Skip to main content
All Posts By

OpenJS Foundation

From OpenJS World 2023: Advancing Web Runtime Interoperability with WinterCG – Ethan Arrowood, Vercel

By Blog, OpenJS World

Talk from Ethan Arrowood, Senior Software Engineer, Vercel at OpenJS World 2023 in Vancouver, Canada, May 10-12.

WinterCG is a community group dedicated to promoting web interoperability and advancing the development of web runtimes such as Node.js, Vercel Edge Runtime, Cloudflare Workers, and more. In this talk, Ethan discusses the challenges and opportunities facing web runtime interoperability and showcases the innovative solutions being developed by WinterCG. Ethan provides an overview of the group’s mission, values, and members. Additionally, he highlights achievements and summarizes ongoing projects. Finally, Ethan offers a glimpse into WinterCG’s aspirations for the future and the impact that interoperable web runtimes will have on shaping the web of tomorrow.

Full talk available here: Advancing Web Runtime Interoperability with WinterCG: Empowering the Future of the Web.

Ethan’s slide deck is available here.

Main Sections

0:00 Introduction

1:14 Why the group was formed

2:06 The goal of WinterCG

3:08 Non-goals

4:21 The process: collaborate, propose, implement 

10:53 Achievements 

11:45 Achievement: Fetch – Static response.json()

12:30 Work in progress – relax forbidden headers 

13:46 Work in progress – performance and web crypto streams

14:40 Work in progress – AsyncContext

15:00 Closer look – AsyncContext

19:01 Work in progress – “wintercg” common key

23:38 Get involved

25:00 Thank you and Q&A

OpenJS Resources

About the OpenJS Foundation

Join the OpenJS Foundation

Follow Us on Social

Node.js Security Progress Report – First Response Time Down to 8 Hours, New Security Release Announced

By Blog, Node.js, Node.js Security

Last month, we reported that the first response time in April was down to 18 hours. For May, it dropped again, down to 8 hours. Our established goal is a 48-hour response time, making an 8 hour response time excellent. Real-world response time will likely fluctuate up and down some moving forward as we work through improving our processes including our new Permission Model and automation of dependencies and build processes. 

Beyond that, 5 reports were created in April and 2 were closed from May. In April, 6 hackers participated. This type of outside participation is extremely encouraging, thank you for your contributions!

We completed the first initiative from 2023 for automating dependencies. This will go a long way to creating security sustainability and we’re  working hard on automating the security release process itself. 

Big thanks to OpenSSF and Project Alpha Omega for their continued support. Partnership details are outlined here: Security Support Role 2023.

Support for Security Releases

The next security release is scheduled for June 20, 2023, and we are actively working on multiple security fixes. OpenSSL Security Release 29/05 came out and will be integrated into this release and the c-ares security release. 14 reports affecting different active release lines came out in May. More information here.

Three regular releases came out (v20.1.0, v20.2.0 and v20.3.0) and we’ve been focusing on coordinating upcoming releases, making sure there is clear alignment with the Node.js team and releasers, and creating and backporting fixes.

What’s a backport? Many security fixes are for the most recent version since this is the focus of attention. The goal is to create backport pull requests for previous versions at the same time. So, if we fix something in Node.js 20, there are fixes available for older versions, like Node.js 16, when needed.


Node.js Security Working Group Initiatives

There was good discussion about supporting environment variables as part of the Permission Model. The idea is to know explicitly what resources an application is accessing when it runs.

The current proposal is to add variable names into an allowlist using the –allow-env flag as shown below. Any variables not included in the allowlist will be inaccessible through process.env.

Assessment against security best practices to make progress. We are actively monitoring undici, node, and security-wg repositories. And we are improving the OSSF Scorecard undici that helps in our assessment in comparison with best practices.


Node.js Security Sustainability

Check out all of our recent speaking engagements:

We’re meeting with the Google Open Source Security Team to discuss the Permission Model. They’ve participated in our recent Security WG sessions, and we believe this is a positive step forward in helping with security sustainability.

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. 

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg

Node.js Security Progress Report – Automation, Automation and more Automation

By Blog, Node.js, Node.js Security

Last month, the Security Working Group initiatives focused on the Permission Model and Automated Update Dependencies. 

There were 10 security reports in April with more people participating than the previous month. Response time in April was 18 hours before the first response back from us, which is less than our goal of a 48 hour response time.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support. The exact details of the partnership are outlined here in the Security Support Role 2023 document.

Automation Update Dependencies

In total, 11 dependency update automation were completed this month, which included undici, openssl, v8, npm and more. There are only 2 more automations to go.

