🔖 The latest issue of my #newsletter is live, issue 011.

Secure publishing on #npm in 2026, major #Lodash security overhaul, updated security best practices, fresh #Express release backlog & ecosystem insights from talks, CVEs & community work ✨

https://blog.ulisesgascon.com/newsletter-issue-11

Newsletter #011: Secure Publishing, Lodash Overhaul & Express Releases 🛡️

This month we tackle secure npm publishing, roll out a major security overhaul for Lodash, and continue the Express release train. Plus, updates on Node.js VFS and a new security guide for open source maintainers.

Just shipped a new newsletter to Sponsors! 🎁

Includes the hard truths of #npm security, #Expressjs updates, and the #Lodash overhaul that put my code in space 🚀.

Get early access & support my OSS work here: https://github.com/sponsors/UlisesGascon

🛠️ In-depth analysis of the #security patch for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and details of the patch.

https://orbitant.com/prototype-pollution-javascript-cve-2025-13465/

🛠️ In-depth breakdown of the #security fix for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and details of the patch.

https://orbitant.com/en/prototype-pollution-javascript-cve-2025-13465/
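As an added illustration of the defensive side of the issue linked above (this is example code written for this page, not Lodash's implementation and not the CVE-2025-13465 patch), the helper below shows one way a path-based unset/omit utility can refuse to traverse the prototype chain. The names isSafeKey, safeUnset and safeOmit are hypothetical.

```javascript
// Example code (not lodash's, not the CVE patch): a deep "unset" helper that
// refuses any path segment that could reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept a dotted string ("a.b.c") or an array of segments.
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

function isSafeKey(key) {
  return !FORBIDDEN_KEYS.has(key);
}

// Delete the own property at `path`, walking only own, non-forbidden keys.
// Returns true if a property was deleted, false if the path does not exist,
// and throws on a forbidden segment instead of silently applying it.
function safeUnset(obj, path) {
  const segments = toPath(path);
  for (const seg of segments) {
    if (!isSafeKey(seg)) throw new TypeError(`refusing to traverse "${seg}"`);
  }
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    if (cur === null || typeof cur !== 'object') return false;
    if (!Object.prototype.hasOwnProperty.call(cur, segments[i])) return false;
    cur = cur[segments[i]];
  }
  const last = segments[segments.length - 1];
  if (cur === null || typeof cur !== 'object') return false;
  if (!Object.prototype.hasOwnProperty.call(cur, last)) return false;
  return delete cur[last];
}

// Copy the input (plain data only), then unset each path on the copy.
// A forbidden path aborts the whole call so the caller sees the bad input.
function safeOmit(obj, paths) {
  const copy = structuredClone(obj);
  for (const p of paths) safeUnset(copy, p);
  return copy;
}

// Constructed sample input: removes a.b, leaves Object.prototype untouched.
const sample = { a: { b: 1, c: 2 }, d: 3 };
safeUnset(sample, 'a.b');
console.log(JSON.stringify(sample), typeof Object.prototype.toString);
```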

🥹 Proud to have contributed to the #Lodash security overhaul. Strengthening governance, security processes, and infrastructure to keep the project healthy for the community 🛡️

https://openjsf.org/blog/lodash-security-overhaul

Lodash Rolls Out Major Security Overhaul | OpenJS Foundation

With the release of Lodash 4.17.23 and the publication of CVE-2025-13466, the project is making visible progress in strengthening its security posture.

OpenJS Foundation

Big news 🚀! #Lodash is now on Open Collective!

Support the project and be among the first backers or sponsors 🙌

https://opencollective.com/lodash

Lodash - Open Collective

A modern JavaScript utility library delivering modularity, performance & extras.

How to import an individual function from #lodash in #Deno:

In deno.json:

{ "imports": { "lodash": "npm:[email protected]" } }

In your code:

import pick from 'lodash/pick.js'

The ways I tried that do not work:

import lodash from 'https://deno.land/x/[email protected]'
import { pick } from 'https://deno.land/x/[email protected]/dist/lodash.js'
import { pick } from 'npm:[email protected]'
import { pick } from 'npm:[email protected]/pick.ts'

🔖 The latest issue of my #newsletter is out, issue 010.

Stories from reviving #Expressjs & reimagining #Lodash, secure publishing on #npm, why #OSS doesn’t fail because of code, backlog updates & #OpenSSF #Scorecard

https://blog.ulisesgascon.com/newsletter-issue-10

Newsletter #010: Wrapping Up the Year with Talks, Security Work and Big Releases 🎁

This month brought a new talk, a deep dive into secure publishing, key Express releases, OSSF Scorecard updates, and several ecosystem improvements around security and governance.

✍️ Open source doesn't fail because of code.
It fails because of governance problems, burnout and invisible work.

I wrote about what I learned working on #Expressjs and #Lodash:

https://blog.ulisesgascon.com/el-open-source-no-falla-por-el-codigo

Open source doesn't fail because of code

We like to blame the code when open source breaks. The reality is more uncomfortable: governance, burnout and invisible work are the real fault lines. This is what I learned working with Express and Lodash.

✍️ Open source doesn’t fail because of code.
It fails because of governance gaps, burnout, and invisible work.

I wrote down what I learned working on #Expressjs and #Lodash

https://blog.ulisesgascon.com/open-source-doesnt-fail-because-of-code

Open Source Doesn’t Fail Because of Code!

We like to blame code when open source breaks. The reality is uglier: governance, burnout and invisible work are the real fault lines. This reflects what I learned during our work on Express and Lodash.