From vulnerability patching to release automation to better governance processes, here’s what’s been happening behind the scenes from January through June.
The team has been hard at work for the first half of 2025, focusing on critical security updates, compliance milestones, and automation improvements across OpenJS projects.
These efforts are part of a broad commitment by the OpenJS Foundation, which champions Node.js and other ecosystem projects, to make the web safer and more secure. And a big thank you to our friends at Alpha Omega who are funding this work.
The year started with a strong focus on security. We released patches across four active Node.js versions and handled CVEs for Node.js End-of-Life versions (v0.x–v17, v19, and v21). The CVE removal conversations with MITRE are still ongoing.
The Node.js Permission Model, introduced in v20.0.0, has matured and is now considered stable. This upgrade from 1.1 (Active Development) to 2.0 (Stable) marks a significant step forward in security controls within Node.js.
On the tooling side, Node.js releasers got a boost thanks to a new GitHub Action that automates security release proposals following a standardized process. We published the first project-wide Threat Model—finally giving everyone a clear view of who has access to what. Bonus: is-my-node-vulnerable officially joined the Node.js org.
Building on the successful Compliance Dashboard proof-of-concept from late 2024, the team established OpenPathfinder to streamline security assessments. Work began on the v1.1 update of the Security Compliance Guide, incorporating feedback and lessons learned from test assessments and the dashboard POC.
Security compliance started ramping up with the OpenJS Security Compliance Checker being used to evaluate how well a project adheres to the best practices established by the OpenJS Security Compliance Guide. We also automated the creation of security vulnerability pull requests to reduce manual lift and move faster.
In preparation for the launch of the OpenJS CVE Numbering Authority (CNA) we held six virtual town halls around OpenJS’s CNA onboarding and released a guide for OpenJS maintainers to gather feedback and help them prepare for the launch of the CNA.
March saw public response work around the Node.js MITRE CVE removals. The team stepped up with a statement and took part in OpenSSF’s Vulnerability Disclosure working group.
To address the implication, the Node.js team proposed a mitigation plan that includes
On the release front, we wrapped up changelogs and coordinated release candidates for Node.js 24. Improvements to automation cleaned up changelogs and commit formatting for consistency across the board.
Our community-facing efforts progressed with the release of version 1.1 of the OpenJS Security Compliance Guide with usability improvements. An analysis of npm permissions and organizational structures was completed to inform an upcoming OpenJS npm continuity policy and Secure Releases Guide v2.
April brought more security patches across Node.js 18, 20, and 22. Issues in Undici and c-ares were addressed. GitHub CodeQL is now enabled for static analysis, adding another layer of early warning.
The permission model got an upgrade with better error messaging and smarter flag suggestions. And after a CI security incident in March, we published a full disclosure and followed up with a practical blog post on hardening GitHub Actions.
Security Compliance Guide v1.1 continued to roll out, including outreach to projects for assessment interviews and manual, external assessments of projects. We also finalized new tools, VisionBoard and FortSphere, aimed at supporting long-term compliance work. We’ve shared a demo here.
Node.js 24 officially shipped on May 6. Along with the usual mix of new features and breaking changes, we continued to roll out security updates for versions 20, 22, 23, and 24.
More automation upgrades landed, including PR annotations and sync flags to streamline reviews. CVE metadata issues were resolved in coordination with HackerOne, and the first version of the Node.js Security Compliance Checker was released.
The Express.js team released Multer v2.0.0, addressing two high-severity vulnerabilities (CVE-2025-47935 and CVE-2025-47944) that could lead to denial-of-service attacks due to improper stream handling and malformed multipart requests. This update not only patches these issues but also raises the minimum supported Node.js version to 10.16.0, aligning with modern security standards. Developers are strongly encouraged to upgrade to Multer v2.0.0 or later to ensure their applications remain secure.
The security and governance improvements aren’t limited to Node.js alone. In May, the Express.js project announced a major cleanup of legacy packages, deprecating csurf, connect-multiparty, and path-match. This work helps reduce ecosystem-level risk by steering developers toward actively maintained, more secure solutions, a great example of how OpenJS projects are evolving together.
In June 2025, the project delivered new security enhancements, permission model upgrades, and more direct engagement with the community. Node.js 24.3.0 shipped with stability improvements and new features. Major changes to the permission model improved network controls, file system handling, and error reporting. The team also addressed CVE misattribution, resolved issues reported through HackerOne, and reviewed WDAC support to improve security posture on Windows.
The OpenJS CVE Numbering Authority (CNA) launched, supporting OpenJS hosted projects when coordinating public disclosure of security vulnerabilities. So far, the team has managed two escalations.
Express.js implemented a comprehensive overhaul of its vulnerability reporting process. This included establishing a formalized workflow, unifying security policies across all repositories, and enabling GitHub Security Advisories for secure and private reporting. With the OpenJS Foundation now serving as a CVE Numbering Authority (CNA), Express.js can assign official CVE identifiers to security vulnerabilities, improving transparency and coordination.
Manual, external assessments of 39 OpenJS Foundation projects using the draft v2 Guidelines were completed, giving the Foundation its first comprehensive understanding of the security posture of its projects.
The release candidate for the substantially revamped v2 OpenJS Security Compliance Guidelines was released for final feedback before publication in early July. This change created a new, hierarchical structure to organize similar, tool-specific guidance, put it in alignment with VisionBoard and FortSphere’s data structure, and included per-guideline assessment methodology.
Security, automation, transparency, and smart governance. That’s our goal for OpenJS so far in 2025. Plenty more to come in the second half of the year, but this progress report shows that the project isn’t just keeping up. It’s building smarter, faster, and more secure foundations for the whole ecosystem.
Beyond our support for the JavaScript ecosystem, our team is actively participating in security discussions through working groups and through initiatives like the GitHub Secure Course. These steps significantly enhance the project's security posture and align with the OpenJS Foundation's commitment to robust governance and ecosystem-wide security improvements.
Want to get involved? Check out our OpenJS Foundation Security Page.