From 9b38e9f267ff6a906da5135e08619d04f47622dc Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Wed, 25 Sep 2024 17:26:06 -0300 Subject: [PATCH] doc: add 2024-09-12 meeting notes (#1380) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * doc: add 2024-09-12 meeting notes * Update meetings/2024-09-12.md Co-authored-by: Ulises Gascón --------- Co-authored-by: Ulises Gascón --- meetings/2024-09-12.md | 61 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 meetings/2024-09-12.md diff --git a/meetings/2024-09-12.md b/meetings/2024-09-12.md new file mode 100644 index 00000000..bd8af79f --- /dev/null +++ b/meetings/2024-09-12.md @@ -0,0 +1,61 @@ +# Node.js Security team Meeting 2024-09-12 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=9xrNEZPBFD0 +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1375 +* **Minutes Google Doc**: https://docs.google.com/document/d/1eGBJFVcCE6pfRoWoBRjIgwehPl0SzxiNG70YiYeJw68/edit + +## Present + +* Security wg team: @nodejs/security-wg +* Thomas GENTILHOMME: @fraxken +* Marco Ippolito: @marco-ippolito +* Rafael Gonzaga: @RafaelGSS +* Michael Dawson: @mhdawson +* Ulises Gascón: @UlisesGascon + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +* Express v5 came with security fixes to body-parser plugin +* Node.js vulnerability database now includes a severity field +* https://github.com/nodejs/nodejs-cve-checker - Rafael will double check if the scheduled CVE were now published + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - V8 backport to Node.js v18 is unlikely to happen as there’s a risk to break users in general +- [X] OpenSSF Scorecard Monitor Review + - No action is needed from our side. PR: https://github.com/nodejs/security-wg/pull/1378 + +### nodejs/node + +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) + * no action this week + +### nodejs/security-wg + +* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) + * Team effort to fill all fields of access-per-group + * Rafael will open a PR to TSC to ask for feedback +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * no action this week + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * no action this week + * https://github.com/nodejs/node-core-utils/pull/835 this PR automates promotion step + + +## Q&A, Other +@Ulises: Let’s review https://github.com/nodejs/nodejs.org/pull/6979 (alternative: https://github.com/nodejs/nodejs.org/pull/7034) + + + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +