diff --git a/meetings/2025-03-13.md b/meetings/2025-03-13.md new file mode 100644 index 00000000..0ff02ce0 --- /dev/null +++ b/meetings/2025-03-13.md @@ -0,0 +1,73 @@ +# Node.js Security team Meeting 2025-03-13 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=xzBqJSatnEs&ab_channel=node.js +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1444 + +## Present + +* Michael Dawson (@mhdawson) +* Nguyen Duc Thien (@iuuukhueeee) +* Ulises Gascón (@UlisesGascon) +* Marco Ippolito (@marco ippolito) +* Rafael Gonzaga (@RafaelGSS) + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - Nothing new + +- [X] OpenSSF Scorecard Monitor Review + - Report: https://github.com/nodejs/security-wg/pull/1450 + - Ulises will work on a PR to patch the scoring in node-gyp + - Michael - recently created token as per - so maybe related, maybe we can add to docs to prevent in the future - https://github.com/nodejs/admin/blob/main/request-an-access-token.md + - Clean up the tracking list: https://github.com/nodejs/security-wg/pull/1451 + +### nodejs/node + +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) + * PR is getting close to be ready + * Rafael, is being Windows only going to be an issue + * Michael, since ability for client code to run across platforms is not affected, less of a concern + in terms of Windows only implementation. + +### nodejs/security-wg + +* Remove nodejs-sec usage in favor of Node.js org RSS Feed [#1446](https://github.com/nodejs/security-wg/issues/1446) + * Discussion, seems like we need to keep sending messages on nodejs-sec. Need to figure out + how to automate. + +* Update on CVEs for EOL Release Lines – MITRE Removal & Next Steps [#1443](https://github.com/nodejs/security-wg/issues/1443) + * Have published blog post to explain next step + * Marco has PR to update database maintained in security-wg + * Marco talking to hacker 1 about how we update CVEs to include EOL versions . Going to + provide csv with the updates needed. Will match what we land in the PR mentioned. + +* OpenJS Security Compliance Checker [#1440](https://github.com/nodejs/security-wg/issues/1440) + * Created issue to analyse how the Node.js project is doing against + * Michael, Ulises has been working on tooling, should be try to use that? + * Ulises, have been working on openpathfinder + https://openpathfinder.com/docs/checklists/OpenJS-SCGv1.0-active + * Sounds like it still work in progress so going through the docs manually still makes sense + +* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * Michael: Next step on my list is still to update amaro to ensure we can build from what is in + deps + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +