Minutes notes from Vancouver Node+JS Interactive Security WG summit

[lirantal]

Security WG Agenda minutes

General notes that came up

• jasnell: For Node.js Core security program we want more people to join so that it will be easier to handle the load and work on that (due to some Node core members signing off from work there)

• Node.js policies issue #22112 - if you have opinions or ideas please get involved on the PR; bengl: there’s also another security implementation by bradley mack that we should consider

• Open an issue on the repo to find a good time for everyone to attend the monthly

• Can we create more exposure and awareness of Node.js Security related topics, tools and practices using a dedicated page/repo

What does broad community believe security-wg should be working on?

• jasnell: having a set of security related test suites
• davisjam: adding as part of CI scanning for regexes
• vladimir: creating best practices for the Node.js platform
• trott: its worth checking with the docs team about the security best practices
• davisjam: can we have a list of known security tools or guides in the ecosystem
• jasnell: can we facilitate the vulnerability database in such a way that it is a single hub that vulnerabilities are being funneled to and the ecosystem, including commercial companies (i.e: snyk/npm/sqreen), can work on it together with the same shared guidelines, processes, etc.

Debugger issue

We have consensus on issuing a CVE for the node core debugger issue where the debugger defaults to listening on all ports. alejandro and jasnell: we should probably do better at communicating this such as a blog post. we can document the change in the node docs too.

P.S.

• I tagged it with agenda so we can review status and take further action items if required.
• Related Create issue to propose session at JSInteractive collaborator summit #358

[mhdawson]

I'm thinking we should PR this into the repo along with our regular minutes as opposed to having it as an issue?

[lirantal]

Yep, I'll take it.