OpenJS Security Update: October 2025


From new threat modeling practices to ecosystem-wide coordination, npm security discussions, and major Node.js security enhancements, this update recaps the key progress made in October 2025.

October brought strong progress on security across the OpenJS ecosystem and Node.js project, from community discussions to practical improvements in the runtime. Here’s the TLDR on our security work for October 2025.

Ecosystem Security Highlights

  • The community explored npm Trusted Publishing risks and proposed mitigations for critical packages, ensuring maintainers have guidance for safer dependency management. Initial discussions took place in the OpenJS Security Collab Space (#296) with outcomes shared publicly (discussion 178140).

Node.js Security Work

  • Backported --allow-inspector to the v24.x LTS line, enhancing the Permission Model (#60248).
  • Triaged HackerOne reports and coordinated ecosystem-wide responses to ensure timely vulnerability handling.
  • Reviewed the latest OpenSSL security release and assessed impacts on Node.js and dependent projects (#213), fixing reporting issues in the dependency assessment tool (#214).
  • Node.js maintainers participated in the Collaborator Summit, including a joint security session with Express focused on incident coordination and secure dependency practices (#464).

OpenJS Project Support

The Alpha-Omega (A-O) team continues to support OpenJS-hosted projects with security expertise. Following are the latest updates from that work, including its support for Lodash.

  • Lodash strengthened its security posture by adopting a Threat Model and Incident Response Plan, following the example of Express and Webpack.
  • Led community discussions on npm Trusted Publishing security implications and proposed mitigations for critical risks.
      • Initial meeting held by the OpenJS Security Collab Space: openjs-foundation/security-collab-space#296
      • Outcome documented and discussed publicly: community/discussions/178140
  • Prepared a blog post titled “Rethinking Security: From Bugs to Threat Models”, which explains how maintainers can adopt threat models. It will be published in mid-November as part of a series of blog posts promoting best practices across the JS ecosystem beyond the projects within the OpenJS Foundation.

Runtime and Feature Updates Supporting Security

  • Dependabot improvements: added a cooldown property to reduce redundant dependency update PRs (#59978).
  • Node.js v24.10.0 released as the final minor update in the 24.x line.
  • Node.js v25.0.0 (Major) introduced:
      • --allow-net in the Permission Model for secure-by-default apps
      • Exposed global ErrorEvent for better error handling
      • Web Storage enabled by default
      • V8 upgraded to 14.1
  • --markdown flag for simplified major version listings (#60179)

Alpha-Omega supports the ongoing commitment of the OpenJS community to secure, reliable, and modern JavaScript development. Stay tuned for upcoming blog posts and updates on best practices across the ecosystem.

Get Involved

To learn more about the work being done in the Security Collaboration Space, join our meetings or follow along on GitHub. To get involved with the broader OpenJS Ecosystem, check out our collaboration page.