
Ulises Gascón / Sponsors

Sponsors

If your company runs JavaScript in production, some of my work is running in your infrastructure right now. I maintain hundreds of packages across the npm ecosystem, coordinate security for many OpenJS Foundation projects, ship Node.js releases, and help govern Express, Lodash, and Yeoman.

Most of this work is volunteer. Initiatives like the Sovereign Tech Fund and Alpha-Omega have provided critical support at key moments. But funding is temporary. The work isn't.

Looking to hire me instead? Jump to Working Together.

The Work

This is what your sponsorship sustains:

Security response. I triage vulnerability reports, write patches, and coordinate CVE disclosures for packages you probably depend on. When a CVE lands, it needs to be assessed, fixed, and shipped. Details.

Stable releases. I'm one of a small group of people authorized to ship Node.js releases. I also release across the Express ecosystem. Each release reaches hundreds of millions of environments.

Infrastructure. I maintain the CI/CD systems that build and test Node.js, the tools that monitor security posture across organizations (OSSF Scorecard Monitor, Scorecard Visualizer), and the Command Center that tracks compliance for the OpenJS Foundation.

Governance. I write threat models, incident response plans, and security policies. I coordinate across organizations that don't always agree. I mentor new maintainers. This is the work that keeps the ecosystem trustworthy. Details.

The Reality

Every project I engage with, I try to build an ecosystem around it: governance, security processes, new maintainers, sustainable structures. But my time is finite. These packages don't maintain themselves. There is no company behind this. There are no employees.

"Node.js has no employees, nor does Express. Most of your favorite maintainers, the people who build and maintain the libraries we all use to keep the world running, still aren't paid in most cases." — Source

Sponsoring this work is a direct investment in the reliability and security of your own supply chain.

🏷️ Sponsorship Tiers

On December 3rd at 8:30 PM, a critical React Server Components vulnerability dropped with a CVSS score of 10.0. Within minutes, Orbitant (a Platinum sponsor) had someone in their Slack who understood the impact, helped assess exposure, and coordinated the response. By the next morning, they had full visibility and patches rolling out while most companies were still finding out about it.

"Information flows faster than coffee in our Slack when a critical CVE appears. And that's exactly what we're looking for." — Orbitant

When Express 5.0 shipped after a decade, sponsors understood the migration path from someone who helped build it. When Node.js changed its release schedule, sponsors understood the implications before the announcement went public.

Whether you're an individual developer, a startup, or a large organization, there's a tier for you:

| Tier | What you get |
| --- | --- |
| Supply Chain Supporter | Early access to my informal newsletter |
| 🥉 Bronze Sponsor | Logo on my GitHub and website + shout-out on social media |
| 🥈 Silver Sponsor | All Bronze perks + quarterly strategy call |
| 🥇 Gold Sponsor | All Silver perks + I join your team's Slack (or equivalent) for async ecosystem input |
| 💎 Platinum Sponsor | Custom agreements for larger orgs (compliance, ecosystem alignment, long-term support, NDAs, invoicing) |

📣 Want to get your company on board?

Your company ships JavaScript in production. It depends on packages I maintain. You know this. Your manager probably doesn't. Here's a ready-to-send message you can forward to your engineering lead, OSPO, or CTO:

🔖 Copy this email and send it

Subject: Sponsoring a key open source maintainer we depend on

Hi [name],

I wanted to flag someone whose work directly affects our stack. Ulises Gascon is a Node.js core collaborator, Express TC member, and Lodash TSC member. He maintains hundreds of npm packages that we likely depend on, coordinates security disclosures for projects under the OpenJS Foundation, and ships Node.js releases that reach hundreds of millions of environments.

If our builds depend on Express or Node.js, they depend on his work.

Here's what his work looks like in practice:

Sponsorship starts at $5/month for individuals. Company tiers with logo placement and direct access are also available.

Sponsorship details: https://github.com/UlisesGascon/ulisesgascon/blob/main/sponsors.md

Happy to discuss if you'd like more context on how his work affects our projects.


Working Together

I'm available for freelance and consulting work. My background spans security, supply chain, release engineering, and open source governance across projects like Node.js, Express, and Lodash. Companies like Google, IBM, and NodeSource have trusted me over the years, along with many startups.

While your engineers use the software I maintain, I can do much more from the inside: maintain your customized forks, ship the features you need, and fix the bugs that are blocking your team. I sit in the governance meetings where decisions about your dependencies get made. It's not every day you can have a voice inside your own supply chain and the ability to actually change things.

Let's talk · Full background · LinkedIn

🔙 Back to profile