Node.js Security team Meeting 2023-06-22

Links

Present

  • Security wg team: @nodejs/security-wg
  • Rafael Gonzaga: @RafaelGSS
  • Michael Dawson: @mhdawson
  • Ulises Gascon: @UlisesGascon

Agenda

Announcements

*Extracted from security-wg-agenda labeled issues and pull requests from the nodejs org prior to the meeting.

nodejs/security-wg

  • Permission - Environment variables #993

    • Open for support from the community
    • Removed from agenda
  • Requirement: Secure development knowledge #987

    • Removed from agenda
  • Requirement: Publicly known medium-high vulnerabilities unpatched for +60 days #986

    • Removed from agenda
  • Initiative for CII-Best-Practices for Nodejs Projects #953

    • Silver level almost concluded.
    • Waiting for badge resolution in the Entry level
    • Waiting for access to the OSSF Best practices website
  • Permission Model - Roadmap #898

    • New improvements and fixes shipped in the last release
    • Investigation ongoing for symlinks
  • Update Charter / Readme.md #874

    • We want to keep this in the loop as we need to make more changes to the repo name, etc.
    • PR merged
  • Automate security release process #860

    • The three new releases were created with the automation made by Rafael
    • It will require some extra work to fine-tune details (like multi-commits…), see: nodejs#860 (comment)
  • Assessment against best practices (OpenSSF Scorecards ...) #859

    • Once the gold standard is done, this initiative will be closed
  • Discussion about policy-integrity integration on Windows #856

    • Removed from the agenda

Q&A, Other

  • New initiatives will be starting soon
    • Dependencies immutability
    • Supply chain attacks mitigation (monitoring and promoting best practices)

Upcoming Meetings

Click +GoogleCalendar at the bottom right to add to your own Google calendar.