From YouTube: Node.js Security WG meeting 2021-03-25
Description
Node.js Security WG Meeting for March 25, 2021
A: Hello, everyone. This is the security working group meeting for March, and our main topic today is Michael. We wanted you to be here, so we would like to refocus this group on OpenJS projects and maybe go a step beyond just vulnerabilities in these projects, and we would like to better understand the two... I think you said there are two different kinds of working groups we could become.

B: Yeah. So in the CPC there's working groups, which are a bit like the Node working groups, and actually in Node there's working groups and teams, so there's kind of different ways to do it. But the working groups... the key feature in my mind is that the CPC actually delegates some responsibility to the working group.

B: So if there was something that required a TSC-level decision, they would likely go back to the TSC and say, "Hey, do you think this is the right direction?" or whatever, that kind of stuff. Practically, to me it doesn't really make a huge difference, because the whole project works very collectively and works together and all that.

B: So those are teams and working groups, and so even at the CPC level forming a team might also make sense, but we have written down and formalized the working group part of things. The other one is collaboration spaces, and where they're a little bit different is they're meant to be a place where people who aren't necessarily as closely tied to the project or the foundation already can come and talk about things that are important to the JavaScript ecosystem.

B: So I kind of see, and this may not be completely accurate, but in my mind I kind of see a team or a working group as a place where we already have people who are participating in the CPC, or in the extended work of the CPC, and they say, "Well, in the case of working groups, and the one that's chartered today is the standards working group, we'd like to go off and have responsibility to work on this, and we're gonna set up a team, a working group, to do that." We could set up a team as well. Whereas for the collaboration spaces, I could see it being somebody who isn't necessarily already involved in the CPC work or the core work, which was around onboarding projects and stuff like that, but they want to champion moving forward something which is important to the JavaScript ecosystem.

B: So the first application that we've got that's been approved is one which is around: how do we solve the problem where security vulnerabilities are reported, and then anybody who uses... so it's reported in X, and any module that uses X now has something flagged up. npm audit or Snyk is saying, "Oh, you have a vulnerability," in a lot of cases.

B: The space is to bring people together and to talk about that issue and figure out how we can address that, like maybe come up with a pattern that we hope vendors like npm and Snyk will adopt, in terms of: if the package owner creates some metadata that says, "No, this doesn't apply to me," and we standardize a format on that, they could accept that, and the end user could say, "Well, if the package maintainers from this, this, this and this package have said it doesn't apply to me, I trust them, and so don't report those to me." So that's just a sort of concrete example of where that was a logical fit. So I guess, in thinking of where it makes the most sense:

B: The team part would be like: is there some sort of charter that the group would be looking to... sorry, a working group would be like: is there something that the team is looking to have delegated from the CPC to that group? Because that's kind of the key thing of why it would be an actual chartered working group.

B: Otherwise, saying, "Hey, we'd like to start a collaboration space," we've got a defined process for that. It's basically: you can create repos, you can get support from marketing, and there's just a proposal process where you say, "Hey, we're the champions, and here's what we want to try and accomplish," right?

B: The other option would be to just talk to the CPC and say, "Well, we'd like to set up a more or less formal, like an informal, team." But unless there's somebody from the CPC already involved in the security working group, which I think there is, like Marseille has been involved there in the CPC... I think he's participated in the past. So if he wanted to sort of champion, "Hey, we should form a team," that would be one way to go as well. But anybody could say, "Well, security is an important area. We want to help to provide..." I think there were different things that have been discussed, like we could say just for the ecosystem projects.

A: Yes, yeah. From what I hear, a working group is like the last step you would take, and since we haven't been able to meet the past few months, the first step is probably to have everyone here and discuss what it is that we want to do.

B: Yeah, it's kind of like a team, I think, would be easy to form at the CPC level if a bunch of the people forming the team are already involved in the CPC, right? But the collaboration space is, I think, easier if you're not already involved in participating there, because we've written down, "Here's how you can come and just start a space, get a repo," and that kind of stuff, without having to get involved in the general CPC work.

B: So if you have some people who are like, "Hey, I want to champion this, and this is what we want to accomplish," then whether it's a team or a working group or whatever is less important. It's sort of having a clear understanding of that, and a great way might be just to propose a collaboration space, and then if the CPC says, "Oh, that should really be a team," or something else, that's an easy way to get the conversation started anyway.

B: Yep, no problem. And yeah, once the group figures out what it wants to do, I'm happy to help, like if we want to submit a collaboration space proposal or whatever, I can help with that, if there's any help needed. Great, okay. Thank you very much. Yep, thanks. Have a good day. Talk to you.