OpenJS Foundation and the Sovereign Tech Fund: Creating secure and modern technology and policy

OpenJS Foundation Receives Major Government Investment from Sovereign Tech Fund for Web Security and Stability

By Announcement, Blog

Read more details here: OpenJS Foundation Receives Largest One-Time Government Investment

We’re so excited to announce that the OpenJS Foundation has been selected to receive an investment from the Sovereign Tech Fund (STF) to help build the future of JavaScript infrastructure and security. 

The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is investing EUR 875,000 (USD 902,000) in the OpenJS Foundation. 

This is the largest one-time government support investment ever to a Linux Foundation project. We’re grateful to the STF team for supporting this initiative!

Our goal is to help our open source projects gain more secure and modern technologies and policies for the web. In collaboration with community leaders in our OpenJS Security Collaboration Space, and the Linux Foundation IT team, we developed a plan that we hope will scale across the JavaScript ecosystem.

We will do the following over the next two years:

  • Deliver infrastructure updates across our project portfolio through a single, scalable solution, while implementing a responsible sunset program for inactive projects.
  • Develop and deliver security and maintenance policies and practices for critical projects.

The OpenJS Foundation’s JavaScript technologies are widely used around the world, and building development infrastructure with longevity and stability remains a key function of the OpenJS Foundation. 

We want to continue to improve and build a JavaScript ecosystem that will continue to flourish over the next decade, and the support from the Sovereign Tech Fund will make that commitment a reality. 

Government support of open source

Governments, the private sector, and individuals all rely on JavaScript, and we take pride in strengthening the security of, and trust in, the web technologies they use. 

The Sovereign Tech Fund’s investment in the OpenJS Foundation will scale our hosted projects today and in the future. At the same time, it will help our projects adopt more secure and modern technologies and policies, with the goal of being self-sustaining in the future.

We hope that this will start to build a JavaScript ecosystem that will continue to flourish not only in Germany, but around the globe. It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in the critical open source infrastructure that powers the web.

Expanding our security practices

We’ve been working to modernize and improve our security practices in other areas, with the help of the Open Source Security Foundation (OpenSSF) Alpha-Omega project. 

Earlier this year, jQuery received USD 350,000 to reduce potential security incidents by helping modernize its consumers and its code. This is also the second year that Alpha-Omega has funded Node.js – resulting in great progress improving Node.js security – which we’ve been reporting on monthly.

What’s next

We’re excited to begin, and have already engaged members of the Linux Foundation IT team to assist with the work. We’ll be sure to keep our OpenJS blog updated as we make progress!

Big thank you to the Sovereign Tech Fund and the German Ministry for their generous support of open source. We hope that their leadership will inspire governments around the world to follow suit!

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Netflix, and Microsoft. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

OpenJS World 2023, Part 2! Join us in Bilbao, Spain

By Blog, Event, OpenJS World

We are excited to announce that we’re hosting another OpenJS World in Bilbao, Spain, co-located with the Linux Foundation’s Open Source Summit Europe, September 19-23, 2023!

You can submit your OpenJS World talk here for Open Source Summit Europe. The deadline is May 2, 2023. If speaking isn’t your thing, registration is now open as well!

Please note that the CFP for Open Source Summit North America and OpenJS World in Vancouver, Canada has closed and all speakers have been announced. There is still time to register as an attendee though.

About the Event

At OpenJS World, attendees collaborate, network, and learn how to use and contribute to JavaScript and web technologies. From frontend to backend, serverless to IoT, there are many opportunities for developers to level up their skills. The program will cover the broad spectrum of the JavaScript ecosystem, including OpenJS Foundation projects and more.

Open Source Summit is the Linux Foundation’s premier event for open source developers, technologists, and community leaders to collaborate, share information, solve problems, and gain knowledge.

Collaborator Summit

We’re also excited to share that we’ll host another OpenJS Collaborator Summit the day before the event on September 18, 2023. More information will be provided closer to the event, but we’ll be having another call for sessions for the summit. This event will be free with Open Source Summit EU registration and open to anyone who is interested.

