From 779a42415da5e6e52a8317646758606b9dc9b0d3 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 29 Aug 2024 11:57:47 -0300 Subject: [PATCH] doc: add meeting notes --- meetings/2024-08-29.md | 50 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 meetings/2024-08-29.md diff --git a/meetings/2024-08-29.md b/meetings/2024-08-29.md new file mode 100644 index 00000000..0b4b11e2 --- /dev/null +++ b/meetings/2024-08-29.md @@ -0,0 +1,50 @@ +# Node.js Security team Meeting 2024-08-29 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=w4zzH-otKNI +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1365 + +## Present + +* Michael Dawson (@mhdawson) +* Robert W - Microsoft +* Lee Holmes - Microsoft +* Rafael Gonzaga (@RafaelGSS) + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + * Some questions about 3 V8 CVEs, confirmed that they are not vulns in the context of the Node.js security model - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/191 +- [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ + +### nodejs/node + +* src: add WDAC integration (Windows) #54364 + * Robert W summarised this feature and what it intends to protect. + * Rafael asked if this is turned on by default + * Robert W explained this is turned on via system configuration, so for Windows users that don’t make use of catalogue policy, it won’t be enabled by default. + * Some discussions about security expectations, running this on untrusted code + * The documentation will be aligned with Node.js threat model. This feature won’t prevent malicous code from bypassing it. This will serve as an extra layer of security for Node.js applications. + * More discussion on implementation on Node.js + +### nodejs/security-wg + +* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333) +* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037) +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + + + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +