Merge branch 'main' into core-index-updated

.github/workflows/ossf-scorecard-reporting.yml

@@ -22,7 +22,7 @@ jobs:
 
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v3.3.0
       - name: OpenSSF Scorecard Monitor
-        uses: UlisesGascon/openssf-scorecard-monitor@8551177324543b39670fe3c430012c946a937bd1 # v2.0.0-beta7
+        uses: ossf/scorecard-monitor@a3a9c4cfa0684480ec5f86fa178fc22c4394b69e # v2.0.0-beta8
         with:
           scope: tools/ossf_scorecard/scope.json
           database: tools/ossf_scorecard/database.json

.github/workflows/stale.yml

@@ -21,7 +21,7 @@ jobs:
     - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.'
+        stale-issue-message: 'This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.'
         stale-issue-label: 'stale'
         exempt-issue-label: 'never stale'
         days-before-stale: 90

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [16.x, 18.x, 20.x]
+        node-version: [18.x, 20.x, 22.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:

README.md

@@ -26,9 +26,9 @@ The program is managed through the HackerOne platform at [https://hackerone.com/
 
 | Initiative           | Champion                                         | Status                                   | Links
 |----------------------|--------------------------------------------------|------------------------------------------|-------------------------------------------------
-| Permission Model - 2 Phase | [@RafaelGSS](https://github.com/RafaelGSS) |  In Progress | [Issue #898](https://github.com/nodejs/security-wg/issues/898)
-| Automate Security release process | [@marco-ippolito](https://github.com/marco-ippolito) | In Progress | [Issue #860](https://github.com/nodejs/security-wg/issues/860)
-| Assessment against best practices | [@fraxken](https://github.com/fraxken)/[@ulisesGascon](https://github.com/ulisesgascon) | In Progress | [Issue #859](https://github.com/nodejs/security-wg/issues/859)
+| Automate Security release process | [@marco-ippolito](https://github.com/marco-ippolito) / [@RafaelGSS](https://github.com/RafaelGSS) | In Progress | [Issue #860](https://github.com/nodejs/security-wg/issues/860)
+| Node.js maintainers: Threat Model | Group effort | In Progress | [Issue #1333](https://github.com/nodejs/security-wg/issues/1333) |
+| Audit build process for dependencies | [@mhdawson](https://github.com/mhdawson) | TODO | [Issue #1037](https://github.com/nodejs/security-wg/issues/1037) |
 
 ## Current Project Team Members
 

meetings/2024-04-25.md

@@ -0,0 +1,76 @@
+# Node.js  Security team Meeting 2024-04-25
+
+## Links
+
+* **Recording**: https://www.youtube.com/watch?v=nOd0dit-t80
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1286
+
+## Present
+
+* Thomas GENTILHOMME (@fraxken)
+* Michael Dawson (@mhdawson)
+* Rafael Gonzaga (@RafaelGSS)
+* Ulises Gascon (@UlisesGascon)
+* Robert - Microsoft
+* Lee Holmes - Microsoft
+* Carlos Espa
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Nothing new to discuss this week. An issues were opened asking about V8 vulns but those
+    seem to be outside of the Node.js threat model.
+
+- [X] OpenSSF Scorecard Monitor Review
+  - PR: https://github.com/nodejs/security-wg/pull/1294 this includes the changes for 6w. Nothing actionable from the Security WG perspective.
+
+### nodejs/node
+
+* Remove --experimental-policy [#52575](https://github.com/nodejs/node/issues/52575)
+  * Have been receiving lots of reports
+  * Don’t have anybody who can maintain/keep up with the reports
+  * Are starting down the path to remove the feature as its experimental
+  * Lee Holmes, gave us an overview of why integrity is important.
+  * Rafael, seems like main part is file integrity is the important part
+
+* tools: change inactive limit to 9 months [#52459](https://github.com/nodejs/node/pull/52459)
+
+### nodejs/security-wg
+
+* Collaborators Inactivity Policy Review [#1282](https://github.com/nodejs/security-wg/issues/1282)
+  * Added to potential initiatives list
+
+* Can we have "unsecure" features in Node.js? [#1274](https://github.com/nodejs/security-wg/issues/1274)
+  * General consensus that we should not have it. Answered in the issue asking aduh95 to join us to discuss further
+
+* Discuss adding --security-revert to NODE_OPTIONS [#1262](https://github.com/nodejs/security-wg/issues/1262)
+  * Michael gave overview and we had some discussion
+
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+  * Requested team review on https://github.com/nodejs/security-wg/pull/1185
+  * Waiting for ownership transfer: https://github.com/nodejs/security-wg/issues/953#issuecomment-2049698350
+  * We can reply “No” to the pending questions in gold and merge the PR: https://github.com/nodejs/security-wg/pull/956 ?
+  * Remove from the agenda for now?
+
+* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255)
+
+-- end of the meeting --
+
+* Proposed approach for build steps in deps which are not in make node  [#1236](https://github.com/nodejs/security-wg/issues/1236)
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs [#1159](https://github.com/nodejs/security-wg/issues/1159)
+* Audit build process for dependencies 
+[#1037](https://github.com/nodejs/security-wg/issues/1037)
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+

meetings/2024-05-09.md

@@ -0,0 +1,65 @@
+# Node.js  Security team Meeting 2024-05-09
+
+## Links
+
+* **Recording**: https://www.youtube.com/watch?v=17Ccg-rix-M&ab_channel=node.js
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1302
+
+## Present
+
+* Michael Dawson (@mhdawson)
+* Thomas GENTILHOMME (@fraxken)
+* Carlos Espa (@Ceres6)
+* Marco Ippolito: @marco-ippolito 
+* Ulises Gascon (@UlisesGascon)
+* Italo José (@italojs_)
+* Rafael Gonzaga (@RafaelGSS)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Michael - Tooling is running ok, and no new issues to discuss
+
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+  * Ulises - some issues with tooling. [ref](https://github.com/nodejs/security-wg/actions/runs/9018519638/job/24779366504)
+
+### nodejs/node
+
+* Remove --experimental-policy [#52575](https://github.com/nodejs/node/issues/52575)
+  * Has been removed in main
+
+### nodejs/security-wg
+
+* Discuss adding --security-revert to NODE_OPTIONS [#1262](https://github.com/nodejs/security-wg/issues/1262)
+  * We discussed and the consensus of those at the meeting was to proceed with the Env variable AND cveRevert API call being needed to revert as an additional option to the command line. Michael will summarize in the issue and then we can figure out how to create a PR that incorporates the approach.
+
+* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255)
+
+* Proposed approach for build steps in deps which are not in make node  [#1236](https://github.com/nodejs/security-wg/issues/1236)
+  * Michael experimenting with building wasm build containers in https://github.com/mhdawson/node-wasm-build, looking good so far in terms of implementing the proposed approach.
+    * built GitHub action to build container and push to ghcr.io
+    * Based on what undici was doing to build container
+
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs 
+[#1159](https://github.com/nodejs/security-wg/issues/1159)
+  * waiting on the report from OSTIF to be shared with TSC
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+
+
+
+## Q&A, Other
+
+Best Practices badge update:
+- Ulises has created two PRs that require some work to justify our responses (https://github.com/nodejs/security-wg/pull/1306 and https://github.com/nodejs/security-wg/pull/956)
+- Currently, the Scoring is not correct, as after the edition the responses were deleted by the application (seems like a bug)
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.

