From 2d7e2c9ecb1ba67d2a009e8613362855e01a335d Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Fri, 17 Jan 2025 10:01:46 -0300 Subject: [PATCH] doc: add 2025-01-16 meeting notes (#1427) --- meetings/2025-01-16.md | 73 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 meetings/2025-01-16.md diff --git a/meetings/2025-01-16.md b/meetings/2025-01-16.md new file mode 100644 index 00000000..343e84fb --- /dev/null +++ b/meetings/2025-01-16.md @@ -0,0 +1,73 @@ +# Node.js Security team Meeting 2025-01-16 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=sw7EtMdb5MU +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1420 + +## Present + +* Marco Ippolito: @marco-ippolito +* Ulises Gascón: @UlisesGascon +* Michael Dawson: @mhdawson +* Jack Camerano: @giacomocamerano +* Rafael Gonzaga: @RafaelGSS +* Zibby + +## Agenda + +## Announcements + +* Rafael - Security release next week, will also include CVE for old versions, so scanners will + report old versions as vulnerable. More reason to make sure you are updated to latest + versions. + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/193 is false positive, + and Node.js is not affected based on Node.js threat model so unlikely to be addressed in + older versions due to risk. +- [X] OpenSSF Scorecard Monitor Review + - PR: https://github.com/nodejs/security-wg/pull/1424 + - Analysis: Seems like some projects are rising due to good maintenance (removed permissions, ci + validation, etc...) 👍. So far seems like no action needed from our side + - Rafael need to run step security again on Node.js core since we’ve added some actions. Rafael + will do that. +Michael is it possible to automate to run once a month ? +Rafael, don’t think so but lets open an issue in the repo and then at mention them to ask if + That is possible. + +### nodejs/node + +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) + * Issue being discussed/figured out is around synchronous checks + +### nodejs/security-wg + +* Add a warning on EOL versions [#1401](https://github.com/nodejs/security-wg/issues/1401) + * Plan is to wait to see impact of CVEs we have issued, and then re-evaluate if a warning makes sense + * Zibby was it discussed before to add a time at which warnings would be generated, as + upgrade to newer version with the warning is unlikely. + * Marco, Rafael, Michael, was discussed and discarded based on concerns. + +* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) + * worked on it in doc + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * Michael, all three deps use shared common wasm builder approach/containers + * Michael, next step is to work on updaters for cjs-module-lexer and amaro to ensure we can + build from what is in deps directory + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * Rafael, almost done, have been validated over last few security releases, just a few small + things left to be done. + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +