Skip to content

Commit

Permalink
docs: added meeting notes for 2023-03-30 (#941)
Browse files Browse the repository at this point in the history
* docs: added meeting notes for 2023-03-30

Related #932

* Apply suggestions from code review

Co-authored-by: Tobias Nießen <[email protected]>
Co-authored-by: Michael Dawson <[email protected]>

---------

Co-authored-by: Rafael Gonzaga <[email protected]>
Co-authored-by: Tobias Nießen <[email protected]>
Co-authored-by: Michael Dawson <[email protected]>
  • Loading branch information
4 people authored Apr 1, 2023
1 parent 62f3ebb commit 7b66370
Showing 1 changed file with 77 additions and 0 deletions.
77 changes: 77 additions & 0 deletions meetings/2023-03-30.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
# Node.js Security WorkGroup Meeting 2023-03-30

## Links

* **Recording**: https://www.youtube.com/watch?v=e0quCriJFEw
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/932

## Present

* Michael Dawson (@mhdawson)
* Marco Ippolito (@marco-ippolito)
* Rafael Gonzaga (@RafaelGSS)
* Ulises Gascon (@ulisesGascon)
* Thomas GENTILHOMME (@fraxken)
* Ashish Kurmi

## Agenda

## Announcements
N/A

*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.

- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- turns out action was disabled because there was no activity in the repo

### nodejs/security-wg

* Nominate Marco Ippolito [#923](https://github.com/nodejs/security-wg/issues/923)
* no concerns, next step is to submit PR to add to member list
* See: https://github.com/nodejs/security-wg/pull/938

* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
* Rafael covered some issues related to case sensitivity
* Going to drop `.deny` functionality to avoid attack vectors due the way the OS are managing case sensitivity in folders/files

* Improve SecurityWG Scorecard [#884](https://github.com/nodejs/security-wg/issues/884)
* There were some PRs done
* Fuzzing will be a challenge for the team, so we will ask help from the community.
* Code Review will be patched as soon as we achieve 30 Code reviews.
* Token permissions is a challenge for us, as we have some github actions that require write access to the repo. The action item for this is to modify the Github actions to create PRs and not to write directly in main branch.
* Ashish (from stepsecurity) confirmed that the stepsecurity will support now the Nodejs/Node repository
* Created a pull request to include harden runner in Github Actions for nodejs/security-wg. See: https://github.com/nodejs/security-wg/pull/936


* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
* Rafael will work with Matteo to lead the next security release and apply the automations that he created in the last weeks

* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
* PRs made by the community for Nodes/node and Nodejs/undici to include the scorecard
* Rafael has open this actions to the community and it is working good, new faces contributing

* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856)
* No updates
* We will remove it from the agenda

* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828)
* Marco has been working on this and there are several changes (Brotli and others). Here is the updated status: https://github.com/nodejs/security-wg/issues/828#issuecomment-1478430489
* Marco will continue working on it

### nodejs/nodejs-dependency-vuln-assessments

* Recursive support on Node.js dependencies [#89](https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/89)
* it is not a priority now, but it will be great to do it in the following weeks/months
* The issue is removed from the agenda, but remains open.

## Q&A, Other

* Add scorecard review to the agenda for (Nodejs, undici and security-wg)
* We can explore the OpenSSF Best practices (https://bestpractices.coreinfrastructure.org/) inititative. It is a long questionaty, but might be useful for Nodejs/node and a great exercise for the team. We agreed to include the recommendation to use the Scorecard and the Best practices into the Best practices document (See: https://github.com/nodejs/nodejs.org/pull/5217).

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.

0 comments on commit 7b66370

Please sign in to comment.