The OpenJS Foundation has announced a community-led effort to ensure Lodash’s long-term reliability by opening up its governance, improving its security posture, reducing its issue backlog, modernizing its infrastructure, and planning for the future. The Sovereign Tech Agency (STA) has commissioned work to support this transition. @jdalton, Lodash’s original creator, is fully involved in this effort.
In the upcoming months, we plan to tackle the following items:
1. Establish open governance & transition to Feature-Complete maturity stage
Formalize Lodash’s new open governance model through the creation of a Technical Steering Committee (TSC) and transition into the Feature-Complete maturity stage. This will ensure transparent stewardship, continuity with the project’s origins, and a durable commitment to stable, secure maintenance.
- Empower the upcoming TSC to start working on the project as soon as possible. (See Account for governance and maturity stage transition #6036).
- Set up project governance including a new project charter. Request a charter review from the OpenJS Cross Project Council (CPC).
- Formalize the new TSC, elect a Chair, and kick off regular CPC public calls.
- Request CPC approval to transition Lodash to the Feature-Complete maturity stage. This stage is not a sunsetting or archival; it represents a long-term commitment to stable, secure, and sustainable maintenance.
2. Address backlog & adopt security best practices
Strengthen the security of the Lodash ecosystem by addressing the backlog of vulnerabilities, aligning with industry standards, and improving community trust. The work will include a comprehensive review and resolution of known security issues, enhancements to security processes, and long-term planning for sustainability in this critical area.
- Triage and prioritize the backlog of all outstanding security reports, implementing patches and security updates.
- File the appropriate Common Vulnerabilities and Exposures (CVE) records through the OpenJS Foundation's CNA (CVE Numbering Authority).
- Establish a robust and documented security vulnerability reporting process using GitHub Security Advisories, enabling timely follow-ups and consistent handling by the Security Team. (See: Backlog: Adopt Security Best Practices #6027)
3. CI/CD restoration & plan future feature deprecation and release automation
Reduce Lodash’s code and packaging complexity and long-term maintenance burden to increase vulnerability-patching velocity and lower maintenance cost.
- Restore and modernize the Continuous Integration (CI) system to ensure that all changes are tested efficiently and reliably.
- Restore and modernize lodash.com's CI/CD pipeline to simplify website updates and leverage it to communicate API deprecation notices, EOL dates for legacy versions, security updates, etc.
- Develop a feature deprecation plan to reduce Lodash’s overall attack surface and maintenance overhead.
- Develop a plan to support secure, multi-version publishing of Lodash packages across all versions available on npm, helping to minimize manual intervention and release risk.