From 3ae9475eec59ce0de4bc7de80f193e4aa7f2cad9 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Fri, 20 Dec 2024 23:16:09 -0300 Subject: [PATCH] doc: add 2024-12-19 meeting notes (#1417) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * doc: add 2024-12-19 meeting notes * Update meetings/2024-12-19.md Co-authored-by: Ulises Gascón * Update meetings/2024-12-19.md Co-authored-by: Ulises Gascón * Update meetings/2024-12-19.md Co-authored-by: Ulises Gascón --------- Co-authored-by: Ulises Gascón --- meetings/2024-12-19.md | 57 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 meetings/2024-12-19.md diff --git a/meetings/2024-12-19.md b/meetings/2024-12-19.md new file mode 100644 index 00000000..cdbaeb1c --- /dev/null +++ b/meetings/2024-12-19.md @@ -0,0 +1,57 @@ +# Node.js Security Team Meeting 2024-12-19 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=euPfJNY6Pyo +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1415 +* **Minutes Google Doc**: https://docs.google.com/document/d/1c5qAEwlC6yI174oDO3eXVW4NHNGkurSqEZp7y5OpA88/edit?tab=t.0 + +## Present + +* Security wg team: @nodejs/security-wg +* Rafael Gonzaga: @RafaelGSS +* Ulises Gascón: @UlisesGascon +* Robert W + +## Agenda + +## Announcements + +- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - No relevant vulnerabilities that affects Node.js + - Add dont-believe-affect-nodejs label to npm 10 warn +- [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ + - No actions pending for the team +### nodejs/node + +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) + * Robert is working on it (isolation building on windows only) and will keep working on it. + * Discussion around the feedback collected on the PR: + * Request to work using snapshotable API (seems like use a separate scope is the way to go) for better testing + * Rafael, I don’t believe we need to use the snapshotable API for this POC yet + +### nodejs/security-wg + +* Add a warning on EOL versions #1401 + * There is a blog post ready that will be published after the holidays + * CVEs will be published (2w after the announcement) +* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) + * Skip due forum. PR opened to the Node.js Security repository: https://github.com/nodejs/security-wg/pull/1414 +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * No updates +* Extend security reporting for LTS lines beyond their lifetimes [#1025](https://github.com/nodejs/security-wg/issues/1025) + * Dropped from agenda +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * Work is ongoing (2 PRs are open now). + * Great progress is made. + +## Q&A, Other + +Thanks for this amazing year working together! ✨ + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +