Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: add meeting minutes #1067

Merged
merged 1 commit into from
Aug 4, 2023
Merged

doc: add meeting minutes #1067

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions meetings/2023-08-03.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# Node.js Security team Meeting 2023-08-03

## Links

* **Recording**: https://www.youtube.com/watch?v=fJNDQz9sAQo&ab_channel=node.js
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1059
* **Minutes Google Doc**: https://docs.google.com/document/d/1eLSRK2nKeEnWD1YcEjjROYgVOfuVRPupi7BS5kIMH4I/edit

## Present

* Security wg team: @nodejs/security-wg
* Marco Ippolito @marco-ippolito
* Rafael Gonzaga @RafaelGSS
* Michael Dawson @mhdawson
* Ulises Gascon @ulisesgascon
* Ruy Adorno @ruyadorno

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.

- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
* Wait NVD database to be fixed - Ref: https://github.com/vehemont/nvdlib/issues/26

- [X] OpenSSF Scorecard Monitor Review
- Last report: https://github.com/nodejs/security-wg/pull/1066
- Organic improvements due SAST analysis and variations based on increasing/decreasing unreviewed changesets
- Ulises will apply stepsecurity auto-prs to all the repos in the org
- We will focus on monitoring from now on using the issue generated.

### nodejs/security-wg

* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
* No progress. Just for visibility.
* Marco is investigating this initiative.

* Initiative for CII-Best-Practices for Node.js Projects [#953](https://github.com/nodejs/security-wg/issues/953)
* Ulises will ask TSC for final approval in silver level
* Ulises will prepare the next step: gold level to be reviewed by the team following the previous process.

* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
* Discussion around https://github.com/nodejs/security-wg/issues/1039. We agreed to follow option 2 (array/multiple flags)

* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
* OSSF Funding approved by TSC (no objections until the end of the week)
* OSSF is approved the budget is no objections are presented before the end of the week

* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)

## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.