docs: add meeting notes 2023-12-21

nodejs · Dec 21, 2023 · e25bd40 · e25bd40
1 parent 50963d0
commit e25bd40
Showing 1 changed file with 78 additions and 0 deletions.
diff --git a/meetings/2023-12-21.md b/meetings/2023-12-21.md
@@ -0,0 +1,78 @@
+# Node.js  Security Team Meeting 2023-12-21
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=WTwi31mH8ec
+* **GitHub Issue**: https://github.com/nodejs/security-wg/pull/1173
+* **Minutes Google Doc**: https://docs.google.com/document/d/1sG2PxLhiHZw0U4PLwa6amlpbmLSCydqAi0PHrMBGVLI/edit
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Marco Ippolito: @marco-ippolito
+* GENTILHOMME Thomas: @fraxken
+* Rafael Gonzaga: @RafaelGSS
+* Ulises Gascon: @UlisesGascon
+* Anton Bauhofer: @antonbauhofer (spdx)
+* Robert: @rdw-msft (Microsoft)
+* Maximilian Huber: @maxhbr (spdx)
+* Amir Montazery: @Amir-Montazery (ostif)
+* Lee Homes (Microsoft)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+Some interface failures have been fixed
+nodejs.org increased 1.4 
+
+### nodejs/security-wg
+
+* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115)
+  * spdx folks joined the conversation
+  * Discussion async in the issue with cdxgen
+  * A lib showcase would be appreciate
+
+* NodeJS Code integrity on Windows [#1149](https://github.com/nodejs/security-wg/issues/1149)
+  * Rafael to ping the relevant people to provide feedback to the PR (https://github.com/nodejs/node/pull/50644)
+  * Robert to provide examples of the threat and how this PR addresses it.
+
+
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs
+[#1159](https://github.com/nodejs/security-wg/issues/1159)
+  * no updates apart from the 3 PRs Adam has created
+
+* Amir from ostif.org - Discuss possibility of consulting engagement with security expert in November/December at 2023-11-09 3pm Security-WG meeting  [#1145](https://github.com/nodejs/security-wg/issues/1145)
+  * Closed
+
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+  * Rafael created some PRs to address some issues and include a new CLI flag: –allow-addons
+  * https://github.com/nodejs/node/pull/51183
+  * https://github.com/nodejs/node/pull/51184
+  * https://github.com/nodejs/node/pull/50758
+  * https://github.com/nodejs/node/pull/51209
+  * https://github.com/nodejs/node/pull/51211
+  * https://github.com/nodejs/node/pull/51212
+  * https://github.com/nodejs/node/pull/51213
+
+* License checker process/script [#1104](https://github.com/nodejs/security-wg/issues/1104)
+  * removing from the agenda until we find someone to work on it
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Marco will research if nodejs core still needs to use minimatch
+
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+  * Some updates from CII-Silver level that require our attention
+  * Rafael suggested to perform a deep dive on it in the next meeting
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.