2024-05-23.md

Node.js Security team Meeting 2024-05-23

Links

• Recording: https://www.youtube.com/watch?v=btIW6eUqClw
• Minutes Google Doc: #1316

Present

• Rafael Gonzaga (@RafaelGSS)
• Marco Ippolito (@marco-ippolito)
• Michael Dawson (@mhdawson)

Agenda

Announcements

*Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.

• Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
  • Nothing new, but low sev OpenSSL vuln has been announced that should show up at some point
• OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
  • Nothing to discuss this week

nodejs/security-wg

• Initiatives 2024 votes #1313

  • discussed results and updated initiatives on README.md

• OpenSSF Scorecard Report Updated #1312

  • will merge/close to pull in updates

• Node.js Security Initiatives 2024 #1255

  • covered under earlier discussion of #1313

• Proposed approach for build steps in deps which are not in make node #1236

  • Next step is likely PR into nodejs/node, Michael will open PR

• Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs #1159

  • waiting for the report
  • discussion is happening in TSC issue as well.

• Audit build process for dependencies #1037

  • nothing new, but plan to try building Undici with containers I built
  • should also see if I can pull more people into

• Brainstorm on maintainer threat model

  • Threats

    • Malicious code in Node.js codebase
    • Malicious use of infrastructure
    • Malicious links or content in website and/or documentation
    • Substitution of Node.js binaries
    • Malicious code in npm packages published by the project

  • Levels of access

    • external people
    • maintainers
    • Triagers
    • build members
    • TSC members
    • Releasers
    • Security stewards
    • Security triagers
    • different WG members
    • GitHub actions
    • Other external GitHub (other) plugins

  • Project resources

    • GitHub nodejs-private nodejs org pkgjs org
    • npm account
    • Youtube
    • zoom
    • Social media accounts
    • Build infra
      • Test machines
      • release machines
      • test CI
      • release CI
    • Website infra
    • HackerOne
    • Mitre
    • email (nodejs-sec)
    • email (iojs.org aliases)

Q&A, Other

Upcoming Meetings

• Node.js Project Calendar: https://nodejs.org/calendar

Click +GoogleCalendar at the bottom right to add to your own Google calendar.