doc: add 2025-01-16 meeting notes

meetings/2025-01-16.md

@@ -0,0 +1,73 @@
+# Node.js  Security team Meeting 2025-01-16
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=sw7EtMdb5MU
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1420
+
+## Present
+
+* Marco Ippolito: @marco-ippolito
+* Ulises Gascón: @UlisesGascon
+* Michael Dawson: @mhdawson
+* Jack Camerano: @giacomocamerano
+* Rafael Gonzaga: @RafaelGSS
+* Zibby
+
+## Agenda
+
+## Announcements
+
+* Rafael - Security release next week, will also include CVE for old versions, so scanners will
+  report old versions as vulnerable. More reason to make sure you are updated to latest
+   versions.
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/193 is false positive,
+    and Node.js is not affected based on Node.js threat model so unlikely to be addressed in
+    older versions due to risk.
+- [X] OpenSSF Scorecard Monitor Review
+  - PR: https://github.com/nodejs/security-wg/pull/1424
+  - Analysis: Seems like some projects are rising due to good maintenance (removed permissions, ci
+    validation, etc...) 👍. So far seems like no action needed from our side
+  - Rafael need to run step security again on Node.js core since we’ve added some actions. Rafael
+     will do that.
+Michael is it possible to automate to run once a month ?
+Rafael, don’t think so but lets open an issue in the repo and then at mention them to ask if
+             That is possible.
+
+### nodejs/node
+
+* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364)
+  * Issue being discussed/figured out is around synchronous checks
+
+### nodejs/security-wg
+
+* Add a warning on EOL versions [#1401](https://github.com/nodejs/security-wg/issues/1401)
+  * Plan is to wait to see impact of CVEs we have issued, and then re-evaluate if a warning makes sense
+  * Zibby was it discussed before to add a time at which warnings would be generated, as
+    upgrade to newer version with the warning is unlikely.
+    * Marco, Rafael, Michael, was discussed and discarded based on concerns.
+
+* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
+  * worked on it in doc
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Michael, all three deps use shared common wasm builder approach/containers
+  * Michael, next step is to work on updaters for cjs-module-lexer and amaro to ensure we can
+    build from what is in deps directory
+
+* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
+  * Rafael, almost done, have been validated over last few security releases, just a few small
+     things left to be done.
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+