-
Notifications
You must be signed in to change notification settings - Fork 122
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
doc: add 2024-09-12 meeting notes (#1380)
* doc: add 2024-09-12 meeting notes * Update meetings/2024-09-12.md Co-authored-by: Ulises Gascón <[email protected]> --------- Co-authored-by: Ulises Gascón <[email protected]>
- Loading branch information
1 parent
dbc0cd0
commit 9b38e9f
Showing
1 changed file
with
61 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
# Node.js Security team Meeting 2024-09-12 | ||
|
||
## Links | ||
|
||
* **Recording**: https://www.youtube.com/watch?v=9xrNEZPBFD0 | ||
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1375 | ||
* **Minutes Google Doc**: https://docs.google.com/document/d/1eGBJFVcCE6pfRoWoBRjIgwehPl0SzxiNG70YiYeJw68/edit | ||
|
||
## Present | ||
|
||
* Security wg team: @nodejs/security-wg | ||
* Thomas GENTILHOMME: @fraxken | ||
* Marco Ippolito: @marco-ippolito | ||
* Rafael Gonzaga: @RafaelGSS | ||
* Michael Dawson: @mhdawson | ||
* Ulises Gascón: @UlisesGascon | ||
|
||
## Agenda | ||
|
||
## Announcements | ||
|
||
*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. | ||
|
||
* Express v5 came with security fixes to body-parser plugin | ||
* Node.js vulnerability database now includes a severity field | ||
* https://github.com/nodejs/nodejs-cve-checker - Rafael will double check if the scheduled CVE were now published | ||
|
||
- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues | ||
- V8 backport to Node.js v18 is unlikely to happen as there’s a risk to break users in general | ||
- [X] OpenSSF Scorecard Monitor Review | ||
- No action is needed from our side. PR: https://github.com/nodejs/security-wg/pull/1378 | ||
|
||
### nodejs/node | ||
|
||
* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) | ||
* no action this week | ||
|
||
### nodejs/security-wg | ||
|
||
* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) | ||
* Team effort to fill all fields of access-per-group | ||
* Rafael will open a PR to TSC to ask for feedback | ||
* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) | ||
* no action this week | ||
|
||
* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) | ||
* no action this week | ||
* https://github.com/nodejs/node-core-utils/pull/835 this PR automates promotion step | ||
|
||
|
||
## Q&A, Other | ||
@Ulises: Let’s review https://github.com/nodejs/nodejs.org/pull/6979 (alternative: https://github.com/nodejs/nodejs.org/pull/7034) | ||
|
||
|
||
|
||
## Upcoming Meetings | ||
|
||
* **Node.js Project Calendar**: <https://nodejs.org/calendar> | ||
|
||
Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. | ||
|