# Node.js Security team Meeting 2025-11-06
## Links
* **Recording**: https://www.youtube.com/watch?v=a7zV2sdSTEU
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1530
* **Minutes**: https://hackmd.io/@openjs-nodejs/HyClNtW1Ze
## Present
* Security wg team: @nodejs/security-wg
* Rafael Gonzaga: @RafaelGSS
* Ulises Gascón: @ulisesGascon
* Marco Ippolito: @marco-ippolito
* Wes Todd: @wesleytodd
## Agenda
## Announcements
*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.*
- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
    - We reviewed https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/213 and do not believe those CVEs affect Node.js.
- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/pull/1532
- No meaningful updates
- Good improvement on CITGM - Updated dependencies.
### nodejs/security-wg
- Reduce meeting frequency to monthly [#1527](https://github.com/nodejs/security-wg/issues/1527)
- Active discussions are happening on OpenJS Security Collab Space
* Create a VEX file for Node.js [#1517](https://github.com/nodejs/security-wg/issues/1517)
- +1 from the team
- Marco will create a PR to move forward with this initiative
### nodejs/node
* Auditing permissions [#59935](https://github.com/nodejs/node/issues/59935)
- Draft PR has been created
    - Rafael: currently the feature is emitting a warning to the console, but I don't think this is good. It would be much better to send the warning through a place where users can consume it, like diagnostics_channel; however, there's no native implementation of dc yet, so we'll need to create one from scratch. Non-trivial work.
* src: add WDAC integration (Windows) [#54364](https://github.com/nodejs/node/pull/54364)
- TOCTOU issues
    - Removed from the agenda as it's stale
## Q&A, Other
- OpenJS Blog Post - Publishing Packages via CI
- We have set up https://github.com/npm-pub-2025
    - We need to consolidate step 2 and step 3 into just one
- https://expressjs/ci-workflows
- Proposal to have this action available for users to re-use
- We'll compare our strategy with npm recent changes
- Package Maintenance Working Group will set up a meeting to work technically on these actions - https://github.com/nodejs/package-maintenance
    - Next actions:
        - Schedule the meeting
        - Propose the action to the pkgjs organization
        - Reduce the GOVERNANCE from pkgjs to handle small groups of maintainers, e.g. 1-2 approvals for PRs
## Upcoming Meetings
* **Node.js Project Calendar**: <https://nodejs.org/calendar>
Click `Add to Google Calendar` at the bottom left to add to your own Google calendar.