OpenJS Foundation Security Program: Annual Report 2025, by @openjsf:
Lit Is Joining the OpenJS Foundation, by @lit.dev:
Recent #Lodash updates focus on stronger #CI & #security posture!
- CI support expanded (Node 4 to 25)
- New browser tests via #Playwright
- Docs now have dedicated CI
- Added #OpenJS #CNA escalation policy
- Reporting #OSSF #Scorecard
- New Incident Response Plan (#IRP)
- Threat Model inspired by #Express & #Webpack
More details: https://blog.ulisesgascon.com/the-future-of-lodash
#Lit is now an OpenJS Foundation Impact Project, transitioning to an open governance model.
It's my go-to for web components and has been trusted by many large projects for years, check it out
Welcome Rafael Gonzaga to the #OpenJS #CNA team!
https://github.com/openjs-foundation/security-collab-space/pull/297
Exciting news! The #OpenJS Foundation #AI Collaboration Space holds its first meeting next week.
A community hub where developers, maintainers and policy thinkers explore how #JavaScript connects billions of people to #AI.
Member summit week. #openjs #opensource
The XZ backdoor incident, and how the OpenJS Foundations ran into a similar problem
It has been over a month since the XZ backdoor incident broke, and most of the evidence has more or less been analyzed, so it is about time to look back on it...
#Computer #Murmuring #Security #Software #backdoor #community #engineering #foundations #maintainer #open #openjs #security #social #source #xz
Open sourcerers say suspected #xz-style attacks continue to target #maintainers
#SocialEngineering patterns spotted across range of popular projects
Higher-ups at the #OpenJS Foundation and #OpenSource Security Foundation (#OpenSSF) believe the attempt to plant a #backdoor into #Linux's xz data compression library "may not be an isolated incident" given their recent observations.
https://www.theregister.com/2024/04/16/xz_style_attacks_continue/
Following the XZ Utils attack, @openssf and @openjsf urge open source project maintainers to be alert for social engineering takeover attempts https://www.admin-magazine.com/News/OpenSSF-Issues-Guidance-to-Help-Prevent-Social-Engineering-Attacks #security #OpenSource #SocialEngineering #XZattack #OpenSSF #OpenJS #LinuxFoundation #2FA #MFA #phishing
Open Source Security (#OpenSSF) and #OpenJS Warn of Fake #Maintainers Targeting #JavaScript Projects
Alarming #socialengineering attacks target critical #opensource projects! Learn how to protect your project and the open-source community from takeovers. https://www.hackread.com/openssf-fake-maintainers-target-javascript-projects/ #itsec #cybersecurity #supplychain
Excellent summary by Solar Designer on oss-security of what's happened in the last two weeks in response to the #xz #backdoor:
https://www.openwall.com/lists/oss-security/2024/04/16/5
Noteworthy:
- #OpenSSH implemented systemd notification
- #systemd moves to dlopen(3) for some dependencies
- another detailed timeline at https://research.swtch.com/xz-timeline
- similar social engineering takeover attempts suspected in #OpenJS and #OpenSSF
#OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt in a manner similar to the recent XZ incident:
#SoftwareSupplyChainSecurity
https://thehackernews.com/2024/04/openjs-foundation-targeted-in-potential.html
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/
#OpenSSF #OpenJS #SocialEngineering #FOSS #Projects #TakeOver
This exemplifies the unique network of human beings in and around Open Source that makes it so _resilient_.
With OSS, people are curious. They are empowered to take a peek under the hood. To share what they find with others. To ignore organizational and architectural boundaries.
#OpenSource #FreeSoftware #FOSS #OSS #InfoSec #XZ #OpenJS #OpenSSF #Linux #SOSSCommunity
Free and Open Source software communities are anything *but* “fragile” in light of recent failed attacks.
They are smart. They are vigilant. They are resilient.
But they also need support from institutions given the resources attackers may have.
#OpenSource #FreeSoftware #FOSS #OSS #InfoSec #XZ #OpenJS #OpenSSF #Linux #SOSSCommunity
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
XZ Utils cyberattack likely not an isolated incident
#OpenSource #FreeSoftware #FOSS #OSS #InfoSec #XZ #OpenJS #OpenSSF #Linux
https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers
How does Wikimedia approach security and performance?
We're quite selective in our dependencies and often audit the sources ourselves. Progressive enhancement makes for a blazing fast and accessible site, and, I argue, it's also the cheaper choice in the long run!
https://timotijhof.net/posts/2023/wikimedia-balances-security-and-openness/
#mediawiki #Wikipedia #OpenJS #infosec #webperf #foss #floss