From 547acac65a48302272fa455fadc0b1f69782671d Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 10 Oct 2024 12:01:40 -0300 Subject: [PATCH] doc: add 10-10-2024 meeting notes --- meetings/2024-10-10.md | 65 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 meetings/2024-10-10.md diff --git a/meetings/2024-10-10.md b/meetings/2024-10-10.md new file mode 100644 index 00000000..efcfccdd --- /dev/null +++ b/meetings/2024-10-10.md @@ -0,0 +1,65 @@ +# Node.js Security team Meeting 2024-10-10 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=pRbiKOqoCRs +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1389 +* **Minutes Google Doc**: https://docs.google.com/document/d/12oXkIdsOxSfv1Q5K4rkWTh-lkzr9LxwcZERCIvWYHOg/edit?tab=t.0 + +## Present + +* Security wg team: @nodejs/security-wg +* Rafael Gonzaga: @RafaelGSS +* Michael Dawson: @mhdawson +* UlisesGascón: @UlisesGascon +* Marco Ippolito: @marco-ippolito +* Richard Lau: @richadlau + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - Nothing has changed since last week + - OpenSSL update coming in next regular releases + +- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ + - No action required from our side: https://github.com/nodejs/security-wg/pull/1393 + - Requested a feature to add threshold to the issues notification: https://github.com/ossf/scorecard-monitor/issues/88 + + + +### nodejs/node + +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) + * Microsoft team working on updating the PR + +### nodejs/security-wg + +* Audit build process for dependencies #1037 + * Michael: made progress on building common container, and using in the deps that build + WASM + +* Automate security release process #860 + * Nothing has changed since last meeting + +* Abort when vulnerable flag #852 + * a bit complex to solve properly since it requires a remote call back to the vulnerability + database. + * Michael, would be good to PR into - https://github.com/nodejs/nodejs-ambassadors as + message to be amplified + +* Node.js maintainers: Threat Model #1333 + * We have created the Threats section + * Good progress so far + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +