From YouTube: Node.js Security WG meeting 2021-02-22
Description
Node.js Security WG Meeting for February 22, 2021
A
Hello everyone, and welcome to the ecosystem security working group of Node.js. Let me share my screen so we can see what the agenda for today is.
A
Okay, so this is one, and I actually don't know if there is any progress. In the last meeting we said that we would like the group to refocus on supporting OpenJS projects, and there are two different groups. I don't know if you had the time to have a look at the two of them, how they work, or if we have more information about how we can proceed with that.
C
My guess is that if we find a time frame that is more friendly for Michael, he can tell us in detail what he thinks and what the recommendation would be. What do you think?
A
Great, the other one is about a nomination.
A
Great, so right here there is nothing more than the presentation, but if we could discuss the time for the next meeting a bit. So if you go to the Doodle, I've seen that there are two candidates. This is Central European Time because that's where I'm located, but the two candidates are this one, where we have six participants, and there is another one here where we have seven participants. I wanted to get your opinion about how you'd like to move this forward. The idea I had is to alternate the meetings: one month at the one time and the other month at the other time, just to make sure that everyone has the option to join.
C
I think that's a good idea, especially if we can do that at very different times in the day, so we can be friendly to more time zones. I know some people in Australia have been frustrated not to be able to participate in the working group at all.
C
I mean, we can try. Let's start to alternate between those two times and days, and let's see how this goes with feedback. I mean, if we manage to get more people to the meetings, that will already be a success.
B
So, for example, if I want to analyze, I don't know, say Fastify, I will run a command that will just fetch all the information, tables, etc., and it will open a page with all the information about Fastify. So we can move around and see. So we see Fastify has been built with all the packages of the Fastify core framework.
B
We have some information here, for example all the global statistics: the number of packages, the total size on disk, indirect dependencies, the extensions used across the whole project. So we can maybe find interesting things. So here we see there's a certain key, but this is because of some tests on SSL.
B
We could see licenses and even maintainers. So, for example, if I click on it, go and look if available. If I find a link, because sometimes on npm it is hard to find the link, but if I find one we could open the page. And, for example, here there's a weird extension, and there's a search bar where I can search by extension and maybe find... okay, so we see we could go on Fastify, and if we click on the package or anything we could. This is.
B
I already opened at least 20 pull requests on npm because they forget a lot: when there are refactors they just forget to remove some dependencies, and this is very useful to find dependencies that are not used. So we also have a lot of Bundlephobia information for the size of all the packages.
B
If we check here, we even have licenses and warnings. So if we open licenses, we also have information about the licenses. So with each file we see: there are two files with MIT licenses, and there are some that don't. I will open just another package, but we have some warnings, pop-ups and yeah. We can just go and look at the tree, so there are some emojis, and the emojis all have a meaning.
B
For example, the little planet is about whether they use HTTPS, everything that could eventually escape onto the internet. We could use some to detect native add-ons, etc., except when they are minified code, lots of things like a package as a script also, and others like when there is a point of... or things like .pem, we could see it directly. "Is updated" is useful, for example: if I come back here, I could directly see here, for example, that this is not the last version, we see.
B
The latest version is 1.00, so as a maintainer I could also easily see if some dependency in my tree is not up to date. Here, this is not up to date; the last is 2.123, etc., and I will just check. I think I've been told to check it. There is a new one. Oh yeah, I've seen this; it is pretty interesting. This little emoji means there are two licenses here.
B
I have to fix something because I don't have the line of code on the left, but we could... here there is a link to open the package, and also the root of the package.
B
And yeah, that's it! We see here a little, like "you are scared of", Vladimir, but you see when there are little eyes like this, this means there are, you know, dependencies. So sometimes this is a false positive we have, but most of the time this is right, but there are some cases where the static analysis failed to detect, or because the package used some specific dependency, or you know, so a lot of cases, not only yet, but most of the time I would say that this is accurate.
B
This is my static analysis. Oh, I know, sorry, I guess, yeah, there's some for unsafe regexes. I use safe-regex, this one.
B
But there are also false positives. There is an issue open, and I don't remember where, but there is also improvement to do on this, because yeah, we kind of detect a lot of regular expressions as unsafe, but they are safe, but yeah, this is complicated. Yeah, that's it! So basically the web app works with this JSON.
C
So is there any server, or is there any parsing and detection happening on the client machine? Do you have a web API for that, or...
B
At SlimIO we used the API mode to generate this report, so we used it on the multi-repository to extract an overall view of what dependencies we use at SlimIO, like every third party, transitive dependencies, etc. So we see all the extensions we have in our project, licenses and warnings, and yeah, we generate this report with it.
B
So this is, we use the API mode, but I guess this could be used in a lot of other situations where we want to extract that for other things, like drawing an interface.
B
And yeah, that's it, okay, pretty simple! If you have no other questions... and yeah, there are a lot of possibilities in the search. You can, for example, if you are searching for a built-in, we could, for example, if we want to know what uses that lib, so we know Fastify and light-my-request use it. So yeah, this is useful to find, to extract and find the...
B
Yeah, there are still some problems and we are still working on it. I'm still working on the static analysis, because there are still a lot of false positives right now, but this is also capable of finding a lot of things like this. This is, I guess, a bug, because I'm working on a new warning capable of detecting obfuscated code, but it doesn't work very well right now, but it's going to be a cool feature too, and yeah, it's like here it is capable of detecting.
A
I don't know if there is any other topic; otherwise I think we've covered the ones we had in the agenda, and I remember that for action items we have to change the time and date for the meetings. Vladimir, do we have any other action item that I forgot about?
C
Yeah, thanks again for today. Eva, thanks a lot for the demo. Have a great afternoon, team.