Ulises Gascón
@ulisesgascon.com
📤 579
📥 246
📝 111
#OpenSource Maintainer (@nodejs.org, @expressjs.bsky.social ...), #TC39 Delegate and #Maker | He/Him
pinned post!
🌍 Hello, BlueSky! 🤠 I'm Ulises Gascón from Spain! Passionate about #Nodejs, #Express, #JavaScript, and the world of #OpenSource. I spend my days building, maintaining, and improving tools and libraries for our #devCommunity 🫶 👉 Check out my projects and support my work:
github.com/sponsors/Uli...
11 months ago
4
15
1
Welcome @rafaelgss.dev to the @openjsf.org #CNA team! 👏 👏 👏
github.com/openjs-found...
Nominate @rafaelgss as CNA Coordinator by UlisesGascon · Pull Request #297 · openjs-foundation/security-collab-space
@RafaelGSS has made outstanding contributions to the open source security ecosystem, particularly through his leadership in the Node.js project and related tooling. He brings deep expertise in vuln...
https://github.com/openjs-foundation/security-collab-space/pull/297
about 7 hours ago
1
5
3
reposted by
Ulises Gascón
Darcy Clarke
6 days ago
ℹ️ Don't know who needs to hear this but npm has had a --before=<date> flag since v6.9.0 (02/2019):
github.com/npm/cli/blob/v…
Setting a relative date is easy w/: $ npm install --before="$(date -v -7d)" # & only get registry deps that are over a week old
docs.npmjs.com/cli/v11/usin...
3
43
12
reposted by
Ulises Gascón
Wes
5 days ago
Lots of GREAT progress and discussion on our @expressjs.bsky.social Performance Working Group. Thanks everyone who is participating as I think this is the second most (security comes first) impactful thing we could be working on. For anyone interested in helping out:
github.com/expressjs/pe...
GitHub - expressjs/perf-wg: Performance Working Group
Performance Working Group. Contribute to expressjs/perf-wg development by creating an account on GitHub.
https://github.com/expressjs/perf-wg
0
11
3
Welcome @bjohansebas.bsky.social to the @expressjs.bsky.social Security Triage team! 👏 👏 👏
github.com/expressjs/se...
Nominate @bjohansebas to the Security Triage team by UlisesGascon · Pull Request #105 · expressjs/security-wg
I’d like to nominate @bjohansebas as a Security Triage Team member, based on his contributions across multiple project areas and his recent involvement in CVE-2025-48997. cc: @expressjs/express-tc ...
https://github.com/expressjs/security-wg/pull/105
5 days ago
0
5
2
🗞️ Exciting update: #webpack now has an official Threat Model! It sets clear boundaries, improves #security awareness, and strengthens our #ecosystem for everyone. 💪
github.com/webpack/security-wg/pull/9
doc: add a Threat Model by UlisesGascon · Pull Request #9 · webpack/security-wg
Heavily inspired by Express Threat model: https://github.com/expressjs/security-wg/blob/main/docs/ThreatModel.md Closes #8
https://github.com/webpack/security-wg/pull/9
9 days ago
0
2
0
🚩 Keep up to date with @nodejs.org by watching the #Nodejs Security Working Group's last meeting on YouTube!
www.youtube.com/watch?v=2_ex...
2025-09-11 - Security Team meeting
YouTube video by node.js
https://www.youtube.com/watch?v=2_exLrhF5YM
11 days ago
0
1
0
reposted by
Ulises Gascón
Express
14 days ago
The maintainer of one of our dependencies, debug, was the target of a phishing attack resulting in the release of [email protected] with malware. Supply chain security is all of our responsibilities. Be careful out there, and for today don't update your deps.
socket.dev/blog/npm-aut...
npm Author Qix Compromised via Phishing Email in Major Suppl...
npm author Qix’s account was compromised, with malicious versions of popular packages like chalk-template, color-convert, and strip-ansi published.
https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
1
12
6
🍿 Exciting news! The @openjsf.org Foundation #AI Collaboration Space holds its first meeting next week. A community hub where developers, maintainers and policy thinkers explore how #JavaScript connects billions of people to #AI.
github.com/openjs-found...
GitHub - openjs-foundation/ai-collab-space: A community hub exploring how JavaScript powers the future of AI.
A community hub exploring how JavaScript powers the future of AI. - openjs-foundation/ai-collab-space
https://github.com/openjs-foundation/ai-collab-space
17 days ago
0
1
0
🔒 Securing #OpenSource projects is not an easy task. ✨ Here’s a great #initiative helping the #maintainers and community move forward: 👉
openjsf.org/blog/securit...
