| 1 | +# Node.js Security Team Meeting 2024-12-19 |
| 2 | + |
| 3 | +## Links |
| 4 | + |
| 5 | +* **Recording**: https://www.youtube.com/watch?v=euPfJNY6Pyo |
| 6 | +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1415 |
| 7 | +* **Minutes Google Doc**: https://docs.google.com/document/d/1c5qAEwlC6yI174oDO3eXVW4NHNGkurSqEZp7y5OpA88/edit?tab=t.0 |
| 8 | + |
| 9 | +## Present |
| 10 | + |
| 11 | +* Security wg team: @nodejs/security-wg |
| 12 | +* Rafael Gonzaga: @RafaelGSS |
| 13 | +* Ulises Gascón: @UlisesGascon |
| 14 | +* Robert W |
| 15 | + |
| 16 | +## Agenda |
| 17 | + |
| 18 | +## Announcements |
| 19 | + |
| 20 | +- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues |
| 21 | + - No relevant vulnerabilities that affects Node.js |
| 22 | + - Add dont-believe-affect-nodejs label to npm 10 warn |
| 23 | +- [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ |
| 24 | + - No actions pending for the team |
| 25 | +### nodejs/node |
| 26 | + |
| 27 | +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) |
| 28 | + * Robert is working on it (isolation building on windows only) and will keep working on it. |
| 29 | + * Discussion around the feedback collected on the PR: |
| 30 | + * Request to work using snapshotable API (seems like use a separate scope is the way to go) for better testing |
| 31 | + * Rafael, I don’t believe we need to use the snapshotable API for this POC yet |
| 32 | + |
| 33 | +### nodejs/security-wg |
| 34 | + |
| 35 | +* Add a warning on EOL versions #1401 |
| 36 | + * There is a blog post ready that will be published after the holidays |
| 37 | + * CVEs will be published (2w after the announcement) |
| 38 | +* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) |
| 39 | + * Skip due forum. PR opened to the Node.js Security repository: https://github.com/nodejs/security-wg/pull/1414 |
| 40 | +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) |
| 41 | + * No updates |
| 42 | +* Extend security reporting for LTS lines beyond their lifetimes [#1025](https://github.com/nodejs/security-wg/issues/1025) |
| 43 | + * Dropped from agenda |
| 44 | +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) |
| 45 | + * Work is ongoing (2 PRs are open now). |
| 46 | + * Great progress is made. |
| 47 | + |
| 48 | +## Q&A, Other |
| 49 | + |
| 50 | +Thanks for this amazing year working together! ✨ |
| 51 | + |
| 52 | +## Upcoming Meetings |
| 53 | + |
| 54 | +* **Node.js Project Calendar**: <https://nodejs.org/calendar> |
| 55 | + |
| 56 | +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. |
| 57 | + |
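Review bot: a few wording and formatting points in the added minutes. "No relevant vulnerabilities that affects Node.js" should read "that affect Node.js", and "Skip due forum" under the Threat Model item is unclear (presumably the item was skipped because of the forum; spell that out). The "Add a warning on EOL versions #1401" item is the only one whose issue number is not linked, unlike the other items which use `[#1333](https://github.com/nodejs/security-wg/issues/1333)`-style links; linking it keeps the list consistent. The `### nodejs/node` heading directly follows the Scorecard list item with no blank line, which some markdown renderers treat as part of the list, and the `## Agenda` section is empty between its heading and `## Announcements`; either nest the announcements and repo sections under it or drop the empty heading.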