doc: add meeting notes 2023-12-21

meetings/2023-12-21.md

@@ -0,0 +1,79 @@
+# Node.js  Security Team Meeting 2023-12-21
+
+## Links
+
+* **Recording**:  https://www.youtube.com/watch?v=WTwi31mH8ec
+* **GitHub Issue**: https://github.com/nodejs/security-wg/pull/1173
+* **Minutes Google Doc**: https://docs.google.com/document/d/1sG2PxLhiHZw0U4PLwa6amlpbmLSCydqAi0PHrMBGVLI/edit
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Marco Ippolito: @marco-ippolito
+* GENTILHOMME Thomas: @fraxken
+* Rafael Gonzaga: @RafaelGSS
+* Ulises Gascon: @UlisesGascon
+* Anton Bauhofer: @antonbauhofer (spdx)
+* Robert: @rdw-msft (Microsoft)
+* Maximilian Huber: @maxhbr (spdx)
+* Amir Montazery: @Amir-Montazery (ostif)
+* Lee Homes (Microsoft)
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- [X] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+- [X] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+  - Some interface failures have been fixed related to -1 values from the API 
+  - nodejs.org increased 1.4 points
+
+### nodejs/security-wg
+
+* Have a SBOM for Node.js? [#1115](https://github.com/nodejs/security-wg/issues/1115)
+  * spdx folks joined the conversation
+  * Discussion async in the issue with cdxgen
+  * A lib showcase would be appreciate
+
+* NodeJS Code integrity on Windows [#1149](https://github.com/nodejs/security-wg/issues/1149)
+  * Rafael to ping the relevant people to provide feedback to the PR (https://github.com/nodejs/node/pull/50644)
+  * Robert to provide examples of the threat and how this PR addresses it.
+
+
+* Security initiative in December 2023: fuzzing Nodejs: https://github.com/google/oss-fuzz/tree/master/projects/nodejs
+[#1159](https://github.com/nodejs/security-wg/issues/1159)
+  * no updates apart from the 3 PRs Adam has created
+
+* Amir from ostif.org - Discuss possibility of consulting engagement with security expert in November/December at 2023-11-09 3pm Security-WG meeting  [#1145](https://github.com/nodejs/security-wg/issues/1145)
+  * Closed
+
+* Permission Model - Roadmap [#898](https://github.com/nodejs/security-wg/issues/898)
+  * Rafael created some PRs to address some issues and include a new CLI flag: –allow-addons
+  * https://github.com/nodejs/node/pull/51183
+  * https://github.com/nodejs/node/pull/51184
+  * https://github.com/nodejs/node/pull/50758
+  * https://github.com/nodejs/node/pull/51209
+  * https://github.com/nodejs/node/pull/51211
+  * https://github.com/nodejs/node/pull/51212
+  * https://github.com/nodejs/node/pull/51213
+
+* License checker process/script [#1104](https://github.com/nodejs/security-wg/issues/1104)
+  * removing from the agenda until we find someone to work on it
+
+* Audit build process for dependencies [#1037](https://github.com/nodejs/security-wg/issues/1037)
+  * Marco will research if nodejs core still needs to use minimatch
+
+* Initiative for CII-Best-Practices for Nodejs Projects [#953](https://github.com/nodejs/security-wg/issues/953)
+  * Ulises has created PRs to add the missing context (discussions made, documentation, relevant links) to improve the experience while reviewing Gold and other levels. Please review the PRs: [Entry level](https://github.com/nodejs/security-wg/pull/1162) and [Silver level](https://github.com/nodejs/security-wg/pull/1163)
+  * Rafael suggested to perform a deep dive on it in the next meeting
+  * We can start to discuss about the gold level even if Silver has not yet granted (due technical matters). [PR](https://github.com/nodejs/security-wg/pull/956)
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `+GoogleCalendar` at the bottom right to add to your own Google calendar.