From 3523f5d85d5327eb0e117a85faca5b154638fadc Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 4 Sep 2024 14:30:09 -0400 Subject: [PATCH 1/5] doc: add minutes for meeting 9 Sep 2024 Signed-off-by: Michael Dawson --- meetings/2024-09-04.md | 125 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 meetings/2024-09-04.md diff --git a/meetings/2024-09-04.md b/meetings/2024-09-04.md new file mode 100644 index 00000000..a4ec67a4 --- /dev/null +++ b/meetings/2024-09-04.md @@ -0,0 +1,125 @@ +# Node.js Technical Steering Committee (TSC) Meeting 2024-09-04 + +## Links + +* **Recording**: +* **GitHub Issue**: + +## Present + +* Antoine du Hamel @aduh95 (voting member) +* Yagiz Nizipli @anonrig (voting member) +* Benjamin Gruenbaum @benjamingr (voting member) +* Ruben Bridgewater @BridgeAR (voting member) +* Gireesh Punathil @gireeshpunathil (voting member) +* Chengzhong Wu @legendecas (voting member) +* Marco Ippolito @marco-ippolito (voting member) +* Matteo Collina @mcollina (voting member) +* Michael Dawson @mhdawson (voting member) +* Richard Lau @richardlau (voting member) +* Ruy Adorno @ruyadorno (voting member) +* Paolo Insogna @ShogunPanda (voting member) +* Amir Montazery (Guest) +* Joe Sepi @ (Guest - Node.js CPC rep) + +## Agenda + +### Announcements + + * Matteo, collaborator summit is confirmed for Dublin, if you are a collaborator planning on joining hope to see you there, it is two days after NodeConf. Nov 7-8th. + * Node 22.8.0 which fixed a regression with utf encoding and a few other bugs, If you are on Node.js 22.X you probably want to pick up. + +### Reminders + +* Remember to nominate people for the [contributor spotlight](https://github.com/nodejs/node/blob/main/doc/contributing/reconizing-contributors.md#bi-monthly-contributor-spotlight) + +### CPC and Board Meeting Updates + +*Extracted from **tsc-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. + +### nodejs/node + +* Fuzzing report + * needs to land and then we should be good to + publish report. + * Amir will then send updated report + * Michael will then send email to get final ok from the TSC. + +* deps: V8: backport f320600cd1f4 (V18.x CVE-2024-4761) #54597 +* * Node.js 18 has an old version of V8, has quite a few CVEs reported against it because it is + part of chromium. + * These CVEs are outside the node.js threat model because they require untrusted code, + while the threat model indicates we trust the code that is asked to run. + * We had messaged that we would take some PRs to address to help people deal with the + scanning results. + * Some opposition, due to risk of accepting them. + * PR submitted did not build, highlighted risk + * Richard, even if it lands, does it even fix the problem with scanners reporting it. + * Has been pointed out that we have few people that can properly review V8 PRs which + adds to risk + * Matteo + * We should agree on approach/document + * Problem is that we are sending mixed signals + * Michael + * document that by default PRs would not be accepted if project does not + believe it affects ? + * Richard -> Node.js. Documentation for 18.x already limits changes to security fixes. + * Poala -> if it applies to our model should consider, but if not not a problem + * Richard -> a lot of V8 patches are not obvious if they are security related or not. Very hard + for us to understand if it will be low risk, and hard to see until we see the patch. + * Gireesh -> If we don’t accept this, what alternative exists for satisfying the scanners? + * Michael, nothing to satisfy the scanners, up to those who review the results to + allow/override. Richard they run off version numbers so even landing does not really help. + * Paolo -> how long would it take to write the patch + * Michael -> real challenge is how hard it will be to review, and be comfortable that it is + safe. + * Richard -> really hard until we see a PR to assess how easy/hard it will be. + * Richard have had some cases in the past that its been a big problem + * Possibly focus on messaging. + * Paolo, maybe we should just say we don’t do it. Due to risk of breakage. + * Richard, HeroDevs might be another option for people. + * Richard, existing release documentation already covers it. Please re-read and if not please + Disagree. I think -> , Issues which are + not applicable to Node.js critical bug fixes and security updates + +* Expose Undici's ProxyAgent and setGlobalDispatcher within Node [#43187](https://github.com/nodejs/node/issues/43187) + * Two parts + * For Node.js 23 do we want automatic support for HTTP_PROXY?, most frequent reason to + have access to undici from Node.js versus installing undici + * Problems exposing undici, cannot provide same stability guarrantees + * Michael, can we expose HTTP_PROXY without exposing undici + * Marco, should we create a new namespace for undici + * Paolo, in favor as well, yes lets create a new namespace + * if we expose undici, then it would be experimental and we can break whenever. That would + be an approach. + * Marco, if requires new namespace, but at some point it would need to be as stable as the + other APIs + * Matteo, exposing has a lot of issues, keeping outside