From 662bb569840610376b9d2c0719705fc435718a52 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Tue, 31 Oct 2023 08:20:19 -0300 Subject: [PATCH] doc: add 2023-10-26 meeting minutes (#1142) --- meetings/2023-10-26.md | 74 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 meetings/2023-10-26.md diff --git a/meetings/2023-10-26.md b/meetings/2023-10-26.md new file mode 100644 index 00000000..9a44ec2b --- /dev/null +++ b/meetings/2023-10-26.md @@ -0,0 +1,74 @@ +# Node.js Security team Meeting 2023-10-26 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=-xzcxSaiYAE +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1134 +* **Minutes Google Doc**: https://docs.google.com/document/d/12aKt3F7EIiG3I3-k836rzN5lAAR4iy9Jy9zyNdl1TdM/edit + +## Present + +* Security wg team: @nodejs/security-wg +* Ulises gascon: @ulisesGascon +* Marco Ippolito: @marco-ippolito +* Thomas GENTILHOMME @fraxken +* Rafael Gonzaga @RafaelGSS +* Carlos Espa @Ceres6 +* Michael Dawson @mhdawson + +## Agenda + +## Announcements + +New releases including security patches. + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - zlib vulnerability doesn’t affect Node.js + - One of the OpenSSL vulnerabilities affects Windows users of Node.js. A assessment blog post will be published soon +- [X] OpenSSF Scorecard Monitor Review + - Details: https://github.com/nodejs/security-wg/issues/1140 + - The visualizer will get patched soon + - Discussion about when we need to recommend pin dependencies or not in the organization + - Would make sense to just monitor packages that we expose to the community (nodejs, undici) + - Ulises to remove from the monitor the repos that are not relevant like (docs, archived..) + +### nodejs/security-wg + +* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115) + * It requires a big machine (50G RAM) - v8 might take 17h of intensive computation + * breakdown all of dependencies and start small + * Discussions about how the package-lock.json should be used for npm SBOM + +* License checker process/script [#1104](https://github.com/nodejs/security-wg/issues/1104) + * Currently https://github.com/nodejs/node/blob/main/.github/workflows/license-builder.yml is checking the license changes in a reactive way + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * working on the package lock as the next step on this + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Ulises to consolidate previous feedback and provide context for Gold level PR (discussion). + * Let’s invite Jordan to help us with Gold level discussion and support for Silver in a date that works for most of us so we can focus the meeting into this topics. + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * Carlos Espa is working on support relative paths + * Rafael will review his work + * Windows should be tested + * Support to diagnostic channel is being evaluated + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * removed from the agenda eventually +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + - Rafael made 5 PRs to improve the scoring in the org + - Removed from the agenda + + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +