From f538ab7bddbdc65e8ebfc921fb421beb0274d0b5 Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Thu, 28 Mar 2024 21:18:03 +0100 Subject: [PATCH] chore: add minutes doc for 2024-03-28 meeting (#1268) * chore: add minutes doc for 2024-03-28 meeting * Update meetings/2024-03-28.md Co-authored-by: Thomas.G --------- Co-authored-by: Thomas.G --- meetings/2024-03-28.md | 69 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 meetings/2024-03-28.md diff --git a/meetings/2024-03-28.md b/meetings/2024-03-28.md new file mode 100644 index 00000000..3e70011b --- /dev/null +++ b/meetings/2024-03-28.md @@ -0,0 +1,69 @@ +# Node.js Security team Meeting 2024-03-28 + +## Links + +* **Recording**: +* **GitHub Issue**: + +## Present + +* Marco Ippolito: @marco-ippolito +* Thomas GENTILHOMME: @fraxken +* Michael Dawson (@mhdawson) +* Mert Can Altin + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +* Security release next week, announcement went out yesterday + +* [X] Vulnerability Review - + * Michael + * tweaked when the jobs run this seems to have helped + * changed to ignore closed issues, so new issues will be opened in case we close one that + should not have. + +* [X] OpenSSF Scorecard Monitor Review - + * From Ulises + * Scoring lower due to an issue with the action in terms of collecting some data + * Only actionable issue is undici, where it resorts issue on workflow tokens with excessive + Permissions + +* Some failures on undici, Thomas will ping the undici team. Issue: https://github.com/nodejs/undici/issues/3012 + +### nodejs/security-wg + +* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255) + * Proposed initiatives for 2024: + * Permission Model (2 Phase) (Rafael) + * Assessment against best practices + * Automate Security release process (Marco/Rafael) + * Including SBOMs with Node.js (Marco) + * Audit and improving the build processes of the dependencies (Michael) + * Next meeting discuss with Ulisses about Assessment against best practices status + +* Proposed approach for build steps in deps which are not in make node [#1236](https://github.com/nodejs/security-wg/issues/1236) + +* Security initiative in December 2023: fuzzing Nodejs: [#1159](https://github.com/nodejs/security-wg/issues/1159) + * + * Waiting for follow up, maybe Rafael has some news + +* Audit build process for dependencies - [#1037](https://github.com/nodejs/security-wg/issues/1037) + * Waiting for @security-wg feedback, then moving on to collaborate and adding base principles to Node + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * No update this week + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * No update for this week + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.