Node.js Security WorkGroup Meeting 2022-12-08

Links

Recording: https://www.youtube.com/watch?v=fMfOVI4NLC0&ab_channel=node.js
GitHub Issue: #849
Minutes Google Doc: https://docs.google.com/document/d/16fixx6Xt3TwTeRgI3p4v2x0Q869i7x8upZrO-E6sSE0/edit

*Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.

Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues

Node.js Security WG Initiatives 2023 #846
- Ulises will update the Security WG README to include the next initiatives
- Currently, we have two well defined initiatives
  - Permission Model
  - Automate update dependencies
- There’s a consensus the checker when vulnerable is a good thing. However, we don’t know exactly in which place it would be better. Rafael will open an issue to discuss it with the TSC. We currently have two options: 1) work together with npm team to include this check when npm install 2) behind a flag --abort-when-vulnerable
Automate updates of all dependencies #828
- OpenSSL automation was created nodejs/node#45605
  - Discussion to keep 2 commits for OpenSSL update
  - Currently, the action only accepts one commit, so if we really need two commits for OpenSSL update, we would need to rewrite a few things
  - Rafael: I think we can try with one commit
- Base64, Acorn and Libuv update tools already merged
Permission Model #791
- Very good progress
- non-permissive approach merged
- Fixed a bug on the RadixTree algorithm
- Next steps: Documentation/Symlink edge cases

Recursive support on Node.js dependencies #89
- The npm dependency contains a node_modules without a package-lock, so when npm audit runs, it will download the latest dependency, therefore, showing a false-negative.
- Thomas suggested using arborist manually

Click +GoogleCalendar at the bottom right to add to your own Google calendar.