doc: add 2024-01-18 meeting

meetings/2024-01-18.md

@@ -0,0 +1,78 @@
+# Node.js Security Team Meeting 2024-01-18
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=WZxhzkmKmRg&ab_channel=node.js
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1196
+* **Minutes Google Doc**: https://docs.google.com/document/d/1Ca-cu-pfAxFnEcewEQYVP9u3AitS_PdTKy8m1B_5JTk/edit
+
+## Present
+
+* Ulises Gascon: @ulisesGascon
+* Thomas GENTILHOMME: @fraxken
+* Rafael Gonzaga: @RafaelGSS
+* Adam Ruddermann: @rudd
+* Michael Dawson: @mhdawson
+* Marco Ippolito: @marco-ippolito
+* Carlos Ayala: @CarlossAyala
+
+## Agenda
+
+## Announcements
+
+Rudd introduced himself as the new Security Engineer Champion at OpenJSF, and the team presented their latest initiatives and developments.
+- Discussions around SBOMs: https://docs.google.com/document/d/1KfxNDP4LaKyD5TW3GNEL_VZuKdl9UzuTOfcKgZ3D3bY/edit#heading=h.j08u9xksrk9r
+- OpenSSF Best Practices
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+
+- [X] OpenSSF Scorecard Monitor Review
+  - Details in [issue](https://github.com/nodejs/security-wg/issues/1200) and [PR](https://github.com/nodejs/security-wg/pull/1201)
+  - 0.3 oscillation in Node and Nodejs.org due code review practices
+  - Oscillation in nodejs/llhttp is ignored due API processing errors
+  - No changes or actions are required
+  - Ulises to work on a PR to reduce the tracking repositories that are not relevant 
+
+
+### nodejs/security-wg
+
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs 
+[#1159](https://github.com/nodejs/security-wg/issues/1159)
+  * no updates
+
+* NodeJS Code integrity on Windows [#1149](https://github.com/nodejs/security-wg/issues/1149)
+  * no updates
+
+* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115)
+  * no updates
+  * removing from the agenda until further updates
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * undici summary https://github.com/nodejs/security-wg/issues/1037#issuecomment-1884518748 
+
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+  * No news from the OSSF regarding transferring issues  
+  * Change made: added hash reference in the documentation https://github.com/nodejs/security-wg/pull/956/commits/3f496a89aa0d4a905f33d0bda0ef417f392e3070
+  * Updated Gold proposal with last discussion agreements: https://github.com/nodejs/security-wg/pull/956/commits/91f35e74f87b95f1ce0f36f21bd660154a64831c
+  * Generated issues to follow up on the discussions outside the PR:
+     * The project MUST have FLOSS automated test suite(s) that provide at least 80% branch and 90% statement coverage: https://github.com/nodejs/security-wg/issues/1188
+     * Secured delivery against man-in-the-middle (MITM) attacks: https://github.com/nodejs/security-wg/issues/1190
+     * The project MUST include a license and copyright statement in each source file: https://github.com/nodejs/security-wg/issues/1187
+     * Hardening mechanisms: https://github.com/nodejs/security-wg/issues/1186
+  * Current expectation is to solve the discussions.
+
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+  * Skipped
+
+
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
+