From 3b094e302ebc74e338a8e03d003dfcd1777fc496 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Thu, 19 Mar 2026 16:09:25 -0300 Subject: [PATCH] Add minutes for Node.js Security team meeting on 2026-03-19 Documented the Node.js Security team meeting held on March 19, 2026, including agenda, announcements, and links to resources. --- meetings/2026-03-19.md | 65 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 meetings/2026-03-19.md diff --git a/meetings/2026-03-19.md b/meetings/2026-03-19.md new file mode 100644 index 00000000..ce3fa7ad --- /dev/null +++ b/meetings/2026-03-19.md 
@@ -0,0 +1,65 @@ +# Node.js Security team Meeting 2026-03-19 + +## Links + +* **Recording**: https://www.youtube.com/watch?v=7XV5ra3A5-I +* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1555 +* **Minutes**: https://hackmd.io/@openjs-nodejs/rkHBMRRl5-x + +## Present + +* Security wg team: @nodejs/security-wg +* Rafael Gonzaga: @RafaelGSS +* Marco Ippolito: @marco-ippolito +* Beth Griggs: @BethGriggs + +## Agenda + +## Announcements + +*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting. + +- Node.js Security release announced to March 24th +- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues + - VEX file has been published + - There are more work to do. +- [ ] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+ + +### nodejs/security-wg + +* Node.js PURL is missing namespace [#1552](https://github.com/nodejs/security-wg/issues/1552) + * PURL = Package URL + * It needs to be fixed. It's missing the protocol (should be generic + * The ecosystem refers to Node.js as `node` while the project itself refers to `nodejs/node`. + * Proposal to use `nodejs/node` as preference in the VEX file + +* regenerate node.openvex.json [#1549](https://github.com/nodejs/security-wg/pull/1549) + * Remove from the agenda. + +* update deps index.json [#1547](https://github.com/nodejs/security-wg/pull/1547) + * Approved and merged. 
+ +* Tracking: LLM-assisted H1 report triage [#1554](https://github.com/nodejs/security-wg/issues/1554) + * Beth is working on a model to classify open reports based on + * All closed reports + * SECURITY.md + * Next: Node.js documentation + +### nodejs/TSC + +* Proposal: Moving security reports to a public workflow [#1826](https://github.com/nodejs/TSC/issues/1826) + * We are going to discuss it in depth in the collaborator summit + * An intermediary proposal is to avoid CI embargo. Under discussion with releasers team. + +### nodejs/node + +* Auditing permissions [#59935](https://github.com/nodejs/node/issues/59935) + * Concluded by https://github.com/nodejs/node/commit/9ddd1a9c27c253f46d587a8c906ccd83417b4606. + +## Q&A, Other + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `Add to Google Calendar` at the bottom left to add to your own Google calendar.
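Review bot: Two bullets in the new `meetings/2026-03-19.md` are cut off mid-sentence and should be completed before merging: under nodejs/security-wg #1552, `* It needs to be fixed. It's missing the protocol (should be generic` never closes the parenthesis or finishes the thought (presumably the intended PURL type, e.g. `pkg:generic/...`, but that is for the author to confirm), and under #1554, `* Beth is working on a model to classify open reports based on` ends without saying what the classification is based on, even though the sub-bullets that follow look like the intended list. Minor wording fixes in the same file: `There are more work to do.` should read `There is more work to do.`, and `Node.js Security release announced to March 24th` reads more clearly as `Node.js security release announced for March 24th`. The `*Extracted from **security-wg-agenda** ...` line opens italics with a single `*` that is never closed, so the rest of the paragraph will render italicised in Markdown; either close it or drop the leading `*`. Finally, the `## Agenda` and `## Q&A, Other` sections are empty and the `**Node.js Project Calendar**:` bullet has no link after the colon, so the `Click Add to Google Calendar` instruction points at nothing; if these follow the team's minutes template, consider filling in the calendar link or removing the empty headings so the minutes match what was actually covered.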