🔖 The latest issue of my #newsletter is live, issue 013.

March recap: 12 CVEs across #undici, #Fastify, #Lodash & #pathtoregexp, a state-actor supply chain attack on #axios, and the #Nodejs security bug bounty paused

https://blog.ulisesgascon.com/newsletter-issue-13

Newsletter #013: Large Phishing Operations Against Maintainers 🎯

A coordinated phishing campaign is targeting high-impact open source maintainers. Plus: Scorecard v6 evolving into a security evidence engine, 12 CVEs patched across undici, fastify, path-to-regexp and lodash, and a conversation about Node.js in production.

7 out of 10 #security reports for #Lodash and #Express are invalid.

The current spike is LLM-generated noise eating volunteers' time that should go to releases, features, and real bugs.

Our tooling wasn't designed for this volume. Every report still needs to be read, cross-referenced, and responded to. We need better tooling and support to sustain this.

🔖 The latest issue of my #newsletter is live, issue 011.

Secure publishing on #npm in 2026, major #Lodash security overhaul, updated security best practices, fresh #Express release backlog & ecosystem insights from talks, CVEs & community work ✨

https://blog.ulisesgascon.com/newsletter-issue-11

Newsletter #011: Secure Publishing, Lodash Overhaul & Express Releases 🛡️

This month we tackle secure npm publishing, roll out a major security overhaul for Lodash, and continue the Express release train. Plus, updates on Node.js VFS and a new security guide for open source maintainers.

Just shipped a new newsletter to Sponsors!

Includes the hard truths of #npm security, #Expressjs updates, and the #Lodash overhaul that put my code in space 🚀.

Get early access & support my OSS work here: https://github.com/sponsors/UlisesGascon

๐Ÿ› ๏ธ Anรกlisis en profundidad del parche de #seguridad para CVE-2025-13465 en #Lodash: causa raรญz, mecรกnica de prototype pollution en _.unset/_.omit y detalles del parche.

https://orbitant.com/prototype-pollution-javascript-cve-2025-13465/

๐Ÿ› ๏ธ In-depth breakdown of the #security fix for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and details of the patch.

https://orbitant.com/en/prototype-pollution-javascript-cve-2025-13465/

🥹 Proud to have contributed to the #Lodash security overhaul. Strengthening governance, security processes, and infrastructure to keep the project healthy for the community 🛡️

https://openjsf.org/blog/lodash-security-overhaul

Lodash Rolls Out Major Security Overhaul | OpenJS Foundation

With the release of Lodash 4.17.23 and the publication of CVE-2025-13466, the project is making visible progress in strengthening its security posture.

OpenJS Foundation

Big news 🚀! #Lodash is now on Open Collective!

Support the project and be among the first backers or sponsors 🙌

https://opencollective.com/lodash

Lodash - Open Collective

A modern JavaScript utility library delivering modularity, performance & extras.

How to import an individual function from #lodash in #Deno:

In deno.json:

{ "imports": { "lodash": "npm:[email protected]" } }

In your code:

import pick from 'lodash/pick.js'

The ways I tried that do not work:

import lodash from 'https://deno.land/x/[email protected]'
import { pick } from 'https://deno.land/x/[email protected]/dist/lodash.js'
import { pick } from 'npm:[email protected]'
import { pick } from 'npm:[email protected]/pick.ts'

🔖 The latest issue of my #newsletter is out, issue 010.

Stories from reviving #Expressjs & reimagining #Lodash, secure publishing on #npm, why #OSS doesn’t fail because of code, backlog updates & #OpenSSF #Scorecard ✨

https://blog.ulisesgascon.com/newsletter-issue-10

Newsletter #010: Wrapping Up the Year with Talks, Security Work and Big Releases

This month brought a new talk, a deep dive into secure publishing, key Express releases, OSSF Scorecard updates, and several ecosystem improvements around security and governance.