
Commit 2d7e2c9

doc: add 2025-01-16 meeting notes (#1427)
1 parent 67997b9 commit 2d7e2c9


1 file changed

+73
-0
lines changed


meetings/2025-01-16.md

+73
@@ -0,0 +1,73 @@
1+
# Node.js Security team Meeting 2025-01-16
2+
3+
## Links
4+
5+
* **Recording**: https://www.youtube.com/watch?v=sw7EtMdb5MU
6+
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1420
7+
8+
## Present
9+
10+
* Marco Ippolito: @marco-ippolito
11+
* Ulises Gascón: @UlisesGascon
12+
* Michael Dawson: @mhdawson
13+
* Jack Camerano: @giacomocamerano
14+
* Rafael Gonzaga: @RafaelGSS
15+
* Zibby
16+
17+
## Agenda
18+
19+
## Announcements
20+
21+
* Rafael - Security release next week, will also include CVE for old versions, so scanners will
22+
report old versions as vulnerable. More reason to make sure you are updated to latest
23+
versions.
24+
25+
*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
26+
27+
- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
28+
- https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/193 is false positive,
29+
and Node.js is not affected based on Node.js threat model so unlikely to be addressed in
30+
older versions due to risk.
31+
- [X] OpenSSF Scorecard Monitor Review
32+
- PR: https://github.com/nodejs/security-wg/pull/1424
33+
- Analysis: Seems like some projects are rising due to good maintenance (removed permissions, ci
34+
validation, etc...) 👍. So far seems like no action needed from our side
35+
- Rafael need to run step security again on Node.js core since we’ve added some actions. Rafael
36+
will do that.
37+
Michael is it possible to automate to run once a month ?
38+
Rafael, don’t think so but lets open an issue in the repo and then at mention them to ask if
39+
That is possible.
40+
41+
### nodejs/node
42+
43+
* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364)
44+
* Issue being discussed/figured out is around synchronous checks
45+
46+
### nodejs/security-wg
47+
48+
* Add a warning on EOL versions [#1401](https://github.com/nodejs/security-wg/issues/1401)
49+
* Plan is to wait to see impact of CVEs we have issued, and then re-evaluate if a warning makes sense
50+
* Zibby was it discussed before to add a time at which warnings would be generated, as
51+
upgrade to newer version with the warning is unlikely.
52+
* Marco, Rafael, Michael, was discussed and discarded based on concerns.
53+
54+
* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
55+
* worked on it in doc
56+
57+
* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
58+
* Michael, all three deps use shared common wasm builder approach/containers
59+
* Michael, next step is to work on updaters for cjs-module-lexer and amaro to ensure we can
60+
build from what is in deps directory
61+
62+
* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
63+
* Rafael, almost done, have been validated over last few security releases, just a few small
64+
things left to be done.
65+
66+
## Q&A, Other
67+
68+
## Upcoming Meetings
69+
70+
* **Node.js Project Calendar**: <https://nodejs.org/calendar>
71+
72+
Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
73+
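Review bot: the Q&A exchange on new-file lines 37-39 ("Michael is it possible to automate to run once a month ?" through "That is possible.") is written as bare lines rather than list items, so in rendered Markdown it will be folded into the preceding "Rafael will do that." bullet; indent it as nested `*` items like the rest of the discussion, and while there change "Rafael need to run" to "Rafael needs to run", "lets open an issue" to "let's open an issue", and drop the stray capital in "That is possible." Two smaller points in the same hunk: "Zibby" on line 15 is the only attendee without a GitHub handle, unlike every other entry in the Present list, and the announcement on lines 21-23 about the security release that will also issue CVEs for old versions (so scanners will flag them) is the item readers will most want to follow up, so a link to the release announcement or tracking issue, once available, would make the note actionable.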
