Announcement

OpenJS Foundation Warns Consumer Privacy and Security at Risk in Three-Quarters of a Billion Websites

By Announcement, Blog, jQuery, jQuery Security

OpenJS Foundation reports poor security practices across industries in North America, UK and Europe

SAN FRANCISCO – November 1, 2023 – Global web infrastructure is in a precarious position based on new research by the OpenJS Foundation thanks to an OpenSSF grant.

The OpenJS Foundation is announcing the results of an end-user audit based on an IDC survey that shows three-quarters of a billion websites are running out-of-date software, with most capturing personal and financial information. Over one-third of respondents confirm having experienced a security incident in the last 24 months.

The OpenJS Foundation analyzed the IDC survey results of this end-user audit and other data points and estimated that of the 1.9 billion websites worldwide, almost 90% use the open source software jQuery, and one-third of those, over three-quarters of a billion sites, require an upgrade. Due to the size of the problem, the OpenJS Foundation suggests that a behavioral change to web security is required.

Key findings:

  • 89% of random survey respondents reported knowing that jQuery is used on their internet-facing websites
  • 80% of these organizations capture vital information such as personally identifiable information (PII), including payment information (52%), location (64%), and contact information (80%)
  • Websites are essential or high priority for 85% of respondents
  • The business damage from security incidents is severe with 28% reporting loss of customers and 29% reporting loss of revenue. Additionally, 39% reported regulatory violations, and 45% reported brand damage
  • Better security is the #1 motivation for upgrading for 48% of respondents

The end-user audit conducted by IDC surveyed more than 500 people in 23 industries across North America, UK and Europe, representing small, medium and large organizations. 

It is the responsibility of business owners and developers to make their websites secure. Getting actionable information is a key part of the process. Keeping packages up to date is an important way to improve security. Any one package may not be a site’s main security issue, and packages can be abused or used in ways that open up security problems.

Al Gillen, group vice president, Software Development and Open Source, IDC, in a blog post published today on the OpenJS Foundation blog, states: “The take-away from this study is simple: jQuery users have access to a robust, community-supported technology that is free from subscription costs for them to acquire or use, and this project is seeing continual investment and enhancement. Users are already enjoying considerable benefits from the technology, but if you are not using current versions, you owe it to your business to move forward to a supported version to maximize the benefit and minimize any potential risks.” The full IDC blog post is available here.

“There’s a big problem when three-quarters of a billion websites need an upgrade of just one open source project. It leads us to believe companies are using more outdated and unsupported technologies and potentially putting consumers at risk,” said Robin Bender Ginn, executive director of OpenJS Foundation. “To solve a problem of this scale, we need to start thinking about regular assessments of website technology, similar to how people visit their doctor every year for a physical medical checkup.” 

As a result of the study, the OpenJS Foundation is developing a free Healthy Web checkup tool. It will be provided widely to businesses and organizations around the world. The OpenJS Foundation is also seeking to partner with governments, businesses, and consumer advocacy organizations to better the health of the global web economy. 

jQuery made web page development approachable to everyone, but has led to millions of websites remaining on older, unsupported versions. Even as the jQuery Team releases security fixes, these sites often don’t update and remain vulnerable. 

The IDC survey, the Healthy Web checkup tool, and many security improvements were funded by an Alpha-Omega grant. As an associated project of the Open Source Security Foundation, Alpha-Omega’s mission is to catalyze sustained security improvements to the most critical open source software and ecosystems. 

“Many of our engagements start with an audit and then fund security fixes. This situation called for a different approach and we were keen to help,” said Bob Callaway, co-lead of the Alpha-Omega project and engineering manager of Google’s Open Source Security Team. “The Healthy Web checkup tool will be an innovative solution to a thorny problem,” he added. “This problem is not unique to jQuery. We’re hopeful this work can be extended to help everyone understand and mitigate the global risk.” 

“Secure open source software is a public good,” said Omkhar Arasaratnam, general manager of the Open Source Software Foundation (OpenSSF). “We applaud the OpenJS Foundation for making the web more secure through the OpenJS Healthy Web checkup.”

