chore: add minutes doc for 2024-03-28 meeting (#1268)

marco-ippolito · fraxken · web-flow · commit f538ab7bddbd · 2024-03-28T21:18:03.000+01:00
* chore: add minutes doc for 2024-03-28 meeting

* Update meetings/2024-03-28.md

Co-authored-by: Thomas.G &lt;gentilhomme.thomas@gmail.com&gt;

---------

Co-authored-by: Thomas.G &lt;gentilhomme.thomas@gmail.com&gt;
diff --git a/meetings/2024-03-28.md b/meetings/2024-03-28.md
@@ -0,0 +1,69 @@
+# Node.js  Security team Meeting 2024-03-28
+
+## Links
+
+* **Recording**:  <https://www.youtube.com/watch?v=JaEpjuFTFZg>
+* **GitHub Issue**: <https://github.com/nodejs/security-wg/issues/1260>
+
+## Present
+
+* Marco Ippolito: @marco-ippolito
+* Thomas GENTILHOMME: @fraxken
+* Michael Dawson (@mhdawson)
+* Mert Can Altin
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+* Security release next week, announcement went out yesterday
+
+* [X] Vulnerability Review - <https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues>
+  * Michael
+    * tweaked when the jobs run this seems to have helped
+    * changed to ignore closed issues, so new issues will be opened in case we close one that
+       should not have.
+
+* [X] OpenSSF Scorecard Monitor Review - <https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+>
+  * From Ulises
+    * Scoring lower due to an issue with the action in terms of collecting some data
+    * Only actionable issue is undici, where it resorts issue on workflow tokens with excessive
+      Permissions
+
+* Some failures on undici, Thomas will ping the undici team. Issue: https://github.com/nodejs/undici/issues/3012
+
+### nodejs/security-wg
+
+* Node.js Security Initiatives 2024 [#1255](https://github.com/nodejs/security-wg/issues/1255)
+  * Proposed initiatives for 2024:
+    * Permission Model (2 Phase)  (Rafael)
+    * Assessment against best practices
+    * Automate Security release process (Marco/Rafael)
+    * Including SBOMs with Node.js (Marco)
+    * Audit and improving the build processes of the dependencies (Michael)
+  * Next meeting discuss with Ulisses about Assessment against best practices status
+
+* Proposed approach for build steps in deps which are not in make node  [#1236](https://github.com/nodejs/security-wg/issues/1236)
+
+* Security initiative in December 2023: fuzzing Nodejs: [#1159](https://github.com/nodejs/security-wg/issues/1159)
+  * <https://github.com/google/oss-fuzz/tree/master/projects/nodejs>
+  * Waiting for follow up, maybe Rafael has some news
+
+* Audit build process for dependencies - [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Waiting for @security-wg feedback, then moving on to collaborate and adding base principles to Node
+
+* Initiative for CII-Best-Practices for Nodejs Projects  [#953](https://github.com/nodejs/security-wg/issues/953)
+  * No update this week
+
+* Permission Model - Roadmap  [#898](https://github.com/nodejs/security-wg/issues/898)
+  * No update for this week
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