As a reminder, the Security Working Group started investigating dependencies in Node.js in November last year. They identified automated updates, and which ones should be prioritized: https://github.com/nodejs/security-wg/issues/828. We can already see the benefits of this work by looking at the increased number of pull requests for dependency updates automatically submitted to the project. 

Security Release Automation

The Security Working Group is focusing on implementing automation for the key dependencies in the build. This makes the overall process easier and less prone to error, and it makes it possible in the future for different stewards to complete the process. 

There are currently 26 steps in doing a Node.js security release.If greater automation works, it will be a big step forward. Please expect more information on this topic soon!

Permission Model

There have been over 10 months of work on building a new Permission Model. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model. 

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. Any bugs are considered vulnerabilities because they are security features. 

JavaScriptLandia Awards: Pathfinder for Security 

Last week at OpenJS World 2023, the OpenJS Foundation held their second annual JavaScriptLandia awards and recognized Rafael Gonzaga from Nearform. 

Rafael has made significant contributions to Node.js security and has received positive feedback on his efforts to improve the security ecosystem. His contributions to reports and blogs have generated great visibility from social media, and he has personally trained and brought engineers into the Node.js Security Working Group to build the community towards self sufficiency. 

Congratulations, Rafael!

Join Us!

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg

Meta Joins the OpenJS Foundation

By Announcement, Blog, Jest

The creator of popular open source projects like React, React-Native and Jest, joins the OpenJS Foundation

SAN FRANCISCO – May 10, 2023 – The OpenJS Foundation, providing vendor-neutral support for sustained growth within the open source JavaScript community, is announcing today that Meta has joined as a gold member. 

“Welcome Meta! Their positive effect on the JavaScript ecosystem has been amazing. Heavy users at scale of JavaScript itself, creators of React and React-Native, creators of multiple key open source projects,” said Robin Ginn, OpenJS Foundation Executive Director. “We look forward to working more with Meta’s leadership and expertise to increase support for the diverse open source communities at OpenJS.”

Meta Open Source has been key in creating and open sourcing many projects crucial to the JavaScript ecosystem, such as React, Jest, and Flow. Last year, Meta contributed its popular JavaScript testing project Jest to OpenJS, which garnered an enthusiastic response from developers for this community-led project.

As a global leader with a mission of creating community and bringing people closer together, Meta understands the importance of open collaboration to sustain and improve JavaScript development. Working collectively with other member companies and with the guidance of the OpenJS Foundation, Meta will continue to contribute and advocate in the community. 

“Open source has the potential to be more inclusive and more empowering than ever. Joining the OpenJS Foundation is a large step forward in supporting our open source communities. We hope to provide not only leadership, but to learn from the community,” said Killian Murphy, Sr. Engineering Director, Developer Experience & Platforms. 

“The broader JavaScript ecosystem benefits from Meta becoming an OpenJS Foundation member. In fact, we’ve already been working together in multiple different ways, and this makes official what has already been a great relationship,” said Shayne Boyer, OpenJS Foundation Board Director. “

To learn more about how you can be a part of the OpenJS Foundation, click here.

OpenJS Resources

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Microsoft and Netflix. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

About Meta

Meta builds technologies that help people connect, find communities, and grow businesses. First launching Facebook in 2004, it changed the way people connect. Meta brings apps like Messenger, Instagram and WhatsApp to further empower billions around the world. Now, Meta is moving beyond 2D screens toward immersive experiences like augmented and virtual reality to help build the next evolution in social technology.

About Meta Open Source

Meta has long been a supporter of open source software and the open source community. In addition to making a lot of our engineering work publicly available, including sharing our research, code, designs, and engineering work, we also invest in organizations that are important for the long-term sustainability of the open source ecosystem.

About Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

JavaScriptLandia Community Awards Showcase Creativity, Diversity and Energy

By Blog, JavaScriptLandia

From OpenJS World 2023 – The OpenJS Foundation is celebrating 6 key community leaders, honoring them with our second annual JavaScriptLandia Awards for contributions to education, standards, security and more. Award Winners were recognized at OpenJS World on Wednesday, May 10, and received a plaque and digital badge.

JavaScriptLandia is the home of the OpenJS Foundation’s individual supporter program, where community members can pledge support for OpenJS projects, maintainers, and get more involved in the community while earning badges and other perks.

The nominations for the awards opened in March and were sourced from the broader JavaScript community. Nominations were reviewed by OpenJS Foundation CPC members, board members, and staff and were chosen by consensus.

There are 6 awards available: 

  • Unsung Hero
  • Leading By Example
  • Outstanding Contribution from a New Arrival
  • Pathfinder Awards
    • for Standards
    • for Education
    • for Security 

Unsung Hero nominees are recognized for their willingness to do things that aren’t high profile, glamorous, or even fun, but are important for a well-functioning project and community. Unsung Heroes often do this work with a smile, even if they aren’t being recognized regularly for their contributions. 

Leading by Example nominees are known for demonstrating leadership qualities in their communities that reflect OpenJS Foundation values, like being humble, helpful and hopeful. Exemplary leaders embody open source in spirit and in practice, and inspire others to do the same.

Outstanding Contribution from a New Arrival nominees are new participants in our project spaces who are making a big difference – from contributing new ideas, new leadership on a project workstream, helping with project operations, to community building and more. These individuals are rising stars who help bring fresh energy to our projects.

Pathfinder Awards nominees are people from across the JavaScript ecosystem who have made significant contributions in key areas for OpenJS, including Education, Standards, and Security. These individuals not only move things forward, they bring people along with them as they go, helping to light the way for all. 

The 2023 JavaScriptLandia Awards recipients are:

Unsung Hero

Richard Lau, Red Hat

Richard has been consistently doing an amazing job taking care of the infrastructure that powers the Node.js project while also contributing to both the TSC and the Release Working Group. His dedication is an inspiration to all collaborators.

Leading by Example

Danielle Adams, AWS

Danielle volunteers her time as a Node.js releaser and TSC member. She is smart, reliable, and always positive in the large undertaking of a Node.js release. She also educates the industry on the Node.js release cycles to better prepare developers around the world, like presenting at NodeConf EU 2022 on The Life and Times of a Node.js Release. Danielle is a champion for underrepresented communities. Last year, she helped lead the Grace Hopper Open Source Day Node.js hackathon, mentoring women and nonbinary developers on their first successful PRs to the Node.js project.

Outstanding Contribution from a New Arrival

Claudio Wunder, HubSpot

Claudio has made significant contributions to the Node.js website and plans to improve the project’s documentation generation to help generate metadata needed for the TypeScript ecosystem. Both of these projects are complex, requiring working with many project members, getting buy-in and doing consistent work. His enthusiasm and determination to move things forward is great to see. Claudio has ramped up and contributed in record time.

Pathfinder Award for Education

Erick Wendel

Erick has done a lot of work to promote Node.js to developers. Erick has done over 115 conference presentations and talks around the world to help developers learn about Node.js. Anything from his YouTube video channel that covers advanced JavaScript to his courses on Node.js Streams to his recent experiments on building the Node.js runtime from scratch to engage developers in a fun way.

Pathfinder Award for Security

Rafael Gonzaga, NearForm

Rafael has made significant contributions to the Alpha-Omega project jointly with the OpenJS Foundation and the OpenSSF and received very positive feedback on his efforts to improve the Node Security ecosystem. His contributions to reports and blogs have generated great visibility from social media, and he has personally trained and brought engineers into the Security Working Group to build the community towards self sufficiency. 

Pathfinder Award for Standards 

Brian Kardell, Igalia

Brian has been instrumental in bringing web developers into standards throughout his career. He has an abiding interest in bettering the future web. He has been dedicated in the past year to MathML and bringing more features to the web platform.

OpenJS World 2023 – Celebrating Innovation in the JavaScript Ecosystem

By Blog, OpenJS World

It’s day one of OpenJS World, the OpenJS Foundation’s semi-annual event bringing together the JavaScript and web development communities! 

Want to network and find out how you can get more involved in JavaScript? OpenJS World covers the broad spectrum of the JavaScript ecosystem, including technical content from OpenJS Foundation open source projects and much more. Be sure to tune in virtually for the remaining sessions this week: Virtual registration here.

The full schedule is available here, including talks by the OpenJS Foundation’s executive director Robin Ginn, Ethan Arrowood from Vercel, Abby Cabunoc Mayes from GitHub, Kazuhito Yokoi from Hitachi and many more!

We’re excited to share the progress of our members and projects this week at OpenJS World, read on to find out what’s new this week!

Meta Joins the OpenJS Foundation

Meta has joined the OpenJS Foundation as a gold member! Meta Open Source has been key in creating and open sourcing many projects crucial to the JavaScript ecosystem, such as React, Jest, and Flow. Last year, Meta contributed its popular JavaScript testing project Jest to OpenJS, which garnered an enthusiastic response from developers for this community-led project.

More details are available in our blog post.