The OpenJS Healthy Web checkup tool takes 5 seconds and currently only checks the version of jQuery. The jQuery version is a great indicator of whether or not organizations have implemented security practices because of how ubiquitous jQuery is and how easy it is to test.

“The first step to improve the health of your website is to find out if your technology stack needs to be upgraded,” said Michał Gołębiowski-Owczarek, jQuery Core Team member and Senior Staff Software Engineer at Sumo Logic. “We’re constantly improving the security and performance of jQuery and ask people to check the versions of software used on their sites either with the upcoming Healthy Web checkup tool from the OpenJS Foundation or their own assessment.” 

“It is everyone’s responsibility to make their own websites secure. That’s not always a simple task, but ensuring packages are up to date can be a good place to start,” said Timmy Willison, Team Lead for jQuery Core and Lead Front-End Engineer at worbler.ai. “The jQuery Team is pleased to work with the OpenJS Foundation as a part of this Healthy Web checkup campaign. Please join with us and the OpenJS Foundation to help improve the health of the consumer web.” 

“Consumer-facing software requires regular maintenance. Checking for updates from packages like jQuery and keeping your website secure is essential. The open web plays such an important role in modern life,” said Timo Tijhof, Infrastructure Lead for jQuery and Principal Engineer at the Wikimedia Foundation. “Like going to a doctor for regular checkups, auditing your website regularly is key to good web health. Please do your part!”

The OpenJS Foundation is assessing expanding the checkup tool to include additional open source JavaScript projects critical to the health of the web.

The OpenJS Healthy Web checkup tool is currently in beta and limited for use by technical evaluators and OpenJS members. General availability is planned for early 2024. OpenJS Foundation is actively seeking partner organizations to join in this important effort.

The new IDC study is freely available: The Benefit of Modernizing jQuery Deployments

OpenJS Resources

To learn more about how you could be a part of the OpenJS Foundation, click here.

About OpenJS Foundation

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 35 open source JavaScript projects including Appium, Electron, Jest, jQuery, Node.js, and webpack and is supported by 26 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Microsoft, and the Sovereign Tech Fund. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value. 

About Alpha-Omega

Alpha-Omega is an associated project of the OpenSSF, established in February 2022, funded by Microsoft, Google, and Amazon, and with a mission to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems, trying to build a world where critical open source projects are secure and security vulnerabilities are found and fixed quickly. For more information please visit the Alpha-Omega website.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org. 

About Linux Foundation

Founded in 2000, the Linux Foundation is supported by more than 1000 members and is the world’s leading home for collaboration on open source software, open standards, and open hardware. Linux Foundation projects like Linux, Kubernetes, Node.js and more are considered critical to the development of the world’s most important infrastructure. Its development methodology leverages established best practices and addresses the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit their website.

This post was originally published on PR Newswire.

Node.js 21 Available Now!

By Announcement, Blog, Node.js

The release of Node.js 21 is available now! Node.js 21 replaces Node.js 20 as our current release line, and Node.js 20 is being promoted to long-term support (LTS). 

What’s the difference between the two releases? Node.js 21 is great for early feature testing for your own specific environment, while Node.js 20 LTS is for production deployments. Node.js 21 will be the ‘Current’ release for the next 6 months, until April 2024. Here is our full Node.js release schedule.

Highlights in Node.js 21 include updates of the V8 JavaScript engine to 11.8, stable WebStreams, a new experimental flag to flip module defaults (--experimental-default-type), many updates to our test runner, and more!

“If you’re interested in getting access to interesting new features early, Node.js 21 is a great way to test and see what’s coming. Our release schedule specifically covers this. If you’re already in active deployment or if you are planning for it, Node.js 20 and 18 LTS are for you,” said Rafael Gonzaga, Node.js Technical Steering Committee (TSC) Member. “Many thanks to our open source contributors for making Node.js better and better. Thanks also to OpenSSF and Project Alpha Omega for helping us improve Node.js security.”

