Merge branch 'main' into core-index-updated

__mocks__/mockVuln/pass/core/1.json

@@ -7,5 +7,6 @@
   "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1",
   "description": "mocked core vulnerability overview",
   "overview": "mocked core vulnerability overview",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": ["all"],
+  "severity": "medium"
 }

meetings/2024-07-18.md

@@ -0,0 +1,59 @@
+# Node.js  Security team Meeting 2024-07-18
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=53lm-l1gMJA&ab_channel=node.js
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1348
+* **Minutes Google Doc**: https://docs.google.com/document/d/1h7FO8GIipJYrSbINeq3N0d28FZZok8sHIwmKnpvaTh0/edit
+
+## Present
+
+* Michael Dawson: @mhdawson
+* Ulises Gascón: @ulisesgascon
+* Rafael Gonzaga: @RafaelGSS
+* Marco Ippolito
+* Richard Lau
+
+## Agenda
+
+## Announcements
+
+* The OSSF Scorecard Monitor is now an official OSSF Tool. See: https://github.com/ossf/scorecard-monitor/issues/79
+
+* Rafael, security release last week, please upgrade
+
+* Some CVE’s not yet published. - https://github.com/nodejs/nodejs-cve-checker
+
+*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Failure on nvd database side resolved
+  * No new issues
+  * CVEs from last security release were not published yet
+
+- [X] OpenSSF Scorecard Monitor Review - 
+  - PR: https://github.com/nodejs/security-wg/pull/1351
+  - Actions: in nodejs/node-addon-api there is a new workflow that can be improved (decrease 0.9), details: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/node-addon-api/compare/7e1aa06132558fcc3de4ef5f4f6b84ff10c32502/12ffe91b8f94c0b2491fcc5b15547a3ff23ceb07
+
+### nodejs/security-wg
+
+* Automate security release process #860
+  * Rafael is working on git node security –finish
+  * Tests added to security-release repository
+  * Opened https://github.com/nodejs/node/pull/53877
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Michael, still on my list to work on WASM building side of things, just have not managed to
+    carve out time yet.
+
+* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
+  * Working on Access per Group table
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+

meetings/2024-08-01.md

@@ -0,0 +1,50 @@
+# Node.js  Security team Meeting 2024-08-01
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=uYjkIe3yhPE
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1355
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Rafael Gonzaga: @Rafaelgss
+* Thomas Gentilhomme: @fraxken
+* Ulises Gascón: @UlisesGascon
+* Michael Dawson: @mhdawson
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [x] Vulnerability Review - 
+https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Nothing new this week
+
+- [x] OpenSSF Scorecard Monitor Review - 
+  - Seems like GH has some rate limits currently in our region https://github.com/nodejs/security-wg/actions/runs/10199208188/job/28215763563. Ulises will retry after the meeting.
+
+### nodejs/security-wg
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Michael added PR for undici to get us one step closer to having everything we need in deps
+    to rebuild
+
+* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
+  * PR landed to update security release process to use the automated support
+  * PRs to update the security automation and move templates towards end goal
+  * Currently working on automating cleanup 
+
+* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
+  * Deep Dive session
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+

meetings/2024-08-29.md

@@ -0,0 +1,50 @@
+# Node.js  Security team Meeting 2024-08-29
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=w4zzH-otKNI
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1365
+
+## Present
+
+* Michael Dawson (@mhdawson)
+* Robert W - Microsoft
+* Lee Holmes - Microsoft
+* Rafael Gonzaga (@RafaelGSS)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Some questions about 3 V8 CVEs, confirmed that they are not vulns in the context of the Node.js security model - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/191
+- [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+
+### nodejs/node
+
+* src: add WDAC integration (Windows) #54364
+  * Robert W summarised this feature and what it intends to protect.
+  * Rafael asked if this is turned on by default
+  * Robert W explained this is turned on via system configuration, so for Windows users that don’t make use of catalogue policy, it won’t be enabled by default. 
+  * Some discussions about security expectations, running this on untrusted code
+  * The documentation will be aligned with Node.js threat model. This feature won’t prevent malicous code from bypassing it. This will serve as an extra layer of security for Node.js applications. 
+  * More discussion on implementation on Node.js
+
+### nodejs/security-wg
+
+* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
+
+
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+