Skip to main content
Category

Blog

From OpenJS World 2023: Advancing Web Runtime Interoperability with WinterCG – Ethan Arrowood, Vercel

By Blog, OpenJS World

Talk from Ethan Arrowood, Senior Software Engineer, Vercel at OpenJS World 2023 in Vancouver, Canada, May 10-12.

WinterCG is a community group dedicated to promoting web interoperability and advancing the development of web runtimes such as Node.js, Vercel Edge Runtime, Cloudflare Workers, and more. In this talk, Ethan discusses the challenges and opportunities facing web runtime interoperability and showcases the innovative solutions being developed by WinterCG. Ethan provides an overview of the group’s mission, values, and members. Additionally, he highlights achievements and summarizes ongoing projects. Finally, Ethan offers a glimpse into WinterCG’s aspirations for the future and the impact that interoperable web runtimes will have on shaping the web of tomorrow.

Full talk available here: Advancing Web Runtime Interoperability with WinterCG: Empowering the Future of the Web.

Ethan’s slide deck is available here.

Main Sections

0:00 Introduction

1:14 Why the group was formed

2:06 The goal of WinterCG

3:08 Non-goals

4:21 The process: collaborate, propose, implement 

10:53 Achievements 

11:45 Achievement: Fetch – Static response.json()

12:30 Work in progress – relax forbidden headers 

13:46 Work in progress – performance and web crypto streams

14:40 Work in progress – AsyncContext

15:00 Closer look – AsyncContext

19:01 Work in progress – “wintercg” common key

23:38 Get involved

25:00 Thank you and Q&A

OpenJS Resources

About the OpenJS Foundation

Join the OpenJS Foundation

Follow Us on Social

Node.js Security Progress Report – First Response Time Down to 8 Hours, New Security Release Announced

By Blog, Node.js, Node.js Security

Last month, we reported that the first response time in April was down to 18 hours. For May, it dropped again, down to 8 hours. Our established goal is a 48-hour response time, making an 8 hour response time excellent. Real-world response time will likely fluctuate up and down some moving forward as we work through improving our processes including our new Permission Model and automation of dependencies and build processes. 

Beyond that, 5 reports were created in April and 2 were closed from May. In April, 6 hackers participated. This type of outside participation is extremely encouraging, thank you for your contributions!

We completed the first initiative from 2023 for automating dependencies. This will go a long way to creating security sustainability and we’re  working hard on automating the security release process itself. 

Big thanks to OpenSSF and Project Alpha Omega for their continued support. Partnership details are outlined here: Security Support Role 2023.

Support for Security Releases

The next security release is scheduled for June 20, 2023, and we are actively working on multiple security fixes. OpenSSL Security Release 29/05 came out and will be integrated into this release and the c-ares security release. 14 reports affecting different active release lines came out in May. More information here.

Three regular releases came out (v20.1.0, v20.2.0 and v20.3.0) and we’ve been focusing on coordinating upcoming releases, making sure there is clear alignment with the Node.js team and releasers, and creating and backporting fixes.

What’s a backport? Many security fixes are for the most recent version since this is the focus of attention. The goal is to create backport pull requests for previous versions at the same time. So, if we fix something in Node.js 20, there are fixes available for older versions, like Node.js 16, when needed.


Node.js Security Working Group Initiatives

There was good discussion about supporting environment variables as part of the Permission Model. The idea is to know explicitly what resources an application is accessing when it runs.

The current proposal is to add variable names into an allowlist using the –allow-env flag as shown below. Any variables not included in the allowlist will be inaccessible through process.env.

Assessment against security best practices to make progress. We are actively monitoring undici, node, and security-wg repositories. And we are improving the OSSF Scorecard undici that helps in our assessment in comparison with best practices.


Node.js Security Sustainability

Check out all of our recent speaking engagements:

We’re meeting with the Google Open Source Security Team to discuss the Permission Model. They’ve participated in our recent Security WG sessions, and we believe this is a positive step forward in helping with security sustainability.

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. 

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg

Node.js Security Progress Report – Automation, Automation and more Automation

By Blog, Node.js, Node.js Security

Last month, the Security Working Group initiatives focused on the Permission Model and Automated Update Dependencies. 

There were 10 security reports in April with more people participating than the previous month. Response time in April was 18 hours before the first response back from us, which is less than our goal of a 48 hour response time.

As always, thank you to OpenSSF and Project Alpha Omega for their continued support. The exact details of the partnership are outlined here in the Security Support Role 2023 document.

Automation Update Dependencies

In total, 11 dependency update automation were completed this month, which included undici, openssl, v8, npm and more. There are only 2 more automations to go.

