doc: add 2023-10-26 meeting minutes (#1142)

meetings/2023-10-26.md

@@ -0,0 +1,74 @@
+# Node.js  Security team Meeting 2023-10-26
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=-xzcxSaiYAE
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1134
+* **Minutes Google Doc**: https://docs.google.com/document/d/12aKt3F7EIiG3I3-k836rzN5lAAR4iy9Jy9zyNdl1TdM/edit
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Ulises gascon: @ulisesGascon
+* Marco Ippolito: @marco-ippolito
+* Thomas GENTILHOMME @fraxken
+* Rafael Gonzaga @RafaelGSS
+* Carlos Espa @Ceres6
+* Michael Dawson @mhdawson
+
+## Agenda
+
+## Announcements
+
+New releases including security patches.
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  - zlib vulnerability doesn’t affect Node.js
+  - One of the OpenSSL vulnerabilities affects Windows users of Node.js. A assessment blog post will be published soon
+- [X] OpenSSF Scorecard Monitor Review
+  - Details: https://github.com/nodejs/security-wg/issues/1140
+  - The visualizer will get patched soon
+  - Discussion about when we need to recommend pin dependencies or not in the organization
+  - Would make sense to just monitor packages that we expose to the community (nodejs, undici)
+  - Ulises to remove from the monitor the repos that are not relevant like (docs, archived..)
+
+### nodejs/security-wg
+
+* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115)
+  * It requires a big machine (50G RAM) - v8 might take 17h of intensive computation
+  * breakdown all of dependencies and start small
+  * Discussions about how the package-lock.json should be used for npm SBOM
+
+* License checker process/script [#1104](https://github.com/nodejs/security-wg/issues/1104)
+  * Currently https://github.com/nodejs/node/blob/main/.github/workflows/license-builder.yml is checking the license changes in a reactive way
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * working on the package lock as the next step on this
+
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+  * Ulises to consolidate previous feedback and provide context for Gold level PR (discussion).
+  * Let’s invite Jordan to help us with Gold level discussion and support for Silver in a date that works for most of us so we can focus the meeting into this topics.
+
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+  * Carlos Espa is working on support relative paths
+    * Rafael will review his work
+    * Windows should be tested
+  * Support to diagnostic channel is being evaluated
+
+* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
+  * removed from the agenda eventually
+* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
+  - Rafael made 5 PRs to improve the scoring in the org
+  - Removed from the agenda
+
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+