I’m happy to announce that Express.js documentation has a new look! 🎉 This was a huge team effort with more than a year of work behind it. Thanks to everyone involved for the support and dedication that made this launch possible. expressjs.com/en/blog/2026...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-8162 — multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing github.com/pillarjs/mul...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-8161 — multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception github.com/pillarjs/mul...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-8159 — multiparty vulnerable to ReDoS via filename parsing github.com/pillarjs/mul...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-6402 — webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins github.com/webpack/webp...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-6322 — fast-uri vulnerable to host confusion via percent-encoded authority delimiters github.com/fastify/fast...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-6321 — fast-uri vulnerable to path traversal via percent-encoded dot segments github.com/fastify/fast...

🚨 High-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-7768 — vulnerable to Denial of Service via Unbounded Accept Header Cache Growth github.com/fastify/fast...

Would love more feedback and input on: github.com/collective-f... We tried to summarize the best practices in how to use open source funds two years ago to enable Mocha etc to align with them.

pip 26.1 is an incredible release, thank you to the pip maintainers!! 💜 – Relative dependency cooldown support! – Installing from pylock.toml – Multiple security fixes Read the full blog post by Richard Si: ichard26.github.io/blog/2026/04... #python #pypi #pip #security #oss #opensource

🚀 The @openjsf.org #CNA now has an RSS feed! Subscribe to get notified about new CVEs across all OpenJS projects as they are published. cna.openjsf.org/feed.xml

🔐 The #Nodejs Collab Summit security session recording is online. We covered the AI-generated report surge, how it's reshaping vulnerability triage, and a proposal to rethink our disclosure process. Great session by @rafaelgss.dev 👏👏👏 youtube.com/watch?v=vXg6...

🔐 New updates landed on the Lodash threat model! We added exclusions for common report patterns we've been tracking. Saves everyone time and keeps the focus on real issues. github.com/lodash/lodas...

Do not unleash your AI-powered bot into people's GitHub repos without asking first. If you do that on any of the repos I maintain, your bot is likely to get banned. (I've already banned a few).

🚨 High-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-33804 — middleware bypass via deprecated ignoreDuplicateSlashes option github.com/fastify/midd...

🚨 Critical-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-6270 — middleware authentication bypass in child plugin scopes github.com/fastify/midd...

🚨 Medium-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-6410 — path traversal in directory listing github.com/fastify/fast...

🚨 Medium-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-6414 — route guard bypass via encoded path separators github.com/fastify/fast...

🚨 Medium-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-6414 — route guard bypass via encoded path separators github.com/fastify/fast...

🚨 Critical-severity security fix in @fastify/[email protected] and @fastify/[email protected] just released! Patches CVE-2026-33805 — connection header abuse enables stripping of proxy-added headers github.com/fastify/fast...

🚨 Critical-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-33807 — middleware path doubling causes authentication bypass in child plugin scopes github.com/fastify/fast...

🚨 Critical-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-33808 — middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) github.com/fastify/fast...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-33806 — body schema validation bypass via leading space in Content-Type header github.com/fastify/fast...

🔖 The latest issue of my #newsletter is live, issue 013. March recap: 12 CVEs across #undici, #Fastify, #Lodash & #pathtoregexp, a state-actor supply chain attack on #axios, and the #Nodejs security bug bounty paused 🔐 blog.ulisesgascon.com/newsletter-i...

🔐 7 out of 10 of #security reports for #Lodash and #Express are invalid. The current spike is LLM-generated noise eating volunteers' time that should go to releases, features, and real bugs.

Just shipped a new newsletter to Sponsors! 🎁 Covers the phishing campaign targeting #opensource maintainers (including myself), Scorecard v6, 12 CVEs patched, and the Node.js bounty program pause 🔐 Get early access & support my OSS work here: github.com/sponsors/Uli...

Same here. Open source maintainers are unsung heroes. We need better funding and protection for them. #OpenSource

This campaign is massive and a great reminder that behind your favorite Open Source dependencies are humans too! I was also targeted, lucky that it takes me years to check my inbox 💀

The #Nodejs project's security bug bounty program is being paused due to the discontinuation of its external funding source 😞 nodejs.org/en/blog/anno...

🚀 Just released [email protected] 📦 🍿 #release details: github.com/pillarjs/hbs...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-4800 — lodash vulnerable to Code Injection via _.template imports key names github.com/lodash/lodas...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-2950 — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit github.com/lodash/lodas...

🔒 Security update: Check out the March 2026 Security Releases for Express Stay safe out there 🫡 expressjs.com/2026/03/30/s...

"The biggest supply-chain risk isn’t abandoned code. It’s unsupported ecosystems." At RSAC 2026, @rginn206.bsky.social outlined a consistent pattern across ecosystems: when maintainer capacity does not scale with dependency usage, security risk increases. Read more on the blog: bit.ly/3PzHKA0

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-4923 — path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards github.com/pillarjs/pat...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-4926 — path-to-regexp vulnerable to Denial of Service via sequential optional groups github.com/pillarjs/pat...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-4867 — regular Expression Denial of Service via multiple route parameters github.com/pillarjs/pat...

🚀 Just released [email protected] 📦 🍿 #release details: github.com/pillarjs/pat...

🚨 Moderate-severity security fix in [email protected] just released! Patches CVE-2026-3635 — vulnerable to request (protocol and host) spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function github.com/fastify/fast...

🔖 The latest issue of my #newsletter is live, issue 012. February in numbers: 5 CVEs patched across #Express & #Fastify, 5 releases shipped, and a hard conversation about whether #opensource security triage is still sustainable in the age of AI 🔐 blog.ulisesgascon.com/newsletter-i...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-1528 — vulnerable to Malicious WebSocket 64-bit frame length handling could crash the client. github.com/nodejs/undic...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-1525 — vulnerable to Inconsistent interpretation of HTTP requests (request/response smuggling class issue). github.com/nodejs/undic...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-2581 — vulnerable to Unbounded memory consumption in deduplication interceptor response buffering (DoS risk). github.com/nodejs/undic...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-1527 — vulnerable to CRLF injection via the upgrade option. github.com/nodejs/undic...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-1526 — vulnerable to Unbounded memory consumption in WebSocket permessage-deflate decompression. github.com/nodejs/undic...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-2229 — vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation github.com/nodejs/undic...

Node.js 25.8.1 is out, fixing a Yargs 17 compatibility issue. Full changelog and download links at nodejs.org/en/blog/rele...

🔖 It is official now! Starting with 27.x, #Nodejs will move from two major releases per year to one. This post explains what's changing, why, and what it means for you and your projects nodejs.org/en/blog/anno...

Just shipped a new newsletter to Sponsors! 🎁 Covers the AI storm hitting #opensource security, the new #Nodejs release schedule, and a very heavy CVE month 🔐 Get early access & support my OSS work here: github.com/sponsors/Uli...

🚨 Moderate-severity security fix in [email protected] just released! Patches CVE-2026-3419 — Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation github.com/fastify/fast...