# OpenJS Foundation Security Collab Space Meeting - February 02, 2026

## Meeting Details

- **Date**: February 02, 2026
- **Time**: 08:30 - 09:30 AM PT
- **Zoom**: [Zoom Link](https://zoom-lfx.platform.linuxfoundation.org/meeting/98301969246?password=889b7578-29b6-4be9-96c1-f74cbce812c4)
- **Calendar**: https://calendar.openjsf.org

---

## Links

* **Recording**: [To be added after meeting]
* **GitHub Issue**: https://github.com/openjs-foundation/security-collab-space/issues/306

## Present

* Ben
* Rafael
* Robin Ginn (@rginn)
* Kate
* Jordan Harband
* Chris de Almeida
* Segio Rojas

## Agenda

### Announcements

* [PLACEHOLDER_ANNOUNCEMENTS]

### Issues Labeled `security-agenda`

- [ ] [#285](https://github.com/openjs-foundation/security-collab-space/issues/285) - Aligning Projects with Minimum Security Reporting Guidelines

### Action Items from Previous Meeting

- [ ] Add links to security training to our readme (BS)
- [ ] Clean up the openjsf/security page (BS/KP)
- [ ] Get our docs to not be draft ()
- [ ] Reframe Best Practices Badge Guide to be the minimal security guidelines (Jordan Harband, Ben, Robin) - Ben to schedule a working session
- [ ] For new and existing projects, a requirement to read through "best practices"; this would need to be finalized first. (All)

### New Action Items

- [ ] Rafael will reach out to Kate for OpenSSF meetings to discuss AI vulnerability reports

## Discussion Notes

### AI Security Reports & Node

Large increase in HackerOne vulnerability reports for Node, taking a lot of effort to evaluate. Looking at additional requirements for submissions and possibly changing how we handle these. There is a blog post being drafted; Robin will share it for feedback. Matteo has reviewed.

RG --> suggests bringing this topic to OpenSSF meetings: what are other projects outside of OpenJS seeing?

### Recent Security Release of Node.js & Docker Images

Official Node Docker images rely on non-official Docker images. When Node ships a release, Docker does not automatically release new images, which results in a delay, for example 5 days. This is mentioned in our docs, but we need to figure out how to make this part of a security release. There are discussions happening with the Docker team.

### nvm CVE

CVE published last week.

### Socket Blog Report On Lodash

https://socket.dev/blog/inside-lodash-security-reset

## Upcoming Meetings

* **Next Meeting**: February 09, 2026
* **Calendar**: https://calendar.openjsf.org

---

## Resources

- Security Collab Space repository: https://github.com/openjs-foundation/security-collab-space
- OpenJS Security Guidelines: https://github.com/openjs-foundation/security-collab-space/tree/main/docs
- Join Slack: https://slack-invite.openjsf.org/ (#security channel)