-
Notifications
You must be signed in to change notification settings - Fork 122
/
2022-12-08.md
63 lines (41 loc) · 2.59 KB
/
2022-12-08.md
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# Node.js Security WorkGroup Meeting 2022-12-08
## Links
* **Recording**: https://www.youtube.com/watch?v=fMfOVI4NLC0&ab_channel=node.js
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/849
* **Minutes Google Doc**: https://docs.google.com/document/d/16fixx6Xt3TwTeRgI3p4v2x0Q869i7x8upZrO-E6sSE0/edit
## Present
* Security wg team: @nodejs/security-wg
* Ulises Gascon: @ulisesgascon
* Rafael Gonzaga: @RafaelGSS
* Thomas GENTILHOMME: @fraxken
* Facundo Tuesca
## Agenda
## Announcements
*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
### nodejs/security-wg
* Node.js Security WG Initiatives 2023 [#846](https://github.com/nodejs/security-wg/issues/846)
* Ulises will update the Security WG README to include the next initiatives
* Currently, we have two well defined initiatives
* Permission Model
* Automate update dependencies
* There’s a consensus the checker when vulnerable is a good thing. However, we don’t know exactly in which place it would be better. Rafael will open an issue to discuss it with the TSC. We currently have two options: 1) work together with npm team to include this check when `npm install` 2) behind a flag --abort-when-vulnerable
* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828)
* OpenSSL automation was created https://github.com/nodejs/node/pull/45605
* Discussion to keep 2 commits for OpenSSL update
* Currently, the action only accepts one commit, so if we really need two commits for OpenSSL update, we would need to rewrite a few things
* Rafael: I think we can try with one commit
* Base64, Acorn and Libuv update tools already merged
* Permission Model [#791](https://github.com/nodejs/security-wg/issues/791)
* Very good progress
* non-permissive approach merged
* Fixed a bug on the RadixTree algorithm
* Next steps: Documentation/Symlink edge cases
### nodejs/nodejs-dependency-vuln-assessments
* Recursive support on Node.js dependencies [#89](https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/89)
* The npm dependency contains a node_modules without a package-lock, so when npm audit runs, it will download the latest dependency, therefore, showing a false-negative.
* Thomas suggested using arborist manually
## Q&A, Other
## Upcoming Meetings
* **Node.js Project Calendar**: <https://nodejs.org/calendar>
Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.