How OpenJS Hosted Projects Benefit from Security Support
Providing Hosted Projects with the Tools and Guidance to Manage Security Confidently

Security is a constant challenge for open source maintainers. Vulnerabilities arise unexpectedly, disclosures can be confusing, and threats keep evolving. The OpenJS Security team provides the processes, tools, and support maintainers need to protect their projects, giving users and contributors confidence that the JavaScript tools they rely on are backed by professional, coordinated practices developed through the OpenJS Security Collaboration Space.

Let’s take a look at how our security team is benefiting our hosted projects like ESLint and webpack.

Reliable Processes Maintainers Can Trust

Clear processes are essential when vulnerabilities arise. Hosted projects can adopt consistent security policies with escalation paths directly to OpenJS. Two of our projects are already up and running with this support:

  • ESLint recently updated its policy to include escalation to the Security team if maintainers are unavailable, ensuring that reported vulnerabilities are never left unresolved.
  • webpack has also partnered with us to define escalation paths and strengthen its security posture. These improvements mean faster responses and greater trust for everyone who uses these projects.

Official CVE Assignment Through OpenJS

As an official CVE Numbering Authority (CNA), OpenJS can assign CVEs directly for vulnerabilities in our hosted projects. Maintainers no longer need to navigate this process on their own. This provides a professional, trusted channel for reporting, tracking, and communicating vulnerabilities, which benefits both the projects themselves and the broader ecosystem.

Tools to Build Securely

Beyond policies, the Security team provides practical resources and real-time support:

  • A Security Compliance Guide with proven best practices
  • Secure Release Guides and disclosure templates
  • The OpenPathFinder dashboard to automate compliance tracking
  • Weekly Security Collaboration Space calls for peer support and guidance

These tools reduce the manual burden on maintainers while giving users confidence that projects are managed responsibly.

Proactive Protection Against Threats

Security is more than patching code. We help projects identify and guard against social engineering attacks, account takeover attempts, and other emerging risks. By coordinating alerts and sharing red flags across projects, the Security team strengthens the resilience of the entire OpenJS ecosystem.

Supporting Long-Term Sustainability

Through initiatives like the Ecosystem Sustainability Program (ESP), OpenJS connects projects with funding for long-term maintenance and security, even for older or end-of-life versions. This ensures that widely used packages remain secure and stable over time, supporting the millions of developers and organizations who depend on them.

Learn More

For maintainers, engaging with the OpenJS Security team means having expert support when it matters most. For users and contributors, it means knowing the projects you rely on are backed by professional security processes. Projects like ESLint and webpack are already benefiting, and the result is stronger software and greater trust across the community.

By working together, we help ensure the open source projects at the heart of the JavaScript ecosystem remain secure, sustainable, and trustworthy. OpenJS doesn’t manage projects directly, but we remove friction, provide support, and give maintainers space to focus on development.

If you maintain a hosted project, we encourage you to connect with the OpenJS Security team today. Reach out at security@openjsf.org, join the #security-help channel on Slack, or join an upcoming Security Collaboration Space call to learn more.