diff --git a/meetings/2025-06-11.md b/meetings/2025-06-11.md new file mode 100644 index 00000000..393c7352 --- /dev/null +++ b/meetings/2025-06-11.md 
@@ -0,0 +1,65 @@ +# Node.js Security team Meeting 2025-11-06 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=a7zV2sdSTEU +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1530 +* **Minutes**: https://hackmd.io/@openjs-nodejs/HyClNtW1Ze + +## Present + +* Security wg team: @nodejs/security-wg +* Rafael Gonzaga: @RafaelGSS +* Ulises Gascón: @ulisesGascon +* Marco Ippolito: @marco-ippolito +* Wes Todd: @wesleytodd + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - We have reviewed the https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/213 and we don't believe those CVEs affects Node.js +- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/pull/1532 + - No meaningful updates + - Good improvement on CITGM - Updated dependencies. + +### nodejs/security-wg + +- Reduce meeting frequency to monthly [#1527](https://github.com/nodejs/security-wg/issues/1527) + - Active discussions are happening on OpenJS Security Collab Space + +* Create a VEX file for Node.js [#1517](https://github.com/nodejs/security-wg/issues/1517) + - +1 from the team + - Marco will create a PR to move forward with this initiative + +### nodejs/node + +* Auditing permissions [#59935](https://github.com/nodejs/node/issues/59935) + - Draft PR has been created + - Rafael, currently the feature is emitting a warning to the console, but I don't think this is good. It would be much better to send the warning through a place where users can consume, like diagnostics_channel, however, there's no native implementation of dc yet, so we'll need to create one from scratch. Non-trivial work. 
+ +* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364) + - TOCTOU issues + - Removed from the agenda as its stale + +## Q&A, Other + +- OpenJS Blog Post - Publishing Packages via CI + - We have set up https://github.com/npm-pub-2025 + - We need to consolitate step 2 and step 3 into just one + - https://expressjs/ci-workflows + - Proposal to have this action available for users to re-use + - We'll compare our strategy with npm recent changes + - Package Maintenance Working Group will set up a meeting to work technically on these actions - https://github.com/nodejs/package-maintenance + - Next actions: Schedule the meeting, + - Propose the action to the pkgjs organization, + - Reduce the GOVERNANCE from pkgjs to handle small groups of maintainers - e.g 1 - 2 approvals for PRs + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `Add to Google Calendar` at the bottom left to add to your own Google calendar.
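Review bot: the file path and the document title disagree on the meeting date: the diff adds `meetings/2025-06-11.md` but the first line reads `# Node.js Security team Meeting 2025-11-06`, so one of the two should be corrected to match the other (the linked recording and issue #1530 will settle which). Smaller points in the same hunk: `consolitate` should be `consolidate`; `https://expressjs/ci-workflows` is not a resolvable URL (the host is missing, presumably `github.com/expressjs/ci-workflows`); `those CVEs affects Node.js` should read `affect`; the `## Agenda` heading has no body; and under `## Upcoming Meetings` the `**Node.js Project Calendar**:` entry carries no link, which leaves the following `Click Add to Google Calendar` instruction pointing at nothing, so either add the calendar link or drop that sentence.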