OpenJS Foundation Is Now a CNA for 40+ JavaScript Projects Under Its Umbrella

The OpenJS Foundation can now assign CVE identifiers for vulnerabilities in more than 40 JavaScript projects it hosts, including popular tools like ESLint, Express, webpack, Fastify, and Electron. The foundation was approved as a CVE Numbering Authority (CNA) under Red Hat’s open source root on May 28.

While each project remains responsible for managing its own vulnerability disclosures, OpenJS can now act as an intermediary for CVE assignment, helping projects navigate reporting and publication.

The move is part of a broader push to improve security infrastructure across the open source JavaScript ecosystem, particularly for projects maintained by volunteers.

OpenJS CNA Scope#

OpenJS' CNA scope is limited. It only applies to projects hosted by the foundation, and specifically excludes:

• Non-OpenJS open source projects
• Project infrastructure (like websites, CI/CD pipelines, etc.)
• Vulnerable dependencies used by a hosted project without evidence of exploitability

As of the latest update (May 28, 2025), 40 projects fall under this CNA’s scope:

• Impact Projects (8): Appium, Dojo, Electron, Express, jQuery, Node.js, webpack
• At Large Projects (26): AMP, Architect, ESLint, Esprima, Fastify, Globalize, Grunt, Interledger, Intern, JerryScript, Jest, LoopBack, Lodash, Marko, messageformat, Mocha, Moment, Node-RED, nvm, QUnit, WebdriverIO, webhint
• Incubating Projects (3): kepler.gl, vis.gl, Cosmos.gl
• Emeritus Projects (5): Chassis, HospitalRun, jQuery Mobile, jQuery UI, Pointer Events Polyfill, RequireJS, Sizzle

Node.js is notably listed but continues to operate its own CNA for now. While the announcement mentions that Node.js may consider transitioning under the OpenJS CNA, no changes have yet been made.

The CNA Is a Facilitator, Not a Security Hotline#

It’s important to note that, according to its security policy, the foundation’s role is limited to CVE assignment and coordination support:

The OpenJS Foundation does not provide a central technical security function and thus does not directly receive, triage, or remediate security vulnerabilities on behalf of its hosted projects.

OpenJS does not triage or patch vulnerabilities itself. Instead, it supports maintainers in doing so. Each project is still independently responsible for its vulnerability disclosure process, meaning security researchers must:

1. Check the project’s specific security.md or listed disclosure policy
2. Use the communication channel provided there
3. Only escalate to the CNA if:
   • The maintainer doesn’t respond within 14 days
   • The maintainer refuses to assign a CVE despite acknowledging and patching the vulnerability
   • You can’t find the contact information
   • You believe a valid report was wrongly rejected

This ensures the CNA acts more like an escalation and coordination layer, rather than a front-line vulnerability response team.

Building Out Disclosure Support#

By establishing a CNA, OpenJS aims to reduce friction in CVE issuance for hosted projects, particularly for under-resourced or volunteer-maintained ones that lack structured security response workflows. This could help:

• Normalize CVE usage across the JavaScript ecosystem
• Increase trust in remediation timelines
• Improve downstream visibility for software that uses affected packages

It also helps OpenJS projects participate more fully in the broader CVE ecosystem without maintainers needing to directly engage with MITRE or go through third-party CNAs like GitHub or HackerOne.

The CNA designation complements OpenJS’ ongoing work in the Security Collaboration Space, backed by Alpha-Omega, which provides templates, disclosure guides, and weekly community meetings. This new CNA designation has the potential to streamline how JavaScript maintainers handle vulnerability reports and reduce friction for security researchers.

Maintainers can request help not only with CVE assignment but also with improving their disclosure workflows, drafting advisories, or navigating coordinated release timelines.