Major Commitment to Security and Stability

The OpenJS Foundation has achieved significant milestones this year focused on improving JavaScript security. Last week, we announced that the Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, awarded the OpenJS Foundation EUR 875,000 (USD 902,000). This largest ever government investment in a Linux Foundation project will allow us to deliver infrastructure updates across our project portfolio through a single-scalable solution and develop and deliver security and maintenance policies and practices for critical projects.

Additionally, our continued work with OpenSSF’s Project Alpha-Omega has granted funding for both Node.js and jQuery this year. Alpha-Omega is committing $300,000 to focus on improving supply chain security by improving Node.js security infrastructure. The funding is bolstering the Node.js security team and vulnerability remediation efforts, with a focus on supporting better open source security standards and practices. It was started in 2022 and renewed in 2023. Alpha-Omega is also committing another $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code. OpenJS, working with the jQuery maintainers and industry experts, will conduct an ecosystem risk audit, work on an expansion of its infrastructure modernization project, and build and promote a web modernization campaign for awareness and buy-in.

Championing our Community with Awards and Discounts!

At OpenJS World today, we are announcing our second annual JavaScriptLandia award members, showcasing an incredible array of creativity, diversity and energy – check them out in our blog post! Maybe you can be one of the winners next year!

Also, if you’re interested in improving your technical skills and understanding how you do on vendor-neutral certification tests, we have a OpenJS World-only discount available for you. We’re offering 60% off Node.js Training and Certification bundles with code OPENJSWORLD2023.

Certification is an important component of building and strengthening the JavaScript ecosystem. Certified developers can quickly establish credibility and value in the job market. Certification also allows companies to locate and hire high-quality teams to support their growth.

We hope you’ll tune in virtually to our event this week! After OpenJS World is over, we’ll have the videos up on our YouTube page to view on demand.

Happy OpenJS World!

OpenJS World 2023, Part 2! Join us in Bilbao, Spain

By Blog, Event, OpenJS World

We are excited to announce that we’re hosting another OpenJS World in Bilbao, Spain, co-located with the Linux Foundation’s Open Source Summit Europe, September 19-23, 2023!

You can submit your OpenJS World talk here for Open Source Summit Europe. The deadline is May 2, 2023. If speaking isn’t your thing, registration is now open as well!

Please note that the CFP for Open Source Summit North America and OpenJS World  in Vancouver, Canada has closed and all speakers have been announced. There is still time to register as an attendee though.

About the Event

At OpenJS World, attendees collaborate, network, and learn how to use and contribute to JavaScript and web technologies. From frontend to backend, serverless to IoT, there are many opportunities for developers to level up their skills. The program will cover the broad spectrum of the JavaScript ecosystem, including OpenJS Foundation projects and more.

Open Source Summit is the Linux Foundation’s premier event for open source developers, technologists, and community leaders to collaborate, share information, solve problems, and gain knowledge.

Collaborator Summit

We’re also excited to share that we’ll host another OpenJS Collaborator Summit the day before the event on September 18, 2023. More information will be provided closer to the event, but we’ll be having another call for sessions for the summit. This event will be free with Open Source Summit EU registration and open to anyone who is interested.

Guidelines for Call for Proposals (CFPs)

Quality content is an essential priority for the OpenJS World program committee, and we want to foster the submission of thoughtful and relevant topics.

Three guidelines to consider before submitting your proposal:

  • What are you hoping to get from your presentation?
  • What do you expect the audience to gain from your presentation?
  • How will your presentation help better the open source ecosystem?

We hope these general guidelines will help you craft the best submission possible! Remember these tips when writing your proposal as a simple guide for yourself.

Open to All

There are plenty of ways to present projects and technologies without focusing on company-specific efforts. Try to think of ways to connect your topic to attendees’ interests while still giving yourself room to share your experiences, educate the community about an issue, or generate interest in a project. 

Here are some of the topics we are interested in this year:

  • Testing
  • Automation / CI/CD
  • Security
  • Development
  • Community Building
  • Performance
  • Open Visualization
  • General

OpenJS World is a great way to get to know the community and share your ideas and the work that you are doing, and we strongly encourage first-time speakers to submit talks. 

If you’re not sure about your abstract, please check out the #cfp-mentorship channel in the OpenJS Foundation Slack Channel. You can join the slack channel here: https://slack-invite.openjsf.org 

We can’t wait to hear from you! Follow this link if you’re ready to submit: https://events.linuxfoundation.org/open-source-summit-europe/program/cfp/ 

We hope to see you at OpenJS World in Spain!