doc: add meeting minutes 2023-09-14 (#1105)

* doc: add meeting minutes 2023-09-14 * Update meetings/2023-09-14.md Co-authored-by: Ulises Gascón <[email protected]> * Update meetings/2023-09-14.md Co-authored-by: Ulises Gascón <[email protected]> --------- Co-authored-by: Ulises Gascón <[email protected]>
nodejs · Sep 14, 2023 · 50efc45 · 50efc45
1 parent 1212d73
commit 50efc45
Showing 1 changed file with 61 additions and 0 deletions.
diff --git a/meetings/2023-09-14.md b/meetings/2023-09-14.md
@@ -0,0 +1,61 @@
+# Node.js  Security team Meeting 2023-09-14
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=O3DJxVq5jeM
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1100
+
+## Present
+
+* Michael Dawson (@mhdawson)
+* Marco Ippolito (@marco-ippolito)
+* Ashish Kurmi (@ashishkurmi)
+* Thomas GENTILHOMME (@fraxken)
+* Ulises Gascon (@UlisesGascon)
+* Andrea Fassina (@fasenderos)
+* Carlos Espa (@Ceres6)
+
+## Agenda
+
+## Announcements
+
+Node.js 16.x went EOL this week, reminder UPGRADE!
+
+*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [ ] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  - new CVE in npm, does affect npm, needs an updated version in 18.x, not going to be updated in 16.x since its EOL.
+
+- [ ] OpenSSF Scorecard Monitor Review 
+  - General discussion summary of what was discussed include:
+    - No big changes in the score for the organization: https://github.com/nodejs/security-wg/issues/1102
+    - New diff feature in the Scorecard Visualizer is Open for Feedback: https://github.com/KoolTheba/openssf-scorecard-api-visualizer/pull/163
+    - Relevant feedback regarding previous Scorecard visualizer errors with nodejs.org repo:  https://github.com/ossf/scorecard/issues/3438 
+    - Last report summary https://github.com/nodejs/security-wg/issues/1079
+
+### nodejs/security-wg
+
+* Audit build process for dependencies
+[#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Meeting today with Marco, Ashish, Michael brainstorming to get started. Came up with some things to start building the list of what to check (uses npm, pulls github release, etc.). Also need to agree on what we consider an immutable source, versus one that we might need to create a copy of.
+  * Ulises, discussion about scripts, good to have check for licenses.  Could add check for license in dependency update script. Ulises will open an issue in the repo to discuss adding it (Ref: https://github.com/nodejs/security-wg/issues/1104).
+
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+  * No updates this week, working on releases which is a good amount of work.
+
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+  * Carlos, ramping up and looking to contribute
+
+* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
+  * No update this week
+
+* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
+  * No updates for this week.
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.