As a reminder, the Security Working Group started investigating dependencies in Node.js in November last year. They identified automated updates, and which ones should be prioritized: https://github.com/nodejs/security-wg/issues/828. We can already see the benefits of this work by looking at the increased number of pull requests for dependency updates automatically submitted to the project. 

Security Release Automation

The Security Working Group is focusing on implementing automation for the key dependencies in the build. This makes the overall process easier and less prone to error, and it makes it possible in the future for different stewards to complete the process. 

There are currently 26 steps in doing a Node.js security release.If greater automation works, it will be a big step forward. Please expect more information on this topic soon!

Permission Model

There have been over 10 months of work on building a new Permission Model. To help clarify next steps and guide the discussion, a roadmap issue (#898) was created to discuss the future of the Permission Model. 

Are you interested in getting involved? The new Permission Model is still experimental, which makes it the right time for you to try it. Any bugs are considered vulnerabilities because they are security features. 

JavaScriptLandia Awards: Pathfinder for Security 

Last week at OpenJS World 2023, the OpenJS Foundation held their second annual JavaScriptLandia awards and recognized Rafael Gonzaga from Nearform. 

Rafael has made significant contributions to Node.js security and has received positive feedback on his efforts to improve the security ecosystem. His contributions to reports and blogs have generated great visibility from social media, and he has personally trained and brought engineers into the Node.js Security Working Group to build the community towards self sufficiency. 

Congratulations, Rafael!

Join Us!

Be sure to join us for this month’s meetings: https://github.com/nodejs/security-wg

Meta Joins the OpenJS Foundation

By Announcement, Blog, Jest

The creator of popular open source projects like React, React-Native and Jest, joins the OpenJS Foundation

SAN FRANCISCO – May 10, 2023 – The OpenJS Foundation, providing vendor-neutral support for sustained growth within the open source JavaScript community, is announcing today that Meta has joined as a gold member. 

“Welcome Meta! Their positive effect on the JavaScript ecosystem has been amazing. Heavy users at scale of JavaScript itself, creators of React and React-Native, creators of multiple key open source projects,” said Robin Ginn, OpenJS Foundation Executive Director. “We look forward to working more with Meta’s leadership and expertise to increase support for the diverse open source communities at OpenJS.”

Meta Open Source has been key in creating and open sourcing many projects crucial to the JavaScript ecosystem, such as React, Jest, and Flow. Last year, Meta contributed its popular JavaScript testing project Jest to OpenJS, which garnered an enthusiastic response from developers for this community-led project.

As a global leader with a mission of creating community and bringing people closer together, Meta understands the importance of open collaboration to sustain and improve JavaScript development. Working collectively with other member companies and with the guidance of the OpenJS Foundation, Meta will continue to contribute and advocate in the community. 

“Open source has the potential to be more inclusive and more empowering than ever. Joining the OpenJS Foundation is a large step forward in supporting our open source communities. We hope to provide not only leadership, but to learn from the community,” said Killian Murphy, Sr. Engineering Director, Developer Experience & Platforms. 

“The broader JavaScript ecosystem benefits from Meta becoming an OpenJS Foundation member. In fact, we’ve already been working together in multiple different ways, and this makes official what has already been a great relationship,” said Shayne Boyer, OpenJS Foundation Board Director. “

To learn more about how you can be a part of the OpenJS Foundation, click here.

OpenJS Resources

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Microsoft and Netflix. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

About Meta

Meta builds technologies that help people connect, find communities, and grow businesses. First launching Facebook in 2004, it changed the way people connect. Meta brings apps like Messenger, Instagram and WhatsApp to further empower billions around the world. Now, Meta is moving beyond 2D screens toward immersive experiences like augmented and virtual reality to help build the next evolution in social technology.

About Meta Open Source

Meta has long been a supporter of open source software and the open source community. In addition to making a lot of our engineering work publicly available, including sharing our research, code, designs, and engineering work, we also invest in organizations that are important for the long-term sustainability of the open source ecosystem.

About Linux Foundation

Founded in 2000, the Linux Foundation and its projects are supported by more than 2,950 members. The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

OpenJS World 2023 – Celebrating Innovation in the JavaScript Ecosystem

By Blog, OpenJS World

It’s day one of OpenJS World, the OpenJS Foundation’s semi-annual event bringing together the JavaScript and web development communities! 

Want to network and find out how you can get more involved in JavaScript? OpenJS World covers the broad spectrum of the JavaScript ecosystem, including technical content from OpenJS Foundation open source projects and much more. Be sure to tune in virtually for the remaining sessions this week: Virtual registration here.

The full schedule is available here, including talks by the OpenJS Foundation’s executive director Robin Ginn, Ethan Arrowood from Vercel, Abby Cabunoc Mayes from GitHub, Kazuhito Yokoi from Hitachi and many more!

