OpenJS Security Update: March–April 2025


The past two months have been packed with important progress across the Node.js and OpenJS ecosystems. From critical security updates to improved automation, policy updates, and major release planning, this post covers the highlights from March and April 2025.

Building on the best practices from Node.js and the security enhancements previously funded by the Sovereign Tech Fund (which concluded in 2024), the OpenJS Security Collaboration Space is excited to expand project resourcing beyond Node.js in 2025 with support from the Alpha-Omega program.

Read below to learn more about:

  • Security Updates for Node.js
  • Automation & Tooling Improvements
  • CI Security Incident & Transparency
  • OpenJS Foundation Security Initiatives

Security Updates Across Node.js

In April, Node.js shipped coordinated security releases for versions 18, 20, 22, and 24. They address vulnerabilities in Node.js itself and pull in security fixes to two bundled dependencies:

  • undici, the HTTP client behind Node's fetch(), received important security fixes
  • c-ares, the asynchronous DNS resolver library, was patched across all supported release lines

Check it out: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases

Restoring CVEs for EOL Versions

The Node.js Security Team responded to MITRE’s removal of CVE records for end-of-life (EOL) Node.js release lines (v17 and earlier, v19, and v21). Users of unsupported versions still need to know which vulnerabilities affect them, so this work ensures continued transparency and risk awareness for those versions.

To address this:

  • Node.js proposed a plan to restore CVEs for these versions
  • A blog post was published to clarify the situation and provide user guidance
  • A tracking issue was opened to coordinate community follow-up

Automation & Tooling Improvements

The Node.js team continues to reduce manual effort and make security-relevant tooling more reliable:

  • Commit and changelog automation logic was fixed to improve accuracy
  • GitHub CodeQL static analysis is now enabled on the Node.js codebase, so classes of vulnerabilities can be flagged at review time rather than after release
  • When the experimental Permission Model throws ERR_ACCESS_DENIED, the error message now names the --allow-* flag that would grant the missing permission, which saves developers a trip to the docs

CI Security Incident & Transparency

In March, the Node.js test infrastructure was affected by a security breach. The team published a full disclosure post, outlining:

  • A detailed incident timeline
  • Remediation efforts
  • Long-term prevention measures

Additionally, lessons from GitHub’s Secure Open Source course on CI were written up as a short blog post on hardening GitHub Actions, which has been shared widely across the ecosystem.

OpenJS Foundation Security Initiatives

Security Compliance Guide

The Security Compliance Guide is being updated frequently as projects begin to use it. The Guide's first update, v1.1 in March, focused primarily on adding new and more purposeful guidance for using npm. Work continues on a larger 2.0 update that will:

  • Incorporate feedback from the Node.js team, the Guide's first large adopter
  • Assess each guideline for automated testability and settle on a strategy that balances security best practices against automated control testing and monitoring

With the completion of v1.1 of the Compliance Guide, broader outreach to Projects for compliance surveying is planned to begin in early May.

Secure Releases Guide and npm Continuity Policy

Work is underway to update the OpenJS Secure Releases Guide. The updated guide will:

  • Focus on secure npm publishing practices
  • Align with the OpenSSF npm Best Practices Guide
  • Help shape the proposed npm Continuity Policy, designed to ensure long-term package accessibility and project maintainability

Get Involved

To learn more about the work being done in the Security Collaboration Space, join our meetings or follow along on GitHub. To get involved with the broader OpenJS Ecosystem, check out our collaboration page.