diff --git a/meetings/2023-06-22.md b/meetings/2023-06-22.md new file mode 100644 index 00000000..5cd45324 --- /dev/null +++ b/meetings/2023-06-22.md @@ -0,0 +1,76 @@ +# Node.js Security team Meeting 2023-06-22 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=bXmuOBod2RU +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1026 +* **Minutes Google Doc**: https://docs.google.com/document/d/1X2F4JTChNLEod7qzh9aTEqgIJtGrvLumnnLk7efiE_o/edit + +## Present + +* Security wg team: @nodejs/security-wg +* Rafael Gonzaga: @RafaelGSS +* Michael Dawson: @mhdawson +* Ulises Gascon: @UlisesGascon + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. + +- New Security Releases! + - Since Tuesday available. Details: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases + +- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - 0.2 decrease in undici (expected) + +- [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/pull/1033 + - In the next call we will discuss about the future of this initiative (aside of monitoring) + +### nodejs/security-wg + +* Permission - Environment variables [#993](https://github.com/nodejs/security-wg/issues/993) + * Open for support from the community + * Removed from agenda + +* Requirement: Secure development knowledge [#987](https://github.com/nodejs/security-wg/issues/987) + * Removed from agenda +* Requirement: Publicly known medium-high vulnerabilities unpatched for +60 days [#986](https://github.com/nodejs/security-wg/issues/986) + * Removed from agenda +* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953) + * Silver level almost concluded. + * Waiting for badge resolution in the Entry level + * Waiting for access to the OSSF Best practices website + +* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898) + * New improvements and fixes shipped in the last release + * Investigation ongoing for symlinks + +* Update Charter / Readme.md [#874](https://github.com/nodejs/security-wg/pull/874) + * We want to keep this in the loop as we need to do more changes in the repo name, etc.. + * PR merged + +* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860) + * The three new releases were created the automation made by Rafael + * It will require some extra work to fine tune details (like multi-commits…), see: https://github.com/nodejs/security-wg/issues/860#issuecomment-1602747118 + +* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859) + * Once the gold standard is done, this initiative will be closed + +* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856) + * Removed from the agenda + +## Q&A, Other + +* New initiatives will be starting soon + * Dependencies immutability + * Supply chain attacks mitigation (monitoring and promoting best practices) + + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. +