nodejs · RafaelGSS · Mar 27, 2025 · Mar 27, 2025
diff --git a/meetings/2025-03-27.md b/meetings/2025-03-27.md
@@ -0,0 +1,81 @@
+# Node.js Security Team Meeting 2025-03-27
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=K4IFJUZoxAo
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1460
+* **Minutes Google Doc**: https://docs.google.com/document/d/1-GLK0d3N6Y7a0t1qX88W-U6e3d9-XrWOx99BE6bxr9Y/edit?tab=t.0
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Ulises Gascón: @UlisesGascon
+* Robert Waite: rowait@microsoft.com
+* Nguyen Duc Thien: @iuuukhueeee
+* Rafael Gonzaga: @RafaelGSS
+* Michael Dawson: @mhdawson
+* Marco Ippolito: @marco-ippolito
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+- [X] OpenSSF Scorecard Monitor Review:
+- The pkgjs org will probably track it too (separately)
+- No PR yet. Ulises is fixing the author commit
+
+### nodejs/node
+
+* src: add WDAC integration (Windows) #54364
+  * We did a careful review with Robert on this feature again
+  * Three new change requests
+    * Add typings
+    * Update documentation to REPLACEME instead of v24.0.0
+    * Update PR description for Notable Change section
+  * We’ll see if Yagiz will have time to review this PR again or dismiss his request changes
+  * We’ll mention it in the next TSC meeting for visibility
+    * No objections so far, so unless there new ones after mention in TSC meeting, we’ll plan to
+       land after current comments are addressed.
+
+* \[StepSecurity\] Apply security best practices #57535
+  * Have being doing security course with Carlos
+  * CodeQL could fill some important security gaps, have enabled on security wg repo
+  * Have been learning some good stuff
+  * Next action is to create an internal blog post to Node.js collaborators which share what was
+    learned and next steps.
+    * Most urgent is to document how to be more secure when using GitHub Actions
+
+### nodejs/security-wg
+
+* Update on CVEs for EOL Release Lines – MITRE Removal & Next Steps #1443
+  * Marco is working with HackerOne to update some existing CVEs for older EOL lines
+  * The next step is to create a ticket in their support
+
+* Node.js maintainers: Threat Model #1333
+  * Update to include: add impairing ability to the project day 2 day
+
+* OpenJS Security Compliance Checker [#1440](https://github.com/nodejs/security-wg/issues/1440)
+  * Ulises has replaced the issue body to use the current IDs, issues and docs. Also he will do a demo in the next meeting on the visionBoard + FortSphere capabilities for Node.js Org (ref)
+
+* OpenSSF Scorecard Report Updated #1459
+
+* Review Code Scanning Alerts #1453
+  * The plan is to review it on the next meeting
+
+* Audit build process for dependencies #1037
+  * No updates this week
+
+* Automate security release process #860
+  * Changelog and commit message fix for security releases
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+