doc: add 2024-12-05 meeting notes

meetings/2024-12-05.md

@@ -0,0 +1,76 @@
+# Node.js Security team Meeting 2024-12-05
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=bvE__vam0TA
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1407
+
+## Present
+
+* Michael Dawson (@mhdawson)
+* Rafael Gonzaga (@RafaelGSS)
+* Ulises Gascón (@UlisesGascon)
+* Georges Dugué (@GeorgesDugue)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+- [x ] OpenSSF Scorecard Monitor Review
+  - https://github.com/nodejs/security-wg/pull/1411
+  - The Node.js has decreased 0.8 due a change in GitHub actions (tokens permissions) due the release automation initiative (https://github.com/nodejs/node/blob/556f1aece2c21e39fafae13d2cf1832f5d4fcd59/.github/workflows/create-release-proposal.yml#L26). report: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/node/compare/6db7b2422dfee56af15ff6ca895587d36c6683c6/556f1aece2c21e39fafae13d2cf1832f5d4fcd59
+     - This is expected now, it will be fixed soon (PR on the way)
+  - Similar for Nodejs.org with `.github/workflows/translations-pr-lint-and-format.yml`. https://ossf.github.io/scorecard-visualizer/#/projects/github.com/nodejs/nodejs.org/compare/f116efe39e942f67b302b3e9853c823a9beff92d/39855a75a4b382d0fbc39c1f3b611860b91b12f7 and code review decreased
+     - @ulises: I will try to create an exception for this pipeline
+
+### nodejs/node
+
+* tools: update clang-format to v19 #55201
+  * We left a comment in the issue and removed from the agenda
+
+* src: add WDAC integration (Windows) #54364
+  * Skip - Waiting for rdw-msft to join the meeting
+
+### nodejs/security-wg
+
+* Add a warning on EOL versions #1401
+  * discussed that creating a CVE for EOL versions when doing a security release
+  * discussed issuing a single CVE for an EOL version, seems like we have agreement
+    in the issue.  
+  * Rafael, discussed Robin suggested we share via social to share our plan first, and then do
+    it. 
+  * Ulises, issuing CVEs will affect corporate environments but developers don’t really see that. Emitting a warning would help them to know when they are using an insecure version.
+  * Michael, what about hardcoding the EOL dates in Node.js and then when time passes we display the warning?
+  * Rafael, Ulises: offline environments or environments where the system clock isn’t correct will be affected. We think that is too risky and prone to several bugs
+
+* Audit build process for dependencies #1037
+  * all three deps with WASM now use common wasm-builder container
+  * next is to look at updaters for amaro and cjs-module lexer to make sure you can 
+    build from what is in nodejs/deps for the dep.
+
+* Extend security reporting for LTS lines beyond their lifetimes #1025
+  * wait for Marco to join, likely replaced by the issues to do CVE and warning for
+    EOL versions
+
+* Automate security release process #860
+  * good progress, including automation for regular releases as well
+  * updates to git node security --pre-announce and --post-announce
+  * planning video to show stewards how to use automation and to pull in a steward for
+    the next release so they can give feedback on the automation.
+
+* Abort when vulnerable flag #852
+  * going to remove from agenda as it's done
+
+* Node.js maintainers: Threat Model #1333
+  * Not enough time to dive in this week.
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.