Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add 2024-01-04 notes #1183

Merged
merged 3 commits into from
Jan 4, 2024
Merged

doc: add 2024-01-04 notes #1183

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
deeeb9f
doc: add 2024-01-04 notes
RafaelGSS Jan 4, 2024
03ffcc1
Update meetings/2024-01-04.md
RafaelGSS Jan 4, 2024
d249f99
Update meetings/2024-01-04.md
RafaelGSS Jan 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions meetings/2024-01-04.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# Node.js Security team Meeting 2024-01-04

## Links

* **Recording**: https://www.youtube.com/watch?v=0g6fJw11KrI
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1175
* **Minutes Google Doc**: https://docs.google.com/document/d/1qNM01Xw0S_U4JTtJcoF1m5PQQUl9PkyVRGjxcetz8eY/edit

## Present

* Security wg team: @nodejs/security-wg
* Rafael Gonzaga (@RafaelGSS)
* Ulises Gascon (@ulisesGascon)
* Marco Ippolito (@marco-ippolito)
* Michael Dawson (@mhdawson)
* Carlos Espa (@Ceres6)

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.

- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- [X] OpenSSF Scorecard Monitor Review
- [Issue details](https://github.com/nodejs/security-wg/issues/1179)
- [Pr Details](https://github.com/nodejs/security-wg/pull/1180)
- Undici increased 0.1 due Code Review. [see](https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/nodejs/undici/compare/c5c6648a7d2097f9be4d1f7d06df9f158eff049d/990b96ebb138ecf9fb93fea0f2a832ae322c939f)
- Node.js decreased 0.3 due Code Review. [see](https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/nodejs/node/compare/f9675e104e25ae7da5215f338f5e2609c85025a2/515b007faedf529861b22823f8a722eebed837fa)

### nodejs/security-wg

* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs
* Skipped - OSTIF didn’t join

[#1159](https://github.com/nodejs/security-wg/issues/1159)
* NodeJS Code integrity on Windows
* Skipped - Microsoft folks didn’t join

[#1149](https://github.com/nodejs/security-wg/issues/1149)
* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115)
* Skipped - no progress since the last meeting

* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
* Stopped until SBOMs resolution

* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
* Several fixes coming with the 21.6.0 release
* two new features - support for relative paths and –allow-addons flag

* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
* Recap
* Deep dive

## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.