#Lodash
Newsletter #011: Secure Publishing, Lodash Overhaul & Express Releases 🛡️ This month we tackle secure npm publishing, roll out a major security overhaul for Lodash, and continue the Express release train. Plus, updates on Node.js VFS and a new security guide for open source...

🔖 The latest issue of my #newsletter is live, issue 011.

Secure publishing on #npm in 2026, major #Lodash security overhaul, updated security best practices, fresh #Express release backlog & ecosystem insights from talks, CVEs & community work ✨

blog.ulisesgascon.com/newsletter-i...

1 1 0 0
Lodash Security & Maintenance Reboot

~Socket~
The Lodash project has been rebooted with new funding and governance, releasing its first security patch in years for a prototype pollution flaw.
-
IOCs: CVE-2025-134655
-
#CVE2025134655 #Lodash #SupplyChain #ThreatIntel

0 0 0 0
Screenshot of a GitHub Sponsors email update titled ‘Secure Publishing, Lodash Overhaul & Express Releases 🛡️.’ It shows the beginning of the newsletter: greeting, introduction, and the first section called ‘🎤 “Publishing JavaScript Securely in 2026”’ with a promotional image preview underneath.


Just shipped a new newsletter to Sponsors! 🎁

Includes the hard truths of #npm security, #Expressjs updates, and the #Lodash overhaul that put my code in space 🚀.

Get early access & support my OSS work here: github.com/sponsors/Uli...

0 0 1 0
Prototype pollution in JavaScript: on CVE-2025-13465 Prototype pollution in JavaScript analyzed through CVE-2025-13465 in Lodash. Real vulnerability, exploit and practical security lessons.

🛠️ In-depth analysis of the #security patch for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit and details of the patch.

orbitant.com/prototype-po...

1 0 0 0

🛠️ In-depth breakdown of the #security fix for CVE-2025-13465 in #Lodash: root cause, prototype pollution mechanics in _.unset/_.omit, and details of the patch.

orbitant.com/en/prototype...

0 0 0 0

🥹 Proud to have contributed to the #Lodash security overhaul. Strengthening governance, security processes, and infrastructure to keep the project healthy for the community 🛡️

3 0 1 0
Lodash - Open Collective A modern JavaScript utility library delivering modularity, performance & extras.

Big news 🚀! #Lodash is now on Open Collective!

Support the project and be among the first backers or sponsors 🙌

opencollective.com/lodash

9 1 0 0
Original post on mk.outv.im

How to import an individual function from #lodash in #Deno:

In `deno.json`:

```json
{
  "imports": {
    "lodash": "npm:lodash@4.17.21"
  }
}
```

In your code:

```js
import pick from 'lodash/pick.js'
```

The ways I tried that do **not** work:


import lodash from ' […]

1 0 0 0
Newsletter #010: Wrapping Up the Year with Talks, Security Work and Big Releases 🎁 This month brought a new talk, a deep dive into secure publishing, key Express releases, OSSF Scorecard updates, and several ecosystem improvements around security and governance.

🔖 The latest issue of my #newsletter is out, issue 010.

Stories from reviving #Expressjs & reimagining #Lodash, secure publishing on #npm, why #OSS doesn’t fail because of code, backlog updates & #OpenSSF #Scorecard

blog.ulisesgascon.com/newsletter-i...

1 0 0 0

Some #lodash 🔥 methods that simplify a developer's life

`union()` and `without()` make it easier to keep unique items and add new

It could be useful in checkbox components

#JS tips

1 0 0 0

Use the `difference` method from the #lodash library to reduce the size of code and make it cleaner

#JS tip

1 0 0 0

Meet the most optimistic function ever - it ALWAYS returns true! 😄

Perfect for default callbacks & testing! 🧪✨
#JavaScript #Lodash #WebDev #Programming #Coding #DevHumor #100DaysOfCode 👨‍💻

5 0 0 0
Open source doesn't fail because of code We like to blame the code when open source breaks. The reality is more uncomfortable: governance, burnout and invisible work are the real fault lines. This is what I learned working...

✍️ Open source doesn't fail because of code.
It fails because of governance problems, burnout and invisible work.

I've written about what I learned working on #Expressjs and #Lodash:

blog.ulisesgascon.com/el-open-sour...

0 0 0 0
Open Source Doesn’t Fail Because of Code! We like to blame code when open source breaks. The reality is uglier: governance, burnout and invisible work are the real fault lines. This reflects what I learned during our work on Express and Lodas...

✍️ Open source doesn’t fail because of code.
It fails because of governance gaps, burnout, and invisible work.

I wrote down what I learned working on #Expressjs and #Lodash

blog.ulisesgascon.com/open-source-...

