doc: add 2024-04-25 meeting notes (#1295)

nodejs · Apr 25, 2024 · 4c5dadb · 4c5dadb
1 parent 93763ea
commit 4c5dadb
Showing 1 changed file with 76 additions and 0 deletions.
diff --git a/meetings/2024-04-25.md b/meetings/2024-04-25.md
@@ -0,0 +1,76 @@
+# Node.js  Security team Meeting 2024-04-25
+
+## Links
+
+* **Recording**: https://www.youtube.com/watch?v=nOd0dit-t80
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1286
+
+## Present
+
+* Thomas GENTILHOMME (@fraxken)
+* Michael Dawson (@mhdawson)
+* Rafael Gonzaga (@RafaelGSS)
+* Ulises Gascon (@UlisesGascon)
+* Robert - Microsoft
+* Lee Holmes - Microsoft
+* Carlos Espa
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Nothing new to discuss this week. An issues were opened asking about V8 vulns but those
+    seem to be outside of the Node.js threat model.
+
+- [X] OpenSSF Scorecard Monitor Review
+  - PR: https://github.com/nodejs/security-wg/pull/1294 this includes the changes for 6w. Nothing actionable from the Security WG perspective.
+
+### nodejs/node
+
+* Remove --experimental-policy [#52575](https://github.com/nodejs/node/issues/52575)
+  * Have been receiving lots of reports
+  * Don’t have anybody who can maintain/keep up with the reports
+  * Are starting down the path to remove the feature as its experimental
+  * Lee Holmes, gave us an overview of why integrity is important.
+  * Rafael, seems like main part is file integrity is the important part
+
+* tools: change inactive limit to 9 months [#52459](https://github.com/nodejs/node/pull/52459)
+
+### nodejs/security-wg
+
+* Collaborators Inactivity Policy Review [#1282](https://github.com/nodejs/security-wg/issues/1282)
+  * Added to potential initiatives list
+
+* Can we have "unsecure" features in Node.js? [#1274](https://github.com/nodejs/security-wg/issues/1274)
+  * General consensus that we should not have it. Answered in the issue asking aduh95 to join us to discuss further
+
+* Discuss adding --security-revert to NODE_OPTIONS [#1262](https://github.com/nodejs/security-wg/issues/1262)
+  * Michael gave overview and we had some discussion
+
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+  * Requested team review on https://github.com/nodejs/security-wg/pull/1185
+  * Waiting for ownership transfer: https://github.com/nodejs/security-wg/issues/953#issuecomment-2049698350
+  * We can reply “No” to the pending questions in gold and merge the PR: https://github.com/nodejs/security-wg/pull/956 ?
+  * Remove from the agenda for now?
+
+* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255)
+
+-- end of the meeting --
+
+* Proposed approach for build steps in deps which are not in make node  [#1236](https://github.com/nodejs/security-wg/issues/1236)
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs [#1159](https://github.com/nodejs/security-wg/issues/1159)
+* Audit build process for dependencies 
+[#1037](https://github.com/nodejs/security-wg/issues/1037)
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+