doc: add 2024-05-09 meeting notes (#1310)

nodejs · May 10, 2024 · 45e10be · 45e10be
1 parent 75b9c6e
commit 45e10be
Showing 1 changed file with 65 additions and 0 deletions.
diff --git a/meetings/2024-05-09.md b/meetings/2024-05-09.md
@@ -0,0 +1,65 @@
+# Node.js  Security team Meeting 2024-05-09
+
+## Links
+
+* **Recording**: https://www.youtube.com/watch?v=17Ccg-rix-M&ab_channel=node.js
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1302
+
+## Present
+
+* Michael Dawson (@mhdawson)
+* Thomas GENTILHOMME (@fraxken)
+* Carlos Espa (@Ceres6)
+* Marco Ippolito: @marco-ippolito 
+* Ulises Gascon (@UlisesGascon)
+* Italo José (@italojs_)
+* Rafael Gonzaga (@RafaelGSS)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  * Michael - Tooling is running ok, and no new issues to discuss
+
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+  * Ulises - some issues with tooling. [ref](https://github.com/nodejs/security-wg/actions/runs/9018519638/job/24779366504)
+
+### nodejs/node
+
+* Remove --experimental-policy [#52575](https://github.com/nodejs/node/issues/52575)
+  * Has been removed in main
+
+### nodejs/security-wg
+
+* Discuss adding --security-revert to NODE_OPTIONS [#1262](https://github.com/nodejs/security-wg/issues/1262)
+  * We discussed and the consensus of those at the meeting was to proceed with the Env variable AND cveRevert API call being needed to revert as an additional option to the command line. Michael will summarize in the issue and then we can figure out how to create a PR that incorporates the approach.
+
+* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255)
+
+* Proposed approach for build steps in deps which are not in make node  [#1236](https://github.com/nodejs/security-wg/issues/1236)
+  * Michael experimenting with building wasm build containers in https://github.com/mhdawson/node-wasm-build, looking good so far in terms of implementing the proposed approach.
+    * built GitHub action to build container and push to ghcr.io
+    * Based on what undici was doing to build container
+
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs 
+[#1159](https://github.com/nodejs/security-wg/issues/1159)
+  * waiting on the report from OSTIF to be shared with TSC
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+
+
+
+## Q&A, Other
+
+Best Practices badge update:
+- Ulises has created two PRs that require some work to justify our responses (https://github.com/nodejs/security-wg/pull/1306 and https://github.com/nodejs/security-wg/pull/956)
+- Currently, the Scoring is not correct, as after the edition the responses were deleted by the application (seems like a bug)
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.