Node.js Security team Meeting 2023-10-26

Links

Present

  • Security WG team: @nodejs/security-wg
  • Ulises Gascon: @ulisesGascon
  • Marco Ippolito: @marco-ippolito
  • Thomas Gentilhomme: @fraxken
  • Rafael Gonzaga: @RafaelGSS
  • Carlos Espa: @Ceres6
  • Michael Dawson: @mhdawson

Agenda

Announcements

New releases including security patches.

*Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.

  • Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
    • The zlib vulnerability doesn’t affect Node.js.
    • One of the OpenSSL vulnerabilities affects Windows users of Node.js. An assessment blog post will be published soon.
  • OpenSSF Scorecard Monitor Review
    • Details: #1140
    • The visualizer will get patched soon.
    • Discussion about when we need to recommend pinning dependencies in the organization and when we don’t.
    • It would make sense to monitor only the packages that we expose to the community (nodejs, undici).
    • Ulises to remove from the monitor the repos that are not relevant (docs, archived, ...).

nodejs/security-wg

  • Have a SBOM for Node.js? #1115
    • It requires a big machine (50G RAM); V8 alone might take 17h of intensive computation.
    • Break down all of the dependencies and start small.
    • Discussions about how the package-lock.json should be used for the npm SBOM.
  • License checker process/script #1104
  • Audit build process for dependencies #1037
    • Working on the package lock as the next step on this.
  • Initiative for CII-Best-Practices for Nodejs Projects #953
    • Ulises to consolidate previous feedback and provide context for the Gold level PR (discussion).
    • Let’s invite Jordan to help us with the Gold level discussion and support for Silver, on a date that works for most of us, so we can focus the meeting on these topics.
  • Permission Model - Roadmap #898
    • Carlos Espa is working on support for relative paths.
      • Rafael will review his work.
      • Windows should be tested.
    • Support for diagnostics channel is being evaluated.
  • Automate security release process #860
    • Removed from the agenda eventually.
  • Assessment against best practices (OpenSSF Scorecards ...) #859
    • Rafael made 5 PRs to improve the scoring in the org.
    • Removed from the agenda.

Q&A, Other

Upcoming Meetings

Click +GoogleCalendar at the bottom right to add to your own Google calendar.