diff --git a/meetings/2024-04-25.md b/meetings/2024-04-25.md new file mode 100644 index 00000000..49f10242 --- /dev/null +++ b/meetings/2024-04-25.md @@ -0,0 +1,76 @@ +# Node.js Security team Meeting 2024-04-25 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=nOd0dit-t80 +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1286 + +## Present + +* Thomas GENTILHOMME (@fraxken) +* Michael Dawson (@mhdawson) +* Rafael Gonzaga (@RafaelGSS) +* Ulises Gascon (@UlisesGascon) +* Robert - Microsoft +* Lee Holmes - Microsoft +* Carlos Espa + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + * Nothing new to discuss this week. An issues were opened asking about V8 vulns but those + seem to be outside of the Node.js threat model. + +- [X] OpenSSF Scorecard Monitor Review + - PR: https://github.com/nodejs/security-wg/pull/1294 this includes the changes for 6w. Nothing actionable from the Security WG perspective. + +### nodejs/node + +* Remove --experimental-policy [#52575](https://github.com/nodejs/node/issues/52575) + * Have been receiving lots of reports + * Don’t have anybody who can maintain/keep up with the reports + * Are starting down the path to remove the feature as its experimental + * Lee Holmes, gave us an overview of why integrity is important. + * Rafael, seems like main part is file integrity is the important part + +* tools: change inactive limit to 9 months [#52459](https://github.com/nodejs/node/pull/52459) + +### nodejs/security-wg + +* Collaborators Inactivity Policy Review [#1282](https://github.com/nodejs/security-wg/issues/1282) + * Added to potential initiatives list + +* Can we have "unsecure" features in Node.js? [#1274](https://github.com/nodejs/security-wg/issues/1274) + * General consensus that we should not have it. Answered in the issue asking aduh95 to join us to discuss further + +* Discuss adding --security-revert to NODE_OPTIONS [#1262](https://github.com/nodejs/security-wg/issues/1262) + * Michael gave overview and we had some discussion + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Requested team review on https://github.com/nodejs/security-wg/pull/1185 + * Waiting for ownership transfer: https://github.com/nodejs/security-wg/issues/953#issuecomment-2049698350 + * We can reply “No” to the pending questions in gold and merge the PR: https://github.com/nodejs/security-wg/pull/956 ? + * Remove from the agenda for now? + +* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255) + +-- end of the meeting -- + +* Proposed approach for build steps in deps which are not in make node [#1236](https://github.com/nodejs/security-wg/issues/1236) +* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs [#1159](https://github.com/nodejs/security-wg/issues/1159) +* Audit build process for dependencies +[#1037](https://github.com/nodejs/security-wg/issues/1037) +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +