# Node.js Security team Meeting 2026-03-19

## Links

* **Recording**: https://www.youtube.com/watch?v=7XV5ra3A5-I
* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1555
* **Minutes**: https://hackmd.io/@openjs-nodejs/rkHBMRRl5-x

## Present

* Security wg team: @nodejs/security-wg
* Rafael Gonzaga: @RafaelGSS
* Marco Ippolito: @marco-ippolito
* Beth Griggs: @BethGriggs

## Agenda

## Announcements

*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.*

- Node.js Security release announced for March 24th
- [x] Vulnerability Review
  - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
  - VEX file has been published
  - There is more work to do.
- [ ] OpenSSF Scorecard Monitor Review
  - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+

### nodejs/security-wg

* Node.js PURL is missing namespace [#1552](https://github.com/nodejs/security-wg/issues/1552)
  * PURL = Package URL
  * It needs to be fixed. It's missing the protocol (should be generic
  * The ecosystem refers to Node.js as `node` while the project itself refers to `nodejs/node`.
  * Proposal to use `nodejs/node` as preference in the VEX file
* regenerate node.openvex.json [#1549](https://github.com/nodejs/security-wg/pull/1549)
  * Remove from the agenda.
* update deps index.json [#1547](https://github.com/nodejs/security-wg/pull/1547)
  * Approved and merged.
* Tracking: LLM-assisted H1 report triage [#1554](https://github.com/nodejs/security-wg/issues/1554)
  * Beth is working on a model to classify open reports based on
    * All closed reports
    * SECURITY.md
    * Next: Node.js documentation

### nodejs/TSC

* Proposal: Moving security reports to a public workflow [#1826](https://github.com/nodejs/TSC/issues/1826)
  * We are going to discuss it in depth in the collaborator summit
  * An intermediary proposal is to avoid CI embargo. Under discussion with releasers team.
### nodejs/node

* Auditing permissions [#59935](https://github.com/nodejs/node/issues/59935)
  * Concluded by https://github.com/nodejs/node/commit/9ddd1a9c27c253f46d587a8c906ccd83417b4606.

## Q&A, Other

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `Add to Google Calendar` at the bottom left to add to your own Google calendar.