diff --git a/meetings/2024-07-31.md b/meetings/2024-07-31.md new file mode 100644 index 00000000..9dc13f5b --- /dev/null +++ b/meetings/2024-07-31.md @@ -0,0 +1,116 @@ +# Node.js Technical Steering Committee (TSC) Meeting 2024-07-31 + +## Links + +* **Recording**: +* **GitHub Issue**: + +## Present + +* Antoine du Hamel @aduh95 (voting member) +* Yagiz Nizipli @anonrig (voting member) +* Ruben Bridgewater @BridgeAR (voting member) +* Gireesh Punathil @gireeshpunathil (voting member) +* Joyee Cheung @joyeecheung (voting member) +* Marco Ippolito @marco-ippolito (voting member) +* Matteo Collina @mcollina (voting member) +* Michael Dawson @mhdawson (voting member) +* Ruy Adorno @ruyadorno (voting member) +* Paolo Insogna @ShogunPanda (voting member) +* Joe Sepi @ (Guest - Node.js CPC rep) +* Сковорода Никита Андреевич (Guest) +* Joe Eames (Hero Devs - Guest) +* Aaron Frost (Hero Devs - Guest) +* Amir (OSTIF - Guest) + +## Agenda + +### Announcements + +* Matteo -> if you have not received notification for NodeConf.eu, will get them soon. Tickets are available. Still looking for venue for the collaborator summit either before or after. + * Joe have a lead, asking about IBM Dublin office + * Matteo, possible fallback which is a little bit outside of the city and would cost some $ + +### Reminders + +* Remember to nominate people for the [contributor spotlight](https://github.com/nodejs/node/blob/main/doc/contributing/reconizing-contributors.md#bi-monthly-contributor-spotlight) + +### CPC and Board Meeting Updates + +*Extracted from **tsc-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. + +* Joe, CPC update + * Code of Conduct moderation team settled, PR open +* Matteo, Board update + * Plan to have an Node.js event in 2025 is progressing. Discussion of how much focus would + be on Node.js versus other topics. Top location would be Seattle and Fall, but still in + discussion. + +### nodejs/admin + +* Conversion to Enterprise account [#905](https://github.com/nodejs/admin/issues/905) + * Matteo we should do earlier than later, but can wait until the end of September + * Michael, 2 choices flip switch or go under OpenJS enterprise account + * personally lets make the smallest change possible + * No objections to flipping the bit now versus later. + +### nodejs/node + +* swc deps / typescript / release to give a status update on concerns? +(likely won't need though if we can get everything fixed async before the call) +context: nodejs/node#54123 (comment), thread in nodejs/node#54102 + * Nikita, concerned that build process pulls from internet versus being generated from the + source code that we have in the repo. Could result in supply chain attack + * proposing, that we add check that wasm is as expected, could be a short term solution until + we improve the build process. + * Marco - wasm is built in the same way that swc builds the package. It uses the crates + released in the rust registry. So same issue would apply to other swc users. Similar to saying + that everything which pulls package from npm is vulnerable as well. + * We can fix with a lock file, and should do that. + * Not sure what adding a check will fix, and it applies to other ways that we build + dependencies as well. + * Nikita, there are some other fixes that should be pulled in in addition to adding the security + check. + * Matteo, don’t think the safeguard is needed, since --experimental-strip-types is not run by + default. For those who are trying out the feature, looking at the risk, don’t see a significant risk + in this specific moment. Agree that to unflag it should be a top priority. This path is no the + highest risk, so not necessarily the place to focus. + * Antoine, as long as it stays dev only, runtime check is ok. Maybe we can move the check off + thread. Since it is the first time that we don’t run the users code directly the check would be + good. + * Nikita, additional check is only ~3% of the overall, and optimization should not override + security. + * Marco, would be ok if we added to Amaro, and have a flag to turn it on, can be enabled + through a flag that Node.js turns on. + * Nikita, agree that adding the check into Amaro would be a good way to do it, can file a pull + request to do that. Also want to update for the other bug. + * Marco next steps + * move change into Amaro + * update Amaro + * should be ready for the next 22.x release. + +### Hero devs esp program + +* Aaron, gave an overview of the program +* Matteo, one issue is we don’t issue CVE’s on older versions of Node.js, some people may take + that as them being safe. Is there anything on that side that you are thinking of doing? + * Aaron frost, happy to take on looking at past CVEs + * Michael, possible for follow up blog post to share results on CVEs + * Antoine, maybe add link to Node.js blog post + * Michael just want to do it in a way that does not imply project will support forever. + * Michael will send email to get discussion going + +### OSTIF update + +* Amir, thanks for the feedback on the Fuzzing security audit report, got some good feedback. + The last comment is about OSS Fuzz, itself, need fix before fuzzers can start running again. + * + * Will come back to get last thumbs up once report is updated and fuzzer is running + +## Strategic Initiatives + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.