- Recording: https://www.youtube.com/watch?v=7XV5ra3A5-I
- GitHub Issue: #1555
- Minutes: https://hackmd.io/@openjs-nodejs/rkHBMRRl5-x
- Security wg team: @nodejs/security-wg
- Rafael Gonzaga: @RafaelGSS
- Marco Ippolito: @marco-ippolito
- Beth Griggs: @BethGriggs
*Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.*
- Node.js Security release announced for March 24th
- Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- VEX file has been published
- There is more work to do.
- OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
- Node.js PURL is missing namespace #1552
- PURL = Package URL
- It needs to be fixed. It's missing the protocol (should be generic
- The ecosystem refers to Node.js as `node` while the project itself refers to `nodejs/node`.
- Proposal to use `nodejs/node` as the preferred form in the VEX file
- regenerate node.openvex.json #1549
- Remove from the agenda.
- update deps index.json #1547
- Approved and merged.
- Tracking: LLM-assisted H1 report triage #1554
- Beth is working on a model to classify open reports based on:
- All closed reports
- SECURITY.md
- Next: Node.js documentation
- Proposal: Moving security reports to a public workflow #1826
- We are going to discuss it in depth in the collaborator summit
- An intermediate proposal is to drop the CI embargo. Under discussion with the releasers team.
- Auditing permissions #59935
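The PURL item above turns on a detail that is easy to lose in a VEX document: a Package URL follows the grammar `pkg:type/namespace/name@version?qualifiers#subpath`, and a purl written without the namespace segment (`.../node`) does not match one written with it (`.../nodejs/node`), so a consumer matching VEX statements by purl will silently miss the other form. The following is an added example, not code from the Node.js project or from any purl-spec reference implementation: a small parser and builder for that grammar, plus a canonical comparison that shows the two forms do not match. The `generic` type, the `22.14.0` version string and the npm purl used in the demo are constructed for illustration and are not taken from the minutes.

```javascript
// Minimal Package URL (purl) parser/builder, added here as an example.
// Grammar (from the purl spec): pkg:type/namespace/name@version?qualifiers#subpath
// Components are split from the right, in the order the spec prescribes
// (subpath, qualifiers, version), so '@' and '?' inside later parts cannot
// be mistaken for separators of earlier ones.

function parsePurl(purl) {
  if (typeof purl !== 'string' || !/^pkg:/i.test(purl)) {
    throw new Error('purl must start with "pkg:"');
  }
  let rest = purl.slice('pkg:'.length);

  // subpath (optional): everything after the last '#', '.' and '..' segments dropped
  let subpath = null;
  const hash = rest.lastIndexOf('#');
  if (hash !== -1) {
    const segs = rest.slice(hash + 1).split('/')
      .filter((s) => s && s !== '.' && s !== '..').map(decodeURIComponent);
    subpath = segs.length ? segs.join('/') : null;
    rest = rest.slice(0, hash);
  }

  // qualifiers (optional): everything after the last '?', as key=value pairs joined by '&'
  const qualifiers = {};
  const q = rest.lastIndexOf('?');
  if (q !== -1) {
    for (const pair of rest.slice(q + 1).split('&')) {
      const eq = pair.indexOf('=');
      if (eq === -1) continue;                       // malformed pair, ignore
      const value = decodeURIComponent(pair.slice(eq + 1));
      if (value) qualifiers[pair.slice(0, eq).toLowerCase()] = value;
    }
    rest = rest.slice(0, q);
  }

  // the spec tolerates "pkg://type/..." and extra leading slashes; strip them
  rest = rest.replace(/^\/+/, '');

  // version (optional): everything after the last '@'
  let version = null;
  const at = rest.lastIndexOf('@');
  if (at !== -1) {
    version = decodeURIComponent(rest.slice(at + 1));
    rest = rest.slice(0, at);
  }

  // type: first path segment, case-insensitive; remaining segments are namespace + name
  const firstSlash = rest.indexOf('/');
  if (firstSlash === -1) throw new Error('purl has no name');
  const type = rest.slice(0, firstSlash).toLowerCase();
  const segments = rest.slice(firstSlash + 1).split('/').filter(Boolean).map(decodeURIComponent);
  if (segments.length === 0) throw new Error('purl has no name');

  // last segment is the name; anything before it is the (possibly multi-segment) namespace
  const name = segments[segments.length - 1];
  const namespace = segments.length > 1 ? segments.slice(0, -1).join('/') : null;

  return { type, namespace, name, version, qualifiers, subpath };
}

// Serialise components back into canonical purl form: lowercase type, sorted
// qualifier keys, every segment percent-encoded (so an npm scope becomes %40scope).
function buildPurl({ type, namespace = null, name, version = null, qualifiers = {}, subpath = null }) {
  const enc = encodeURIComponent;
  let out = `pkg:${type.toLowerCase()}/`;
  if (namespace) out += namespace.split('/').map(enc).join('/') + '/';
  out += enc(name);
  if (version) out += '@' + enc(version);
  const keys = Object.keys(qualifiers).sort();
  if (keys.length) out += '?' + keys.map((k) => `${k.toLowerCase()}=${enc(qualifiers[k])}`).join('&');
  if (subpath) out += '#' + subpath.split('/').map(enc).join('/');
  return out;
}

// Two purls name the same package only if their canonical forms agree.
// This is the check a VEX consumer effectively performs when matching products.
function canonicalPurl(purl) { return buildPurl(parsePurl(purl)); }
function samePackage(a, b) { return canonicalPurl(a) === canonicalPurl(b); }

// Preferred Node.js product purl per the proposal in the minutes (the "generic"
// type is an assumption of this example; the minutes do not settle it).
function nodejsPurl(version) {
  return buildPurl({ type: 'generic', namespace: 'nodejs', name: 'node', version });
}

// Demo: the namespace-less and namespaced forms do not match each other.
function demo() {
  const withoutNs = 'pkg:generic/node@22.14.0';          // constructed example
  const withNs = nodejsPurl('22.14.0');                  // pkg:generic/nodejs/node@22.14.0
  return { withoutNs, withNs, match: samePackage(withoutNs, withNs) };
}
console.log(demo());
```

Running the block prints the two forms and `match: false`; the practical consequence is that a scanner holding `pkg:generic/node@...` in its inventory will not apply a VEX statement whose product is `pkg:generic/nodejs/node@...`, which is why the minutes record a single preferred form for the VEX file rather than leaving both in circulation.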
- Node.js Project Calendar: https://nodejs.org/calendar
Click Add to Google Calendar at the bottom left to add to your own Google calendar.