| 1 | +# Node.js Security team Meeting 2025-01-16 |
| 2 | + |
| 3 | +## Links |
| 4 | + |
| 5 | +* **Recording**: https://www.youtube.com/watch?v=sw7EtMdb5MU |
| 6 | +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1420 |
| 7 | + |
| 8 | +## Present |
| 9 | + |
| 10 | +* Marco Ippolito: @marco-ippolito |
| 11 | +* Ulises Gascón: @UlisesGascon |
| 12 | +* Michael Dawson: @mhdawson |
| 13 | +* Jack Camerano: @giacomocamerano |
| 14 | +* Rafael Gonzaga: @RafaelGSS |
| 15 | +* Zibby |
| 16 | + |
| 17 | +## Agenda |
| 18 | + |
| 19 | +## Announcements |
| 20 | + |
| 21 | +* Rafael - Security release next week, will also include CVE for old versions, so scanners will |
| 22 | + report old versions as vulnerable. More reason to make sure you are updated to latest |
| 23 | + versions. |
| 24 | + |
| 25 | +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. |
| 26 | + |
| 27 | +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues |
| 28 | + - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/193 is false positive, |
| 29 | + and Node.js is not affected based on Node.js threat model so unlikely to be addressed in |
| 30 | + older versions due to risk. |
| 31 | +- [X] OpenSSF Scorecard Monitor Review |
| 32 | + - PR: https://github.com/nodejs/security-wg/pull/1424 |
| 33 | + - Analysis: Seems like some projects are rising due to good maintenance (removed permissions, ci |
| 34 | + validation, etc...) 👍. So far seems like no action needed from our side |
| 35 | + - Rafael need to run step security again on Node.js core since we’ve added some actions. Rafael |
| 36 | + will do that. |
| 37 | +Michael is it possible to automate to run once a month ? |
| 38 | +Rafael, don’t think so but lets open an issue in the repo and then at mention them to ask if |
| 39 | + That is possible. |
| 40 | + |
| 41 | +### nodejs/node |
| 42 | + |
| 43 | +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) |
| 44 | + * Issue being discussed/figured out is around synchronous checks |
| 45 | + |
| 46 | +### nodejs/security-wg |
| 47 | + |
| 48 | +* Add a warning on EOL versions [#1401](https://github.com/nodejs/security-wg/issues/1401) |
| 49 | + * Plan is to wait to see impact of CVEs we have issued, and then re-evaluate if a warning makes sense |
| 50 | + * Zibby was it discussed before to add a time at which warnings would be generated, as |
| 51 | + upgrade to newer version with the warning is unlikely. |
| 52 | + * Marco, Rafael, Michael, was discussed and discarded based on concerns. |
| 53 | + |
| 54 | +* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) |
| 55 | + * worked on it in doc |
| 56 | + |
| 57 | +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) |
| 58 | + * Michael, all three deps use shared common wasm builder approach/containers |
| 59 | + * Michael, next step is to work on updaters for cjs-module-lexer and amaro to ensure we can |
| 60 | + build from what is in deps directory |
| 61 | + |
| 62 | +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) |
| 63 | + * Rafael, almost done, have been validated over last few security releases, just a few small |
| 64 | + things left to be done. |
| 65 | + |
| 66 | +## Q&A, Other |
| 67 | + |
| 68 | +## Upcoming Meetings |
| 69 | + |
| 70 | +* **Node.js Project Calendar**: <https://nodejs.org/calendar> |
| 71 | + |
| 72 | +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. |
| 73 | + |