doc: add meeting minutes 25-05-23

meetings/2023-05-25.md

@@ -0,0 +1,80 @@
+# Node.js  Security WorkGroup Meeting 2023-05-25
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=c-tMjOJawSI
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/994
+* **Minutes Google Doc**: https://docs.google.com/document/d/1SPbPePi7U7YnPmTeYA1aBNL-SZHOnGayLeF-ZPLhjIo/edit
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Ulises Gascon: @ulisesGascon
+* Marco Ippolito: @marco-ippolito
+* Rafael Gonzaga: @RafaelGSS
+* Ruy Adorno: @ruyadorno
+* Michael Dawson: @mhdawson
+* Laurent Simon: @laurentsimon 
+* Ashish Kurmi @ashishkurmi
+* Andrea Fassina @fasenderos
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+https://github.com/nodejs/security-wg/pull/1003
+
+* Laurent showed a scorecard running via CLI with a granular report and custom checks
+
+### nodejs/security-wg
+
+* Nominate Ashish Kurmi [#989](https://github.com/nodejs/security-wg/issues/989)
+  * Invited and closed
+
+* Access to security tab in Github for key projects [#984](https://github.com/nodejs/security-wg/issues/984)
+  * This raises some security concerns once to get access to the security tab you will have access to security advisories, which is something we should avoid to a working group.
+  * Closed
+
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+  * marco, working on path.resolve in C++ to allow relative path in the CLI
+  * Discussion around env permissions
+    * the less you have access, the less you make mistakes - Dawson, Michael
+    * Michael made a point that env permissions isn’t different from file system permissions, considering a malicious package could read all the environment variables. 
+
+* Automate security release process [#860](https://github.com/nodejs/security-wg/issues/860)
+  * Rafael created https://github.com/nodejs/node-core-utils/pull/665 to automate security proposal PRs
+
+* Assessment against best practices (OpenSSF Scorecards ...) [#859](https://github.com/nodejs/security-wg/issues/859)
+
+* Discussion about policy-integrity integration on Windows [#856](https://github.com/nodejs/security-wg/issues/856)
+  * skipped
+
+* Automate updates of all dependencies [#828](https://github.com/nodejs/security-wg/issues/828)
+  * 1 last dependency update left to be automated
+  * Andrea created 3 pull requests to improve dependency automation
+  * Marco opened a first draft pr on dependency updates backporting, might restrict the scope and focus only on OpenSSL
+
+* Requirement: It MUST be possible to configure the software so that smaller keylengths are completely disabled [#988](https://github.com/nodejs/security-wg/issues/988)
+* Requirement: Secure development knowledge [#987](https://github.com/nodejs/security-wg/issues/987)
+* Requirement: Publicly known medium-high vulnerabilities unpatched for +60 days [#986](https://github.com/nodejs/security-wg/issues/986)
+* Requirement: Static source code analysis daily or per commit [#985](https://github.com/nodejs/security-wg/issues/985)
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+
+   * https://github.com/nodejs/security-wg/pull/954 - please review
+
+
+* Update Charter / Readme.md [#874](https://github.com/nodejs/security-wg/pull/874)
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+