-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: added meeting notes for 2023-03-30 (#941)
* docs: added meeting notes for 2023-03-30 Related nodejs/security-wg#932 * Apply suggestions from code review Co-authored-by: Tobias Nießen <[email protected]> Co-authored-by: Michael Dawson <[email protected]> --------- Co-authored-by: Rafael Gonzaga <[email protected]> Co-authored-by: Tobias Nießen <[email protected]> Co-authored-by: Michael Dawson <[email protected]>
- Loading branch information
4 people
committed
Apr 1, 2023
1 parent
63ff89a
commit f6ea1b4
Showing
1 changed file
with
77 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| # Node.js Security WorkGroup Meeting 2023-03-30 | ||
|
|
||
| ## Links | ||
|
|
||
| * **Recording**: https://www.youtube.com/watch?v=e0quCriJFEw | ||
| * **GitHub Issue**: https://github.com/nodejs/security-wg/issues/932 | ||
|
|
||
| ## Present | ||
|
|
||
| * Michael Dawson (@mhdawson) | ||
| * Marco Ippolito (@marco-ippolito) | ||
| * Rafael Gonzaga (@RafaelGSS) | ||
| * Ulises Gascon (@ulisesGascon) | ||
| * Thomas GENTILHOMME (@fraxken) | ||
| * Ashish Kurmi | ||
|
|
||
| ## Agenda | ||
|
|
||
| ## Announcements | ||
| N/A | ||
|
|
||
| *Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. | ||
|
|
||
| - [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues | ||
| - turns out action was disabled because there was no activity in the repo | ||
|
|
||
| ### nodejs/security-wg | ||
|
|
||
| * Nominate Marco Ippolito [#923](https://github.com/nodejs/security-wg/issues/923) | ||
| * no concerns, next step is to submit PR to add to member list | ||
| * See: https://github.com/nodejs/security-wg/pull/938 | ||
|
|
||
| * Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) | ||
| * Rafael covered some issues related to case sensitivity | ||
| * Going to drop `.deny` functionality to avoid attack vectors due the way the OS are managing case sensitivity in folders/files | ||
|
|
||
| * Improve SecurityWG Scorecard [#884](https://github.com/nodejs/security-wg/issues/884) | ||
| * There were some PRs done | ||
| * Fuzzing will be a challenge for the team, so we will ask help from the community. | ||
| * Code Review will be patched as soon as we achieve 30 Code reviews. | ||
| * Token permissions is a challenge for us, as we have some github actions that require write access to the repo. The action item for this is to modify the Github actions to create PRs and not to write directly in main branch. | ||
| * Ashish (from stepsecurity) confirmed that the stepsecurity will support now the Nodejs/Node repository | ||
| * Created a pull request to include harden runner in Github Actions for nodejs/security-wg. See: https://github.com/nodejs/security-wg/pull/936 | ||
|
|
||
|
|
||
| * Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) | ||
| * Rafael will work with Matteo to lead the next security release and apply the automations that he created in the last weeks | ||
|
|
||
| * Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) | ||
| * PRs made by the community for Nodes/node and Nodejs/undici to include the scorecard | ||
| * Rafael has open this actions to the community and it is working good, new faces contributing | ||
|
|
||
| * Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856) | ||
| * No updates | ||
| * We will remove it from the agenda | ||
|
|
||
| * Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828) | ||
| * Marco has been working on this and there are several changes (Brotli and others). Here is the updated status: https://github.com/nodejs/security-wg/issues/828#issuecomment-1478430489 | ||
| * Marco will continue working on it | ||
|
|
||
| ### nodejs/nodejs-dependency-vuln-assessments | ||
|
|
||
| * Recursive support on Node.js dependencies [#89](https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/89) | ||
| * it is not a priority now, but it will be great to do it in the following weeks/months | ||
| * The issue is removed from the agenda, but remains open. | ||
|
|
||
| ## Q&A, Other | ||
|
|
||
| * Add scorecard review to the agenda for (Nodejs, undici and security-wg) | ||
| * We can explore the OpenSSF Best practices (https://bestpractices.coreinfrastructure.org/) inititative. It is a long questionaty, but might be useful for Nodejs/node and a great exercise for the team. We agreed to include the recommendation to use the Scorecard and the Best practices into the Best practices document (See: https://github.com/nodejs/nodejs.org/pull/5217). | ||
|
|
||
| ## Upcoming Meetings | ||
|
|
||
| * **Node.js Project Calendar**: <https://nodejs.org/calendar> | ||
|
|
||
| Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. | ||
|
|