- Recording: https://www.youtube.com/watch?v=fMfOVI4NLC0&ab_channel=node.js
- GitHub Issue: #849
- Minutes Google Doc: https://docs.google.com/document/d/16fixx6Xt3TwTeRgI3p4v2x0Q869i7x8upZrO-E6sSE0/edit
- Security WG team: @nodejs/security-wg
- Ulises Gascon: @ulisesgascon
- Rafael Gonzaga: @RafaelGSS
- Thomas GENTILHOMME: @fraxken
- Facundo Tuesca
Extracted from `security-wg-agenda`-labelled issues and pull requests in the nodejs org prior to the meeting.
- Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
Node.js Security WG Initiatives 2023 #846
- Ulises will update the Security WG README to include the next initiatives
- Currently, we have two well-defined initiatives:
  - Permission Model
  - Automated dependency updates
- There is consensus that a check that fails when a vulnerable dependency is present is a good thing; where that check should live is still open. Rafael will open an issue to discuss it with the TSC. Two options are on the table: 1) work with the npm team to run the check during `npm install`; 2) put it behind a Node.js flag, `--abort-when-vulnerable`.
Automate updates of all dependencies #828
- OpenSSL automation was created nodejs/node#45605
- Discussion on whether to keep two commits for the OpenSSL update
  - Currently the action only produces one commit, so if the OpenSSL update really needs two commits, a few things would have to be rewritten
  - Rafael: I think we can try with one commit
- Base64, Acorn and Libuv update tools already merged
Permission Model #791
- Very good progress
- Non-permissive approach merged
- Fixed a bug in the RadixTree algorithm
- Next steps: documentation and symlink edge cases
Recursive support on Node.js dependencies #89
- The npm dependency ships a nested node_modules directory without a package-lock, so when npm audit runs there it resolves and downloads the latest versions instead of checking what is actually installed, producing a false negative.
- Thomas suggested using Arborist manually
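To make the false-negative concrete, the following is an added example (not code from the WG, npm or Arborist) that does in portable POSIX sh what walking the tree with Arborist's `loadActual()` would do: it enumerates the package versions that are actually on disk, including those in node_modules trees nested inside dependencies, and separately reports every node_modules directory that has no package-lock.json beside it, which are precisely the trees where an audit driven by fresh resolution would miss the installed versions. The fixture it builds under `mktemp -d` is constructed sample data; the package names and versions in it are invented.

```shell
#!/bin/sh
# Added example, not the Security WG's or npm's code. A portable stand-in for
# Arborist's loadActual(): read what is installed on disk instead of letting a
# resolver decide which versions to audit.

# Print name@version for every package directory that sits directly inside a
# node_modules directory. Scoped packages live one level deeper, under @scope.
# package.json files elsewhere inside a package (test fixtures, examples) are
# skipped because their parent directory is not node_modules.
list_installed() {
  root="$1"
  find "$root" -type f -name package.json -path '*/node_modules/*' | while IFS= read -r pj; do
    pkgdir=$(dirname "$pj")
    parent=$(dirname "$pkgdir")
    case "$(basename "$parent")" in
      node_modules) ;;                                                          # plain package
      @*) [ "$(basename "$(dirname "$parent")")" = node_modules ] || continue ;;  # scoped package
      *) continue ;;                                                            # not a package root
    esac
    # Top-level "name"/"version" keys start their own line in a real package.json.
    name=$(sed -n 's/^[[:space:]]*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
    version=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
    [ -n "$name" ] && [ -n "$version" ] && printf '%s@%s\n' "$name" "$version"
  done | LC_ALL=C sort -u
}

# Report node_modules directories with no package-lock.json next to them: an
# audit run from such a directory has no record of the installed versions.
unlocked_trees() {
  root="$1"
  find "$root" -type d -name node_modules | while IFS= read -r nm; do
    [ -f "$(dirname "$nm")/package-lock.json" ] || printf '%s\n' "$nm"
  done | LC_ALL=C sort
}

# Constructed fixture (invented names and versions, not a real project): a
# locked root tree containing a dependency that ships its own unlocked
# node_modules, plus a package.json inside a test directory that must be ignored.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/node_modules/dep-a/node_modules/nested-c" \
           "$dir/node_modules/dep-a/test" \
           "$dir/node_modules/@scope/dep-b"
  printf '{\n  "name": "dep-a",\n  "version": "1.3.0"\n}\n'        > "$dir/node_modules/dep-a/package.json"
  printf '{\n  "name": "@scope/dep-b",\n  "version": "2.0.1"\n}\n' > "$dir/node_modules/@scope/dep-b/package.json"
  printf '{\n  "name": "nested-c",\n  "version": "0.0.8"\n}\n'     > "$dir/node_modules/dep-a/node_modules/nested-c/package.json"
  printf '{\n  "name": "fixture",\n  "version": "9.9.9"\n}\n'      > "$dir/node_modules/dep-a/test/package.json"
  printf '{\n  "lockfileVersion": 3\n}\n'                          > "$dir/package-lock.json"  # root locked, nested tree not
  printf '%s\n' "$dir"
}

# Run with --demo to see both reports on the fixture.
if [ "${1:-}" = "--demo" ]; then
  fx=$(make_fixture)
  echo "installed packages:";        list_installed "$fx"
  echo "node_modules without lock:"; unlocked_trees "$fx"
  rm -rf "$fx"
fi
```

Pointing `list_installed` at a project root gives the exact set of versions that an audit should be checked against; `unlocked_trees` identifies the nested trees where relying on `npm audit` alone would produce the false negative described above.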
- Node.js Project Calendar: https://nodejs.org/calendar. Click "+GoogleCalendar" at the bottom right to add it to your own Google calendar.