From 8ac726462532b921f5753c658fdc7afb6270fa93 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Thu, 2 Feb 2023 17:16:40 -0300 Subject: [PATCH] doc: add meeting minutes 2023-02-02 (#875) Co-authored-by: Ulises Gascon --- meetings/2023-02-02.md | 66 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 meetings/2023-02-02.md diff --git a/meetings/2023-02-02.md b/meetings/2023-02-02.md new file mode 100644 index 00000000..5197b0c7 --- /dev/null +++ b/meetings/2023-02-02.md @@ -0,0 +1,66 @@ +# Node.js Security WorkGroup Meeting 2023-02-02 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=iRQAqWghPJM +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/872 + +## Present + +* Security wg team: @nodejs/security-wg +* Ulises Gascon: @ulisesGascon +* Michael Dawson: @mhdawson +* Darcy Clarke @darcyclarke +* Rafael Gonzaga: @RafaelGSS +* Thomas GENTILHOMME: @fraxken + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. + +- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues +- Potential malware packet (named as v8 in Npm) (https://github.com/advisories/GHSA-qrvq-xhqr-7ppq), seems like it was removed and not a thread at the moment. +Seems like a typosquatting attack for the community users. + +### nodejs/security-wg + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * No updates + +* Add OSSF Scorecard [#851](https://github.com/nodejs/security-wg/issues/851) +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + * We are waiting for dependabot activation + * Turn on scorecard is required + * We agree to try the github action setup for scorecard in the security-wg (lead by Thomas) -> PR + * Build a little script to collect the scorecard metrics for multiple projects in a single file/output (lead by Ulises) + +* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856) + * The reporter didn't join the meeting so we decided to move it to next meeting. + * It will the first topic in the next meeting + +* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828) + * We want to involve new members to support us with this initiative + +* Permission Model [#791](https://github.com/nodejs/security-wg/issues/791) + * No major updates + * There is need to add native addons, symlinks (the most challenging part currently) and windows support, see: https://github.com/nodejs/node/pull/44004#pullrequestreview-1248772698 + +### nodejs/nodejs-dependency-vuln-assessments + +* Recursive support on Node.js dependencies [#89](https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/89) + * No major progress, but we want to keep this initiative + * Rafael will chair this initiative + * For reference: https://github.com/nodejs/nodejs-dependency-vuln-assessments/tree/main/dep_checker + +## Q&A, Other + +* Update charter / remove references to Node Security Project? (@darcyclarke) + * Darcy will update the repository to remove all references + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.