🚨 Moderate-severity security fix in fastify@5.8.1 just released!
Patches CVE-2026-3419 — Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
github.com/fastify/fast...
Via Node Weekly:
💡 A cute side effect of the change will be the latest LTS Node version will match the year. Node 28 will go LTS in 2028, and so on.
nodeweekly.com/issues/614
Announcing the @nodejs.org LTS Upgrade and Modernization Program! 🚀
We're helping enterprises move safely off end-of-life Node.js versions to reduce security risks with our partner NodeSource.
Modern Node.js is safer Node.js. Details:
openjsf.org/blog/nodejs-...
🚨 High-severity security fix in multer@2.1.1 just released!
Patches CVE-2026-3520 — vulnerable to Denial of Service via uncontrolled recursion
github.com/expressjs/mu...
🚀 Just released multer@2.1.1 📦
🍿 #release details: github.com/expressjs/mu...
🔒 Security update: Check out the February 2026 Security Releases for Express
Stay safe out there 🫡
expressjs.com/2026/02/27/s...
🚨 High-severity security fix in @fastify/middie@9.2.0 just released!
Patches CVE-2026-2880 — vulnerable to a path normalization inconsistency that can result in authentication/authorization bypass when using path-scoped middleware.
github.com/fastify/midd...
🚨 High-severity security fix in multer@2.1.0 just released!
Patches CVE-2026-3304 — vulnerable to denial of service (DoS) via incomplete cleanup
github.com/expressjs/mu...
🚨 High-severity security fix in multer@2.1.0 just released!
Patches CVE-2026-2359 — vulnerable to denial of service via resource exhaustion
github.com/expressjs/mu...
🚀 Just released multer@2.1.0 📦
🍿 #release details: github.com/expressjs/mu...
☕ Something's brewing for @nodejs.org releases starting with 27.x. Official announcement coming soon!
👀 Sneak peek: github.com/nodejs/nodej...
Node.js release day! @ruyadorno.com and I just released Node.js 24.14.0 and 25.7.0, full changelog and download links at nodejs.org/en/blog/rele... and nodejs.org/en/blog/rele...
GitHub Publish advisory confirmation dialog warning that publishing will delete the temporary private fork. The only options are Delete fork and publish or Cancel.
Also worth adding to your list: publishing an advisory forces deletion of the temporary private fork, so you lose all the context on how the patch was made. When a reporter follows up or you need to re-patch, all the context is gone. PR comments, discussions, everything 🫠
"Many maintainers report they're underpaid or, all too often, not paid at all, despite the enormous downstream value they create. That often means holding a day job and then maintaining critical infrastructure at night. All of which leads to 60-80 hour weeks."
www.theregister.com/2026/02/23/o...
libuv logo featuring a bright green unicorn dinosaur head with a spiraled horn, open mouth showing teeth, against a dark circular background, next to the word "libuv" in gray text
I want so much to see the libuv logo in crochet 🤩
WHAT EVEN IS A CVE!!! ❓
@ulisesgascon.com breaks it down and explains what a CVE is and how it helps in our latest short.
You can view all of the shorts in our series on our YouTube Channel too for more security insights 👀 youtube.com/@OpenJSFound...
✨ Keep up to date with @nodejs.org by watching the #Nodejs #Release Working Group's last meeting on YouTube!
www.youtube.com/watch?v=ulMh...
Seeing how quickly @npmx.dev came onto the scene and how many developers from different backgrounds came together to build it gives me hope for the future. The real value is always the people and the culture surrounding them.
contributors to repo.npmx.dev, 150+ human beings!
We're more than 150 humans collaborating at repo.npmx.dev 🎉
Awesome humans below 👇
🚀 Just released systemic@5.0.0 📦
🍿 #release details: github.com/onebeyond/sy...
🚀 Just released rascal@21.0.1 📦
🍿 #release details: github.com/onebeyond/ra...
🚀 Just released rascal@21.0.0 📦
🍿 #release details: github.com/onebeyond/ra...
😊 It is now accessible on my blog: blog.ulisesgascon.com/newsletter-i...
🔖 The latest issue of my #newsletter is live, issue 011.
Secure publishing on #npm in 2026, major #Lodash security overhaul, updated security best practices, fresh #Express release backlog & ecosystem insights from talks, CVEs & community work ✨
blog.ulisesgascon.com/newsletter-i...
We talk constantly about the risks of unmaintained dependencies and supply chain vulnerabilities, but rarely about the complexity of fixing them when the project is as massive as Lodash.
This amazing article captures the reality of Open Source sustainability. Thanks @sarahgooding.bsky.social!
"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com
Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚
Hungry now? Here is a snack from the last one: blog.ulisesgascon.com/newsletter-i...
Screenshot of a GitHub Sponsors email update titled ‘Secure Publishing, Lodash Overhaul & Express Releases 🛡️.’ It shows the beginning of the newsletter: greeting, introduction, and the first section called ‘🎤 “Publishing JavaScript Securely in 2026”’ with a promotional image preview underneath.
Just shipped a new newsletter to Sponsors! 🎁
Includes the hard truths of #npm security, #Expressjs updates, and the #Lodash overhaul that put my code in space 🚀.
Get early access & support my OSS work here: github.com/sponsors/Uli...
Happy Friday from our fresh collaboration page. 😎
Want to get involved in our collaboration spaces and projects? Check out the page to see what groups to join and what meetings are happening.
If you care about JavaScript, you belong here. ✌️
openjsf.org/collaboration