OpenJS Foundation Security Program: Annual Report 2025


The OpenJS Foundation, supported by generous funding from Alpha-Omega, made significant progress strengthening security for Node.js and the wider OpenJS project ecosystem in 2025.

The OpenJS Foundation, supported by generous funding from Alpha-Omega, made significant progress strengthening security for Node.js and the wider OpenJS project ecosystem in 2025.

The work centered on systematic improvements: how we respond to vulnerabilities and incidents, automation of release processes, better documentation, hands-on support for more than 10 OpenJS-hosted projects, and collaboration with our friends in the ecosystem.

Several initiatives increased security maturity across all OpenJS projects, including the launch of the OpenJS CNA, updates to security compliance guidelines and coordinated disclosure practices, and the completion of security assessments for 6 projects and threat models for 2.

In parallel, the Foundation worked with ecosystem partners like GitHub and npm to share secure publishing guidance and policy changes.

The team broadly communicated the work through blogs, talks, workshops, mentoring and live streams to educate the community.

Together, the results are a more predictable, more transparent, and more resilient security posture across the foundation and broader JS ecosystem.

Read on for our team’s accomplishments in 2025:

  • Launch of OpenJS CVE Numbering Authority & Vulnerability Disclosure: The OpenJS Foundation became a CVE Numbering Authority (CNA) under the Red Hat Open Source Root CNA, enabling the Foundation to assign CVE identifiers directly for vulnerabilities in hosted projects. This provides a professional, trusted channel for vulnerability disclosure. The CNA launch included six virtual town halls, a guide for maintainers, and direct operational support to project maintainers. Projects like Express.js implemented comprehensive overhauls of their vulnerability reporting processes, including formalized workflows and GitHub Security Advisories. Both ESLint and webpack now have escalation paths directly to OpenJS.
  • Securing End-Of-Life Node.js Versions: In 2025, the Node.js Security Team warned users that continuing to run end-of-life (EOL) versions of Node.js poses a critical security risk. As part of this effort, the team began issuing CVEs for EOL versions of Node.js and, in collaboration with MITRE and the OpenSSF, updated existing CVEs to explicitly include affected EOL releases. This initiative was driven by the finding that a significant portion of the Node.js ecosystem continues to rely on EOL versions for extended periods of time.
  • Shaping npm and GitHub Security Practices: The OpenJS Security Collab Space worked closely with GitHub and npm as npm implemented major authentication and token management changes. The team published comprehensive guidance on secure publishing to npm, covering local publishing with 2FA, hardened CI workflows, and trusted publishing considerations. An analysis of npm permissions and organizational structures was completed to inform the OpenJS npm continuity policy and Secure Releases Guide v2. The team contributed these resources to MDN Web Docs, adding links to OpenJS Security Collab Space guidance on supply chain attacks, secure releases, and npm security best practices to MDN's security documentation.
  • Advancing Node.js Secure Release Practices: Ongoing work continued to refine the Node.js release cadence, including efforts related to the long-term support schedule. Notably, the team reduced release complexity by cutting the number of release steps from over 20 to 3 for each release line and automated the whole security release process. Improvements to release workflows included affected-version selection, CVE tooling reliability, automated communication, pull request status checks, commit generation, changelog accuracy, CI annotations, and build cleanup tasks. These refinements reduced friction for maintainers and improved reliability for downstream consumers.
  • Node.js Platform Improvements: Node.js version 24.0.0 introduced significant core updates, and version 25.0.0 emphasized alignment with modern web standards. Changes included expanded permission controls, global ErrorEvent support, default Web Storage, and a new V8 engine version. The Permission Model advanced to a stable state through version two, which strengthened the security expectations for application developers. A dedicated End of Life page created a clearer understanding of support timelines for all versions.
  • Threat Modeling and Security Governance: Node.js published its first full maintainer threat model, covering access controls and responsibilities. Additional threat models were completed or supported for webpack and Lodash. Security Working Groups for webpack and Express launched with assistance from the Foundation, covering backlog organization, triage support, and planning for the Express bug bounty program.
  • Direct Support for Foundation Projects: Foundation security staff worked directly with project maintainers to address vulnerabilities, strengthen policies, and improve release processes. NativeScript reduced supply chain risks and adopted OpenSSF Scorecard practices. ESLint updated its security policy and response expectations. Express delivered a security update for several packages and improved triage and release planning. Additional assessment and onboarding work supported Mocha, AMP, webpack, Lodash, Lit, Perspective, and GeoDa AI.
  • Scaling OpenJS Security Expertise Across the Ecosystem: The Foundation launched several initiatives to connect JavaScript maintainers with OpenJS security expertise. A dedicated #security-help channel was created on the OpenJS Foundation Slack, giving maintainers a direct line to security experts for questions and project-specific guidance. Broader community channels (#security, #npm) foster open discussion and have sparked new collaborative initiatives across the ecosystem. The is-my-node-vulnerable package was donated to the Node.js organization, giving the community a more visible resource for risk assessment. Additionally, we created a Command Center for Security and Compliance, where projects can track their security posture within the OpenJS Foundation.
  • OpenJS Projects’ Incident Response Plans: Incident Response Plans were created for Node.js core and web infrastructure, with additional plans completed or reviewed for webpack, WebDriverIO, NativeScript, MessageFormat, Fastify, Express, and the OpenJS Foundation itself.

In 2025, the OpenJS Foundation delivered major security improvements across Node.js and the wider JavaScript ecosystem. Key achievements included stabilizing the Node.js Permission Model, automating Node.js security release workflows, creating threat models and incident response plans for OpenJS projects, launching the OpenPathfinder compliance tooling, and establishing foundation-wide security standards.

Direct support reached more than 10 OpenJS Foundation projects, while blogs, talks, and live streams helped educate the community. These efforts strengthened the ecosystem’s security posture and built sustainable processes and tools, laying the groundwork for continued progress in 2026.