Ulises Gascón
ulisesgascon.com
@ulisesgascon.com
#OpenSource Maintainer (@nodejs.org, @expressjs.bsky.social, Lodash, Yeoman...), #TC39 Delegate and #Maker | He/Him
Pinned
🌍 Hello, BlueSky! 🤠

I'm Ulises Gascón from Spain! Passionate about #Nodejs, #Express, #JavaScript, and the world of #OpenSource.

I spend my days building, maintaining, and improving tools and libraries for our #devCommunity 🫶

👉 Check out my projects and support my work:
github.com/sponsors/Uli...
Reposted by Ulises Gascón
WHAT EVEN IS A CVE!!! ❓

@ulisesgascon.com breaks it down and explains what a CVE is and how it helps in our latest short.

You can view all of the shorts in our series on our YouTube Channel too for more security insights 👀 youtube.com/@OpenJSFound...
February 11, 2026 at 8:22 PM
✨ Keep up to date with @nodejs.org by watching the #Nodejs #Release Working Group's last meeting on YouTube!

www.youtube.com/watch?v=ulMh...
2026-02-12- Node.js Release Working Group
YouTube video by node.js
www.youtube.com
February 12, 2026 at 3:55 PM
Reposted by Ulises Gascón
Seeing how quickly @npmx.dev came onto the scene and how many developers from different backgrounds came together to build it gives me hope for the future. The real value is always the people and the culture surrounding them.
February 10, 2026 at 8:39 PM
Reposted by Ulises Gascón
We're more than 150 humans collaborating at repo.npmx.dev 🎉
February 10, 2026 at 10:37 PM
Reposted by Ulises Gascón
Awesome humans below 👇
We're more than 150 humans collaborating at repo.npmx.dev 🎉
February 11, 2026 at 11:03 AM
🚀 Just released rascal@21.0.1 📦

🍿 #release details: github.com/onebeyond/ra...
Release v21.0.1 · onebeyond/rascal
Full Changelog: v21.0.0...v21.0.1
github.com
February 8, 2026 at 2:35 PM
🔖 The latest issue of my #newsletter is live, issue 011.

Secure publishing on #npm in 2026, major #Lodash security overhaul, updated security best practices, fresh #Express release backlog & ecosystem insights from talks, CVEs & community work ✨

blog.ulisesgascon.com/newsletter-i...
Newsletter #011: Secure Publishing, Lodash Overhaul & Express Releases 🛡️
This month we tackle secure npm publishing, roll out a major security overhaul for Lodash, and continue the Express release train. Plus, updates on Node.js VFS and a new security guide for open source...
blog.ulisesgascon.com
February 5, 2026 at 8:27 AM
We talk constantly about the risks of unmaintained dependencies and supply chain vulnerabilities, but rarely about the complexity of fixing them when the project is as massive as Lodash.

This amazing article captures the reality of Open Source sustainability. Thanks @sarahgooding.bsky.social!
"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com

Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚
Lodash is critical #JavaScript infrastructure.

We spoke with maintainers about its first security release in years — and why sunsetting it was never a real option.

socket.dev/blog/inside-...
January 31, 2026 at 11:40 AM
Reposted by Ulises Gascón
"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com

Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚
January 31, 2026 at 3:51 AM
Just shipped a new newsletter to Sponsors! 🎁

Includes the hard truths of #npm security, #Expressjs updates, and the #Lodash overhaul that put my code in space 🚀.

Get early access & support my OSS work here: github.com/sponsors/Uli...
January 30, 2026 at 9:10 PM
Reposted by Ulises Gascón
Happy Friday from our fresh collaboration page. 😎

Want to get involved in our collaboration spaces and projects? Check out the page to see what groups to join and what meetings are happening.

If you care about JavaScript, you belong here. ✌️

openjsf.org/collaboration
January 30, 2026 at 5:38 PM
Reposted by Ulises Gascón
Big year for security at OpenJS 👀

With support from Alpha Omega, we leveled up security across Node.js and the OpenJS ecosystem in 2025. Faster vulnerability response, automated releases, a new OpenJS CNA, stronger disclosure practices, and hands-on support for over 10 projects.

hubs.la/Q040lXwL0
OpenJS Foundation Security Program: Annual Report 2025 | OpenJS Foundation
The OpenJS Foundation, supported by generous funding from Alpha-Omega, made significant progress strengthening security for Node.js and the wider OpenJS project ecosystem in 2025.
hubs.la
January 30, 2026 at 5:39 PM
🎙️ Publishing packages securely in 2026

www.youtube.com/watch?v=tBQw...
Publishing Securely on npm in 2026
YouTube video by Orbitant
www.youtube.com
January 29, 2026 at 4:21 PM
🛠️ In-depth analysis of the #security patch for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and patch details.

orbitant.com/prototype-po...
Prototype pollution in JavaScript: on CVE-2025-13465
Prototype pollution in JavaScript analyzed through CVE-2025-13465 in Lodash. A real vulnerability, exploit, and practical security lessons.
orbitant.com
January 22, 2026 at 6:40 PM
🛠️ In-depth breakdown of the #security fix for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and details of the patch.

orbitant.com/en/prototype...
orbitant.com
January 22, 2026 at 6:36 PM
🚀 Just released express-session@1.19.0 📦

🍿 #release details: github.com/expressjs/se...
Release v1.19.0 · expressjs/session
What's Changed Main Changes Add dynamic cookie options support Cookie options can now be dynamic, allowing for more flexible and context-aware configuration based on each request. This feature e...
github.com
January 22, 2026 at 2:47 PM
🚀 Just released @onebeyond/license-checker@2.2.0 📦

🍿 #release details: github.com/onebeyond/li...
github.com
January 22, 2026 at 10:51 AM
🥹 Proud to have contributed to the #Lodash security overhaul. Strengthening governance, security processes, and infrastructure to keep the project healthy for the community 🛡️
Lodash v4.17.23 is live and features a whole new look for security 😎🔥

Security fixes, stronger governance, and improved maintenance = safer and more reliable for your projects.

Check it out 👇
hubs.la/Q03_NX2J0
Lodash Rolls Out Major Security Overhaul | OpenJS Foundation
With the release of Lodash 4.17.23 and the publication of CVE-2025-13466, the project is making visible progress in strengthening its security posture.
hubs.la
January 21, 2026 at 8:37 PM
Reposted by Ulises Gascón
Lodash v4.17.23 is live and features a whole new look for security 😎🔥

Security fixes, stronger governance, and improved maintenance = safer and more reliable for your projects.

Check it out 👇
hubs.la/Q03_NX2J0
Lodash Rolls Out Major Security Overhaul | OpenJS Foundation
With the release of Lodash 4.17.23 and the publication of CVE-2025-13466, the project is making visible progress in strengthening its security posture.
hubs.la
January 21, 2026 at 8:23 PM
🚨 Moderate-severity security fix in lodash@4.17.23, lodash-es@4.17.23 and lodash-amd@4.17.23 just released!

- Patches CVE-2025-13465 — vulnerable to prototype pollution in the _.unset and _.omit functions

github.com/lodash/lodas...
Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions
### Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete me...
github.com
January 21, 2026 at 7:23 PM