- Recording: https://www.youtube.com/watch?v=HAqMRXb9aw4
- GitHub Issue: #877
- Security wg team: @nodejs/security-wg
- Ulises Gascon: @ulisesGascon
- Thomas GENTILHOMME: @fraxken
- Rafael Gonzaga: @RafaelGSS
- Zb Tenerowicz: @naugtur
- Marco Ippolito: @marco-ippolito
- Michael Dawson: @mhdawson
- Lee Holmes
- Bradley Farias: @bmeck
- Iago Calazans
- Robert Waite
Working on the next security release; it will probably be released today.
*Extracted from security-wg-agenda labeled issues and pull requests from the nodejs org prior to the meeting.
- Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
- npm vulnerability (discussed in the past) will be patched in the next release
Discussion about policy-integrity integration on Windows #856
- Robert Waite and Lee Holmes led the discussion
- They have been reviewing policy integrity for Windows machines
- Attack vector: an attacker with access to the target system (compromised infrastructure or a similar scenario) can modify a file, update the policy and the CLI argument invocation with the new hash, and restart the Node.js process.
- Prototype that uses a detached signature to sign the policy, with a certificate trusted by the system's policy system
- A PR with the suggested changes is potentially ready
- Discussion of possible implementations
- Overlap with the Single Executable Application effort
Automate security release process #860
- Draft PR created: nodejs/node-core-utils#665
- Additional PR to be created for landing node in the private repository
Assessment against best practices (OpenSSF Scorecards ...) #859
- Demo of the security recommendations generated by code scanning
- Demo of the GitHub Action that generates reports collecting Scorecard results
- PR to be submitted with a new pipeline to check scores for Node.js and Undici
- Ask to enable code scanning in Undici
Add OSSF Scorecard #851
Automate updates of all dependencies #828
- Marco has been working on the nghttp2 update automation
Permission Model #791
- Good news! The Permission Model is (technically) ready to go
- Waiting for the CI to be unlocked to trigger another CI run
- Need to address/answer Tobias's comment first
- Recursive support for Node.js dependencies #89
- Node.js Project Calendar: https://nodejs.org/calendar
Click +GoogleCalendar at the bottom right to add to your own Google calendar.