From 121d70edb8ddddaeddbe66bf1f8ad8130fb3629b Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 31 Aug 2023 11:50:57 -0300 Subject: [PATCH] doc: add meeting minutes 2023-08-31 --- meetings/2023-08-31.md | 64 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 meetings/2023-08-31.md diff --git a/meetings/2023-08-31.md b/meetings/2023-08-31.md new file mode 100644 index 00000000..2dbe8796 --- /dev/null +++ b/meetings/2023-08-31.md @@ -0,0 +1,64 @@ +# Node.js Security team Meeting 2023-08-31 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=IygHE0xCz6Q&ab_channel=node.js +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1085 + +## Present + +* Ulises Gascon: @ulisesGascon +* Marco Ippolito: @marco-ippolito +* Michael Dawson: @mhdawson +* Thomas GENTILHOMME: @fraxken +* Ashish Kurmi: @ashishkurmi +* Rafael Gonzaga: @RafaelGSS + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + * discussing a v8 issue which we don’t think is within the Node.js threat model + * need to go back and figure out why we don’t have v8 checks + * llhttp report, GHSA report is incorrect and needs to be updated + * Rafael will update the affected version. + +- [X] OpenSSF Scorecard Monitor Review + - Details: https://github.com/nodejs/security-wg/issues/1092 + - There is a bug with the OSSF API: https://github.com/ossf/scorecard/issues/3438 + - New PRs created to improve nodejs.org scoring: https://github.com/nodejs/nodejs.org/issues/5659 + +### nodejs/security-wg + +* Load permission settings from config files [#1074](https://github.com/nodejs/security-wg/issues/1074) + * With addition of node env which is in process, may be able to pass through that file instead of a separate file. However, env variables have limits and so may not be a general answer. At this point options are limited so limitations may not be an issue. + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * No updates this week. + * Possibly, we'll have a brainstorming next week with interested people + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Review Gold Level: https://github.com/nodejs/security-wg/pull/956 + * Fixes for Silver update: https://github.com/nodejs/security-wg/pull/1087 + * Issue to discuss the security review of the Node.js project + * We might get a talk from companies founded by sovereign tech fund + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * No updates + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * OpenJS will create the form for managing the sponsored initiative + +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +