Skip to content

Commit

Permalink
doc: add meeting notes (#1371)
Browse files Browse the repository at this point in the history
  • Loading branch information
RafaelGSS authored Sep 5, 2024
1 parent 4426a6e commit 4c60f4c
Showing 1 changed file with 50 additions and 0 deletions.
50 changes: 50 additions & 0 deletions meetings/2024-08-29.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# Node.js Security team Meeting 2024-08-29

## Links

* **Recording**: https://www.youtube.com/watch?v=w4zzH-otKNI
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1365

## Present

* Michael Dawson (@mhdawson)
* Robert W - Microsoft
* Lee Holmes - Microsoft
* Rafael Gonzaga (@RafaelGSS)

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.

- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
* Some questions about 3 V8 CVEs, confirmed that they are not vulns in the context of the Node.js security model - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/191
- [x] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+

### nodejs/node

* src: add WDAC integration (Windows) #54364
* Robert W summarised this feature and what it intends to protect.
* Rafael asked if this is turned on by default
* Robert W explained this is turned on via system configuration, so for Windows users that don’t make use of catalogue policy, it won’t be enabled by default.
* Some discussions about security expectations, running this on untrusted code
* The documentation will be aligned with Node.js threat model. This feature won’t prevent malicous code from bypassing it. This will serve as an extra layer of security for Node.js applications.
* More discussion on implementation on Node.js

### nodejs/security-wg

* Node.js maintainers: Threat Model [#1333](https://github.com/nodejs/security-wg/issues/1333)
* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)



## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.

0 comments on commit 4c60f4c

Please sign in to comment.