Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add meeting minutes 2023-02-02 #875

Merged
merged 1 commit into from
Feb 2, 2023
Merged

doc: add meeting minutes 2023-02-02 #875

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions meetings/2023-02-02.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# Node.js Security WorkGroup Meeting 2023-02-02

## Links

* **Recording**: https://www.youtube.com/watch?v=iRQAqWghPJM
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/872

## Present

* Security wg team: @nodejs/security-wg
* Ulises Gascon: @ulisesGascon
* Michael Dawson: @mhdawson
* Darcy Clarke @darcyclarke
* Rafael Gonzaga: @RafaelGSS
* Thomas GENTILHOMME: @fraxken

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.

- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- Potential malware packet (named as v8 in Npm) (https://github.com/advisories/GHSA-qrvq-xhqr-7ppq), seems like it was removed and not a thread at the moment.
Seems like a typosquatting attack for the community users.

### nodejs/security-wg

* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
* No updates

* Add OSSF Scorecard [#851](https://github.com/nodejs/security-wg/issues/851)
* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
* We are waiting for dependabot activation
* Turn on scorecard is required
* We agree to try the github action setup for scorecard in the security-wg (lead by Thomas) -> PR
* Build a little script to collect the scorecard metrics for multiple projects in a single file/output (lead by Ulises)

* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856)
* The reporter didn't join the meeting so we decided to move it to next meeting.
* It will the first topic in the next meeting

* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828)
* We want to involve new members to support us with this initiative

* Permission Model [#791](https://github.com/nodejs/security-wg/issues/791)
* No major updates
* There is need to add native addons, symlinks (the most challenging part currently) and windows support, see: https://github.com/nodejs/node/pull/44004#pullrequestreview-1248772698

### nodejs/nodejs-dependency-vuln-assessments

* Recursive support on Node.js dependencies [#89](https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/89)
* No major progress, but we want to keep this initiative
* Rafael will chair this initiative
* For reference: https://github.com/nodejs/nodejs-dependency-vuln-assessments/tree/main/dep_checker

## Q&A, Other

* Update charter / remove references to Node Security Project? (@darcyclarke)
* Darcy will update the repository to remove all references

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.