meetings/2024-05-23.md

@@ -0,0 +1,94 @@
+# Node.js  Security team Meeting 2024-05-23
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=btIW6eUqClw
+* **Minutes Google Doc**: https://github.com/nodejs/security-wg/issues/1316
+
+## Present
+
+* Rafael Gonzaga (@RafaelGSS)
+* Marco Ippolito (@marco-ippolito)
+* Michael Dawson (@mhdawson)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Nothing new, but low sev OpenSSL vuln has been announced that should show up at some point
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+  * Nothing to discuss this week
+
+### nodejs/security-wg
+
+* Initiatives 2024 votes [#1313](https://github.com/nodejs/security-wg/pull/1313)
+  * discussed results and updated initiatives on README.md
+
+* OpenSSF Scorecard Report Updated [#1312](https://github.com/nodejs/security-wg/pull/1312)
+  * will merge/close to pull in updates
+
+* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255)
+  * covered under earlier discussion of #1313
+
+* Proposed approach for build steps in deps which are not in make node  [#1236](https://github.com/nodejs/security-wg/issues/1236)
+  * Next step is likely PR into nodejs/node, Michael will open PR
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs [#1159](https://github.com/nodejs/security-wg/issues/1159)
+  * waiting for the report
+  * discussion is happening in TSC issue as well.
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * nothing new, but plan to try building Undici with containers I built
+  * should also see if I can pull more people into
+
+* Brainstorm on maintainer threat model
+  * Threats
+    * Malicious code in Node.js codebase
+    * Malicious use of infrastructure
+    * Malicious links or content in website and/or documentation
+    * Substitution of Node.js binaries
+    * Malicious code in npm packages published by the project
+
+  * Levels of access
+    * external people
+    * maintainers
+    * Triagers
+    * build members
+    * TSC members
+    * Releasers
+    * Security stewards
+    * Security triagers
+    * different WG members
+    * GitHub actions
+    * Other external GitHub (other)  plugins
+
+  * Project resources
+    * GitHub
+            nodejs-private
+	nodejs org
+	pkgjs org
+    * npm account
+    * Youtube
+    * zoom
+    * Social media accounts
+    * Build infra
+      * Test machines
+      * release machines
+      * test CI
+      * release CI
+    * Website infra
+    * HackerOne
+    * Mitre
+    * email (nodejs-sec)
+    * email (iojs.org aliases)
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+

meetings/2024-06-06.md

@@ -0,0 +1,46 @@
+# Node.js  Security team Meeting 2024-06-06
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=30pO2bXGxhk
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1322
+* **Minutes Google Doc**: https://docs.google.com/document/d/1PSyaM70E_abF_9Ya35JB0cvamM0sALxZwjD_P0T0N0I/edit
+
+## Present
+
+* Ulises Gascon (@UlisesGascon)
+* Marco Ippolito (@marco-ippolito)
+* Thomas GENTILHOMME (@fraxken)
+* Michael Dawson (@mhdawson)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.
+
+* No announcements this week
+
+- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  - Seems like some OpenSSL low level vulnerabilities are not detected by the automation, probably as they are not yet registered in NIST
+
+- [x] OpenSSF Scorecard Monitor Review - 
+  - Report updated in https://github.com/nodejs/security-wg/pull/1327, seems like we decreased in Node.js due vulnerabilities (more details: https://github.com/nodejs/security-wg/pull/1327#issuecomment-2151671450). This might be an error as it is the first time that is reported and the CVEs are from 2022
+
+### nodejs/security-wg
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Michael
+    * has action to PR in approach into core repo (from last meeting)
+    * still have on my list more experimentation with building WASM, documenting possible
+      implementation
+
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+

meetings/2024-06-20.md

@@ -0,0 +1,47 @@
+# Node.js  Security team Meeting 2024-06-20
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=MoGb7bk2RuI
+* **GitHub Issue**: $GITHUB_ISSUE$
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Thomas GENTILHOMME: @fraxken
+* Michael Dawson (@mhdawson)
+* Marco Ippolito @marco-ippolito
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+* No announcements this week
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Nothing new reporting since the last meeting
+  * CI is red because of a llhttp v6 report.
+
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+
+### nodejs/security-wg
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Michael: Nothing new to report on this, still on the list, hope for it to get to the top of the list soon to spend some more time on the approach for building WASM.
+
+* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
+  * 5 PRs were merged to automate the security release process
+  * New flag: git node security –sync
+  * Suggestion from Marco to create a CI to keep the next-security-release branch up to date
+  * We are integrating PR_URL from custom H1 field to the vulnerabilities.json
+  * A test workflow has been created for the security-release repository guaranteeing the structure of vulnerabilities.json
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.