Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add 2024-08-29 meeting notes #1371

Merged
merged 1 commit into from
Sep 5, 2024
Merged

doc: add 2024-08-29 meeting notes #1371

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions meetings/2024-08-29.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Node.js Security team Meeting 2024-08-29

## Links

* **Recording**: https://www.youtube.com/watch?v=w4zzH-otKNI
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1365

## Present

* Michael Dawson (@mhdawson)
* Robert W - Microsoft
* Lee Holmes - Microsoft
* Rafael Gonzaga (@RafaelGSS)

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.

- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
* Some questions about 3 V8 CVEs, confirmed that they are not vulns in the context of the Node.js security model - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/191
- [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+

### nodejs/node

* src: add WDAC integration (Windows) #54364
* Robert W summarised this feature and what it intends to protect.
* Rafael asked if this is turned on by default
* Robert W explained this is turned on via system configuration, so for Windows users that don’t make use of catalogue policy, it won’t be enabled by default.
* Some discussions about security expectations, running this on untrusted code
* The documentation will be aligned with Node.js threat model. This feature won’t prevent malicous code from bypassing it. This will serve as an extra layer of security for Node.js applications.
* More discussion on implementation on Node.js

### nodejs/security-wg

* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)



## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.

Loading