generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #198 from ossf/add-nodejs-july-update
doc: add Node.js July update
- Loading branch information
Showing
1 changed file
with
90 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
# Update 2023-07 | ||
|
||
The following update is according to the [Security Support Role](./security-support-role.md) document. | ||
|
||
Each section points to at least one item on the priority list defined by the Security Support Role document. | ||
|
||
## 1) Fix and Triage Security Issues | ||
|
||
* TODO: Waiting H1 digest | ||
* 7 fixes ready + 3 backports for the next security release | ||
* Discussions about Node.js policy mechanism | ||
* Final action to the assessment against experimental features | ||
|
||
## 2) Support for Security Releases | ||
|
||
* Rafael taking lead in the Next Security Release - https://github.com/nodejs/node/pull/48569 | ||
|
||
* Security Release initial work | ||
* All the processes described by [security release process](https://github.com/RafaelGSS/node/blob/sec-release-stewards-update/doc/contributing/security-release-process.md) were done. | ||
* Reports evaluated | ||
* CVEs were requested | ||
* Sec Release announcement (pre/pos) | ||
|
||
* The Security Release will include updates to OpenSSL | ||
|
||
* Regular releases | ||
* v20.4.0 (Rafael) | ||
* v18.17.0 | ||
* v20.5.0 | ||
|
||
## 3) Node.js Security WG Initiatives | ||
|
||
2023 Security Initiatives - https://github.com/nodejs/security-wg#current-initiatives | ||
|
||
Permission Model: | ||
* Re-evaluation of Permission Model | ||
* Research in other runtimes and languages. | ||
* Add permission model debug - https://github.com/nodejs/node/pull/48677 | ||
* Add support to process.report.writeReport and v8 heapSnapshot - https://github.com/nodejs/node/pull/48564 | ||
* Restrict all permission model access when --experimental-permission is passed - https://github.com/nodejs/node/pull/48907 | ||
* Add Permission Model startup benchmark - https://github.com/nodejs/node/pull/48905/ | ||
* Fix Permission Model usage on Node.js REPL - https://github.com/nodejs/node/pull/48920 | ||
|
||
* Assessment against Best Practices | ||
* Continuos improvement on every Security WG Call | ||
* CII-Best-Practices | ||
* Entry Level - Done | ||
* Silver Level - 1 Question remaining - Waiting OSSF Team | ||
* https://github.com/nodejs/security-wg/issues/953 | ||
|
||
* Automate Security Release process | ||
* PR MERGED to automate the release proposal for security releases | ||
* https://github.com/nodejs/node-core-utils/pull/665 | ||
* PR Created to automate the Next Security Release issue | ||
* This PR automates the process of | ||
* Generating Next Security Release issue | ||
* Collect H1 Reports | ||
* https://github.com/nodejs/node-core-utils/pull/715 | ||
* Drop `<b>` in release tags - https://github.com/nodejs/node/pull/48649 | ||
* Mention git node release - https://github.com/nodejs/node/pull/48644 | ||
* Fixes to git node release | ||
* https://github.com/nodejs/node-core-utils/pull/711 | ||
* https://github.com/nodejs/node-core-utils/pull/712 | ||
|
||
## 4) Node.js Security Sustainability | ||
|
||
* Speaking Engagments: | ||
* NodeBR - Experience (July 22th) - Done | ||
* The Journey of the Node.js Permisison Model - NodeConf (Nov 6) - Accepted | ||
* Open Source Experience Paris (Dec 6) - Accepted | ||
* Node.js Collab Summit - Applied | ||
|
||
## 5) Improving Security Processes | ||
|
||
* Node.js major release (changelog) discussion - https://github.com/nodejs/TSC/issues/1371 | ||
* doc: remove nodejs/tweet mention - https://github.com/nodejs/node/pull/48769 | ||
* CVSS Calculator considering experimental features - https://github.com/nodejs/node/pull/48824 | ||
* OSSF Funding Work Description - https://github.com/nodejs/security-wg/issues/860#issuecomment-1636464514 | ||
* [In Progress] Clarify Policy expectations - https://github.com/nodejs/node/pull/48947 | ||
|
||
## WG Meetings | ||
|
||
TSC | ||
* 26/07 | ||
* 12/07 | ||
Security WG | ||
* 06/07 | ||
* 20/07 | ||
Release WG | ||
* 27/07 - Possibly new release (Ulises Gascon) |