Ulises Gascón / Community Impact

Community Impact

Code is the easy part. The hard part is everything around it: governance, security, releases, mentoring, and the slow work of turning fragile projects into sustainable ones. Most of this happens in working groups and committees that few people outside the ecosystem ever see. I've been deeply involved in this world for over a decade. Along the way I've also written books, spoken at dozens of conferences, and spent years mentoring new developers into open source. This is what that looks like.

Express.js

Express is an ecosystem of 60+ packages spanning three GitHub organizations, powering millions of servers. I joined the triage team in 2020, but the real turning point came in 2024 when together with Wes Todd and Jean Burellier we put together the Express Forward Plan. The project had been in maintenance mode for years. Express 5 had been "almost ready" for close to a decade. We needed a concrete path forward: reformed governance, new Technical Committee seats, a release strategy, and a clear roadmap through Express 5, 6, and 7.

That work led to Express 5.0 shipping after a decade of waiting, Express 5.1 becoming the default on npm with the first-ever LTS plan, Impact Project status at the OpenJS Foundation, a full security audit coordinated with OSTIF, and a Security Working Group with a dedicated triage team and a bug bounty program. The Express security work was part of the GitHub Secure Open Source Fund, a program that collectively disclosed 50+ CVEs and remediated 1,100+ vulnerabilities across 71 projects.

Today I serve as repo captain for 28+ libraries across the Express, jshttp, and pillarjs organizations, plus the triage team, security WG, and archived packages. We also unified the security policy across all repositories, deprecated legacy packages to reduce attack surface, established the Express Performance WG, and adopted Never-Ending Support (NES) with HeroDevs for enterprise-grade EOL support.

"This mattered because it rebuilt something more important than code: trust." — Source

Learn more: Open Source Doesn't Fail Because of Code, A New Chapter for Express.js, and What Comes After Chaos? (talk)

Lodash

Lodash is the most directly depended-on package on npm in production, counting all of its versions together: 2.4 billion weekly downloads, 9.3 million websites, and one-third of the top 10,000 sites rely on it. And for years, one person carried the entire weight of maintaining it.

The problem was never commitment. It was structure. Hundreds of variant packages, a fragmented CI system, and a flood of invalid vulnerability reports that drained the maintainer's time. The community kept asking for Lodash 5 while the project was still trying to survive Lodash 4 without collapsing under its own operational weight.

We applied what we learned from Express. A Technical Steering Committee to distribute decisions. A Threat Model to define what counts as a vulnerability and what doesn't. An Incident Response Plan so security disclosures follow a process instead of panic. A major security overhaul to clear the backlog and reset the project's security posture. Rebuilding CI forced us to make many things explicit that had previously lived only in people's heads: supported environments, security boundaries, release criteria.

From the Lodash creator, John-David Dalton:

"The help around the project tech-debt... and help around process has been critical to achieve movement." — Source

Learn more: The Future of Lodash, Inside Lodash's Security Reset, and Lodash Rolls Out Major Security Overhaul

Node.js

Node.js runs on hundreds of millions of machines. My involvement has evolved over the years depending on where the project needed help most: releases, build infrastructure, security, and performance. I have hosted dozens of meetings across these working groups.

Releases

I am one of a small group of people authorized to build, sign, and ship Node.js releases. Each release reaches hundreds of millions of environments.

Node.js Core Collaborator since 2024. Member of the Release WG since 2023. I have authored releases including v20.6.0, v20.7.0, v20.11.0, v20.19.1, and v22.15.0. I also participated in the initiative to evolve the Node.js release schedule, transitioning from two major releases per year to one annual release starting with Node.js 27.x. Beyond releases, I author commits, review and merge contributions, and help onboard new collaborators.

Build infrastructure

The Node.js Build Team manages the CI/CD infrastructure that tests Node.js across dozens of OS and architecture combinations. When machines go down, someone brings them back. When Apple changes their signing tools, someone migrates.

Some of the work I've contributed: recovering MacStadium and Windows machines after failures, transitioning to notarytool for macOS signing, introducing Terraform for Cloudflare, moving to ephemeral machines with Packer, and building the distribution system monitoring and R2 migration monitoring tools. Jenkins admin since 2023.

Security posture

Member of the Node.js Security WG since 2022. I co-authored the Official Threat Model, the Contributor Threat Model, and the Security Best Practices.

Adopting the OpenSSF Scorecard across the Node.js organization was one of the harder initiatives. No existing tooling could track Scorecard results across dozens of repositories over time, so we built it. The OpenSSF Scorecard Monitor and the OpenSSF Scorecard Visualizer started as solutions for Node.js and ended up becoming official OpenSSF tools. We also helped achieve CII Best Practices Gold (now the OpenSSF Best Practices Badge) for Node.js. Full details in Security Work.
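To make the tracking problem concrete, here is an added example (not the Scorecard Monitor's own code) that diffs two snapshots of Scorecard results for a set of repositories and surfaces per-check regressions. The record shape follows the public Scorecard JSON output (`repo.name`, `score`, and a `checks` array of `{ name, score }`, where -1 means the check was inconclusive); the repositories, dates and scores are constructed sample data, and the `minDelta` threshold is an illustrative parameter, not a Scorecard setting.

```javascript
// Added example, not the OpenSSF Scorecard Monitor's code: diff two snapshots of
// Scorecard results across repositories and report per-check regressions.
// Record shape follows the public Scorecard JSON output; all data is constructed.

const INCONCLUSIVE = -1; // Scorecard emits -1 when a check could not be evaluated

const previousSnapshot = [
  {
    repo: { name: 'github.com/example-org/app' }, date: '2025-01-06', score: 7.4,
    checks: [
      { name: 'Branch-Protection', score: 8 },
      { name: 'Token-Permissions', score: 10 },
      { name: 'Pinned-Dependencies', score: 6 },
      { name: 'Signed-Releases', score: INCONCLUSIVE },
    ],
  },
  {
    repo: { name: 'github.com/example-org/lib' }, date: '2025-01-06', score: 5.1,
    checks: [{ name: 'Branch-Protection', score: 5 }, { name: 'Token-Permissions', score: 0 }],
  },
];

const currentSnapshot = [
  {
    repo: { name: 'github.com/example-org/app' }, date: '2025-02-03', score: 6.9,
    checks: [
      { name: 'Branch-Protection', score: 3 },   // protection weakened: a regression
      { name: 'Token-Permissions', score: 10 },
      { name: 'Pinned-Dependencies', score: 7 }, // one more action pinned
      { name: 'Signed-Releases', score: 8 },     // previously inconclusive: not comparable
    ],
  },
  {
    repo: { name: 'github.com/example-org/lib' }, date: '2025-02-03', score: 7.8,
    checks: [{ name: 'Branch-Protection', score: 5 }, { name: 'Token-Permissions', score: 10 }],
  },
  {
    repo: { name: 'github.com/example-org/new-tool' }, date: '2025-02-03', score: 4.2,
    checks: [{ name: 'Branch-Protection', score: 0 }], // repo not present in the previous run
  },
];

// Map check name -> score for one repository result.
function checksByName(result) {
  return new Map(result.checks.map((check) => [check.name, check.score]));
}

// Compare two snapshots. `minDelta` (illustrative threshold, not a Scorecard
// setting) is the smallest score change worth reporting. A check that was
// inconclusive on either side is skipped: -1 is "unknown", not a low score.
function diffSnapshots(previous, current, { minDelta = 1 } = {}) {
  const prevByRepo = new Map(previous.map((r) => [r.repo.name, r]));
  const currByRepo = new Map(current.map((r) => [r.repo.name, r]));
  const report = { regressions: [], improvements: [], added: [], removed: [] };

  for (const [repo, curr] of currByRepo) {
    const prev = prevByRepo.get(repo);
    if (!prev) {
      report.added.push(repo);
      continue;
    }
    const before = checksByName(prev);
    for (const [check, to] of checksByName(curr)) {
      const from = before.get(check);
      if (from === undefined || from === INCONCLUSIVE || to === INCONCLUSIVE) continue;
      const entry = { repo, check, from, to };
      if (from - to >= minDelta) report.regressions.push(entry);
      else if (to - from >= minDelta) report.improvements.push(entry);
    }
  }
  for (const repo of prevByRepo.keys()) {
    if (!currByRepo.has(repo)) report.removed.push(repo);
  }
  return report;
}

// Render the report as plain lines, regressions first so they are hard to miss.
function formatReport(report) {
  const lines = [];
  for (const r of report.regressions) lines.push(`REGRESSION  ${r.repo}  ${r.check}  ${r.from} -> ${r.to}`);
  for (const r of report.improvements) lines.push(`improvement ${r.repo}  ${r.check}  ${r.from} -> ${r.to}`);
  for (const repo of report.added) lines.push(`added       ${repo}`);
  for (const repo of report.removed) lines.push(`removed     ${repo}`);
  return lines.join('\n');
}

console.log(formatReport(diffSnapshots(previousSnapshot, currentSnapshot)));
```

In a real pipeline the two snapshots would come from the Scorecard API or from a scheduled action's saved results; the point the sample makes is that per-check deltas, not the aggregate score, are what tell you a branch-protection rule was relaxed while an unrelated check improved, and that inconclusive results have to be excluded rather than treated as a drop to zero.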

Shaping the future

Founding member of the Performance Team since 2022. Participant in the Next 10 Team, where I helped kick off the security model initiative that eventually led to the Permission Model API. Creator of the Node.js News Feeder.

Learn more: Evolving the Node.js Release Schedule, You should use the OpenSSF Scorecard, How does the Official Node.js News Feeder work?

OpenJS Foundation

The OpenJS Foundation hosts projects like Node.js, jQuery, webpack, Electron, and Express. I serve on its governance body and coordinate security across many of them.

Voting Member of the Cross Project Council since 2024. I serve as primary coordinator of the OpenJS Foundation CNA (CVE Numbering Authority), the body that assigns CVE IDs for vulnerabilities in the foundation's projects. Creator of the OpenJS Foundation Command Center for security and compliance monitoring. Author of the OpenJS Foundation Incident Response Plan.

As part of the OpenJS Security Working Group, I was in the emergency security meetings coordinating the response when the npm Shai-Hulud supply-chain attack and the axios compromise hit.

I also led the creation of a sustainability working group, co-authored research on secure npm publishing, contributed to the EU Commission consultation on the Cybersecurity Act via the ORC WG, and participated in the OpenJS AI Working Group. In 2024, I received the JavaScriptLandia Leading by Example award from the OpenJS Foundation.

Learn more: The OpenJS Foundation is now a CNA, OpenJS Foundation Security Program: Annual Report 2025, Publishing More Securely on npm

Also involved in

TC39 — Delegate for the OpenJS Foundation since 2024. TC39 is the standards body behind the JavaScript language. I focus on security through TG3, the TC39 security task group, and help bring ecosystem feedback through the JS outreach groups.

Yeoman — Core Team since 2019 through my contributions to generator-webapp. Together with Josh Goldberg, we co-led the 2025 maintenance reboot and I led the security overhaul across the organization.

Webpack — Kicked off the Security WG in 2025 and authored the Threat Model. Part of the triage team since 2026.

OpenSSF — Maintainer of Scorecard Monitor and Scorecard Visualizer, tools that started as solutions for Node.js and became official OpenSSF projects.

OWASP — Member since 2022 and NodeGoat contributor since 2019.

One Beyond (previously Guidesmiths) — Built an Open Source Program Office (OSPO) from scratch as Head of Open Source. I keep maintaining many of the npm packages to this day.

Awards for community contributions: JavaScriptLandia, Leading by Example (2024) · Docker Captain (since 2023) · Google Developer Expert (since 2019) · Snyk Ambassador (2023-2026) · Microsoft MVP (2023-2025)

💚 Why This Matters

Most of what I do doesn't show up in a contribution graph. Mentoring new maintainers. Writing governance documents. Hosting dozens of meetings across working groups. Reviewing security reports at odd hours. Building consensus across organizations that don't always agree. I keep doing it because the ecosystem is worth it.

"This is slower work. Less visible. Less exciting on social media. But this is what transformation looks like in mature infrastructure." — Source
