Become a sponsor to Ulises Gascón
If your company runs JavaScript in production, some of this work is running in your infrastructure right now. Together with an amazing group of co-maintainers, we keep hundreds of npm packages running across the ecosystem, coordinate security for projects under the OpenJS Foundation, ship Node.js releases, and help govern Express, Lodash, and Yeoman.
Most of this work is volunteer. There is no company behind it. There are no employees.
✨ What your sponsorship sustains
Keeping your dependencies secure. When a vulnerability hits a package with 100M+ weekly downloads, someone needs to assess it, coordinate the fix, and ship a patch. I triage vulnerability reports, write patches, coordinate CVE disclosures, and author threat models and incident response plans for packages you probably depend on.
Shipping the releases you depend on. Hundreds of packages. All of them need someone to keep the lights on. I'm one of a small group authorized to sign and ship Node.js releases. I also ship dozens of releases every year across the Express, Lodash, and Yeoman ecosystems.
Turning fragile into sustainable. Code is the easy part. The hard part is everything around it. I helped ship Express 5.0 after a decade of waiting and rebuilt Lodash's governance from scratch. I reform governance structures, mentor new maintainers, and build the foundations that turn one-person projects into sustainable ecosystems.
What sponsors actually get
On December 3rd at 8:30 PM, a critical React Server Components vulnerability dropped with a CVSS score of 10.0. Within minutes, Orbitant had someone in their Slack who understood the impact, helped assess exposure, and coordinated the response. By the next morning, they had full visibility and patches rolling out while most companies were still finding out about it.
"Information flows faster than coffee in our Slack when a critical CVE appears. And that's exactly what we're looking for." - Orbitant
When Express 5.0 shipped after a decade, sponsors understood the migration path from someone who helped build it. When Node.js changed its release schedule, sponsors understood the implications before the announcement went public.
🏷️ Sponsorship Tiers
Whether you're an individual developer, a startup, or a large organization, there's a tier for you:
- Supply Chain Supporter: Early access to my informal newsletter
- Bronze Sponsor: Logo on my GitHub and website + shout-out on social media
- Silver Sponsor: All Bronze perks + quarterly strategy call
- Gold Sponsor: All Silver perks + I join your team's Slack for real-time ecosystem intelligence
- Platinum Sponsor: Custom agreements for larger orgs (compliance, ecosystem alignment, long-term support, NDAs, invoicing)
I reserve the right to decline sponsorships that conflict with my values or the integrity of the open source ecosystem.
Featured work
- nodejs/node
  Node.js JavaScript runtime ✨🐢🚀✨
  JavaScript 117,012
- expressjs/express
  Fast, unopinionated, minimalist web framework for node.
  JavaScript 68,980
- nodejs/build
  Better build and test infra for Node.
  Jinja 532
- nodejs/security-wg
  Node.js Ecosystem Security Working Group
  Go 537
- UlisesGascon/sample-terraform-localstack
  Sample project to use Terraform, Localstack (AWS Local) and Docker compose with Nodejs
  JavaScript 60
- ossf/scorecard-monitor
  Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts
  JavaScript 48