# Node.js Technical Steering Committee (TSC) Meeting 2025-11-12

## Links

* **Recording**: https://www.youtube.com/watch?v=mp0B_8omTSo
* **GitHub Issue**: https://github.com/nodejs/TSC/issues/1799
* **Minutes**: https://hackmd.io/@openjs-nodejs/S1DMaPtybg

## Present

* Antoine du Hamel @aduh95 (voting member)
* Gireesh Punathil @gireeshpunathil (voting member)
* Joyee Cheung @joyeecheung (voting member)
* Chengzhong Wu @legendecas (voting member)
* Matteo Collina @mcollina (voting member)
* Michaël Zasso @targos (voting member)
* Paolo Insogna @ShogunPanda (voting member)
* Richard Lau @richardlau (voting member)
* Robert Nagy @ronag (voting member)

## Agenda

### Announcements

- v24 and v25 had new releases yesterday!

### Reminders

* Remember to nominate people for the [contributor spotlight](https://github.com/nodejs/node/blob/main/doc/contributing/reconizing-contributors.md#bi-monthly-contributor-spotlight)

### CPC and Board Meeting Updates

*Extracted from **tsc-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.*

### nodejs/TSC

* Collaborator Summit 2026 [#1800](https://github.com/nodejs/TSC/issues/1800)
  - Matteo to send an email to the TSC to ask for preferences between London and Vienna for Spring event.
* Update charter with communication responsibilities [#1754](https://github.com/nodejs/TSC/pull/1754)
  - deferred to CPC discussions
* Self-serve model for funding Node.js work [#1747](https://github.com/nodejs/TSC/issues/1747)
  - OpenJS Board is working on self-serving project funding
* Draft Statement of Work - Test reliability lead [#1629](https://github.com/nodejs/TSC/issues/1629)
  - No progress.

### nodejs/admin

* Enforcing npm publishing access on nodejs packages [#1017](https://github.com/nodejs/admin/issues/1017)
  - Chengzhong explains the problem.
  - Joyee: the person triggering the release would have to do something on their phone.
  - Matteo: I propose we disable classic tokens (2nd level of security)
  - Chengzhong: disabling tokens will be too strict for us. The 2nd level of security would not have much impact, it would only impact manual publishing.
  - Joyee: from a security perspective, if there is an automation we need to audit, we should verify who has access to the repository. We have packages that have not been published for years, and the maintainer access could be done to teams, and some people are not very active.
  - Chengzhong: this is a separate issue.
  - Joyee: we should look at what packages are being published and notify them.
  - Chengzhong: we should look at the tokens or look at the trusted publishing metadata.
  - ...
  - Joyee: we should ask the maintainers.
  - Matteo: I think we should pull the trigger.
  - ...
  - Targos: access details are in 1Password for the nodejs-foundation account.
  - Chengzhong: I would post an issue on the packages.
  - Matteo: https://github.com/nodejs/admin/issues/1017#issuecomment-3521492200.
* Only allow secure two-factor methods [#1005](https://github.com/nodejs/admin/issues/1005)
  - Chengzhong: we should be enforcing the secure 2FA for packages.
  - ...
  - Matteo: so far we have a huge number of people with insecure 2FA.
  - Antoine: is this something we want to do? How much trouble are we willing to make? My advice is to start with nodejs-private.
  - Matteo: I concur, we have 46 members.
  - Antoine: it's an experiment, we would know what is the behavior.
  - Matteo: I'll take an action to contact all people that do not have secure 2FA in nodejs-private to make them secure.

### nodejs/node

* doc: clarify the scope of `--disallow-code-generation-from-strings` [#58328](https://github.com/nodejs/node/pull/58328)
* util: add colorize functionality [#43523](https://github.com/nodejs/node/pull/43523)

## Strategic Initiatives

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `Add to Google Calendar` at the bottom left to add to your own Google calendar.