
Node.js Homepage Adds Paid Support Link, Prompting Contributor Pushback

A new Node.js homepage button linking to paid support for EOL versions has sparked a heated discussion among contributors and the wider community.


Sarah Gooding

June 25, 2025

Over the past week, the Node.js project found itself caught in a heated governance debate and public controversy sparked by a new button on its homepage. The discussion was amplified over the weekend when Node.js TSC member Yagiz Nizipli highlighted the issue in a series of now-deleted tweets that called Node.js governance into question.

The button promotes paid extended security support for older Node.js versions, offered by the third-party vendor HeroDevs. While the intention is to help fund the project's infrastructure, the way it was added, and how prominently it appears, have divided core maintainers and raised bigger questions about process, transparency, and open source sustainability.

The tweet that initially drew attention to the issue was deleted after multiple individuals reported it to the Node.js moderation team. According to people familiar with the situation, the moderation team requested its removal, citing a governance clause that some interpret as discouraging public criticism of Node.js. While the moderation process is not public, the deletion has heightened tension and had a chilling effect on an already sensitive discussion about how contributors can voice concerns.

Late last week, the Node.js website quietly launched the new call-to-action under the install button, designed to bring more visibility to EOL support services: “Get security support for Node.js 18 and below.”

The button directs users to HeroDevs, a commercial provider selling security support for Node versions that are officially End-of-Life (EOL). HeroDevs, a Gold member of the OpenJS Foundation, returns a share of that revenue back to Node.js, helping fund the project’s essential release and build infrastructure as part of the Ecosystem Sustainability Program (ESP).

Critics quickly pointed out that the new support button was not only large and eye-catching but also bigger than the main "Install Node.js" button itself. In his tweets and on GitHub, Nizipli and others questioned both the design and the way the decision appeared to have been made behind the scenes.

"This shouldn't have progressed without a formal TSC meeting and a vote (if required) since I have an explicit -1 comment here," Nizipli commented on the related GitHub issue.

Meanwhile, others felt they had a green light from the OpenJS Foundation leadership to ship the change urgently. In a now-locked discussion, TSC member James Snell argued:

The HeroDevs work is not just some arbitrary third-party reference. It helps to bring in critical funds needed to support things like our release infrastructure. The Foundation alone has ownership over all fundraising efforts and has zero obligation to share any of the contractual details with the project.

How the Decision to Add the Security Support Button Landed

Node.js Web Infrastructure Team member Matt Cowley added more context in the GitHub discussion on how the decision landed.

"Apologies if my comment on moving forward skipped process here -- in the meeting, the Foundation made it clear to us (or at least, that's how it came across to me) that this must happen and urgently, hence this has now been shipped over the weekend," Cowley commented.

"A few of us just met in a call to discuss how we move forward here. After some discussion, it was agreed that we do need to move forward with promoting this ESP as the situation with folks using EOL versions is a significant security problem for the ecosystem (for example, Node.js 12 is getting ~25 million downloads per month still), and with the agreement that's in place with the ESP, it will also help bring in some additional cash into Node.js."

Node.js TSC member Matteo Collina added additional context around the decision, and indicated that this is the first iteration.

"The rationale behind this change is that this is a test to see if it can bring this program up to the level of funding for the project we need," Collina commented. "None of this is set in stone either, we need to verify with data if this works.

"There is a more subtle way of doing this that we would be working on in the next few weeks, but that will take more time and iterations."

Earlier in the discussion, Collina had advocated for raising the visibility of upgrading Node.js to supported versions by linking to the support page, since use of older versions remains widespread.

In short: some saw it as necessary fundraising, others saw it as a breach of process and a bad user experience.

Calls for More Transparency

Amid the confusion about communication and the decision-making process, one theme echoed from many sides: governance needs to be clearer, and major funding or branding decisions should be discussed more openly.

“I also think it would've been better for the discussion to happen in public before landing the changes," TSC member Joyee Cheung commented.

"The lesson that we need to learn, once again, is that TSC meeting - especially the private section - is the wrong venue to get consensus, at most it can be used for getting a sense of the temperature in the room. Asynchronous communication would work much better for people to evaluate a decision and think it through, and avoid ignoring standing objections.”

Cheung also proposed considering an approach similar to Vue.js, where EOL announcements live on a project page with context first and then mention paid options for those who truly need them.

Others also questioned whether a direct link to a paid vendor was the best way to inform users about EOL versions.

"No one in the security space looks at the website," Node.js contributor Brian Muenzenmeyer commented. "It's for end users, and tooling increasingly keeps them in their IDE anyway.

"The surefire way to get attention and actually enact change is to issue CVEs." Node.js issuing CVEs for EOL versions was a controversial decision, but Muenzenmeyer reports that it got the attention of his security partners within days of issuance.

"IMO linking to https://nodejs.org/en/blog/announcements/node-18-eol-support is better than redirecting to a third party website in the homepage directly," Cheung suggested. "We do want people to upgrade to reduce support burden, but we should be careful not to create an image of [the] project constantly reeking serious and impactful vulnerabilities that can lead to disasters to all use cases."

OpenJS Is Tracking a 50% Shortfall in ESP Partnership Budget

In the most recent TSC meeting held today, OpenJS Executive Director Robin Ginn joined to discuss the ESP program. She shed some light on the current financial status, noting that the foundation is tracking a 50% shortfall in the ESP Partnership budget.

Ginn highlighted the fact that ESP is opt-in for OpenJS-hosted projects. It is structured to deliver a 15% revenue share, where 10% goes to the project and 5% to the foundation, with payments made every six months. Although from an outside perspective it may appear that Node.js is going all-in on HeroDevs as the sole vendor, the program is non-exclusive and seeking additional partners, so it is not limited to HeroDevs.

Cheung, in attendance at the meeting, asked what type of return OpenJS expects to see based on the traffic. Ginn said it’s too early to tell but expects that the return will be higher with a more prominent link. Cheung also pressed to find out if the direct link is required by the contract, and Ginn confirmed that it is.

“We all want to implement the program in the spirit of the agreement,” Ginn said.

“HeroDevs can do this without a link, just like many companies across the world that offer support for Node. This revenue share is a very creative way to support sustainability. HeroDevs also announced a $20M investment for maintainers on Monday… so I think it’s a collaboration. They’re all about community and so are we.

“We need to figure out how we can implement it in the spirit of the agreement in a way that works for the community, and again how much revenue you all want to bring in as a project.”

OpenJS provided us with the following statement from the foundation regarding the matter:

The OpenJS Foundation manages the official channels and trademarks in collaboration with our project maintainers to ensure consistent, community-driven communications that reflect the values of its global contributor base. Through initiatives like the Ecosystem Sustainability Program (ESP), we’re building strategic partnerships for the long-term health of the project by supporting essential infrastructure, maintainers, and contributors. Our goal is to amplify the work of the Node.js community while safeguarding and growing the trusted brand we’ve built together.

Node.js TSC to Revisit the Decision

Right now, the new support button remains on the Node.js homepage, but ironically it is being blocked by major browser ad blockers, which now treat it as an advertisement. Maintainers are weighing whether to keep it, revert it, or redesign it to link first to a Node.js-branded EOL page instead of directly to HeroDevs.

A PR to change the homepage link to a Node.js blog post is open and includes a great deal of discussion. It is currently blocked until contributors confirm TSC consensus on making the change.

During today's TSC meeting, Michael Dawson proposed that, if the consensus is to change the link to the blog post, one way forward is to email the other TSC members to make sure nobody objects. Collina recommended waiting a week to see how much traffic the button drives, so that the decision is better informed, given that the goal of the program is to maximize results. Cheung noted that while traffic may be elevated right now because of curiosity, with ad blockers hiding the link it may not perform well long-term, and the project needs conversion data from HeroDevs in order to understand the impact.

They decided to wait a week to see how the button performs and ensure the TSC reaches a consensus, and then land the PR changing the link to the blog post. Following this they will explore working on a dedicated page for the ESP partner(s).

In the meantime, contributors stress that the original motivation remains valid: many businesses still run outdated Node.js versions, with millions of downloads each month, and finding ways to fund extended support is vital for sustainability.

"People/businesses have been asking the project for over a decade to provide a paid-for option for extended LTS support that goes beyond our regular LTS cycle. It's not always possible for businesses to update on our LTS schedule," James Snell posted on Bluesky.

"The project's current Long term support schedule has always been mostly limited by the fact that all Node.js contributors are volunteers and it's impossible for unpaid volunteers to provide reliable LTS for indefinitely long periods of time."

This controversy highlights a tough challenge in open source sustainability: while most projects avoid promoting third-party vendors, Node.js must weigh that norm against the real need to fund its infrastructure, especially as millions still rely on unsupported versions, creating a growing security risk.

Snell contends the project has long maintained that extended LTS was best provided through paid third-party efforts, given the resource constraints.

"The fact that Herodevs (who also happen to be Gold-level Members of the OpenJS Foundation) are able to provide such support in a way that feeds funds back to the project makes it even better," he said.

"The support that the OpenJS Foundation provides to the project to keep things running is often unrecognized and underappreciated."