How OpenJS Hosted Projects Benefit from Security Support | OpenJS Foundation
Providing Hosted Projects with the Tools and Guidance to Manage Security Confidently
https://openjsf.org/blog/security-support-for-openjs-projects
18 days ago
0
3
2
🗞️ Exciting news: #webpack now has a Security Working Group! We’ll: 👉 Define triage & policies 👉 Guide secure plugin development 👉 Improve report processes 👉 Promote best practices 👉 Support #OpenJS & #OpenSSF initiatives
github.com/webpack/secu...
GitHub - webpack/security-wg: Webpack Security Working Group
Webpack Security Working Group. Contribute to webpack/security-wg development by creating an account on GitHub.
https://github.com/webpack/security-wg
20 days ago
0
1
0
reposted by
Ulises Gascón
Wes
about 1 month ago
The @expressjs.bsky.social project has helped transfer over iconv-lite (with the awesome effort of @bjohansebas.bsky.social). Hopefully we can be a good home for this package which adds another 446M monthly downloads to the project's scope.
github.com/pillarjs/ico...
GitHub - pillarjs/iconv-lite: Convert character encodings in pure javascript.
Convert character encodings in pure javascript. Contribute to pillarjs/iconv-lite development by creating an account on GitHub.
https://github.com/pillarjs/iconv-lite
1
7
2
Say hello to the newest member of the @expressjs.bsky.social family 👋 iconv-lite: Convert character encodings in pure #javascript. And yes… a new release is baking in the oven 🔥
github.com/pillarjs/ico...
release: 0.7.0 by bjohansebas · Pull Request #334 · pillarjs/iconv-lite
I plan to release this version on Wednesday, 8/20/2025 cc: @wesleytodd @ashtuchkin @UlisesGascon I’ll check if we already agree on moving this package to expressjs/pillarjs :) so I can update the m...
https://github.com/pillarjs/iconv-lite/pull/334
about 1 month ago
0
2
1
✨ The #OSPO Book is here!✨
github.com/todogroup/os...
Releases · todogroup/ospology
📖 OSPOlogy - The Study of OSPOs. Contribute to todogroup/ospology development by creating an account on GitHub.
https://github.com/todogroup/ospology/releases
about 1 month ago
0
0
0
🚀 One step closer to #jQuery 4!
blog.jquery.com/2025/08/11/j...
jQuery 4.0.0 Release Candidate 1 | Official jQuery Blog
jQuery: The Write Less, Do More, JavaScript Library
https://blog.jquery.com/2025/08/11/jquery-4-0-0-release-candidate-1/
about 1 month ago
0
0
0
reposted by
Ulises Gascón
Augustin Mauroy
about 1 month ago
Want to see what we've accomplished with the node.js ‘userland-migrations’ initiative? Check out these awesome codemods
codemod.link/nodejs-offic...
I hope your deprecation is already supported. If not, go to
git.new/userland-mig...
Node.js official codemods
Facilitate automated migrations of userland code.
https://codemod.link/nodejs-official
4
12
7
✨ Proud to be one of the maintainers of @expressjs.bsky.social in the @github.com Secure Open Source Fund! Securing the #OpenSource #SupplyChain is a team sport 💚
github.blog/open-source/...
Securing the supply chain at scale: Starting with 71 important open source projects
Learn how the GitHub Secure Open Source Fund helped 71 open source projects significantly improve their security posture.
https://github.blog/open-source/maintainers/securing-the-supply-chain-at-scale-starting-with-71-important-open-source-projects/
about 1 month ago
0
14
2
reposted by
Ulises Gascón
Sarah Drasner
about 2 months ago
JS Conf US is happening again! This is a big deal, it has not occurred for some time. I'm thrilled to keynote and speak alongside folks I deeply admire: @devdevcharlie.com @evanyou.me @aysegul.bsky.social, more My talk is on fundamentals! We'll go deep into platforms and systems, using my drawings
4
85
12
🔒 Security update: Check out the July 2025 Security Releases for Express Stay safe out there 🫡
expressjs.com/2025/07/31/s...
July 2025 Security Releases
Security releases for Multer and On-headers have been published. We recommend that all users upgrade as soon as possible.
https://expressjs.com/2025/07/31/security-releases.html
about 2 months ago
0
1
0
reposted by
Ulises Gascón
TC39
about 2 months ago
ECMAScript Excitement 🎉 Today, TC39 advanced these proposals:
2️⃣.7️⃣ Intl Era and Month Code
2️⃣ Import Buffer
1️⃣ Module Global
0
22
5
reposted by
Ulises Gascón
Rob Palmer
about 2 months ago
ECMAScript excitement 😉 Congrats to @michael.ficarra.me on advancing the Iterator Sequencing proposal to Stage 3 at TC39 this week 🎉 let it = Iterator.concat(it1, it2, ...) It helps you create an iterator by stitching together a sequence of iterators 👍
github.com/tc39/proposa...
0
20
1
reposted by
Ulises Gascón
Rob Palmer
about 2 months ago
ECMAScript excitement 😉 Congrats to @bakkot.com on advancing Math.sumPrecise to Stage 4 at TC39 this week 🎉 let vals = [1e20, 0.1, -1e20]; Math.sumPrecise(vals); //👉 0.1 It lets you calculate the sum of an array of numbers. Manual addition in a loop can lose precision - use this API instead.
1
23
5
😏 The Great Monkey-Patch Safari in @expressjs.bsky.social has begun. Join the adventure with critical hacks and hotfixes ahead!
github.com/expressjs/ex...
The Great Monkey-Patch Safari · Issue #6669 · expressjs/express
We want to track down and document all instances of express and our core deps monkey-patching Node core, specifically it's the HTTP internals like IncomingMessage and ServerResponse where we do our...
https://github.com/expressjs/express/issues/6669
about 2 months ago
1
2
2
🏖️ The latest issue of my #newsletter is out, number 007. What started as a quiet summer turned into a season full of open source security work, big releases, and exciting milestones.
blog.ulisesgascon.com/newsletter-i...
Newsletter #007: Summer is a great time for making releases and working on security 🏖️
From CNA milestones to major security releases, updated threat models, and exciting book news. This summer has been packed with progress across open source security and the Node.js ecosystem.
https://blog.ulisesgascon.com/newsletter-issue-7
about 2 months ago
0
1
1
🗳️ I just cast my vote for the 2025 OWASP WASPY Awards Election! Proud to support the amazing contributors in the @owasp.org community. 🙌
2 months ago
0
0
0
🚀 New #GitHub Sponsorship tiers for companies I help maintain #Nodejs, #Express and 200+ npm packages Sponsorship is not charity. It is strategy for you: ✅ Early ecosystem insights ✅ Async collab with your team ✅ Sync on roadmap and priorities
github.com/sponsors/Uli...
Sponsor @UlisesGascon on GitHub Sponsors
FOSS Maintainer (Node.js, Express, Yeoman). I maintain 200+ OSS packages, patch CVEs, and keep critical JavaScript infrastructure secure stable and evolving. I'm part of your supply chain and that’...
https://github.com/sponsors/UlisesGascon
2 months ago
0
2
0
🔒 Security update: Check out the June 2025 Security Releases for Express Sorry for the delay in the blog publication — stay safe out there 🫡
expressjs.com/2025/07/18/s...
June 2025 Security Releases
Security update for Multer released. All users are encouraged to upgrade.
https://expressjs.com/2025/07/18/security-releases.html
2 months ago
0
0
0
🚀 Just released [email protected] 📦 🍿 #release details:
github.com/expressjs/ti...
Release v1.9.1 · expressjs/timeout
What's Changed docs(readme): remove gratipay by @hongbo-miao in #41 ci: apply OSSF Scorecard security best practices by @UlisesGascon in #47 deps: [email protected] by @UlisesGascon in #62 🔖 v1.9.1...
https://github.com/expressjs/timeout/releases/tag/v1.9.1
2 months ago
0
0
0
🚀 Just released [email protected] 📦 🍿 #release details:
github.com/expressjs/se...
Release v1.18.2 · expressjs/session
What's Changed fix: Resolve test failure - Refresh server.crt with existing key extending expiry to Nov 21 03:28:10 2034 GMT by @BaileyFirman in #1003 feat: gencert script to regenerate the test s...
https://github.com/expressjs/session/releases/tag/v1.18.2
2 months ago
0
1
0
🚀 Just released [email protected] 📦 🍿 #release details:
github.com/expressjs/re...
Release v2.3.4 · expressjs/response-time
What's Changed ci: add CodeQL (SAST) by @bjohansebas in #34 ci: limit the scope to main branch by @UlisesGascon in #33 [StepSecurity] Apply security best practices by @step-security-bot in #37 bui...
https://github.com/expressjs/response-time/releases/tag/v2.3.4
2 months ago
0
1
0
🚀 Just released [email protected] 📦 🍿 #release details:
github.com/expressjs/co...
Release v2.1.1 · expressjs/cookie-session
What's Changed chore: add support for OSSF scorecard reporting by @inigomarquinez in #180 chore: upgrade scorecard workflow pinned action versions by @carpasse in #184 docs: Fix typo in README.md ...
https://github.com/expressjs/cookie-session/releases/tag/v2.1.1
2 months ago
0
1
0
🚀 Just released [email protected] 📦 🍿 #release details:
github.com/expressjs/co...
Release v1.8.1 · expressjs/compression
What's Changed fix(docs): update multiple links from http to https by @Phillip9587 in #222 ci: add dependabot for github actions by @bjohansebas in #207 build(deps): bump github/codeql-action from...
https://github.com/expressjs/compression/releases/tag/v1.8.1
2 months ago
0
1
0
🚀 Just released [email protected] 📦 🍿 #release details:
github.com/expressjs/mo...
Release 1.10.1 · expressjs/morgan
What's Changed renaming simple to sample in readme by @ryhinchey in #237 adding installation instructions to readme by @ryhinchey in #233 chore: add support for OSSF scorecard reporting by @inigom...
https://github.com/expressjs/morgan/releases/tag/1.10.1
2 months ago
0
0
0
🚨 Low-severity security fix in [email protected] just released! - Patches CVE-2025-7339 — vulnerable to http response header manipulation
github.com/jshttp/on-he...
Release 1.1.0 · jshttp/on-headers
Important Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q) What's Changed Migrate CI pipeline to GitHub actions by @carpasse in #12 fix README.md badges by @carpasse in #13 add OSSF scorecard action by @...
https://github.com/jshttp/on-headers/releases/tag/v1.1.0
2 months ago
0
1
0
🚨 High-severity security fix in [email protected] just released! - Patches CVE-2025-7338 — Denial of Service via unhandled exception from malformed request - All users should upgrade immediately: npm i multer@latest
github.com/expressjs/mu...
Release v2.0.2 · expressjs/multer
Important Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p) Full Changelog: v2.0.1...v2.0.2
https://github.com/expressjs/multer/releases/tag/v2.0.2
2 months ago
0
0
0
🚩 Keep up to date with @nodejs.org by watching the #Nodejs Security Working Group's last meeting on YouTube!
www.youtube.com/watch?v=_YmV...
2025-07-17 - Security Team meeting
YouTube video by node.js
https://www.youtube.com/watch?v=_YmVz6tyYFc
2 months ago
0
2
1
reposted by
Ulises Gascón
Axel Rauschmayer (also on 🦣)
2 months ago
My books on #JavaScript and #TypeScript are free to read online: – Exploring JavaScript (ES2025 edition) – Deep JavaScript – Exploring TypeScript (TS 5.8 edition) – Shell scripting with Node.js 🦋 Reposts appreciated!
exploringjs.com
0
9
5
📣 Follow the discussion: #Nodejs may move from biannual to yearly major releases to simplify support and ease maintainer workload. 📆 LTS could go from 30 to 24 months 🧩 Odd/even release lines may be unified 🙏 Thanks to @rafaelgss.dev for the proposal!
github.com/nodejs/Relea...
Proposal - Shift Node.js to Annual Major Releases and Shorten LTS Duration · Issue #1113 · nodejs/Release
Background Currently, Node.js operates on a biannual major release schedule. Even-numbered releases enter Long-Term Support (LTS), providing extended maintenance, while odd-numbered releases typica...
https://github.com/nodejs/Release/issues/1113
2 months ago
1
5
1
reposted by
Ulises Gascón
Philip Chimento
2 months ago
The recording of my talk about Temporal from JSNation last month is published!
gitnation.com/contents/tem...
Temporal: The Curious Incident of the Wrong Nighttime by Philip Chimento
Speaker's involvement in Temporal proposal and TC39 meetings for JavaScript standardization. Date conversion challenges faced in development. Addressing time zone discrepancies with Temporal to preven...
https://gitnation.com/contents/temporal-the-curious-incident-of-the-wrong-nighttime
0
15
6
reposted by
Ulises Gascón
OpenJS Foundation
3 months ago
What’s our security team been up to in 2025? Just shipping security patches, launching new tools, and leveling up compliance like pros 💪 In 2025, we've been putting in serious work across our projects to improve security, automate releases, and streamline compliance. 📖
openjsf.org/blog/openjs-...
OpenJS Security Checkpoint: 2025 So Far | OpenJS Foundation
From vulnerability patching to release automation to better governance processes, here’s what’s been happening behind the scenes from January through June.
https://openjsf.org/blog/openjs-security-checkpoint-2025-so-far
0
9
3
😱 My book Node.js for Beginners is part of the @humblebundle.com + Packt Modern Back-End Web Dev bundle — but it's ending soon! ⏳ Just 1 day left! 📚 Learn #Nodejs, #Python, #Go & more. Support charity while you skill up!
www.humblebundle.com/books/modern...
