- Recording: https://www.youtube.com/watch?v=-xzcxSaiYAE
- GitHub Issue: #1134
- Minutes Google Doc: https://docs.google.com/document/d/12aKt3F7EIiG3I3-k836rzN5lAAR4iy9Jy9zyNdl1TdM/edit
- Security wg team: @nodejs/security-wg
- Ulises gascon: @ulisesGascon
- Marco Ippolito: @marco-ippolito
- Thomas GENTILHOMME @fraxken
- Rafael Gonzaga @RafaelGSS
- Carlos Espa @Ceres6
- Michael Dawson @mhdawson
New releases including security patches.
*Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.
- Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- zlib vulnerability doesn’t affect Node.js
- One of the OpenSSL vulnerabilities affects Windows users of Node.js. A assessment blog post will be published soon
- OpenSSF Scorecard Monitor Review
- Details: #1140
- The visualizer will get patched soon
- Discussion about when we need to recommend pin dependencies or not in the organization
- Would make sense to just monitor packages that we expose to the community (nodejs, undici)
- Ulises to remove from the monitor the repos that are not relevant like (docs, archived..)
-
Have a SBOM for Node.js? #1115
- It requires a big machine (50G RAM) - v8 might take 17h of intensive computation
- breakdown all of dependencies and start small
- Discussions about how the package-lock.json should be used for npm SBOM
-
License checker process/script #1104
- Currently https://github.com/nodejs/node/blob/main/.github/workflows/license-builder.yml is checking the license changes in a reactive way
-
Audit build process for dependencies #1037
- working on the package lock as the next step on this
-
Initiative for CII-Best-Practices for Nodejs Projects #953
- Ulises to consolidate previous feedback and provide context for Gold level PR (discussion).
- Let’s invite Jordan to help us with Gold level discussion and support for Silver in a date that works for most of us so we can focus the meeting into this topics.
-
Permission Model - Roadmap #898
- Carlos Espa is working on support relative paths
- Rafael will review his work
- Windows should be tested
- Support to diagnostic channel is being evaluated
- Carlos Espa is working on support relative paths
-
Automate security release process #860
- removed from the agenda eventually
-
Assessment against best practices (OpenSSF Scorecards ...) #859
- Rafael made 5 PRs to improve the scoring in the org
- Removed from the agenda
- Node.js Project Calendar: https://nodejs.org/calendar
Click +GoogleCalendar
at the bottom right to add to your own Google calendar.