Providing Hosted Projects with the Tools and Guidance to Manage Security Confidently
Security is a constant challenge for open source maintainers. Vulnerabilities arise unexpectedly, disclosures can be confusing, and threats keep evolving. The OpenJS Security team provides the processes, tools, and support maintainers need to protect their projects, giving users and contributors confidence that the JavaScript tools they rely on are backed by professional, coordinated practices developed through the OpenJS Security Collaboration Space.
Let’s take a look at how our Security team is benefiting hosted projects like ESLint and webpack.
Clear processes are essential when vulnerabilities arise. Hosted projects can adopt consistent security policies with escalation paths directly to OpenJS. Two of our projects are already up and running with this support:
As an official CVE Numbering Authority (CNA), OpenJS can assign CVEs directly for vulnerabilities in our hosted projects. Maintainers no longer need to navigate this process on their own. This provides a professional, trusted channel for reporting, tracking, and communicating vulnerabilities, which benefits both the projects themselves and the broader ecosystem.
Beyond policies, the Security team provides practical resources and real-time support:
These tools reduce the manual burden on maintainers while giving users confidence that projects are managed responsibly.
Security is more than patching code. We help projects identify and guard against social engineering attacks, account takeover attempts, and other emerging risks. By coordinating alerts and sharing red flags across projects, the Security team strengthens the resilience of the entire OpenJS ecosystem.
Through initiatives like the Ecosystem Sustainability Program (ESP), OpenJS connects projects with funding for long-term maintenance and security, even for older or end-of-life versions. This ensures that widely used packages remain secure and stable over time, supporting the millions of developers and organizations who depend on them.
For maintainers, engaging with the OpenJS Security team means having expert support when it matters most. For users and contributors, it means knowing the projects you rely on are backed by professional security processes. Projects like ESLint and webpack are already benefiting, and the result is stronger software and greater trust across the community.
By working together, we help ensure the open source projects at the heart of the JavaScript ecosystem remain secure, sustainable, and trustworthy. OpenJS doesn’t manage projects directly, but we remove friction, provide support, and give maintainers space to focus on development.
If you maintain a hosted project, we encourage you to connect with the OpenJS Security team today. Reach out at security@openjsf.org, join the #security-help channel on Slack, or join an upcoming Security Collaboration Space call to learn more.