of core enabled a lot of + experimentation and speed. Barrier to entry is lower. But also less stable, some back and + forth + * Paolo, already have similar situation with llhttp, 3 release lines, if we choose to expose + undici can start to follow same approach. We would then have to start maintaining 3 different + versions of undici. + * Michael we are always in angst over thing that break, even if experimental so not really as + easy as we break at will, better to wait until rate of change drops + * Richard, llhttp is not quite the same as undici because we don’t expose it directly to users, + ie we can swap (and did swap) the implementation behind the scenes. + * Matteo has 3 parts + * the part we bundle in Node.js which is the Web standard part + * the part which is the public Undici API, quite large, has lots of agents, complex to address + lots of use cases. For example dispatchers, but they expose some very low level API. + * Generic question is people want to expose global dispatcher and access to dispatcher, + those have been relatively stable in API, minus the fact that we just changed the expose API. + +* doc: experimental flag for global accessible APIs [#54330](https://github.com/nodejs/node/pull/54330) + * Please take a look, on agenda for awareness + +## Strategic Initiatives + +* Skipped because we ran out of time. + +## Upcoming Meetings + +* **Node.js Project Calendar**: + +Click `+GoogleCalendar` at the bottom right to add to your own Google calendar. From 5d372438961aa195ade3d68d2da29574fda4008c Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 4 Sep 2024 14:33:06 -0400 Subject: [PATCH 2/5] squash: fixup linter complaints --- meetings/2024-09-04.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/meetings/2024-09-04.md b/meetings/2024-09-04.md index a4ec67a4..4d0e4fa4 100644 --- a/meetings/2024-09-04.md +++ b/meetings/2024-09-04.md @@ -25,9 +25,8 @@ ## Agenda ### Announcements - - * Matteo, collaborator summit is confirmed for Dublin, if you are a collaborator planning on joining hope to see you there, it is two days after NodeConf. Nov 7-8th. - * Node 22.8.0 which fixed a regression with utf encoding and a few other bugs, If you are on Node.js 22.X you probably want to pick up. +* Matteo, collaborator summit is confirmed for Dublin, if you are a collaborator planning on joining hope to see you there, it is two days after NodeConf. Nov 7-8th. +* Node 22.8.0 which fixed a regression with utf encoding and a few other bugs, If you are on Node.js 22.X you probably want to pick up. ### Reminders From 822abf9d81d5eae373ca1f8226c7959a045ed354 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Thu, 5 Sep 2024 14:09:43 -0400 Subject: [PATCH 3/5] Update meetings/2024-09-04.md Co-authored-by: Ruy Adorno --- meetings/2024-09-04.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meetings/2024-09-04.md b/meetings/2024-09-04.md index 4d0e4fa4..c6784888 100644 --- a/meetings/2024-09-04.md +++ b/meetings/2024-09-04.md @@ -34,6 +34,10 @@ ### CPC and Board Meeting Updates +* Joe + * Discussed discord server recently, basically in favor of the idea + * Code of conduct still a bit of a sticky point, have to figure out how to move forward with them + *Extracted from **tsc-agenda** labeled issues and pull requests from the **nodejs org** prior to the meeting. ### nodejs/node From 41602b95211f30107696a007e5da45b9e933536c Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Thu, 5 Sep 2024 14:09:49 -0400 Subject: [PATCH 4/5] Update meetings/2024-09-04.md Co-authored-by: Ruy Adorno --- meetings/2024-09-04.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meetings/2024-09-04.md b/meetings/2024-09-04.md index c6784888..4a70922c 100644 --- a/meetings/2024-09-04.md +++ b/meetings/2024-09-04.md @@ -49,7 +49,7 @@ * Michael will then send email to get final ok from the TSC. * deps: V8: backport f320600cd1f4 (V18.x CVE-2024-4761) #54597 -* * Node.js 18 has an old version of V8, has quite a few CVEs reported against it because it is + * Node.js 18 has an old version of V8, has quite a few CVEs reported against it because it is part of chromium. * These CVEs are outside the node.js threat model because they require untrusted code, while the threat model indicates we trust the code that is asked to run. From 3af68aad25985843a6850b800e0c4802bd7c2828 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Mon, 9 Sep 2024 11:11:06 -0400 Subject: [PATCH 5/5] Update meetings/2024-09-04.md Co-authored-by: Steven --- meetings/2024-09-04.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meetings/2024-09-04.md b/meetings/2024-09-04.md index 4a70922c..921857be 100644 --- a/meetings/2024-09-04.md +++ b/meetings/2024-09-04.md @@ -89,7 +89,7 @@ * Two parts * For Node.js 23 do we want automatic support for HTTP_PROXY?, most frequent reason to have access to undici from Node.js versus installing undici - * Problems exposing undici, cannot provide same stability guarrantees + * Problems exposing undici, cannot provide same stability guarantees * Michael, can we expose HTTP_PROXY without exposing undici * Marco, should we create a new namespace for undici * Paolo, in favor as well, yes lets create a new namespace