Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add meeting minutes 2023-08-17 #1081

Merged
merged 2 commits into from
Aug 18, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions meetings/2023-08-17.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
# Node.js Security team Meeting 2023-08-17

## Links

* **Recording**: https://www.youtube.com/watch?v=7MGcnoZW_cE&ab_channel=node.js
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1072

## Present

* Michael Dawson (@mhdawson)
* Rafael Gonzaga (@RafaelGSS)
* Ulises Gascon (@ulisesGascon)
* Marco Ippolito (@marco-ippolito)

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.

- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- closed all of the OpenSSL vulns as they were fixed in the last security release
- some discussion of how to get the llhttp reports fixed as problem in how levels affected were were reported as it does not apply to 16 or 18

- [x] OpenSSF Scorecard Monitor Review
- https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
- Ulises will check with @ovflowd if a refactor can be done in one of the workflows for nodejs/nodejs.org

### nodejs/security-wg

* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
* Marco is looking to it

* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
* Silver level is going to be merged, and then Ulises will coordinate the update in the website
* Gold level seems more related to organizational matters, we start to work offline on it to update the PR.

* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
* Breaking change coming: https://github.com/nodejs/node/pull/49047
* Discussion around config file support https://github.com/nodejs/security-wg/issues/1074
* path.resolve implementation in stand-by

* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
* No updates. Waiting OpenJS response.

* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
* Ulises will open PRs to increase the scoring in key projects within the org

## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.