🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-4800 — lodash vulnerable to Code Injection via _.template imports key names github.com/lodash/lodas...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-2950 — lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit github.com/lodash/lodas...

🔒 Security update: Check out the March 2026 Security Releases for Express Stay safe out there 🫡 expressjs.com/2026/03/30/s...

"The biggest supply-chain risk isn’t abandoned code. It’s unsupported ecosystems." At RSAC 2026, @rginn206.bsky.social outlined a consistent pattern across ecosystems: when maintainer capacity does not scale with dependency usage, security risk increases. Read more on the blog: bit.ly/3PzHKA0

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-4923 — path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards github.com/pillarjs/pat...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-4926 — path-to-regexp vulnerable to Denial of Service via sequential optional groups github.com/pillarjs/pat...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-4867 — regular Expression Denial of Service via multiple route parameters github.com/pillarjs/pat...

🚀 Just released [email protected] 📦 🍿 #release details: github.com/pillarjs/pat...

🚨 Moderate-severity security fix in [email protected] just released! Patches CVE-2026-3635 — vulnerable to request (protocol and host) spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function github.com/fastify/fast...

🔖 The latest issue of my #newsletter is live, issue 012. February in numbers: 5 CVEs patched across #Express & #Fastify, 5 releases shipped, and a hard conversation about whether #opensource security triage is still sustainable in the age of AI 🔐 blog.ulisesgascon.com/newsletter-i...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-1528 — vulnerable to Malicious WebSocket 64-bit frame length handling could crash the client. github.com/nodejs/undic...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-1525 — vulnerable to Inconsistent interpretation of HTTP requests (request/response smuggling class issue). github.com/nodejs/undic...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-2581 — vulnerable to Unbounded memory consumption in deduplication interceptor response buffering (DoS risk). github.com/nodejs/undic...

🚨 Medium-severity security fix in [email protected] just released! Patches CVE-2026-1527 — vulnerable to CRLF injection via the upgrade option. github.com/nodejs/undic...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-1526 — vulnerable to Unbounded memory consumption in WebSocket permessage-deflate decompression. github.com/nodejs/undic...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-2229 — vulnerable to Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation github.com/nodejs/undic...

Node.js 25.8.1 is out, fixing a Yargs 17 compatibility issue. Full changelog and download links at nodejs.org/en/blog/rele...

🔖 It is official now! Starting with 27.x, #Nodejs will move from two major releases per year to one. This post explains what's changing, why, and what it means for you and your projects nodejs.org/en/blog/anno...

Just shipped a new newsletter to Sponsors! 🎁 Covers the AI storm hitting #opensource security, the new #Nodejs release schedule, and a very heavy CVE month 🔐 Get early access & support my OSS work here: github.com/sponsors/Uli...

🚨 Moderate-severity security fix in [email protected] just released! Patches CVE-2026-3419 — Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation github.com/fastify/fast...

Via Node Weekly: 💡 A cute side effect of the change will be the latest LTS Node version will match the year. Node 28 will go LTS in 2028, and so on. nodeweekly.com/issues/614

Announcing the @nodejs.org LTS Upgrade and Modernization Program! 🚀 We're helping enterprises move safely off end-of-life Node.js versions to reduce security risks with our partnerNodeSource. Modern Node.js is safer Node.js. Details: openjsf.org/blog/nodejs-...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-3520 — vulnerable to Denial of Service via uncontrolled recursion github.com/expressjs/mu...

🚀 Just released [email protected] 📦 🍿 #release details: github.com/expressjs/mu...

🔒 Security update: Check out the February 2026 Security Releases for Express Stay safe out there 🫡 expressjs.com/2026/02/27/s...

🚨 High-severity security fix in @fastify/[email protected] just released! Patches CVE-2026-2880 — vulnerable to a path normalization inconsistency that can result in authentication/authorization bypass when using path-scoped middleware. github.com/fastify/midd...

🚨 High-severity security fix in [email protected] just released! Patches CVE-2026-3304 — vulnerable denial of service (DOS) via incomplete cleanup github.com/expressjs/mu...

🚨 High-severity security fix in [email protected] just released! - Patches CVE-2026-2359 — vulnerable denial of Service via resource exhaustion github.com/expressjs/mu...

🚀 Just released [email protected] 📦 🍿 #release details: github.com/expressjs/mu...

☕ Something's brewing for @nodejs.org releases starting with 27.x. Official announcement coming soon! 👀 Sneak peek: github.com/nodejs/nodej...

Node.js release day! @ruyadorno.com and I just released Node.js 24.14.0 and 25.7.0, full changelog and download links at nodejs.org/en/blog/rele... and nodejs.org/en/blog/rele...

"Many maintainers report they're underpaid or, all too often, not paid at all, despite the enormous downstream value they create. That often means holding a day job and then maintaining critical infrastructure at night. All of which leads to 60-80 hour weeks." www.theregister.com/2026/02/23/o...

WHAT EVEN IS A CVE!!! ❓ @ulisesgascon.com breaks it down and explains what a CVE is and how it helps in our latest short. You can view all of the shorts in our series on our YouTube Channel too for more security insights 👀 youtube.com/@OpenJSFound...

✨ Keep up to date with @nodejs.org by watching the #Nodejs #Release Working Group's last meeting on YouTube! www.youtube.com/watch?v=ulMh...

Seeing how quickly @npmx.dev came onto the scene and how many developers from different backgrounds came together to build it gives me hope for the future. The real value is always the people and the culture surrounding them.

We're more than 150 humans collaborating at repo.npmx.dev 🎉

Awesome humans below 👇

🚀 Just released [email protected] 📦 🍿 #release details: github.com/onebeyond/sy...

🚀 Just released [email protected] 📦 🍿 #release details: github.com/onebeyond/ra...

🚀 Just released [email protected] 📦 🍿 #release details: github.com/onebeyond/ra...

🔖 The latest issue of my #newsletter is live, issue 011. Secure publishing on #npm in 2026, major #Lodash security overhaul, updated security best practices, fresh #Express release backlog & ecosystem insights from talks, CVEs & community work ✨ blog.ulisesgascon.com/newsletter-i...

We talk constantly about the risks of unmaintained dependencies and supply chain vulnerabilities, but rarely about the complexity of fixing them when the project is as massive as Lodash. This amazing article captures the reality of Open Source sustainability. Thanks @sarahgooding.bsky.social!

"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚

Just shipped a new newsletter to Sponsors! 🎁 Includes the hard truths of #npm security, #Expressjs updates, and the #Lodash overhaul that put my code in space 🚀. Get early access & support my OSS work here: github.com/sponsors/Uli...

Happy Friday from our fresh collaboration page. 😎 Want to get involved in our collaboration spaces and projects? Check out the page to see what groups to join and what meetings are happening. If you care about JavaScript, you belong here. ✌️ openjsf.org/collaboration

Big year for security at OpenJS 👀 With support from Alpha Omega, we leveled up security across Node.js and the OpenJS ecosystem in 2025. Faster vulnerability response, automated releases, a new OpenJS CNA, stronger disclosure practices, and hands on support for over 10 projects. hubs.la/Q040lXwL0

🎙️ Publicar paquetes de forma segura en 2026 www.youtube.com/watch?v=tBQw...

🛠️ Análisis en profundidad del parche de #seguridad para CVE-2025-13465 en #Lodash: causa raíz, mecánica de prototype pollution en _.unset/_.omit y detalles del parche. orbitant.com/prototype-po...

🛠️ In-depth breakdown of the #security fix for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and details of the patch. orbitant.com/en/prototype...

🚀 Just released [email protected] 📦 🍿 #release details: github.com/expressjs/se...