Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: add minutes for meeting 31 Jul 2024 #1604

Merged
merged 2 commits into from
Aug 6, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
116 changes: 116 additions & 0 deletions meetings/2024-07-31.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
# Node.js Technical Steering Committee (TSC) Meeting 2024-07-31

## Links

* **Recording**: <https://www.youtube.com/watch?v=vUhrta5KVzE>
* **GitHub Issue**: <https://github.com/nodejs/TSC/issues/1603>

## Present

* Antoine du Hamel @aduh95 (voting member)
* Yagiz Nizipli @anonrig (voting member)
* Ruben Bridgewater @BridgeAR (voting member)
* Gireesh Punathil @gireeshpunathil (voting member)
* Joyee Cheung @joyeecheung (voting member)
* Marco Ippolito @marco-ippolito (voting member)
* Matteo Collina @mcollina (voting member)
* Michael Dawson @mhdawson (voting member)
* Ruy Adorno @ruyadorno (voting member)
* Paolo Insogna @ShogunPanda (voting member)
* Joe Sepi @<[email protected]> (Guest - Node.js CPC rep)
* Сковорода Никита Андреевич <[email protected]> (Guest)
* Joe Eames (Hero Devs - Guest)
* Aaron Frost (Hero Devs - Guest)
* Amir (OSTIF - Guest)

## Agenda

### Announcements

* Matteo -> if you have not received notification for NodeConf.eu, will get them soon. Tickets are available. Still looking for venue for the collaborator summit either before or after.
* Joe have a lead, asking about IBM Dublin office
* Matteo, possible fallback which is a little bit outside of the city and would cost some $

### Reminders

* Remember to nominate people for the [contributor spotlight](https://github.com/nodejs/node/blob/main/doc/contributing/reconizing-contributors.md#bi-monthly-contributor-spotlight)

### CPC and Board Meeting Updates

*Extracted from **tsc-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting.

* Joe, CPC update
* Code of Conduct moderation team settled, PR open
* Matteo, Board update
* Plan to have an Node.js event in 2025 is progressing. Discussion of how much focus would
be on Node.js versus other topics. Top location would be Seattle and Fall, but still in
discussion.

### nodejs/admin

* Conversion to Enterprise account [#905](https://github.com/nodejs/admin/issues/905)
* Matteo we should do earlier than later, but can wait until the end of September
* Michael, 2 choices flip switch or go under OpenJS enterprise account
* personally lets make the smallest change possible
* No objections to flipping the bit now versus later.

### nodejs/node

* swc deps / typescript / release to give a status update on concerns?
(likely won't need though if we can get everything fixed async before the call)
context: nodejs/node#54123 (comment), thread in nodejs/node#54102
* Nikita, concerned that build process pulls from internet versus being generated from the
source code that we have in the repo. Could result in supply chain attack
* proposing, that we add check that wasm is as expected, could be a short term solution until
we improve the build process.
* Marco - wasm is built in the same way that swc builds the package. It uses the crates
released in the rust registry. So same issue would apply to other swc users. Similar to saying
that everything which pulls package from npm is vulnerable as well.
* We can fix with a lock file, and should do that.
* Not sure what adding a check will fix, and it applies to other ways that we build
dependencies as well.
* Nikita, there are some other fixes that should be pulled in in addition to adding the security
check.
* Matteo, don’t think the safeguard is needed, since --experimental-strip-types is not run by
default. For those who are trying out the feature, looking at the risk, don’t see a significant risk
in this specific moment. Agree that to unflag it should be a top priority. This path is no the
highest risk, so not necessarily the place to focus.
* Antoine, as long as it stays dev only, runtime check is ok. Maybe we can move the check off
thread. Since it is the first time that we don’t run the users code directly the check would be
good.
* Nikita, additional check is only ~3% of the overall, and optimization should not override
security.
* Marco, would be ok if we added to Amaro, and have a flag to turn it on, can be enabled
through a flag that Node.js turns on.
* Nikita, agree that adding the check into Amaro would be a good way to do it, can file a pull
request to do that. Also want to update for the other bug.
* Marco next steps
* move change into Amaro
* update Amaro
* should be ready for the next 22.x release.

### Hero devs esp program

* Aaron, gave an overview of the program
* Matteo, one issue is we don’t issue CVE’s on older versions of Node.js, some people may take
that as them being safe. Is there anything on that side that you are thinking of doing?
* Aaron frost, happy to take on looking at past CVEs
* Michael, possible for follow up blog post to share results on CVEs
* Antoine, maybe add link to Node.js blog post
* Michael just want to do it in a way that does not imply project will support forever.
* Michael will send email to get discussion going

### OSTIF update

* Amir, thanks for the feedback on the Fuzzing security audit report, got some good feedback.
The last comment is about OSS Fuzz, itself, need fix before fuzzers can start running again.
* <https://github.com/google/oss-fuzz/issues/11538>
* Will come back to get last thumbs up once report is updated and fuzzer is running

## Strategic Initiatives

## Upcoming Meetings

* **Node.js Project Calendar**: <https://nodejs.org/calendar>

Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.