Skip to content

doc: add 2025-07-17 meeting notes #1500

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
RafaelGSS merged 1 commit into from
Jul 17, 2025
Merged

doc: add 2025-07-17 meeting notes #1500

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions meetings/2025-07-17.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# Node.js Security team Meeting 2025-07-17

## Links

* **Recording**: https://www.youtube.com/watch?v=_YmVz6tyYFc&ab_channel=node.js
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1494
* **Minutes Google Doc**: https://docs.google.com/document/d/10DElWFkWGjavqCk5HsRZXZWsAiKCaYz0RFMWAzStuWk/edit?tab=t.0

## Present

* Security team: @nodejs/security-wg
* Marco Ippolito: @marco-ippolito
* Ulises Gascón: @UlisesGascon
* Robert Waite
* Rafael Gonzaga: @RafaelGSS

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.

- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- [X] OpenSSF Scorecard Monitor Review
- No action pending from our side: https://github.com/nodejs/security-wg/pull/1498

### nodejs/node

* doc: add constraints for mem leak to threat model #58917
* We briefly discussed it
* Task to review that async

* src: add WDAC integration (Windows) #54364
* Robert is working on a TOCTOU patch
* Robert also provided instructions on how to sign and use this feature on a Windows machine
* Rafael will run it locally once the last patch is concluded

### nodejs/security-wg

* Wrong CVE Creation - May 14th Security Releases #1483
* Identified the same bug in the last security release (July 15)
* Rafael is in contact with H1 to fix it

* Update on CVEs for EOL Release Lines – MITRE Removal & Next Steps #1443
* Still pending the update of old CVEs to include EOL lines

* Review Code Scanning Alerts #1453
* The remaining alerts are points to tools/ or test/
* There’s nothing to worry about
* Rafael will take the action to review that carefully before removing it from the agenda

* Node.js maintainers: Threat Model #1333
* Plan to finalise the document in the next session
* We’ll show it in the next security collab space (openjs foundation)
* Decide in the next session if the work is “concluded”

* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)

## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.

Loading