Guidelines for Call for Proposals (CFPs)

Quality content is an essential priority for the OpenJS World program committee, and we want to foster the submission of thoughtful and relevant topics.

Three guidelines to consider before submitting your proposal:

  • What are you hoping to get from your presentation?
  • What do you expect the audience to gain from your presentation?
  • How will your presentation help better the open source ecosystem?

We hope these general guidelines will help you craft the best submission possible! Remember these tips when writing your proposal as a simple guide for yourself.

Open to All

There are plenty of ways to present projects and technologies without focusing on company-specific efforts. Try to think of ways to connect your topic to attendees’ interests while still giving yourself room to share your experiences, educate the community about an issue, or generate interest in a project. 

Here are some of the topics we are interested in this year:

  • Testing
  • Automation / CI/CD
  • Security
  • Development
  • Community Building
  • Performance
  • Open Visualization
  • General

OpenJS World is a great way to get to know the community and share your ideas and the work that you are doing, and we strongly encourage first-time speakers to submit talks. 

If you’re not sure about your abstract, please check out the #cfp-mentorship channel in the OpenJS Foundation Slack. You can join here: https://slack-invite.openjsf.org 

We can’t wait to hear from you! Follow this link if you’re ready to submit: https://events.linuxfoundation.org/open-source-summit-europe/program/cfp/ 

We hope to see you at OpenJS World in Spain!

OpenJS Collaborator Summit – Join us in Vancouver + Virtual on May 9!

By Blog, Event

Join us in Vancouver, Canada, and virtually on May 9, 2023, for the OpenJS Collaborator Summit! The Collab Summit is a great time to connect with peers from other projects and learn more about what they are doing and how OpenJS Foundation community members can support your work.

Why you should attend

  • Meet OpenJS project contributors, share feedback and talk about the future of the projects
  • Dive into and participate in technical discussions
  • Learn how to contribute to the projects and become part of the project team
  • Make friends and get to know the community

The details

The team has put together a guide on what to expect from the event here on GitHub. Additionally, you can join the conversation with other attendees in our #collabsummit Slack channel.

  • Venue: Vancouver Convention Center
  • Time: 9am PT-5pm PT

Please note that the event will take place the day prior to OpenJS World, which is co-located with the Linux Foundation’s Open Source Summit North America.

Call for sessions now open

Have a talk you’d like to submit? We’re looking for contributors and collaborators to speak at the summit. Check out the GitHub repo for more information on submission. Submissions will be accepted until April 2, 2023.

Submit here: https://github.com/openjs-foundation/summit/issues/344 

Register today

To attend this event, please register through the Open Source Summit North America portal and select “OpenJS Collaborator Summit.” Please note that you will need to attend the Open Source Summit Conference to receive free access to the collaborator summit. If you have any questions about this, please reach out to info@openjsf.org.

We hope to see you there!

Node.js Security Progress Report –  Permission Model Merged

By Blog, Node.js, Node.js Security

February included several major steps forward in improving Node.js security. We merged the Permission Model, which we have been building over the past eight months. It makes Node.js more secure by allowing the user to restrict access to machine resources such as the file system. More information will be provided with the Node.js v19.9.0 release. We also merged the security support role, fixed and triaged issues, and engaged with multiple working groups, which means more resources and clearer processes for keeping Node.js secure.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support.

Permission Model landed in the main branch

The Permission Model was merged into the main branch after more than eight months of work. The final month leading up to the merge required a lot of time, effort and discussion. To clarify next steps and guide that discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model: https://github.com/nodejs/security-wg/issues/898 

The Security Support Role 2023 was also merged last month. There are 6 focus areas that show the goals of this work.

  • Fix and Triage Security Issues
  • Support for Security Releases
  • Node.js Security WG Initiatives
  • Node.js Security Sustainability
  • Improving Security Processes
  • Ecosystem Adoption

More details can be found here: https://github.com/ossf/alpha-omega/blob/main/alpha/engagements/2023/node.js/security-support-role.md 

Node.js database automatic updates

The Node.js vulnerability database now updates automatically: when a new CVE or vulnerability is published, the database is updated and the information is available to anyone.

