doc: add 2024-12-19 meeting notes #1417

Merged 4 commits (Dec 21, 2024)
57 changes: 57 additions & 0 deletions meetings/2024-12-19.md
@@ -0,0 +1,57 @@
# Node.js Security Team Meeting 2024-12-19

## Links

* **Recording**: https://www.youtube.com/watch?v=euPfJNY6Pyo
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1415
* **Minutes Google Doc**: https://docs.google.com/document/d/1c5qAEwlC6yI174oDO3eXVW4NHNGkurSqEZp7y5OpA88/edit?tab=t.0

## Present

* Security wg team: @nodejs/security-wg
* Rafael Gonzaga: @RafaelGSS
* Ulises Gascón: @UlisesGascon
* Robert W

## Agenda

## Announcements

- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- No relevant vulnerabilities that affects Node.js
- Add dont-believe-affect-nodejs label to npm 10 warn
- [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
- No actions pending for the team
### nodejs/node

* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364)
* Robert is working on it (isolation building on windows only) and will keep working on it.
* Discussion around the feedback collected on the PR:
* Request to work using snapshotable API (seems like use a separate scope is the way to go) for better testing
* Rafael, I don’t believe we need to use the snapshotable API for this POC yet

### nodejs/security-wg

* Add a warning on EOL versions #1401
* There is a blog post ready that will be published after the holidays
* CVEs will be published (2w after the announcement)
* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
* Skip due forum. PR opened to the Node.js Security repository: https://github.com/nodejs/security-wg/pull/1414
* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
* No updates
* Extend security reporting for LTS lines beyond their lifetimes [#1025](https://github.com/nodejs/security-wg/issues/1025)
* Dropped from agenda
* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
* Work is ongoing (2 PRs are open now).
* Great progress is made.

## Q&A, Other

Thanks for this amazing year working together! ✨

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
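Review bot: `## Agenda` is an empty heading in this file: nothing follows it before `## Announcements`, so the `### nodejs/node` and `### nodejs/security-wg` sections that actually make up the agenda end up nested under Announcements instead. Suggest moving the Announcements block (the two `- [x]` items) above `## Agenda` so the repository sections sit under the heading they belong to, or dropping the heading if it is not going to carry content. Two smaller points in the same hunk: `* Add a warning on EOL versions #1401` is the only item without a link to its issue, unlike the others (e.g. `[#1333](https://github.com/nodejs/security-wg/issues/1333)`), and `No relevant vulnerabilities that affects Node.js` should read `affect`.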
