Skip to main content
Category

Blog

Node.js Security Progress Report – Automation, Automation and more Automation

By Blog, Node.js, Node.js Security

Last month, the Security Working Group initiatives focused on the Permission Model and Automated Update Dependencies. 

There were 10 security reports in April with more people participating than the previous month. Response time in April was 18 hours before the first response back from us, which is less than our goal of a 48 hour response time.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support. The exact details of the partnership are outlined here in the Security Support Role 2023 document.

Automation Update Dependencies

In total, 11 dependency update automation were completed this month, which included undici, openssl, v8, npm and more. There are only 2 more automations to go.

As a reminder, the Security Working Group started investigating dependencies in Node.js in November last year. They identified automated updates, and which ones should be prioritized: https://github.com/nodejs/security-wg/issues/828. We can already see the benefits of this work by looking at the increased number of pull requests for dependency updates automatically submitted to the project. 

Security Release Automation

The Security Working Group is focusing on implementing automation for the key dependencies in the build. This makes the overall process easier and less prone to error, and it makes it possible in the future for different stewards to complete the process. 

There are currently 26 steps in doing a Node.js security release.If greater automation works, it will be a big step forward. Please expect more information on this topic soon!

Permission Model

There have been over 10 months of work on building a new Permission Model. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model. 

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. Any bugs are considered vulnerabilities because they are security features. 

JavaScriptLandia Awards: Pathfinder for Security 

Last week at OpenJS World 2023, the OpenJS Foundation held their second annual JavaScriptLandia awards and recognized Rafael Gonzaga from Nearform. 

Rafael has made significant contributions to Node.js security and has received positive feedback on his efforts to improve the security ecosystem. His contributions to reports and blogs have generated great visibility from social media, and he has personally trained and brought engineers into the Node.js Security Working Group to build the community towards self sufficiency. 

Congratulations, Rafael!

Join Us!

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg

Meta Joins the OpenJS Foundation

By Announcement, Blog, Jest

The creator of popular open source projects like React, React-Native and Jest, joins the OpenJS Foundation

SAN FRANCISCO – May 10, 2023 – The OpenJS Foundation, providing vendor-neutral support for sustained growth within the open source JavaScript community, is announcing today that Meta has joined as a gold member. 

“Welcome Meta! Their positive effect on the JavaScript ecosystem has been amazing. Heavy users at scale of JavaScript itself, creators of React and React-Native, creators of multiple key open source projects,” said Robin Ginn, OpenJS Foundation Executive Director. “We look forward to working more with Meta’s leadership and expertise to increase support for the diverse open source communities at OpenJS.”

Meta Open Source has been key in creating and open sourcing many projects crucial to the JavaScript ecosystem, such as React, Jest, and Flow. Last year, Meta contributed its popular JavaScript testing project Jest to OpenJS, which garnered an enthusiastic response from developers for this community-led project.

As a global leader with a mission of creating community and bringing people closer together, Meta understands the importance of open collaboration to sustain and improve JavaScript development. Working collectively with other member companies and with the guidance of the OpenJS Foundation, Meta will continue to contribute and advocate in the community. 

“Open source has the potential to be more inclusive and more empowering than ever. Joining the OpenJS Foundation is a large step forward in supporting our open source communities. We hope to provide not only leadership, but to learn from the community,” said Killian Murphy, Sr. Engineering Director, Developer Experience & Platforms. 

“The broader JavaScript ecosystem benefits from Meta becoming an OpenJS Foundation member. In fact, we’ve already been working together in multiple different ways, and this makes official what has already been a great relationship,” said Shayne Boyer, OpenJS Foundation Board Director. “

To learn more about how you can be a part of the OpenJS Foundation, click here.

OpenJS Resources

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Microsoft and Netflix. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

About Meta

Meta builds technologies that help people connect, find communities, and grow businesses. First launching Facebook in 2004, it changed the way people connect. Meta brings apps like Messenger, Instagram and WhatsApp to further empower billions around the world. Now, Meta is moving beyond 2D screens toward immersive experiences like augmented and virtual reality to help build the next evolution in social technology.

About Meta Open Source

Meta has long been a supporter of open source software and the open source community. In addition to making a lot of our engineering work publicly available, including sharing our research, code, designs, and engineering work, we also invest in organizations that are important for the long-term sustainability of the open source ecosystem.

About Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenJS World 2023 – Celebrating Innovation in the JavaScript Ecosystem

By Blog, OpenJS World

It’s day one of OpenJS World, the OpenJS Foundation’s semi-annual event bringing together the JavaScript and web development communities! 

Want to network and find out how you can get more involved in JavaScript? OpenJS World covers the broad spectrum of the JavaScript ecosystem, including technical content from OpenJS Foundation open source projects and much more. Be sure to tune in virtually for the remaining sessions this week: Virtual registration here.

The full schedule is available here, including talks by the OpenJS Foundation’s executive director Robin Ginn, Ethan Arrowood from Vercel, Abby Cabunoc Mayes from GitHub, Kazuhito Yokoi from Hitachi and many more!

We’re excited to share the progress of our members and projects this week at OpenJS World, read on to find out what’s new this week!

Meta Joins the OpenJS Foundation

Meta has joined the OpenJS Foundation as a gold member! Meta Open Source has been key in creating and open sourcing many projects crucial to the JavaScript ecosystem, such as React, Jest, and Flow. Last year, Meta contributed its popular JavaScript testing project Jest to OpenJS, which garnered an enthusiastic response from developers for this community-led project.

More details are available in our blog post.

Major Commitment to Security and Stability

The OpenJS Foundation has achieved significant milestones this year focused on improving JavaScript security. Last week, we announced that the Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, awarded the OpenJS Foundation EUR 875,000 (USD 902,000). This largest ever government investment in a Linux Foundation project will allow us to deliver infrastructure updates across our project portfolio through a single-scalable solution and develop and deliver security and maintenance policies and practices for critical projects.

Additionally, our continued work with OpenSSF’s Project Alpha-Omega has granted funding for both Node.js and jQuery this year. Alpha-Omega is committing $300,000 to focus on improving supply chain security by improving Node.js security infrastructure. The funding is bolstering the Node.js security team and vulnerability remediation efforts, with a focus on supporting better open source security standards and practices. It was started in 2022 and renewed in 2023. Alpha-Omega is also committing another $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code. OpenJS, working with the jQuery maintainers and industry experts, will conduct an ecosystem risk audit, work on an expansion of its infrastructure modernization project, and build and promote a web modernization campaign for awareness and buy-in.

Championing our Community with Awards and Discounts!

At OpenJS World today, we are announcing our second annual JavaScriptLandia award members, showcasing an incredible array of creativity, diversity and energy – check them out in our blog post! Maybe you can be one of the winners next year!

Also, if you’re interested in improving your technical skills and understanding how you do on vendor-neutral certification tests, we have a OpenJS World-only discount available for you. We’re offering 60% off Node.js Training and Certification bundles with code OPENJSWORLD2023.

Certification is an important component of building and strengthening the JavaScript ecosystem. Certified developers can quickly establish credibility and value in the job market. Certification also allows companies to locate and hire high-quality teams to support their growth.

We hope you’ll tune in virtually to our event this week! After OpenJS World is over, we’ll have the videos up on our YouTube page to view on demand.

Happy OpenJS World!

JavaScriptLandia Community Awards Showcase Creativity, Diversity and Energy

By Blog, JavaScriptLandia

From OpenJS World 2023 – The OpenJS Foundation is celebrating 6 key community leaders, honoring them with our second annual JavaScriptLandia Awards for contributions to education, standards, security and more. Award Winners were recognized at OpenJS World on Wednesday, May 10, and received a plaque and digital badge.

JavaScriptLandia is the home of the OpenJS Foundation’s individual supporter program, where community members can pledge support for OpenJS projects, maintainers, and get more involved in the community while earning badges and other perks.

The nominations for the awards opened in March and were sourced from the broader JavaScript community. Nominations were reviewed by OpenJS Foundation CPC members, board members, and staff and were chosen by consensus.

There are 6 awards available: 

  • Unsung Hero
  • Leading By Example
  • Outstanding Contribution from a New Arrival
  • Pathfinder Awards
    • for Standards
    • for Education
    • for Security 

Unsung Hero nominees are recognized for their willingness to do things that aren’t high profile, glamorous, or even fun, but are important for a well-functioning project and community. Unsung Heroes often do this work with a smile, even if they aren’t being recognized regularly for their contributions. 

Leading by Example nominees are known for demonstrating leadership qualities in their communities that reflect OpenJS Foundation values, like being humble, helpful and hopeful. Exemplary leaders embody open source in spirit and in practice, and inspire others to do the same.

Outstanding Contribution from a New Arrival nominees are new participants in our project spaces who are making a big difference – from contributing new ideas, new leadership on a project workstream, helping with project operations, to community building and more. These individuals are rising stars who help bring fresh energy to our projects.

Pathfinder Awards nominees are people from across the JavaScript ecosystem who have made significant contributions in key areas for OpenJS, including Education, Standards, and Security. These individuals not only move things forward, they bring people along with them as they go, helping to light the way for all. 

The 2023 JavaScriptLandia Awards recipients are:

Unsung Hero

Richard Lau, Red Hat

Richard has been consistently doing an amazing job taking care of the infrastructure that powers the Node.js project while also contributing to both the TSC and the Release Working Group. His dedication is an inspiration to all collaborators.

Leading by Example

Danielle Adams, AWS

Danielle volunteers her time as a Node.js releaser and TSC member. She is smart, reliable, and always positive in the large undertaking of a Node.js release. She also educates the industry on the Node.js release cycles to better prepare developers around the world, like presenting at NodeConf EU 2022 on The Life and Times of a Node.js Release. Danielle is a champion for underrepresented communities. Last year, she helped lead the Grace Hopper Open Source Day Node.js hackathon, mentoring women and nonbinary developers on their first successful PRs to the Node.js project.

Outstanding Contribution from a New Arrival

Claudio Wunder, HubSpot

Claudio has made significant contributions to the Node.js website and plans to improve the project’s documentation generation to help generate metadata needed for the TypeScript ecosystem. Both of these projects are complex, requiring working with many project members, getting buy-in and doing consistent work. His enthusiasm and determination to move things forward is great to see. Claudio has ramped up and contributed in record time.

Pathfinder Award for Education

Erick Wendel

Erick has done a lot of work to promote Node.js to developers. Erick has done over 115 conference presentations and talks around the world to help developers learn about Node.js. Anything from his YouTube video channel that covers advanced JavaScript to his courses on Node.js Streams to his recent experiments on building the Node.js runtime from scratch to engage developers in a fun way.

Pathfinder Award for Security

Rafael Gonzaga, NearForm

Rafael has made significant contributions to the Alpha-Omega project jointly with the OpenJS Foundation and the OpenSSF and received very positive feedback on his efforts to improve the Node Security ecosystem. His contributions to reports and blogs have generated great visibility from social media, and he has personally trained and brought engineers into the Security Working Group to build the community towards self sufficiency. 

Pathfinder Award for Standards 

Brian Kardell, Igalia

Brian has been instrumental in bringing web developers into standards throughout his career. He has an abiding interest in bettering the future web. He has been dedicated in the past year to MathML and bringing more features to the web platform.

OpenJS Foundation and the Sovereign Tech Fund: Creating secure and modern technology and policy

OpenJS Foundation Receives Major Government Investment from Sovereign Tech Fund for Web Security and Stability

By Announcement, Blog

Read more details here: OpenJS Foundation Receives Largest One-Time Government Investment

We’re so excited to announce that the OpenJS Foundation has been selected to receive an investment from the Sovereign Tech Fund (STF) to help build the future of JavaScript infrastructure and security. 

The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is investing EUR 875,000 (USD 902,000) in the OpenJS Foundation. 

This is the largest one-time government support investment ever to a Linux Foundation project. We’re grateful to the STF team for supporting this initiative!

Our goal is to help our open source projects gain more secure and modern technologies and policies for the web. In collaboration with community leaders in our OpenJS Security Collaboration Space, and the Linux Foundation IT team, we developed a plan that we hope will scale across the JavaScript ecosystem.

We will do the following over the next two years:

  • Deliver infrastructure updates across our project portfolio through a single-scalable solution, while implementing a responsible sunset program for inactive projects.
  • Develop and deliver security and maintenance policies and practices for critical projects.

The OpenJS Foundation’s JavaScript technologies are widely used around the world, and building development infrastructure with longevity and stability remains a key function of the OpenJS Foundation. 

We want to continue to improve and build a JavaScript ecosystem that will continue to flourish over the next decade, and the support from the Sovereign Tech Fund will make that commitment a reality. 

Government support of open source

Governments, the private sector, and individuals all rely on JavaScript, and we pride ourselves on growing our security and trust in the web technologies they use. 

The Sovereign Tech Fund’s investment in the OpenJS Foundation will scale our hosted projects today and in the future. At the same time, it will help our projects adopt more secure and modern technologies and policies, with the goal of being self-sustaining in the future.

We hope that this will start to build a JavaScript ecosystem that will continue to flourish not only in Germany, but around the globe. It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in the critical open source infrastructure that powers the web.

Expanding our security practices

We’ve been working to modernize and improve our security practices in other areas, with the help of the Open Source Security Foundation (OpenSSF) Alpha-Omega project. 

Earlier this year, jQuery received USD 350,000 to reduce potential security incidents by helping modernize its consumers and its code. This is also the second year that Alpha-Omega has funded Node.js – resulting in great progress improving Node.js security – which we’ve been reporting on monthly.

