Node.js Security team Meeting 2024-02-29

[mhdawson]

Time

UTC Thu 29-Feb-2024 15:00 (03:00 PM):

Timezone	Date/Time
US / Pacific	Thu 29-Feb-2024 07:00 (07:00 AM)
US / Mountain	Thu 29-Feb-2024 08:00 (08:00 AM)
US / Central	Thu 29-Feb-2024 09:00 (09:00 AM)
US / Eastern	Thu 29-Feb-2024 10:00 (10:00 AM)
EU / Western	Thu 29-Feb-2024 15:00 (03:00 PM)
EU / Central	Thu 29-Feb-2024 16:00 (04:00 PM)
EU / Eastern	Thu 29-Feb-2024 17:00 (05:00 PM)
Moscow	Thu 29-Feb-2024 18:00 (06:00 PM)
Chennai	Thu 29-Feb-2024 20:30 (08:30 PM)
Hangzhou	Thu 29-Feb-2024 23:00 (11:00 PM)
Tokyo	Fri 01-Mar-2024 00:00 (12:00 AM)
Sydney	Fri 01-Mar-2024 02:00 (02:00 AM)

Or in your local time:

• https://www.timeanddate.com/worldclock/fixedtime.html?msg=Node.js+Foundation+Security%20team+Meeting+2024-02-29&iso=20240229T1500
• or https://www.wolframalpha.com/input/?i=03PM+UTC%2C+Feb+29%2C+2024+in+local+time

Links

• Minutes Google Doc: https://docs.google.com/document/d/1MEBmygnlfuuVTT86RjK69v5nRIfRCBx6NFBdASp3Whk/edit

Agenda

Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.

nodejs/security-wg

• Proposed approach for build steps in deps which are not in make node #1236
• Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs #1159
• Audit build process for dependencies #1037
• Initiative for CII-Best-Practices for Nodejs Projects #953
• Permission Model - Roadmap #898

Invited

• Security wg team: @nodejs/security-wg

Observers/Guests

Notes

The agenda comes from issues labelled with security-wg-agenda across all of the repositories in the nodejs org. Please label any additional issues that should be on the agenda before the meeting starts.

Joining the meeting

https://zoom.us/j/92309450775

• link for participants: <>
• For those who just want to watch We stream our conference call straight to YouTube so anyone can listen to it live, it should start playing at https://www.youtube.com/c/nodejs+foundation/live when we turn it on. There's usually a short cat-herding time at the start of the meeting and then occasionally we have some quick private business to attend to before we can start recording & streaming. So be patient and it should show up.
• youtube admin page: https://www.youtube.com/my_live_events?filter=scheduled

---

Invitees

Please use the following emoji reactions in this post to indicate your availability.

• :+1: - Attending
• :-1: - Not attending
• :confused: - Not sure yet

[UlisesGascon]

I won't be ale to attend today, but I am trying to generate the OSSF reporting. Seems like GitHub at the moment is having some issues with the Actions, GitHub Status

[UlisesGascon]

Fast analysis from my side on the scoring:

• No actions are required by the team 🎉
• PR (for tracking): https://github.com/nodejs/security-wg/pull/1242
• Issue (for best evaluation): https://github.com/nodejs/security-wg/issues/1241

[marco-ippolito]

Mind that today security wg will be followed by the next-10 deep dive.

[richardlau]

FYI, I've opened https://github.com/nodejs/security-wg/issues/1243 to cover the increasing number of 503 errors being hit in https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/workflows/daily.yml.

[RafaelGSS]

I won't be able to host it due to https://github.com/nodejs/admin/issues/854