doc: add minutes for meeting 31 Jul 2024 (#1604)

mhdawson · web-flow · commit b491cfb0d506 · 2024-08-06T08:03:12.000+02:00
Signed-off-by: Michael Dawson &lt;midawson@redhat.com&gt;
diff --git a/meetings/2024-07-31.md b/meetings/2024-07-31.md
@@ -0,0 +1,116 @@
+# Node.js Technical Steering Committee (TSC) Meeting 2024-07-31
+
+## Links
+
+* **Recording**:  <https://www.youtube.com/watch?v=vUhrta5KVzE>
+* **GitHub Issue**: <https://github.com/nodejs/TSC/issues/1603>
+
+## Present
+
+* Antoine du Hamel @aduh95 (voting member)
+* Yagiz Nizipli @anonrig (voting member)
+* Ruben Bridgewater @BridgeAR (voting member)
+* Gireesh Punathil @gireeshpunathil (voting member)
+* Joyee Cheung @joyeecheung (voting member)
+* Marco Ippolito @marco-ippolito (voting member)
+* Matteo Collina @mcollina (voting member)
+* Michael Dawson @mhdawson (voting member)
+* Ruy Adorno @ruyadorno (voting member)
+* Paolo Insogna @ShogunPanda (voting member)
+* Joe Sepi @<sepi@joesepi.com> (Guest - Node.js CPC rep)
+* Сковорода Никита Андреевич <chalkerx@gmail.com> (Guest)
+* Joe Eames (Hero Devs - Guest)
+* Aaron Frost (Hero Devs - Guest)
+* Amir (OSTIF - Guest)
+
+## Agenda
+
+### Announcements
+
+* Matteo -> if you have not received notification for NodeConf.eu, will get them soon. Tickets are available. Still looking for venue for the collaborator summit either before or after.
+  * Joe have a lead, asking about IBM Dublin office
+  * Matteo, possible fallback which is a little bit outside of the city and would cost some $
+
+### Reminders
+
+* Remember to nominate people for the [contributor spotlight](https://github.com/nodejs/node/blob/main/doc/contributing/reconizing-contributors.md#bi-monthly-contributor-spotlight)
+
+### CPC and Board Meeting Updates
+
+*Extracted from **tsc-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.
+
+* Joe, CPC update
+  * Code of Conduct moderation team settled, PR open
+* Matteo, Board update
+  * Plan to have an Node.js event in 2025 is progressing.  Discussion of how much focus would
+    be on Node.js versus other topics. Top location would be Seattle and Fall, but still in
+    discussion.
+
+### nodejs/admin
+
+* Conversion to Enterprise account [#905](https://github.com/nodejs/admin/issues/905)
+  * Matteo we should do earlier than later, but can wait until the end of September
+  * Michael, 2 choices flip switch or go under OpenJS enterprise account
+    * personally lets make the smallest change possible
+  * No objections to flipping the bit now versus later.
+
+### nodejs/node
+
+* swc deps / typescript / release to give a status update on concerns?
+(likely won't need though if we can get everything fixed async before the call)
+context: nodejs/node#54123 (comment), thread in nodejs/node#54102
+  * Nikita, concerned that build process pulls from internet versus being generated from the
+    source code that we have in the repo. Could result in supply chain attack
+    * proposing, that we add check that wasm is as expected, could be a short term solution until
+      we improve the build process.
+  * Marco - wasm is built in the same way that swc builds the package. It uses the crates
+    released in the rust registry. So same issue would apply to other swc users. Similar to saying
+    that everything which pulls package from npm is vulnerable as well.
+    * We can fix with a lock file, and should do that.
+    * Not sure what adding a check will fix, and it applies to other ways that we build
+      dependencies as well.
+  * Nikita, there are some other fixes that should be pulled in in addition to adding the security
+    check.
+  * Matteo, don’t think the safeguard is needed, since --experimental-strip-types is not run by
+    default. For those who are trying out the feature, looking at the risk, don’t see a significant risk
+    in this specific moment. Agree that to unflag it should be a top priority. This path is no the
+    highest risk, so not necessarily the place to focus.
+  * Antoine, as long as it stays dev only, runtime check is ok. Maybe we can move the check off
+    thread. Since it is the first time that we don’t run the users code directly the check would be
+    good.
+  * Nikita, additional check is only ~3% of the overall, and optimization should not override
+    security.
+  * Marco, would be ok if we added to Amaro, and have a flag to turn it on, can be enabled
+    through a flag that Node.js turns on.
+  * Nikita, agree that adding the check into Amaro would be a good way to do it, can file a pull
+    request to do that. Also want to update for the other bug.
+  * Marco next steps
+    * move change into Amaro
+    * update Amaro
+    * should be ready for the next 22.x release.
+
+### Hero devs esp program
+
+* Aaron, gave an overview of the program
+* Matteo, one issue is we don’t issue CVE’s on older versions of Node.js, some people may take
+  that as them being safe. Is there anything on that side that you are thinking of doing?
+  * Aaron frost, happy to take on looking at past CVEs
+  * Michael, possible for follow up blog post to share results on CVEs
+  * Antoine, maybe add link to Node.js blog post
+    * Michael just want to do it in a way that does not imply project will support forever.
+  * Michael will send email to get discussion going
+
+### OSTIF update
+
+* Amir, thanks for the feedback on the Fuzzing security audit report, got some good feedback.
+  The last comment is about OSS Fuzz, itself, need fix before fuzzers can start running again.
+  * <https://github.com/google/oss-fuzz/issues/11538>
+  * Will come back to get last thumbs up once report is updated and fuzzer is running
+
+## Strategic Initiatives
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.
