We’re excited to announce that the Sovereign Tech Agency has commissioned work to support the Lodash transition. While Lodash remains widely used, the OpenJS Foundation is supporting a structured transition toward native solutions to improve security and resilience. 

Lodash has been a cornerstone of JavaScript development since 2012 and has a massive reach. It appears in frontend and backend code, cloud functions, CMS platforms, build tools, and CI pipelines. Over 9.3 million live websites use it, including a third of the top 10,000 global sites, and npm downloads exceed 2.57 billion per week. Many developers depend on it indirectly through frameworks like React, webpack, and more, making it a critical digital infrastructure that hasn’t always been actively maintained.

The contract from the Sovereign Tech Agency allows the OpenJS Foundation to:

• Reinforce Lodash’s security foundation by resolving known vulnerabilities, adopting industry best practices, and establishing transparent security processes.
• Modernize project infrastructure with restored continuous integration, automated testing, and secure, reproducible publishing workflows.
• Streamline the codebase by deprecating outdated utilities and reducing overall maintenance complexity.
• Guide the ecosystem forward by integrating native JavaScript functionality into Lodash and providing clear, well-documented migration paths for developers.

Leading up to this work, Lodash is rebooting its governance under the OpenJS Foundation. A new, broader Technical Committee, bringing together long-time JavaScript contributors, security experts, and community leaders, will guide the project’s next chapter. John-David Dalton, Lodash’s original creator, is part of this transition to help ensure continuity and knowledge transfer. This new governance model will emphasize transparency and shared stewardship, following the successful examples set by projects like Express within OpenJS.

“Lodash has essentially become JavaScript’s standards library,” said OpenJS Foundation Board Director and Cross Project Council Vice Chair Tobie Langel. “While many of Lodash’s functionalities have now made it into JavaScript, Lodash will remain a cornerstone of the ecosystem for the foreseeable future. With support from the Sovereign Tech Agency, we can ensure Lodash stays stable, secure, and sustainable long-term, and sets an example of responsible open source stewardship.”

“This investment, both from the Sovereign Tech Agency and from our open source community, is about securing the future of Lodash and the broader JavaScript ecosystem,” said Robin Bender Ginn, executive director of the OpenJS Foundation. “By combining community-led governance with targeted public funding, we’re demonstrating how critical digital infrastructure can evolve safely, sustainably, and in the open.”

“I have joined foundations since they have been available. From the Dojo and jQuery foundations of the past to the OpenJS foundation of today. I am grateful for the Sovereign Tech Agency, the OpenJS foundation, and the JavaScript community,” said John-David Dalton, creator of Lodash. “Life can get really big. Having the help and support of others, even in this small corner of it, is so welcomed. Thank you!”

This effort refocuses Lodash as a model for responsible stewardship of critical open source infrastructure. By investing in this work, we aim to protect software ecosystems and ensure that widely used libraries remain safe, reliable, and maintainable.

We want to extend our sincere thanks to the Sovereign Tech Agency for their support. Their investment makes it possible to safeguard critical digital infrastructure, help developers transition to modern JavaScript, and ensure the continued security and resilience of widely relied-upon software.