We’re excited to share the progress of our members and projects this week at OpenJS World, read on to find out what’s new this week!

Meta Joins the OpenJS Foundation

Meta has joined the OpenJS Foundation as a gold member! Meta Open Source has been key in creating and open sourcing many projects crucial to the JavaScript ecosystem, such as React, Jest, and Flow. Last year, Meta contributed its popular JavaScript testing project Jest to OpenJS, which garnered an enthusiastic response from developers for this community-led project.

More details are available in our blog post.

Major Commitment to Security and Stability

The OpenJS Foundation has achieved significant milestones this year focused on improving JavaScript security. Last week, we announced that the Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, awarded the OpenJS Foundation EUR 875,000 (USD 902,000). This largest ever government investment in a Linux Foundation project will allow us to deliver infrastructure updates across our project portfolio through a single-scalable solution and develop and deliver security and maintenance policies and practices for critical projects.

Additionally, our continued work with OpenSSF’s Project Alpha-Omega has granted funding for both Node.js and jQuery this year. Alpha-Omega is committing $300,000 to focus on improving supply chain security by improving Node.js security infrastructure. The funding is bolstering the Node.js security team and vulnerability remediation efforts, with a focus on supporting better open source security standards and practices. It was started in 2022 and renewed in 2023. Alpha-Omega is also committing another $350,000 to reduce potential security incidents for jQuery by helping modernize its consumers and its code. OpenJS, working with the jQuery maintainers and industry experts, will conduct an ecosystem risk audit, work on an expansion of its infrastructure modernization project, and build and promote a web modernization campaign for awareness and buy-in.

Championing our Community with Awards and Discounts!

At OpenJS World today, we are announcing our second annual JavaScriptLandia award members, showcasing an incredible array of creativity, diversity and energy – check them out in our blog post! Maybe you can be one of the winners next year!

Also, if you’re interested in improving your technical skills and understanding how you do on vendor-neutral certification tests, we have a OpenJS World-only discount available for you. We’re offering 60% off Node.js Training and Certification bundles with code OPENJSWORLD2023.

Certification is an important component of building and strengthening the JavaScript ecosystem. Certified developers can quickly establish credibility and value in the job market. Certification also allows companies to locate and hire high-quality teams to support their growth.

We hope you’ll tune in virtually to our event this week! After OpenJS World is over, we’ll have the videos up on our YouTube page to view on demand.

Happy OpenJS World!

JavaScriptLandia Community Awards Showcase Creativity, Diversity and Energy

By Blog, JavaScriptLandia

From OpenJS World 2023 – The OpenJS Foundation is celebrating 6 key community leaders, honoring them with our second annual JavaScriptLandia Awards for contributions to education, standards, security and more. Award Winners were recognized at OpenJS World on Wednesday, May 10, and received a plaque and digital badge.

JavaScriptLandia is the home of the OpenJS Foundation’s individual supporter program, where community members can pledge support for OpenJS projects, maintainers, and get more involved in the community while earning badges and other perks.

The nominations for the awards opened in March and were sourced from the broader JavaScript community. Nominations were reviewed by OpenJS Foundation CPC members, board members, and staff and were chosen by consensus.

There are 6 awards available: 

  • Unsung Hero
  • Leading By Example
  • Outstanding Contribution from a New Arrival
  • Pathfinder Awards
    • for Standards
    • for Education
    • for Security 

Unsung Hero nominees are recognized for their willingness to do things that aren’t high profile, glamorous, or even fun, but are important for a well-functioning project and community. Unsung Heroes often do this work with a smile, even if they aren’t being recognized regularly for their contributions. 

Leading by Example nominees are known for demonstrating leadership qualities in their communities that reflect OpenJS Foundation values, like being humble, helpful and hopeful. Exemplary leaders embody open source in spirit and in practice, and inspire others to do the same.

Outstanding Contribution from a New Arrival nominees are new participants in our project spaces who are making a big difference – from contributing new ideas, new leadership on a project workstream, helping with project operations, to community building and more. These individuals are rising stars who help bring fresh energy to our projects.

Pathfinder Awards nominees are people from across the JavaScript ecosystem who have made significant contributions in key areas for OpenJS, including Education, Standards, and Security. These individuals not only move things forward, they bring people along with them as they go, helping to light the way for all. 

The 2023 JavaScriptLandia Awards recipients are:

Unsung Hero

Richard Lau, Red Hat

Richard has been consistently doing an amazing job taking care of the infrastructure that powers the Node.js project while also contributing to both the TSC and the Release Working Group. His dedication is an inspiration to all collaborators.

