| 1 | +# Node.js Security team Meeting 2025-11-06 |
| 2 | + |
| 3 | +## Links |
| 4 | + |
| 5 | +* **Recording**: https://www.youtube.com/watch?v=a7zV2sdSTEU |
| 6 | +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1530 |
| 7 | +* **Minutes**: https://hackmd.io/@openjs-nodejs/HyClNtW1Ze |
| 8 | + |
| 9 | +## Present |
| 10 | + |
| 11 | +* Security wg team: @nodejs/security-wg |
| 12 | +* Rafael Gonzaga: @RafaelGSS |
| 13 | +* Ulises Gascón: @ulisesGascon |
| 14 | +* Marco Ippolito: @marco-ippolito |
| 15 | +* Wes Todd: @wesleytodd |
| 16 | + |
| 17 | +## Agenda |
| 18 | + |
| 19 | +## Announcements |
| 20 | + |
| 21 | +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. |
| 22 | + |
| 23 | +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues |
| 24 | + - We have reviewed the https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/213 and we don't believe those CVEs affects Node.js |
| 25 | +- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/pull/1532 |
| 26 | + - No meaningful updates |
| 27 | + - Good improvement on CITGM - Updated dependencies. |
| 28 | + |
| 29 | +### nodejs/security-wg |
| 30 | + |
| 31 | +- Reduce meeting frequency to monthly [#1527](https://github.com/nodejs/security-wg/issues/1527) |
| 32 | + - Active discussions are happening on OpenJS Security Collab Space |
| 33 | + |
| 34 | +* Create a VEX file for Node.js [#1517](https://github.com/nodejs/security-wg/issues/1517) |
| 35 | + - +1 from the team |
| 36 | + - Marco will create a PR to move forward with this initiative |
| 37 | + |
| 38 | +### nodejs/node |
| 39 | + |
| 40 | +* Auditing permissions [#59935](https://github.com/nodejs/node/issues/59935) |
| 41 | + - Draft PR has been created |
| 42 | + - Rafael, currently the feature is emitting a warning to the console, but I don't think this is good. It would be much better to send the warning through a place where users can consume, like diagnostics_channel, however, there's no native implementation of dc yet, so we'll need to create one from scratch. Non-trivial work. |
| 43 | + |
| 44 | +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) |
| 45 | + - TOCTOU issues |
| 46 | + - Removed from the agenda as its stale |
| 47 | + |
| 48 | +## Q&A, Other |
| 49 | + |
| 50 | +- OpenJS Blog Post - Publishing Packages via CI |
| 51 | + - We have set up https://github.com/npm-pub-2025 |
| 52 | + - We need to consolitate step 2 and step 3 into just one |
| 53 | + - https://expressjs/ci-workflows |
| 54 | + - Proposal to have this action available for users to re-use |
| 55 | + - We'll compare our strategy with npm recent changes |
| 56 | + - Package Maintenance Working Group will set up a meeting to work technically on these actions - https://github.com/nodejs/package-maintenance |
| 57 | + - Next actions: Schedule the meeting, |
| 58 | + - Propose the action to the pkgjs organization, |
| 59 | + - Reduce the GOVERNANCE from pkgjs to handle small groups of maintainers - e.g 1 - 2 approvals for PRs |
| 60 | + |
| 61 | +## Upcoming Meetings |
| 62 | + |
| 63 | +* **Node.js Project Calendar**: <https://nodejs.org/calendar> |
| 64 | + |
| 65 | +Click `Add to Google Calendar` at the bottom left to add to your own Google calendar. |
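Review bot: the `https://expressjs/ci-workflows` link under "OpenJS Blog Post - Publishing Packages via CI" is not a resolvable URL (no host, just a bare name), so it should be replaced with the full repository address before these minutes are merged; the same block also has "consolitate" for "consolidate". A few other wording fixes in the hunk: "we don't believe those CVEs affects Node.js" should read "affect", "Removed from the agenda as its stale" should read "as it's stale", and "Security wg team" does not match the "WG" capitalisation used elsewhere in the repository. The "## Agenda" heading is immediately followed by "## Announcements" with no content of its own, so either drop it or nest the Announcements and nodejs/* sections under it. In the auditing-permissions item, the bullet "Rafael, currently the feature is emitting a warning to the console, but I don't think this is good..." switches to first person mid-sentence; writing it as "Rafael: currently the feature..." makes the speaker attribution clear.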