Working group progress

We participated directly in working group sessions, nine in total. There was excellent attendance at the February Security Working Group meeting. This month, Microsoft joined us and expressed interest in helping with policy around Single Executable Applications.

Be sure to join us for this month’s meetings as well: https://github.com/nodejs/security-wg.

Node.js Security Progress Report – OpenSSF Grant Renewed for 2023, New Ecosystem Focus

By Blog, Node.js, Node.js Security

January was busy with HackerOne reports, vulnerability fixes for OpenSSL and Node.js and security updates due to the upcoming Node.js security release.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security. The grant has been renewed at just under $300,000 for the calendar year. OpenJS Foundation works with NearForm to fulfill the grant goals. 

With so much accomplished last year, we look forward to further improving Node.js security in 2023. Thank you to OpenSSF for their continued support.

Fixing and Triaging 21 Issues

There were 5 new HackerOne reports in January along with 8 vulnerabilities to fix from OpenSSL, and 8 for Node.js due to the upcoming security release. The improved Threat Model is helping to assess priority.

New Node.js CVE Database

Security Working Group initiatives have been making progress. CVEs are now stored in a database that is accessible by all. CVEs had been stored in the Security Working Group repo, but the repo was not perfectly up-to-date. The Node.js database fixes this issue and can be used by vendors.

Google Open Source Security Team (GOSST) Participation

The Google Open Source Security Team (GOSST) participated in the January 19, 2023, Security Working Group meeting. GOSST contributes to OpenSSF Scorecards, and they brought a lot of helpful discussion topics. OpenSSF Scorecards are a cross-industry initiative to improve open source software security, with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices. 

Expanded Ecosystem Focus

Ecosystem adoption is a key component to Node.js security. We are finalizing the Permission Model, and will be looking to increase participation on GitHub when it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

Most recently, we reviewed and fixed a bug in Fastify that will be released alongside the Node.js security release. We also landed fixes for Undici, an HTTP/1.1 client for Node.js. 

Early Work on is-my-node-vulnerable

We created a package called is-my-node-vulnerable to make it easy to check your own Node.js installation. It helps ensure the security of that installation by checking for known vulnerabilities: it compares the version of Node.js you have installed (process.version) against the Node.js Security Database and alerts you if a vulnerability is found. So far, we are getting good feedback from the community. We are currently thinking about how to present it to vendors and how to get more people involved. 

Join Us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. https://github.com/nodejs/security-wg 

Node.js Security Progress Report – More Successful December Outcomes

By Blog, Node.js, Node.js Security

December was a busy month! We handled more reports and more fixes than ever. In fact, we spent most of our time working on fixes, which is exactly as it should be. We are also starting work on ecosystem issues, which will be an important improvement to Node.js security in 2023.

In 2022, we started receiving assistance from the Open Source Security Foundation (OpenSSF) Project Alpha-Omega grant to support more resources to help with Node.js security at the OpenJS Foundation. As always, we are very grateful for this support of open source software. 

We finished the year on a strong note – check out these tweets on @nodejs to see the progress made!

Fixing and triaging 9 issues

5 HackerOne reports were fixed or triaged, 2 previous reports had the fixes disclosed, and 2 ecosystem issues were handled with one having a fix approved and one fixed and released.

Starting new work on ecosystem issues

Ecosystem adoption is a key component to Node.js security. We are finishing the permission model, and will be looking to increase participation on GitHub when it is finalized and ready for use. The end goal is a smooth process for installing a package with the correct tag.

In December, we fixed 2 vulnerabilities for Fastify and one has already been disclosed: https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh.

OpenSSL update 

OpenSSL announced a low-severity vulnerability affecting OpenSSL 3.x, which Node.js v18+ uses. We evaluated the issue and disclosed our assessment: the vulnerability does not affect Node.js, and the OpenSSL update will be picked up in regular releases.

Node.js releases

There were 3 regular releases in December. We hope to have the next security release out by the end of January 2023. Stay tuned!

Join us!

We had one Security Working Group meeting in December and three Technical Steering Committee meetings. If you want to get involved, let us know!