The Scale

Express

• Powers millions of servers worldwide.

• Spans 3 GitHub organizations and maintains 60+ npm packages.

• Receives over 50 million weekly downloads in npm.

• Altogether, its ecosystem exceeds 52 billion downloads per year.

The Invisible Backbone of the Web

source: BuiltWith​

Powers millions of servers worldwide.

Lodash

• Over 2.57 billion weekly downloads, across npm packages in various distributions.

• Used on 9.3 million+ live websites, including ~33% of the top 10,000 sites (BuiltWith).

• The #1 most directly used version-agnostic npm package in production applications (The Census II report).

The Utility Belt of the JavaScript World

source: BuiltWith​

Powers millions of websites worldwide.

The Chaos

When Open Source Breaks

The Major Problems before 2024

• Performance limitations due to early architectural choices (e.g. monkey patching) and legacy Node.js support (as far back as [email protected]).
• Not part of Node.js CITGM (Canary in the Gold Mine) due to unstable tests.
• Express 5 has been in development for nearly a decade, awaiting final release.
• Limited bus factor (≈1) and no clear governance model for long-term sustainability.
• Large backlog of open issues and pull requests awaiting review and release.
• Security posture could benefit from modernization and more active triage resources.
   

The Human Side

Express represents about $6.2M in development effort...
And this is the team that made it possible from 2010 to 2023

Burnout is very real...
Maintaining a popular Open Source project is really hard.

The Turning Point

From Chaos… to Collaboration

The Plan

• Establish effective governance — a Technical Committee (TC), repository captains, and committers; plus community-driven working groups.

• Strengthen security with a threat model, external audit, a clear incident-response plan, and a dedicated security triage team.

• Announce and maintain an LTS release schedule

• Rework and release Express 5

• Lay the groundwork for Express 6 and Express 7, focusing on removing monkey-patching and legacy constraints.

• Re-engage with the Node.js core ecosystem

• Ensure long-term sustainability for the maintainers and the community.

The Rebirth of Express

Having a plan is just the beginning...
We needed to rebuild trust by delivering on our promises.

The Main Achievements

• Launched a new governance structure: formed a fresh Technical Committee and defined transparent processes. 

• Established a dedicated Security Working Group and triage team, adopted a formal threat model and rapid-response framework for vulnerabilities.

• Delivered Express 5.0, the long-awaited major release, laying out the roadmap for future versions (Express 6.0 and beyond).

• Re-integrated Express.js into the broader Node.js ecosystem (including the CITGM) to solidify compatibility and ecosystem trust.

• Received Impact Project status under the OpenJS Foundation

Not everything is a drama...
even if it looks like it.

What makes Express… Express?

The Vision

Express is a minimal, scalable, and stable web framework for Node.js with a welcoming community that empowers developers of all levels.

The Mission

Our mission is to make it easier for developers to build great software by clearing away the complexity of server-side development in Node.js

Our values...
guide us through the chaos.

Established

Developers already know Express. It's widely adopted, deeply familiar, and always in the conversation when choosing a web framework. People don't ask "Why use Express?" — they ask "Why not?"

Express is the default choice, not a question mark

Dependable

Express is professional, stable and responsibly maintained. What you learn today stays relevant tomorrow. We avoid breaking changes, and when things go wrong, our scale means we notice — and fix — it fast.

Build to last, trusted to work.

Approchable

Express is easy to pick up and effortless to adopt. With minimal concepts and lightweight documentation, anyone can get going quickly — whether you're prototyping or building something serious

Start fast, stay flexible.

The Invisible Work

The Secret Sauce

• Opened multiple communication channels with our community (Slack, social media, blog posts, YouTube, etc.).

• Formed a Technical Committee (TC) to guide and lead the project.

• Built a clear backlog for every major goal

• Adopted consensus-based decision making and documented every step.

• Created a safe and inclusive environment

• Invested in mentoring and training the next generation of maintainers.

• Organized work into teams and working groups, empowering contributors to lead.

• Established a dedicated security triage team and strengthened defenses through best practices

The OpenJS Foundation

• The OpenJS Foundation provides a neutral home for critical JavaScript projects, ensuring long-term sustainability, open governance and ecosystem collaboration.
• Through the Cross Project Council (CPC), the Foundation enables technical governance, coordination between projects and shared best-practices.
• For me, this means access to governance frameworks, security guidance and the backing of a recognized ecosystem body

Echoes in Lodash

Lodash worth $3.7M...
Here is the team that made that possible from 2012 to 2025

The Major Problems

• Maintenance model: one maintainer doing the heavy lifting under a BDFL (Benevolent Dictator For Life) approach.

• Hundreds of variant packages, significantly increasing maintenance complexity.

• Fragmented CI infrastructure with many pending changes that couldn’t be easily tested or landed.

• Some utilities increase Lodash’s security attack surface, requiring frequent reviews and triage effort.

• The community has been waiting for Lodash 5 for several years, with no stable release yet delivere

The Future of Lodash

The Goals

• Establish a governance structure: transition from the BDFL model to a Technical Steering Committee (TSC) that shares decision-making and seeks consensus.

• Simplify maintenance by deprecating variant packages and consolidating them into the main library.

• Restore and modernize CI infrastructure so changes can land reliably and releases are centralized.

• Improve security posture: adopt a threat model, formalize triage, request CVEs via CNA, build an Incident Response Plan (IRP), and conduct an external audit.

• Offer a clear future: prioritize stability over new features, progressively rewrite using native functions, limit compatibility to modern platforms, and simplify migration for users.