24 6 1 0
From chaos to transformation: the cases of Express and Lodash. YouTube video by Orbitant

📺 What comes after chaos?

Lessons from reviving #Expressjs and reimagining #Lodash.

www.youtube.com/watch?v=NHsI...

2 0 0 0
What Comes After Chaos? Lessons from Reviving Express and Reimagining Lodash

🍕 The slides for my talk “What Comes After Chaos?” are now available

Stories and lessons from reviving #ExpressJS and reimagining #Lodash.

✨ Thanks to #Orbitant for the invitation!

slides.ulisesgascon.com/what-comes-a...

3 0 0 0
Dark background with glowing red, yellow and blue strokes that crisscross, evoking movement and chaos. In the center, a white box contains the text “What comes after Chaos?” and, below it, a smaller box with “by Ulises Gascón”.

What comes after chaos?

Lessons from reviving #Expressjs and reimagining #Lodash.

🎙️ Talk (in Spanish) organized by Orbitant
🗓️ Nov 19, 5 PM CET
🔑 The link will be sent on the day of the event
🎟️ Free → docs.google.com/forms/d/e/1F...

0 0 0 0
Newsletter #009: Open Source Treats — Lodash, Yeoman & Express 🎃 This Halloween we exorcised some old code ghosts, patched vulnerabilities, and conjured new governance models. Lodash, Yeoman, and Express are looking more alive than ever!

🔧 The latest issue of my #newsletter is out, number 009.

It dives into the new #Lodash governance and #security era, the #Yeoman cleanup and reboot, the #Expressjs 6 modernization journey… and much more 🔥

blog.ulisesgascon.com/newsletter-i...

2 0 0 0
Screenshot of a GitHub Sponsors “Email updates” page showing a published update titled “Open Source Treats — Lodash, Yeoman & Express 🎃”. The message preview greets readers with “Hola everyone! 🎉” and mentions that October was full of open source treats, highlighting progress in Lodash, Yeoman, and Express. The page shows that the update has been published for 8 sponsor tiers.


I just sent my new Open Source Treats 🎃 newsletter to sponsors — packed with updates on #Lodash, #Yeoman & #Expressjs!

It’ll be public on my blog in a few days, but if you’d like early access and want to support my open source work:
👉 github.com/sponsors/Uli...

4 0 1 0
Add support for OSSF scorecard reporting by UlisesGascon · Pull Request #6030 · lodash/lodash Main Changes This pipeline will proactively report the status of the project (every day and when a push is done to master branch) including critical fields (CI-Tests, Contributors, Dependency-Updat...

#Lodash now proactively reports its @openssf.org #Scorecard metrics.

github.com/lodash/lodas...

0 0 1 0

🚀 #HappMonday!

Here’s a quick summary of all the recent changes in the #Lodash repo.

Let's improve #CI and #security posture 👇

1 0 1 0
The Future of Lodash Lodash begins a new stage with a more collaborative and sustainable model. This post outlines the plan to simplify its maintenance, strengthen security, and ensure its key role in the JavaScript ecosy...

#Lodash is evolving — shifting from BDFL to shared stewardship. The focus now is maintenance: stability, security & sustainability over new features. A great reminder that mature open source projects thrive when we share responsibility. #OpenSource

blog.ulisesgascon.com/the-future-o...

10 2 0 0

✨ Thanks to the incredible work of @jddalton.bsky.social, #Lodash remains one of the most trusted #JavaScript libraries.

We are now expanding #collaboration, #governance and #security to guarantee its future.

blog.ulisesgascon.com/el-futuro-de...

2 0 0 0

✨ Thanks to @jddalton.bsky.social’s incredible work, #Lodash remains one of the most trusted libraries in #JavaScript.

We’re now expanding #collaboration, #governance, and #security to ensure its future.

blog.ulisesgascon.com/the-future-o...

4 1 0 0

React routine: That's what I call success #react #npm #lodash #downloads #frontend #backend #tarklab #airontark

0 0 0 0
Let's Build Some Lodash Helpers in PHP and Ease Our Work WordPress JS developers are quite used to Lodash. If you move to PHP, however, you might miss some of its functions... Let's build them!

If you're used to programming with #Lodash, you probably miss some of its helpers in #PHP. Why don't you implement those helpers in PHP? In this post, we'll show a few examples neliosoftware.com/blog/devtips-implement-l...

1 0 0 0

Snap.js : The Copy-Paste Library https://thescottyjam.github.io/snap.js/#!/utils #javascript #lodash #native

0 0 0 0

Mmm, enjoying that sweet #lodash action. Where have you been all my life _.sum()?

0 0 1 0