-
Notifications
You must be signed in to change notification settings - Fork 122
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
doc: add meeting minutes 2023-02-02 (#875)
Co-authored-by: Ulises Gascon <[email protected]>
- Loading branch information
1 parent
506e2ac
commit 8ac7264
Showing
1 changed file
with
66 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # Node.js Security WorkGroup Meeting 2023-02-02 | ||
|
|
||
| ## Links | ||
|
|
||
| * **Recording**: https://www.youtube.com/watch?v=iRQAqWghPJM | ||
| * **GitHub Issue**: https://github.com/nodejs/security-wg/issues/872 | ||
|
|
||
| ## Present | ||
|
|
||
| * Security wg team: @nodejs/security-wg | ||
| * Ulises Gascon: @ulisesGascon | ||
| * Michael Dawson: @mhdawson | ||
| * Darcy Clarke @darcyclarke | ||
| * Rafael Gonzaga: @RafaelGSS | ||
| * Thomas GENTILHOMME: @fraxken | ||
|
|
||
| ## Agenda | ||
|
|
||
| ## Announcements | ||
|
|
||
| *Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. | ||
|
|
||
| - [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues | ||
| - Potential malware packet (named as v8 in Npm) (https://github.com/advisories/GHSA-qrvq-xhqr-7ppq), seems like it was removed and not a thread at the moment. | ||
| Seems like a typosquatting attack for the community users. | ||
|
|
||
| ### nodejs/security-wg | ||
|
|
||
| * Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) | ||
| * No updates | ||
|
|
||
| * Add OSSF Scorecard [#851](https://github.com/nodejs/security-wg/issues/851) | ||
| * Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) | ||
| * We are waiting for dependabot activation | ||
| * Turn on scorecard is required | ||
| * We agree to try the github action setup for scorecard in the security-wg (lead by Thomas) -> PR | ||
| * Build a little script to collect the scorecard metrics for multiple projects in a single file/output (lead by Ulises) | ||
|
|
||
| * Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856) | ||
| * The reporter didn't join the meeting so we decided to move it to next meeting. | ||
| * It will the first topic in the next meeting | ||
|
|
||
| * Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828) | ||
| * We want to involve new members to support us with this initiative | ||
|
|
||
| * Permission Model [#791](https://github.com/nodejs/security-wg/issues/791) | ||
| * No major updates | ||
| * There is need to add native addons, symlinks (the most challenging part currently) and windows support, see: https://github.com/nodejs/node/pull/44004#pullrequestreview-1248772698 | ||
|
|
||
| ### nodejs/nodejs-dependency-vuln-assessments | ||
|
|
||
| * Recursive support on Node.js dependencies [#89](https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/89) | ||
| * No major progress, but we want to keep this initiative | ||
| * Rafael will chair this initiative | ||
| * For reference: https://github.com/nodejs/nodejs-dependency-vuln-assessments/tree/main/dep_checker | ||
|
|
||
| ## Q&A, Other | ||
|
|
||
| * Update charter / remove references to Node Security Project? (@darcyclarke) | ||
| * Darcy will update the repository to remove all references | ||
|
|
||
| ## Upcoming Meetings | ||
|
|
||
| * **Node.js Project Calendar**: <https://nodejs.org/calendar> | ||
|
|
||
| Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. |