Humble Tech Book Bundle: Modern Back End Web Development by Packt
Modernize your understanding of frameworks including node.js, asp.net, and GraphQL. Pay what you want & support Coral Guardian!
https://www.humblebundle.com/books/modern-back-end-web-development-packt-books
3 months ago
1
4
0
What started as a #POC is now featured on the official @openjs.bsky.social Security page! 🎉 🚀 #OpenPathFinder helps #JavaScript & #NodeJS projects automate security & compliance — and I’m working on exciting updates for [email protected]!
openjsf.org/security
Security at the OpenJS Foundation | OpenJS Foundation
The OpenJS Foundation supports its projects by improving their security through guidance, engineering support, and structured programs.
https://openjsf.org/security
3 months ago
0
3
0
reposted by
Ulises Gascón
Michael Dawson
3 months ago
In my continued exploration of using Llama Stack with #nodejs this post looks at observability -
developers.redhat.com/articles/202...
How to implement observability with Node.js and Llama Stack | Red Hat Developer
Enhance your Node.js AI applications with distributed tracing. Discover how to use Jaeger and OpenTelemetry for insights into Llama Stack interactions
https://developers.redhat.com/articles/2025/06/12/how-implement-observability-nodejs-and-llama-stack
0
3
1
🚀 Just released [email protected] 📦 🍿 #release details:
github.com/expressjs/se...
Release 2.5.1 · expressjs/serve-favicon
What's Changed chore: add support for OSSF scorecard reporting by @inigomarquinez in #49 ci: replace travis with github action by @inigomarquinez in #48 chore: upgrade scorecard workflow pinned ac...
https://github.com/expressjs/serve-favicon/releases/tag/2.5.1
3 months ago
0
2
0
"It's a reminder that the underlying processes of computers are still made by humans" #save418
save418.com
Save Error Code 418
https://save418.com/
4 months ago
0
4
0
🚀 Just released [email protected] 📦 🍿 #release details:
github.com/jshttp/statu...
Release v2.0.2 · jshttp/statuses
What's Changed Ci/add missing node versions by @carpasse in #32 chore: add support for OSSF scorecard reporting by @inigomarquinez in #24 chore: pin dependencies and specify permissions in the pip...
https://github.com/jshttp/statuses/releases/tag/v2.0.2
4 months ago
0
3
0
npx-safe 👏 👏 👏
www.youtube.com/watch?v=aJNU...
Stop using npx and uses npx-safe
YouTube video by Rafael Gonzaga
https://www.youtube.com/watch?v=aJNUSHWsa58
4 months ago
0
1
0
🚩 Keep up to date with @nodejs.org by watching the #Nodejs Security Working Group's last meeting on YouTube!
www.youtube.com/watch?v=x0KM...
2025-06-05 - Node.js Security Team meeting
YouTube video by node.js
https://www.youtube.com/watch?v=x0KMcmXM42k
4 months ago
0
0
1
🔐 We've overhauled how #ExpressJS handles vulnerability reports! New unified policies, GitHub Security Advisories, and a clear workflow—backed by the #SovereignTechFund & @openjs.bsky.social.
expressjs.com/2025/06/05/v...
How Express.js Rebuilt Its Vulnerability Reporting Process
Express.js has overhauled its vulnerability reporting workflow with a unified process, consolidated documentation, and GitHub Security Advisories enabled across all repositories.
https://expressjs.com/2025/06/05/vulnerability-reporting-process-overhaul.html
4 months ago
0
4
1
📚 The great #Nodejs book is at the #FeriadelLibroMadrid! 📍 #Caseta365 – ARTCOMBO / SENTIR / MARCOMBO 🗓️ Until June 15 🔖 10% discount A modern guide to mastering #Nodejs from scratch. Come by! 🚀
4 months ago
0
0
0
🚨 High-severity security fix in [email protected] just released! - Patches CVE-2025-48997 — a crash triggered by empty field names in multipart uploads - All users should upgrade immediately: npm i multer@latest
github.com/expressjs/mu...
Release v2.0.1 · expressjs/multer
Important Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg) What's Changed add Arabic translation for README .. by @3imed-jaberi in #762 Update README.md to fix issue #1114 by @Mohamed-Abdelfattah in #1...
https://github.com/expressjs/multer/releases/tag/v2.0.1
4 months ago
0
1
0