What’s next

We’re excited to begin, and have already engaged members of the Linux Foundation IT team to assist with the work. We’ll be sure to keep our OpenJS blog updated as we make progress!

Big thank you to the Sovereign Tech Fund and the German Ministry for their generous support of open source. We hope that their leadership will inspire governments around the world to follow suit!

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Netflix, and Microsoft. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

OpenJS World 2023, Part 2! Join us in Bilbao, Spain

By Blog, Event, OpenJS World

We are excited to announce that we’re hosting another OpenJS World in Bilbao, Spain, co-located with the Linux Foundation’s Open Source Summit Europe, September 19-23, 2023!

You can submit your OpenJS World talk here for Open Source Summit Europe. The deadline is May 2, 2023. If speaking isn’t your thing, registration is now open as well!

Please note that the CFP for Open Source Summit North America and OpenJS World  in Vancouver, Canada has closed and all speakers have been announced. There is still time to register as an attendee though.

About the Event

At OpenJS World, attendees collaborate, network, and learn how to use and contribute to JavaScript and web technologies. From frontend to backend, serverless to IoT, there are many opportunities for developers to level up their skills. The program will cover the broad spectrum of the JavaScript ecosystem, including OpenJS Foundation projects and more.

Open Source Summit is the Linux Foundation’s premier event for open source developers, technologists, and community leaders to collaborate, share information, solve problems, and gain knowledge.

Collaborator Summit

We’re also excited to share that we’ll host another OpenJS Collaborator Summit the day before the event on September 18, 2023. More information will be provided closer to the event, but we’ll be having another call for sessions for the summit. This event will be free with Open Source Summit EU registration and open to anyone who is interested.

Guidelines for Call for Proposals (CFPs)

Quality content is an essential priority for the OpenJS World program committee, and we want to foster the submission of thoughtful and relevant topics.

Three guidelines to consider before submitting your proposal:

  • What are you hoping to get from your presentation?
  • What do you expect the audience to gain from your presentation?
  • How will your presentation help better the open source ecosystem?

We hope these general guidelines will help you craft the best submission possible! Remember these tips when writing your proposal as a simple guide for yourself.

Open to All

There are plenty of ways to present projects and technologies without focusing on company-specific efforts. Try to think of ways to connect your topic to attendees’ interests while still giving yourself room to share your experiences, educate the community about an issue, or generate interest in a project. 

Here are some of the topics we are interested in this year:

  • Testing
  • Automation / CI/CD
  • Security
  • Development
  • Community Building
  • Performance
  • Open Visualization
  • General

OpenJS World is a great way to get to know the community and share your ideas and the work that you are doing, and we strongly encourage first-time speakers to submit talks. 

If you’re not sure about your abstract, please check out the #cfp-mentorship channel in the OpenJS Foundation Slack Channel. You can join the slack channel here: https://slack-invite.openjsf.org 

We can’t wait to hear from you! Follow this link if you’re ready to submit: https://events.linuxfoundation.org/open-source-summit-europe/program/cfp/ 

We hope to see you at OpenJS World in Spain!

OpenJS Collaborator Summit – Join us in Vancouver + Virtual on May 9!

By Blog, Event

Join us in Vancouver, Canada, and virtually on May 9, 2023, for the OpenJS Collaborator Summit! The Collab Summit is a great time to connect with peers from other projects and learn more about what they are doing and how OpenJS Foundation community members can support your work.

Why you should attend

  • Meet OpenJS project contributors, share feedback and talk about the future of the projects
  • Dive into and participate in technical discussions
  • Learn how to contribute to the projects and become part of the project team
  • Make friends and get to know the community

The details

The team has put together a guide on what to expect out of the event here on GitHub. Additionally, you can join the conversation with other folks that are attending on our #collabsummit Slack channel

  • Venue: Vancouver Convention Center
  • Time: 9am PT-5pm PT

Please note that the event will take place the day prior to OpenJS World, which is co-located with the Linux Foundation’s Open Source Summit North America.

Call for sessions now open

Have a talk you’d like to submit? We’re looking for contributors and collaborators to speak at the summit. Check out the GitHub repo for more information on submission. Submissions will be accepted until April 2, 2023.

Submit here: https://github.com/openjs-foundation/summit/issues/344 

Register today

To attend this event, please register through the Open Source Summit North America portal and select “OpenJS Collaborator Summit.” Please note that you will need to attend the Open Source Summit Conference to receive free access to the collaborator summit. If you have any questions about this, please reach out to info@openjsf.org.

We hope to see you there!