From 2dfc5502a34f32e411bb4fec8bd5c7b76f999d23 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 17 Aug 2023 15:17:41 -0300 Subject: [PATCH 1/2] doc: add meeting minutes 2023-08-17 --- meetings/2023-08-17.md | 56 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 meetings/2023-08-17.md diff --git a/meetings/2023-08-17.md b/meetings/2023-08-17.md new file mode 100644 index 00000000..ba3830b1 --- /dev/null +++ b/meetings/2023-08-17.md @@ -0,0 +1,56 @@ +# Node.js Security team Meeting 2023-08-17 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=7MGcnoZW_cE&ab_channel=node.js +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1072 + +## Present + +* Michael Dawson (@mhdawson) +* Rafael Gonzaga (@RafaelGSS) +* Ulises Gascon (@ulisesGascon) +* Marco Ippolito (@marco-ippolito) + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - closed all of the OpenSSL vulns as they were fixed in the last security release + - some discussion of how to get the llhttp reports fixed as problem in how levels affected were were reported as it does not apply to 16 or 18 + +- [x] OpenSSF Scorecard Monitor Review + - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ + - Ulises will check with @Claudio if a refactor can be done in one of the workflows for nodejs/nodejs.org + +### nodejs/security-wg + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * Marco is looking to it + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Silver level is going to be merged, and then Ulises will coordinate the update in the website + * Gold level seems more related to organizational matters, we start to work offline on it to update the PR. + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * Breaking change coming: https://github.com/nodejs/node/pull/49047 + * Discussion around config file support https://github.com/nodejs/security-wg/issues/1074 + * path.resolve implementation in stand-by + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * No updates. Waiting OpenJS response. + +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + * Ulises will open PRs to increase the scoring in key projects within the org + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. + From 3174e0dd8ef4c18442fab8fb1083d3171982afd8 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Fri, 18 Aug 2023 11:07:54 -0300 Subject: [PATCH 2/2] Update meetings/2023-08-17.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ulises Gascón --- meetings/2023-08-17.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meetings/2023-08-17.md b/meetings/2023-08-17.md index ba3830b1..c5577437 100644 --- a/meetings/2023-08-17.md +++ b/meetings/2023-08-17.md @@ -24,7 +24,7 @@ - [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ - - Ulises will check with @Claudio if a refactor can be done in one of the workflows for nodejs/nodejs.org + - Ulises will check with @ovflowd if a refactor can be done in one of the workflows for nodejs/nodejs.org ### nodejs/security-wg