Member of the Node.js Security WG
Written by: Ulises Gascón
May 26, 2022

The Ecosystem Security Working Group is dedicated to enhancing security within the Node.js ecosystem.
Responsibilities include:
- Collaborating with the Node Security Platform to integrate community vulnerability data as a foundation asset.
- Ensuring timely and efficient vulnerability data updates, including documented processes for reporting vulnerabilities in community modules.
- Maintaining and sharing data on disclosed security vulnerabilities for:
  - The core Node.js project
  - Projects maintained by the Node.js Foundation technical group
  - The external Node.js open-source ecosystem
- Promoting improved security practices within the Node.js ecosystem.
- Supporting the growth of a robust security service and product provider ecosystem.
My Participation
- Joined the Node.js Security WG in May 2022.
- Co-authored the Node.js Official Security Best Practices and continue to update it.
- Co-authored the Node.js Official Threat Model.
- Contributed to implementing the OpenSSF Scorecard in the Node.js organization.
- Published a blog post: You should use the OpenSSF Scorecard.
- Created the GitHub Action: OpenSSF Scorecard Monitor to streamline monitoring scores across organization repositories and dependencies. See report.
- Developed pipelines to manage the OpenSSF Scorecard within the Node.js Security WG.
- Ported the is-my-node-vulnerable project to GitHub Actions.
- Improved the OpenSSF Scorecard scores across the Node.js organization. Example.
- Reviewed and maintained The OpenSSF CII Best Practices for Node.js, achieving:
- Actively participated in numerous initiatives: Pull requests, commits, issues.
- Co-authored the Contributor Threat Model.
The WG impact
- Node.js Doubles Security Releases with Newly Automated Process, Re-Evaluates Unsupported Experimental Features
- OpenJS Foundation Warns Consumer Privacy and Security at Risk in Three-Quarters of a Billion Websites
- Quick Start for New Sovereign Tech Fund Activities to Strengthen JavaScript
- Node.js State of Security + OpenJS Security Collab Space
- Let's automate Node.js Dependency Updates
- Why you should pin your GitHub Actions by commit-hash
- Open Source Security Foundation (OpenSSF) Selects Node.js as Initial Project to Improve Supply Chain Security
- NodeConf EU 2023 | Rafael Gonzaga | The Journey of the Node.js Permission Model
- Node.js CollabSummit 2023 | Security: Next Initiatives Discussion
Node.js Security Progress Report
- Microsoft’s Participation on Node.js Policy Integrity
- Double the Outcomes with Half the Churn
- Redefining Security Processes and Key Initiatives
- Node.js Security Progress Report - April 2024
- Progress on Permission Model, Fuzzer and Connections with Community
- Active Outreach to a Growing Node.js Security Community
- Node.js Security Progress Report – Active Outreach to a Growing Node.js Security Community
- Security Release and Node.js 21
- September Community Engagement
- Looking Into SBOM for Node.js
- Fewer Steps and More Releases
- 17 Reports Closed
- First Response Time Down to 8 Hours, New Security Release Announced
- Automation, Automation and more Automation
- More Community Participation Leads to Security Sustainability Progress
- Permission Model Merged
- OpenSSF Grant Renewed for 2023, New Ecosystem Focus
- More Successful December Outcomes
- Looking Forward to 2023
- Improving Security Processes
- Collab Summit Highlights Increased Focus On Security for Node.js
- Threat Model and Dependency Analysis Improvements
- Permission System Gets Its First Pull Request
- Progress Report – Strengthening Node.js Security
Meetings that I led
- 2024-10-24 Meeting notes, agenda and video
- 2024-06-06 Meeting notes, agenda and video
- 2023-09-28 Meeting notes, agenda and video
- 2023-05-11 Meeting notes, agenda and video
- 2023-04-27 Meeting notes, agenda and video
- 2023-03-30 Meeting notes, agenda and video
Meetings that I participated in
- 2024-10-10 Meeting notes, agenda and video
- 2024-09-26 Meeting notes, agenda and video
- 2024-09-12 Meeting notes, agenda and video
- 2024-08-01 Meeting notes, agenda and video
- 2024-07-18 Meeting notes, agenda and video
- 2024-05-09 Meeting notes, agenda and video
- 2024-04-25 Meeting notes, agenda and video
- 2024-02-08 Meeting notes, agenda and video
- 2024-02-01 Meeting notes, agenda and video
- 2024-01-18 Meeting notes, agenda and video
- 2024-01-04 Meeting notes, agenda and video
- 2023-12-21 Meeting notes, agenda and video
- 2023-11-23 Meeting notes, agenda and video
- 2023-10-26 Meeting notes, agenda and video
- 2023-08-17 Meeting notes, agenda and video
- 2023-07-20 Meeting notes, agenda and video
- 2023-07-06 Meeting notes, agenda and video
- 2023-06-22 Meeting notes, agenda and video
- 2023-06-08 Meeting notes, agenda and video
- 2023-05-25 Meeting notes, agenda and video
- 2023-04-13 Meeting notes, agenda and video
- 2023-03-16 Meeting notes, agenda and video
- 2023-02-16 Meeting notes, agenda and video
- 2023-02-02 Meeting notes, agenda and video
- 2023-01-19 Meeting notes, agenda and video
- 2023-01-05 Meeting notes, agenda and video
- 2022-12-08 Meeting notes, agenda and video
- 2022-11-24 Meeting notes, agenda and video
- 2022-11-10 Meeting notes, agenda and video
- 2022-10-27 Meeting notes, agenda and video
- 2022-10-13 Meeting notes, agenda and video
- 2022-09-15 Meeting notes, agenda and video
- 2022-09-01 Meeting notes, agenda and video
- 2022-08-04 Meeting notes, agenda and video
- 2022-07-21 Meeting notes, agenda and video
- 2022-07-07 Meeting notes, agenda and video
- 2022-06-23 Meeting notes, agenda and video
- 2022-06-02 Meeting notes, agenda and video
- 2022-05-26 Meeting notes, agenda and video
- 2022-05-12 Meeting notes, agenda and video
- 2022-04-07 Next 10 Mini-summit - WASM and Security model/policies/etc: Meeting notes, agenda and video