2025-03-27.md

Node.js Security Team Meeting 2025-03-27

Links

• Recording: https://www.youtube.com/watch?v=K4IFJUZoxAo
• GitHub Issue: #1460
• Minutes Google Doc: https://docs.google.com/document/d/1-GLK0d3N6Y7a0t1qX88W-U6e3d9-XrWOx99BE6bxr9Y/edit?tab=t.0

Present

• Security wg team: @nodejs/security-wg
• Ulises Gascón: @UlisesGascon
• Robert Waite: rowait@microsoft.com
• Nguyen Duc Thien: @iuuukhueeee
• Rafael Gonzaga: @RafaelGSS
• Michael Dawson: @mhdawson
• Marco Ippolito: @marco-ippolito

Agenda

Announcements

*Extracted from security-wg-agenda labelled issues and pull requests from the nodejs org prior to the meeting.

• Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
• OpenSSF Scorecard Monitor Review:
• The pkgjs org will probably track it too (separately)
• No PR yet. Ulises is fixing the author commit

nodejs/node

• src: add WDAC integration (Windows) #54364

  • We did a careful review with Robert on this feature again
  • Three new change requests
    • Add typings
    • Update documentation to REPLACEME instead of v24.0.0
    • Update PR description for Notable Change section
  • We’ll see if Yagiz will have time to review this PR again or dismiss his request changes
  • We’ll mention it in the next TSC meeting for visibility
    • No objections so far, so unless there new ones after mention in TSC meeting, we’ll plan to land after current comments are addressed.

• [StepSecurity] Apply security best practices #57535

  • Have being doing security course with Carlos
  • CodeQL could fill some important security gaps, have enabled on security wg repo
  • Have been learning some good stuff
  • Next action is to create an internal blog post to Node.js collaborators which share what was learned and next steps.
    • Most urgent is to document how to be more secure when using GitHub Actions

nodejs/security-wg

• Update on CVEs for EOL Release Lines – MITRE Removal & Next Steps #1443

  • Marco is working with HackerOne to update some existing CVEs for older EOL lines
  • The next step is to create a ticket in their support

• Node.js maintainers: Threat Model #1333

  • Update to include: add impairing ability to the project day 2 day

• OpenJS Security Compliance Checker #1440

  • Ulises has replaced the issue body to use the current IDs, issues and docs. Also he will do a demo in the next meeting on the visionBoard + FortSphere capabilities for Node.js Org (ref)

• OpenSSF Scorecard Report Updated #1459

• Review Code Scanning Alerts #1453

  • The plan is to review it on the next meeting

• Audit build process for dependencies #1037

  • No updates this week

• Automate security release process #860

  • Changelog and commit message fix for security releases

Q&A, Other

Upcoming Meetings

• Node.js Project Calendar: https://nodejs.org/calendar

Click +GoogleCalendar at the bottom right to add to your own Google calendar.