Ulises Gascón
ulisesgascon.com
Ulises Gascón
@ulisesgascon.com
#OpenSource Maintainer (@nodejs.org, @expressjs.bsky.social, Lodash, Yeoman...), #TC39 Delegate and #Maker | He/Him
Pinned
🌍 Hello, BlueSky! 🤠

I'm Ulises Gascón from Spain! Passionate about #Nodejs, #Express, #JavaScript, and the world of #OpenSource.

I spend my days building, maintaining, and improving tools and libraries for our #devCommunity 🫶

👉 Check out my projects and support my work:
github.com/sponsors/Uli...
🔖 The latest issue of my #newsletter is live, issue 011.

Secure publishing on #npm in 2026, major #Lodash security overhaul, updated security best practices, fresh #Express release backlog & ecosystem insights from talks, CVEs & community work ✨

blog.ulisesgascon.com/newsletter-i...
Newsletter #011: Secure Publishing, Lodash Overhaul & Express Releases 🛡️
This month we tackle secure npm publishing, roll out a major security overhaul for Lodash, and continue the Express release train. Plus, updates on Node.js VFS and a new security guide for open source...
blog.ulisesgascon.com
February 5, 2026 at 8:27 AM
We talk constantly about the risks of unmaintained dependencies and supply chain vulnerabilities, but rarely about the complexity of fixing them when the project is as massive as Lodash.

This amazing article captures the reality of Open Source sustainability. Thanks @sarahgooding.bsky.social!
"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com

Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚
Lodash is critical #JavaScript infrastructure.

We spoke with maintainers about its first security release in years — and why sunsetting it was never a real option.

socket.dev/blog/inside-...
January 31, 2026 at 11:40 AM
Reposted by Ulises Gascón
"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com

Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚
January 31, 2026 at 3:51 AM
Just shipped a new newsletter to Sponsors! 🎁

Includes the hard truths of #npm security, #Expressjs updates, and the #Lodash overhaul that put my code in space 🚀.

Get early access & support my OSS work here: github.com/sponsors/Uli...
January 30, 2026 at 9:10 PM
Reposted by Ulises Gascón
Happy Friday from our fresh collaboration page. 😎

Want to get involved in our collaboration spaces and projects? Check out the page to see what groups to join and what meetings are happening.

If you care about JavaScript, you belong here. ✌️

openjsf.org/collaboration
January 30, 2026 at 5:38 PM
Reposted by Ulises Gascón
Big year for security at OpenJS 👀

With support from Alpha Omega, we leveled up security across Node.js and the OpenJS ecosystem in 2025. Faster vulnerability response, automated releases, a new OpenJS CNA, stronger disclosure practices, and hands on support for over 10 projects.

hubs.la/Q040lXwL0
OpenJS Foundation Security Program: Annual Report 2025 | OpenJS Foundation
The OpenJS Foundation, supported by generous funding from Alpha-Omega, made significant progress strengthening security for Node.js and the wider OpenJS project ecosystem in 2025.
hubs.la
January 30, 2026 at 5:39 PM
🎙️ Publishing packages securely in 2026

www.youtube.com/watch?v=tBQw...
Publishing Securely on npm in 2026
YouTube video by Orbitant
www.youtube.com
January 29, 2026 at 4:21 PM
🛠️ In-depth analysis of the #security patch for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and patch details.

orbitant.com/prototype-po...
Prototype pollution in JavaScript: on CVE-2025-13465
Prototype pollution in JavaScript analyzed through CVE-2025-13465 in Lodash. Real vulnerability, exploit, and practical security lessons.
orbitant.com
January 22, 2026 at 6:40 PM
🛠️ In-depth breakdown of the #security fix for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and details of the patch.

orbitant.com/en/prototype...
orbitant.com
January 22, 2026 at 6:36 PM
🚀 Just released @onebeyond/[email protected] 📦

🍿 #release details: github.com/onebeyond/li...
github.com
January 22, 2026 at 10:51 AM
🚀 Just released @onebeyond/[email protected] 📦

🍿 #release details: github.com/onebeyond/li...
github.com
January 22, 2026 at 10:51 AM
Yeah! git blame myself… sorry for the Dependabot apocalypse 🔥

I’m buried under the PRs too 😅
January 22, 2026 at 10:13 AM
🥹 Proud to have contributed to the #Lodash security overhaul. Strengthening governance, security processes, and infrastructure to keep the project healthy for the community 🛡️
Lodash v4.17.23 is live and features a whole new look for security 😎🔥

Security fixes, stronger governance, and improved maintenance = safer and more reliable for your projects.

Check it out 👇
hubs.la/Q03_NX2J0
Lodash Rolls Out Major Security Overhaul | OpenJS Foundation
With the release of Lodash 4.17.23 and the publication of CVE-2025-13466, the project is making visible progress in strengthening its security posture.
hubs.la
January 21, 2026 at 8:37 PM
Reposted by Ulises Gascón
Lodash v4.17.23 is live and features a whole new look for security 😎🔥

Security fixes, stronger governance, and improved maintenance = safer and more reliable for your projects.

Check it out 👇
hubs.la/Q03_NX2J0
Lodash Rolls Out Major Security Overhaul | OpenJS Foundation
With the release of Lodash 4.17.23 and the publication of CVE-2025-13466, the project is making visible progress in strengthening its security posture.
hubs.la
January 21, 2026 at 8:23 PM
🚨 Moderate-severity security fix in [email protected], [email protected] and [email protected] just released!

- Patches CVE-2025-13465 — vulnerable to prototype pollution in the _.unset and _.omit functions

github.com/lodash/lodas...
Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions
### Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete me...
github.com
January 21, 2026 at 7:23 PM
Publishing securely on #npm in 2026: what broke, what changed, and what actually works

🎙️ Talk (in Spanish) organized by Orbitant
🗓️ January 21, 5:00 PM CET
🔑 The link will be sent on the day of the event
🎟️ Free → docs.google.com/forms/d/e/1F...
January 16, 2026 at 2:56 PM
Reposted by Ulises Gascón
New Security Snapshot is live.

@ulisesgascon.com walks through how Express handles security reports, from first contact to shipped patch.

Clear steps, zero panic, just a solid process that keeps users safe. 👍
January 15, 2026 at 5:39 PM
Big news 🚀! #Lodash is now on Open Collective!

Support the project and be among the first backers or sponsors 🙌

opencollective.com/lodash
Lodash - Open Collective
A modern JavaScript utility library delivering modularity, performance & extras.
opencollective.com
January 14, 2026 at 10:29 PM
Reposted by Ulises Gascón
ECMAScript excitement 😉

🚨🚨🚨 IT'S ABOUT TIME! 🚨🚨🚨

Congrats to @manishearth.bsky.social on shipping the Temporal API in Chrome 144 stable today 🎉

developer.chrome.com/blog/new-in-...

Temporal is the replacement for the Date API.
January 13, 2026 at 8:27 PM
Reposted by Ulises Gascón
🎉 The codemods to migrate Express to version 5 are now available on codemod.com!

👉 Run the recipe: npx codemod@latest @expressjs/v5-migration-recipe
👉 More codemods here: codemod.link/express

#expressjs #codemods #javascript #nodejs
Enterprise code maintenance
Codemod is Mission Control for specialized coding agents, using compiler-aware code graphs to automate and orchestrate code maintenance at enterprise scale.
codemod.com
January 13, 2026 at 6:28 PM