We’re donating the Node Security Project to the Node.js Foundation

Adam Baldwin
^Lift Security
Published in
3 min readNov 29, 2016


We are excited to announce that today ^Lift Security and &yet are donating the Node Security Project and its data to the Node Foundation.

In adopting the Node Security Project, the Node.js foundation will create a vendor neutral, open, canonical place to manage incoming advisory reports, licensing, and distribution of that security data.

It was a lot of hard work breaking new ground

It’s been four years since the ^Lift team started the Node Security Project, with the goal of helping the Node.js ecosystem improve its overall security posture and make security a core value of the Node community. We had no idea just how ambitious that effort was when we started.

Over that time it involved building communication channels, bridging the security and development communities, creating tools, auditing hundreds of thousands of modules, and getting sore throats talking about security at all the conferences that would have us.

The whole time we had tremendous support from npm, developers, and other community members. And it’s because of the community we did it and we didn’t do it alone.

Why donate the project?

^Lift isn’t a typical security team and &yet isn’t a typical company. We try to take a positive approach in whatever we do — and for ^Lift, that means being directly engaged with developers where they’re actively doing the hard and often thankless work of open source development and maintenance.

Contributing the Node Security Project to the Node Foundation is a perfect opportunity for us to even more directly live out our values. We believe in investing in the commons and in sharing what we know and what we have, as others have shared with us. As longtime members of the Node.js community, it’s exciting to get to see the Node Foundation grow to the point where it can take on ownership of projects like the Node Security Project.

The security side of the Node ecosystem is in full bloom

We love that more and more vendors have started to make security a part of their thinking and that there are other existing and new security-focused vendors have begun to focus on Node. We believe a rising boat lifts all tides. And if you are for a more secure Node.js ecosystem, we are for you.

With ^Lift offering our own security product that provides continuous security monitoring for Node applications and other vendors wanting to build on top of the same Node Security Project data, it makes sense for us to have clearer separation of those concerns as good citizens of the community.

We’re thrilled that doing this opens the door for all security-focused members of the community to be able to contribute to one common repository of public vulnerability disclosures.

What’s next for ^Lift?

The ^Lift Security team will continue to aggressively contribute to this data set as we do independent security research as we have done for years, well ahead of any other vendor.

This transition allows us to focus on providing solutions beyond known vulnerable dependencies — a solved problem with good tooling.

We’ll continue to:

  • build and extend the Node Security Platform, a set of tools and APIs that allow you to quickly and easily add Node Security intelligence to your products
  • offer nsp tools that give developers continuous security monitoring
  • provide first-rate security assessments and consulting
  • deliver deeply integrated security code reviews (via pull requests)

Thank you

From everyone at ^Lift Security, thank you again for your support over the years.

Let’s keep making security a core value of the Node community!



Adam Baldwin
^Lift Security

VP of Security at npm. Previously founded @liftsecurity, Founder @nodesecurity acquired by npm, inc