|
| 1 | +# Node.js Security team Meeting 2024-10-10 |
| 2 | + |
| 3 | +## Links |
| 4 | + |
| 5 | +* **Recording**: https://www.youtube.com/watch?v=pRbiKOqoCRs |
| 6 | +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1389 |
| 7 | +* **Minutes Google Doc**: https://docs.google.com/document/d/12oXkIdsOxSfv1Q5K4rkWTh-lkzr9LxwcZERCIvWYHOg/edit?tab=t.0 |
| 8 | + |
| 9 | +## Present |
| 10 | + |
| 11 | +* Security wg team: @nodejs/security-wg |
| 12 | +* Rafael Gonzaga: @RafaelGSS |
| 13 | +* Michael Dawson: @mhdawson |
| 14 | +* UlisesGascón: @UlisesGascon |
| 15 | +* Marco Ippolito: @marco-ippolito |
| 16 | +* Richard Lau: @richadlau |
| 17 | + |
| 18 | +## Agenda |
| 19 | + |
| 20 | +## Announcements |
| 21 | + |
| 22 | +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. |
| 23 | + |
| 24 | +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues |
| 25 | + - Nothing has changed since last week |
| 26 | + - OpenSSL update coming in next regular releases |
| 27 | + |
| 28 | +- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ |
| 29 | + - No action required from our side: https://github.com/nodejs/security-wg/pull/1393 |
| 30 | + - Requested a feature to add threshold to the issues notification: https://github.com/ossf/scorecard-monitor/issues/88 |
| 31 | + |
| 32 | + |
| 33 | + |
| 34 | +### nodejs/node |
| 35 | + |
| 36 | +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) |
| 37 | + * Microsoft team working on updating the PR |
| 38 | + |
| 39 | +### nodejs/security-wg |
| 40 | + |
| 41 | +* Audit build process for dependencies #1037 |
| 42 | + * Michael: made progress on building common container, and using in the deps that build |
| 43 | + WASM |
| 44 | + |
| 45 | +* Automate security release process #860 |
| 46 | + * Nothing has changed since last meeting |
| 47 | + |
| 48 | +* Abort when vulnerable flag #852 |
| 49 | + * a bit complex to solve properly since it requires a remote call back to the vulnerability |
| 50 | + database. |
| 51 | + * Michael, would be good to PR into - https://github.com/nodejs/nodejs-ambassadors as |
| 52 | + message to be amplified |
| 53 | + |
| 54 | +* Node.js maintainers: Threat Model #1333 |
| 55 | + * We have created the Threats section |
| 56 | + * Good progress so far |
| 57 | + |
| 58 | +## Q&A, Other |
| 59 | + |
| 60 | +## Upcoming Meetings |
| 61 | + |
| 62 | +* **Node.js Project Calendar**: <https://nodejs.org/calendar> |
| 63 | + |
| 64 | +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. |
| 65 | + |
0 commit comments