Leading by Example

Danielle Adams, AWS

Danielle volunteers her time as a Node.js releaser and TSC member. She is smart, reliable, and always positive in the large undertaking of a Node.js release. She also educates the industry on the Node.js release cycles to better prepare developers around the world, like presenting at NodeConf EU 2022 on The Life and Times of a Node.js Release. Danielle is a champion for underrepresented communities. Last year, she helped lead the Grace Hopper Open Source Day Node.js hackathon, mentoring women and nonbinary developers on their first successful PRs to the Node.js project.

Outstanding Contribution from a New Arrival

Claudio Wunder, HubSpot

Claudio has made significant contributions to the Node.js website and plans to improve the project’s documentation generation to help generate metadata needed for the TypeScript ecosystem. Both of these projects are complex, requiring working with many project members, getting buy-in and doing consistent work. His enthusiasm and determination to move things forward is great to see. Claudio has ramped up and contributed in record time.

Pathfinder Award for Education

Erick Wendel

Erick has done a lot of work to promote Node.js to developers. Erick has done over 115 conference presentations and talks around the world to help developers learn about Node.js. Anything from his YouTube video channel that covers advanced JavaScript to his courses on Node.js Streams to his recent experiments on building the Node.js runtime from scratch to engage developers in a fun way.

Pathfinder Award for Security

Rafael Gonzaga, NearForm

Rafael has made significant contributions to the Alpha-Omega project jointly with the OpenJS Foundation and the OpenSSF and received very positive feedback on his efforts to improve the Node Security ecosystem. His contributions to reports and blogs have generated great visibility from social media, and he has personally trained and brought engineers into the Security Working Group to build the community towards self sufficiency. 

Pathfinder Award for Standards 

Brian Kardell, Igalia

Brian has been instrumental in bringing web developers into standards throughout his career. He has an abiding interest in bettering the future web. He has been dedicated in the past year to MathML and bringing more features to the web platform.

OpenJS Foundation and the Sovereign Tech Fund: Creating secure and modern technology and policy

OpenJS Foundation Receives Major Government Investment from Sovereign Tech Fund for Web Security and Stability

By Announcement, Blog

Read more details here: OpenJS Foundation Receives Largest One-Time Government Investment

We’re so excited to announce that the OpenJS Foundation has been selected to receive an investment from the Sovereign Tech Fund (STF) to help build the future of JavaScript infrastructure and security. 

The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is investing EUR 875,000 (USD 902,000) in the OpenJS Foundation. 

This is the largest one-time government support investment ever to a Linux Foundation project. We’re grateful to the STF team for supporting this initiative!

Our goal is to help our open source projects gain more secure and modern technologies and policies for the web. In collaboration with community leaders in our OpenJS Security Collaboration Space, and the Linux Foundation IT team, we developed a plan that we hope will scale across the JavaScript ecosystem.

We will do the following over the next two years:

  • Deliver infrastructure updates across our project portfolio through a single-scalable solution, while implementing a responsible sunset program for inactive projects.
  • Develop and deliver security and maintenance policies and practices for critical projects.

The OpenJS Foundation’s JavaScript technologies are widely used around the world, and building development infrastructure with longevity and stability remains a key function of the OpenJS Foundation. 

We want to continue to improve and build a JavaScript ecosystem that will continue to flourish over the next decade, and the support from the Sovereign Tech Fund will make that commitment a reality. 

Government support of open source

Governments, the private sector, and individuals all rely on JavaScript, and we pride ourselves on growing our security and trust in the web technologies they use. 

The Sovereign Tech Fund’s investment in the OpenJS Foundation will scale our hosted projects today and in the future. At the same time, it will help our projects adopt more secure and modern technologies and policies, with the goal of being self-sustaining in the future.

We hope that this will start to build a JavaScript ecosystem that will continue to flourish not only in Germany, but around the globe. It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in the critical open source infrastructure that powers the web.

Expanding our security practices

We’ve been working to modernize and improve our security practices in other areas, with the help of the Open Source Security Foundation (OpenSSF) Alpha-Omega project. 

Earlier this year, jQuery received USD 350,000 to reduce potential security incidents by helping modernize its consumers and its code. This is also the second year that Alpha-Omega has funded Node.js – resulting in great progress improving Node.js security – which we’ve been reporting on monthly.

What’s next

We’re excited to begin, and have already engaged members of the Linux Foundation IT team to assist with the work. We’ll be sure to keep our OpenJS blog updated as we make progress!

Big thank you to the Sovereign Tech Fund and the German Ministry for their generous support of open source. We hope that their leadership will inspire governments around the world to follow suit!

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 41 open source JavaScript projects including Appium, Dojo, Jest, jQuery, Node.js, and webpack and is supported by 30 corporate and end-user members, including GoDaddy, Google, IBM, Joyent, Netflix, and Microsoft. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.