I'm Ulises Gascon, and I'm a proud part of your software supply chain. Together with an amazing group of co-maintainers, we keep hundreds of npm packages you probably depend on running, ship Node.js releases, and coordinate security for many projects under the OpenJS Foundation. Over the years we've helped ship Express 5.0 after a decade of waiting, rebuilt Lodash's governance from scratch, co-authored many threat models including the Node.js one, and published 6 books on Node.js and security, among other remarkable adventures.
If you've typed npm install today, you've probably touched code I help maintain.
Open source maintenance is mostly invisible work. Reviewing security reports. Cutting releases. Writing threat models. Mentoring new contributors. Responding to incidents on weekends. Rebuilding governance for projects that outgrew their original structure. Security work is emotionally expensive and invisible, and sharing it makes it sustainable.
Most of this work is volunteer. When a critical vulnerability drops on one of the packages you depend on, it still needs someone to triage it, write the patch, and ship the fix. There is no company behind this. I share behind-the-scenes updates through my newsletter.
This work continues because some companies and individuals have chosen to invest in the infrastructure they depend on. Their support allows me to dedicate real time to security, releases, and governance instead of squeezing it into evenings and weekends.
When a critical React vulnerability dropped at 8:30 PM with a CVSS score of 10.0, sponsors had someone in their Slack coordinating the response while most companies were still finding out about it the next morning. That's the kind of access sponsorship provides.
"Information flows faster than coffee in our Slack when a critical CVE appears. And that's exactly what we're looking for." — Orbitant
Node.js for Beginners · El Gran Libro de Node.js · Dominando o Node.js · Docker Seguro · Cybersecurity Handbook · JavaScript, Inspirate!
What Comes After Chaos? · Making Sense of Threat Models · Strengthening the Supply Chain · Publishing Securely on npm
Open Source Doesn't Fail Because of Code · The Future of Lodash · Decoding CVEs · What is a backdoor? Let's build one with Node.js