“Node.js demand among developers continues to grow as the need for reliable and scalable web applications rises. With Node.js 21, you can evaluate the current state of Node.js features directly,” said Michaël Zasso, member of the Node.js TSC. “As just one example, Node.js has had a stable test runner since Node.js 20. There’s no need to install a third-party module, and you can create test scripts easily. Node.js 21 includes many improvements to the test runner. Try it out!” 

Main updates for Node.js 21

  • V8 JavaScript engine updated to 11.8
  • Stable WebStreams, which help to process data in small sizes for browser applications
  • A new experimental flag to flip module defaults (--experimental-default-type) – Node.js has two module systems: CommonJS modules and ECMAScript modules. By default, Node.js treats files with a .js extension as CommonJS modules. This default can now be flipped more easily.
  • Many updates to the test runner, which allows users to run functional tests and export results
  • Full changes and commits here

Download Node.js 21 here and get started testing right away! More details can be found in the Node.js blog.

Appium 2.0 Officially Released: Extensible Ecosystem for Automation Makes It Easy to Add Your Specific Tests

By Announcement, Appium, Blog, Project Update

We’re delighted to share that Appium 2.0 is now available.

Appium is an open source test automation framework for use with native, hybrid, and mobile web apps. Appium is an Impact project under the OpenJS Foundation ecosystem.

Appium drives iOS and Android apps using the WebDriver protocol. Appium can be used for testing native mobile applications (iOS or Android), mobile web applications (Safari or Chrome) and hybrid mobile applications that combine both. This makes it a versatile tool that can be used for a variety of projects. Appium is used by companies like GEICO, Charles Schwab, Walmart, and many more.

“Appium’s vision has always been larger than being a mobile app automation tool. The WebDriver paradigm was a good fit for the web, and it turned out to be a good fit for mobile too. With Appium 2, we wanted testers to be able to reach for a single tool to accomplish all their automation tasks across multiple platforms,” said Jonathan Lipps, Senior Director, Automation Technologies at Headspin, Inc., and the project lead for Appium. “Thank you to all Appium collaborators and contributors. This is a major milestone!”

Version 2.0 reenvisions Appium as a platform where drivers and plugins can be easily created and shared. With a friendlier and more standard interface, Appium 2.0 offers:

  • A new system for developing and sharing Appium drivers to facilitate automation of new platforms
  • Plugins that extend or modify any of Appium’s behaviors
  • The ability to install drivers and plugins from across the ecosystem with a single command

Interested in learning more? Join Appium Project Lead Jonathan Lipps for a free webinar on July 11, 9:00-10:00 AM PDT. Register now!

Congratulations to all of the collaborators and contributors on this major launch. Try out Appium 2.0 today!

Meta Joins the OpenJS Foundation

By Announcement, Blog, Jest

The creator of popular open source projects like React, React-Native and Jest joins the OpenJS Foundation

SAN FRANCISCO – May 10, 2023 – The OpenJS Foundation, providing vendor-neutral support for sustained growth within the open source JavaScript community, is announcing today that Meta has joined as a gold member. 

“Welcome Meta! Their positive effect on the JavaScript ecosystem has been amazing. Heavy users at scale of JavaScript itself, creators of React and React-Native, creators of multiple key open source projects,” said Robin Ginn, OpenJS Foundation Executive Director. “We look forward to working more with Meta’s leadership and expertise to increase support for the diverse open source communities at OpenJS.”

Meta Open Source has been key in creating and open sourcing many projects crucial to the JavaScript ecosystem, such as React, Jest, and Flow. Last year, Meta contributed its popular JavaScript testing project Jest to OpenJS, which garnered an enthusiastic response from developers for this community-led project.

As a global leader with a mission of creating community and bringing people closer together, Meta understands the importance of open collaboration to sustain and improve JavaScript development. Working collectively with other member companies and with the guidance of the OpenJS Foundation, Meta will continue to contribute and advocate in the community. 

