diff --git a/meetings/2023-08-17.md b/meetings/2023-08-17.md new file mode 100644 index 00000000..c5577437 --- /dev/null +++ b/meetings/2023-08-17.md @@ -0,0 +1,56 @@ +# Node.js Security team Meeting 2023-08-17 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=7MGcnoZW_cE&ab_channel=node.js +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1072 + +## Present + +* Michael Dawson (@mhdawson) +* Rafael Gonzaga (@RafaelGSS) +* Ulises Gascon (@ulisesGascon) +* Marco Ippolito (@marco-ippolito) + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - closed all of the OpenSSL vulns as they were fixed in the last security release + - some discussion of how to get the llhttp reports fixed as problem in how levels affected were were reported as it does not apply to 16 or 18 + +- [x] OpenSSF Scorecard Monitor Review + - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ + - Ulises will check with @ovflowd if a refactor can be done in one of the workflows for nodejs/nodejs.org + +### nodejs/security-wg + +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) + * Marco is looking to it + +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Silver level is going to be merged, and then Ulises will coordinate the update in the website + * Gold level seems more related to organizational matters, we start to work offline on it to update the PR. + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * Breaking change coming: https://github.com/nodejs/node/pull/49047 + * Discussion around config file support https://github.com/nodejs/security-wg/issues/1074 + * path.resolve implementation in stand-by + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * No updates. Waiting OpenJS response. + +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + * Ulises will open PRs to increase the scoring in key projects within the org + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +