| 1 | +# Node.js Security team Meeting 2023-10-26 |
| 2 | + |
| 3 | +## Links |
| 4 | + |
| 5 | +* **Recording**: https://www.youtube.com/watch?v=-xzcxSaiYAE |
| 6 | +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1134 |
| 7 | +* **Minutes Google Doc**: https://docs.google.com/document/d/12aKt3F7EIiG3I3-k836rzN5lAAR4iy9Jy9zyNdl1TdM/edit |
| 8 | + |
| 9 | +## Present |
| 10 | + |
| 11 | +* Security wg team: @nodejs/security-wg |
| 12 | +* Ulises gascon: @ulisesGascon |
| 13 | +* Marco Ippolito: @marco-ippolito |
| 14 | +* Thomas GENTILHOMME @fraxken |
| 15 | +* Rafael Gonzaga @RafaelGSS |
| 16 | +* Carlos Espa @Ceres6 |
| 17 | +* Michael Dawson @mhdawson |
| 18 | + |
| 19 | +## Agenda |
| 20 | + |
| 21 | +## Announcements |
| 22 | + |
| 23 | +New releases including security patches. |
| 24 | + |
| 25 | +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. |
| 26 | + |
| 27 | +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues |
| 28 | + - zlib vulnerability doesn’t affect Node.js |
| 29 | + - One of the OpenSSL vulnerabilities affects Windows users of Node.js. A assessment blog post will be published soon |
| 30 | +- [X] OpenSSF Scorecard Monitor Review |
| 31 | + - Details: https://github.com/nodejs/security-wg/issues/1140 |
| 32 | + - The visualizer will get patched soon |
| 33 | + - Discussion about when we need to recommend pin dependencies or not in the organization |
| 34 | + - Would make sense to just monitor packages that we expose to the community (nodejs, undici) |
| 35 | + - Ulises to remove from the monitor the repos that are not relevant like (docs, archived..) |
| 36 | + |
| 37 | +### nodejs/security-wg |
| 38 | + |
| 39 | +* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115) |
| 40 | + * It requires a big machine (50G RAM) - v8 might take 17h of intensive computation |
| 41 | + * breakdown all of dependencies and start small |
| 42 | + * Discussions about how the package-lock.json should be used for npm SBOM |
| 43 | + |
| 44 | +* License checker process/script [#1104](https://github.com/nodejs/security-wg/issues/1104) |
| 45 | + * Currently https://github.com/nodejs/node/blob/main/.github/workflows/license-builder.yml is checking the license changes in a reactive way |
| 46 | + |
| 47 | +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) |
| 48 | + * working on the package lock as the next step on this |
| 49 | + |
| 50 | +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) |
| 51 | + * Ulises to consolidate previous feedback and provide context for Gold level PR (discussion). |
| 52 | + * Let’s invite Jordan to help us with Gold level discussion and support for Silver in a date that works for most of us so we can focus the meeting into this topics. |
| 53 | + |
| 54 | +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) |
| 55 | + * Carlos Espa is working on support relative paths |
| 56 | + * Rafael will review his work |
| 57 | + * Windows should be tested |
| 58 | + * Support to diagnostic channel is being evaluated |
| 59 | + |
| 60 | +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) |
| 61 | + * removed from the agenda eventually |
| 62 | +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) |
| 63 | + - Rafael made 5 PRs to improve the scoring in the org |
| 64 | + - Removed from the agenda |
| 65 | + |
| 66 | + |
| 67 | +## Q&A, Other |
| 68 | + |
| 69 | +## Upcoming Meetings |
| 70 | + |
| 71 | +* **Node.js Project Calendar**: <https://nodejs.org/calendar> |
| 72 | + |
| 73 | +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. |
| 74 | + |
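Review bot: the "Agenda" heading (diff line 19) is empty and is immediately followed by "## Announcements", so either the agenda items (the "### nodejs/security-wg" list further down) should sit under it or the heading should be dropped to match the other minutes. A few wording fixes while this is being touched: in the Vulnerability Review bullet, "A assessment blog post will be published soon" should read "An assessment blog post will be published soon"; in the CII-Best-Practices bullet, "focus the meeting into this topics" should read "focus the meeting on these topics"; and in the SBOM bullet "breakdown all of dependencies" should read "break down all of the dependencies". In the Present list, "Ulises gascon" should be capitalised as "Ulises Gascon" for consistency with the other names, and the two Permission Model/Scorecards bullets mix `*` and `-` sub-list markers where the rest of the file uses `*`.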