravity. But not every moment of tension is a failure. Sometimes it is just the cost of moving from informal to intentional.

What matters is not whether conflict exists. It is whether the project has the structures to handle it without burning people out.

What Actually Survives After Chaos

Express today is not just a framework. It is an organization. Lodash is no longer just a utility library. It is a project learning how to scale its governance as much as its code. The invisible work behind that shift is often ignored: mentoring new maintainers, distributing decision making, documenting processes, creating safe spaces for disagreement, and making sure security and sustainability are treated as first-class concerns, not afterthoughts.

Slide titled “The Secret Sauce” listing key transformation factors: opening community communication channels, forming a Technical Committee, creating a clear backlog, using consensus-based decision making, fostering an inclusive environment, mentoring new maintainers, organizing work into teams, and establishing a dedicated security triage team.

Slide titled “The OpenJS Foundation” explaining that it provides a neutral home for critical JavaScript projects, enables cross-project technical governance through the CPC, and offers governance and security support through an established ecosystem body.

Open source does not survive on pull requests alone. It survives on structure, on shared ownership, and on the uncomfortable decision to stop being heroic and start being boring.

And that is what comes after chaos. Not perfection. Not a happy ending. Just transformation. Slow, deliberate, sometimes frustrating, and absolutely necessary. If you have ever typed npm install express or npm install lodash, you have already been part of that story whether you knew it or not.

It’s also worth saying the uncomfortable part out loud. We didn’t fix this because a magic pile of money appeared. Support does matter, and initiatives like the Sovereign Tech Fund have made a real difference in making this work possible. But funding alone does not solve structural problems. In most cases, the resources are still not enough. Structure, governance and shared ownership carried more weight than budget ever did. And even when projects are “rescued” and celebrated, their long-term sustainability is still fragile. Recovery is a phase, not a conclusion. It needs constant maintenance.

What Comes After Chaos… it’s just transformation.