- Recording: https://youtu.be/jNC_SoX6MAg
- GitHub Issue: #829
- Minutes Google Doc: https://docs.google.com/document/d/1MtUVZ4dsVZeKNxxCeIVlN99edoFgNd5Z9C_6EjbJSYs/edit
- Security wg team: @nodejs/security-wg
- Rafael Gonzaga: @rafaelgss
- UlisesGascon: @ulisesgascon
- Facundo Tuesca: @facutuesca
- Thomas GENTILHOMME: @fraxken
*Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.
- Best Practices Document #819
  - Removed the Assumptions tab
  - Next steps:
    - Rename the threat list to a user-friendly title
    - Split specific mitigations into a separate blog post/document
      - e.g. instead of pointing to `policy` as a mitigation, it would be great to have "Using Policies to mitigate X".
    - Once the above steps are concluded, we can open a pull request.
- Automatic check for dependencies' vulnerabilities in Node.js CI #802
  - Maintaining the blacklist in the Node.js repository is hard.
    - Backporting it to active release lines is worse.
  - Facundo suggested moving the blacklist to the nodejs-dependency-vuln-assessments repository.
  - Rafael said that the blacklist might be completely superseded by GH Issues.
  - Discussions around potential fixes
    - Rafael suggested creating a root issue and making it available in the security-wg agenda, so as not to lose track of those vulnerabilities.
  - Even if a vulnerability doesn't affect Node.js, it might affect it in the future.
    - e.g. a vulnerability in InflateX is tagged as `does-not-affect-nodejs`, and a week later someone uses that function.
- Threat Model #799
- Permission Model #791
- feature request for `require.pure(id)` or `pkg.pure:true` #467
- Node.js Project Calendar: https://nodejs.org/calendar
  Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.