“Open source has the potential to be more inclusive and more empowering than ever. Joining the OpenJS Foundation is a large step forward in supporting our open source communities. We hope to provide not only leadership, but to learn from the community,” said Killian Murphy, Sr. Engineering Director, Developer Experience & Platforms. 

“The broader JavaScript ecosystem benefits from Meta becoming an OpenJS Foundation member. In fact, we’ve already been working together in multiple different ways, and this makes official what has already been a great relationship,” said Shayne Boyer, OpenJS Foundation Board Director.

To learn more about how you can be a part of the OpenJS Foundation, click here.

OpenJS Resources

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Microsoft and Netflix. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

About Meta

Meta builds technologies that help people connect, find communities, and grow businesses. First launching Facebook in 2004, it changed the way people connect. Meta brings apps like Messenger, Instagram and WhatsApp to further empower billions around the world. Now, Meta is moving beyond 2D screens toward immersive experiences like augmented and virtual reality to help build the next evolution in social technology.

About Meta Open Source

Meta has long been a supporter of open source software and the open source community. In addition to making a lot of our engineering work publicly available, including sharing our research, code, designs, and engineering work, we also invest in organizations that are important for the long-term sustainability of the open source ecosystem.

About Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenJS Foundation and the Sovereign Tech Fund: Creating secure and modern technology and policy

OpenJS Foundation Receives Major Government Investment from Sovereign Tech Fund for Web Security and Stability

By Announcement, Blog

Read more details here: OpenJS Foundation Receives Largest One-Time Government Investment

We’re so excited to announce that the OpenJS Foundation has been selected to receive an investment from the Sovereign Tech Fund (STF) to help build the future of JavaScript infrastructure and security. 

The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is investing EUR 875,000 (USD 902,000) in the OpenJS Foundation. 

This is the largest one-time government support investment ever to a Linux Foundation project. We’re grateful to the STF team for supporting this initiative!

Our goal is to help our open source projects gain more secure and modern technologies and policies for the web. In collaboration with community leaders in our OpenJS Security Collaboration Space, and the Linux Foundation IT team, we developed a plan that we hope will scale across the JavaScript ecosystem.

We will do the following over the next two years:

  • Deliver infrastructure updates across our project portfolio through a single, scalable solution, while implementing a responsible sunset program for inactive projects.
  • Develop and deliver security and maintenance policies and practices for critical projects.

The OpenJS Foundation’s JavaScript technologies are widely used around the world, and building development infrastructure with longevity and stability remains a key function of the OpenJS Foundation. 

We want to continue to improve and build a JavaScript ecosystem that will continue to flourish over the next decade, and the support from the Sovereign Tech Fund will make that commitment a reality. 

Government support of open source

Governments, the private sector, and individuals all rely on JavaScript, and we pride ourselves on growing our security and trust in the web technologies they use. 

The Sovereign Tech Fund’s investment in the OpenJS Foundation will scale our hosted projects today and in the future. At the same time, it will help our projects adopt more secure and modern technologies and policies, with the goal of being self-sustaining in the future.

We hope that this will start to build a JavaScript ecosystem that will continue to flourish not only in Germany, but around the globe. It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in the critical open source infrastructure that powers the web.

Expanding our security practices

We’ve been working to modernize and improve our security practices in other areas, with the help of the Open Source Security Foundation (OpenSSF) Alpha-Omega project. 

Earlier this year, jQuery received USD 350,000 to reduce potential security incidents by helping modernize its consumers and its code. This is also the second year that Alpha-Omega has funded Node.js – resulting in great progress improving Node.js security – which we’ve been reporting on monthly.

What’s next

We’re excited to begin, and have already engaged members of the Linux Foundation IT team to assist with the work. We’ll be sure to keep our OpenJS blog updated as we make progress!

Big thank you to the Sovereign Tech Fund and the German Ministry for their generous support of open source. We hope that their leadership will inspire governments around the world to follow suit!

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Netflix, and Microsoft. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.