Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added meeting minutes for 2023-07-20 #1056

Merged
merged 1 commit into from
Jul 21, 2023
Merged

Added meeting minutes for 2023-07-20 #1056

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions meetings/2023-07-20.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# Node.js Security team Meeting 2023-07-20

## Links

* **Recording**: https://www.youtube.com/watch?v=sZgy1FOco-g&ab_channel=node.js
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1052
* **Minutes Google Doc**: https://docs.google.com/document/d/1Da5hwSH-SjagwA4ClbJvH3SkKeJ71A48zC9oMH0Yfuk/edit

## Present

* Security wg team: @nodejs/security-wg
* Rafael Gonzaga: @RafaelGSS
* Michael Dawson: @mhdawson
* Ulises Gascon: @ulisesgascon

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.

- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
* nvd API to database is currently broken, requests timeout.
* watching issue in the client use that is tracking progress

- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
- Report details in https://github.com/nodejs/security-wg/pull/1055
- Quick discussion/review in the meetings.
- There is a plan to add a new diff view to improve the comparison (potentially shipped for the next meeting).
- Michael led changes in `nodejs-addons-api` repository in order to increase the scoring.
- Ulises will follow up on the `-1` score results

### nodejs/security-wg

* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
* no updates


* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
* We agreed to start working in the Gold standard
* Ulises will check offline the two missing questions and probably merge the PR
* Ulises will coordinate with Rod the update in the OpenSSF website and add a mention to this in the news related feed.
* Ulises will create a table to consolidate the reasons behind some technical decisions that we made, so other contributors are aware

* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
* a lot of fixes came out with the last security release
* some private work going on

* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
* Rafael did a lot of work for the last security release
* discussion around the funding for this task

* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
* No news

## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.