From 8a70f330304094b4906530aaba09ef0b9538cedd Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Sun, 8 Dec 2024 17:31:16 -0300 Subject: [PATCH] doc: add 2024-12-05 meeting notes (#1412) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * doc: add 2024-12-05 meeting notes * Update meetings/2024-12-05.md Co-authored-by: Ulises Gascón --------- Co-authored-by: Ulises Gascón --- meetings/2024-12-05.md | 76 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 meetings/2024-12-05.md diff --git a/meetings/2024-12-05.md b/meetings/2024-12-05.md new file mode 100644 index 00000000..ff9c2cb3 --- /dev/null +++ b/meetings/2024-12-05.md @@ -0,0 +1,76 @@ +# Node.js Security team Meeting 2024-12-05 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=bvE__vam0TA +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1407 + +## Present + +* Michael Dawson (@mhdawson) +* Rafael Gonzaga (@RafaelGSS) +* Ulises Gascón (@UlisesGascon) +* Georges Dugué (@GeorgesDugue) + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues +- [x] OpenSSF Scorecard Monitor Review + - https://github.com/nodejs/security-wg/pull/1411 + - The Node.js has decreased 0.8 due a change in GitHub actions (tokens permissions) due the release automation initiative (https://github.com/nodejs/node/blob/556f1aece2c21e39fafae13d2cf1832f5d4fcd59/.github/workflows/create-release-proposal.yml#L26). report: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/node/compare/6db7b2422dfee56af15ff6ca895587d36c6683c6/556f1aece2c21e39fafae13d2cf1832f5d4fcd59 + - This is expected now, it will be fixed soon (PR on the way) + - Similar for Nodejs.org with `.github/workflows/translations-pr-lint-and-format.yml`. https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/nodejs.org/compare/f116efe39e942f67b302b3e9853c823a9beff92d/39855a75a4b382d0fbc39c1f3b611860b91b12f7 and code review decreased + - @ulises: I will try to create an exception for this pipeline + +### nodejs/node + +* tools: update clang-format to v19 #55201 + * We left a comment in the issue and removed from the agenda + +* src: add WDAC integration (Windows) #54364 + * Skip - Waiting for rdw-msft to join the meeting + +### nodejs/security-wg + +* Add a warning on EOL versions #1401 + * discussed that creating a CVE for EOL versions when doing a security release + * discussed issuing a single CVE for an EOL version, seems like we have agreement + in the issue. + * Rafael, discussed Robin suggested we share via social to share our plan first, and then do + it. + * Ulises, issuing CVEs will affect corporate environments but developers don’t really see that. Emitting a warning would help them to know when they are using an insecure version. + * Michael, what about hardcoding the EOL dates in Node.js and then when time passes we display the warning? + * Rafael, Ulises: offline environments or environments where the system clock isn’t correct will be affected. We think that is too risky and prone to several bugs + +* Audit build process for dependencies #1037 + * all three deps with WASM now use common wasm-builder container + * next is to look at updaters for amaro and cjs-module lexer to make sure you can + build from what is in nodejs/deps for the dep. + +* Extend security reporting for LTS lines beyond their lifetimes #1025 + * wait for Marco to join, likely replaced by the issues to do CVE and warning for + EOL versions + +* Automate security release process #860 + * good progress, including automation for regular releases as well + * updates to git node security --pre-announce and --post-announce + * planning video to show stewards how to use automation and to pull in a steward for + the next release so they can give feedback on the automation. + +* Abort when vulnerable flag #852 + * going to remove from agenda as it's done + +* Node.js maintainers: Threat Model #1333 + * Not enough time to dive in this week. + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.