Add minutes for Node.js Security team meeting on 2026-03-19 (#1557)

RafaelGSS · web-flow · commit 750a7ba5c136 · 2026-03-20T09:07:55.000-03:00
Documented the Node.js Security team meeting held on March 19, 2026, including agenda, announcements, and links to resources.
diff --git a/meetings/2026-03-19.md b/meetings/2026-03-19.md
@@ -0,0 +1,65 @@
+# Node.js Security team Meeting 2026-03-19
+
+## Links
+
+* **Recording**: https://www.youtube.com/watch?v=7XV5ra3A5-I
+* **GitHub Issue**: https://github.com/nodejs/security-wg/issues/1555
+* **Minutes**: https://hackmd.io/@openjs-nodejs/rkHBMRRl5-x
+
+## Present
+
+* Security wg team: @nodejs/security-wg
+* Rafael Gonzaga: @RafaelGSS
+* Marco Ippolito: @marco-ippolito
+* Beth Griggs: @BethGriggs
+
+## Agenda
+
+## Announcements
+
+*Extracted from **security-wg-agenda** labelled issues and pull requests from the **nodejs org** prior to the meeting.
+
+- Node.js Security release announced to March 24th
+- [x] Vulnerability Review - https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues
+  - VEX file has been published
+  - There are more work to do.
+- [ ] OpenSSF Scorecard Monitor Review - https://github.com/nodejs/security-wg/issues?q=is%3Aissue+OpenSSF+Scorecard+Report+Updated%21+
+
+### nodejs/security-wg
+
+* Node.js PURL is missing namespace [#1552](https://github.com/nodejs/security-wg/issues/1552)
+  * PURL = Package URL
+  * It needs to be fixed. It's missing the protocol (should be generic
+  * The ecosystem refers to Node.js as `node` while the project itself refers to `nodejs/node`.
+  * Proposal to use `nodejs/node` as preference in the VEX file
+
+* regenerate node.openvex.json [#1549](https://github.com/nodejs/security-wg/pull/1549)
+  * Remove from the agenda.
+
+* update deps index.json [#1547](https://github.com/nodejs/security-wg/pull/1547)
+  * Approved and merged.
+
+* Tracking: LLM-assisted H1 report triage [#1554](https://github.com/nodejs/security-wg/issues/1554)
+  * Beth is working on a model to classify open reports based on
+    * All closed reports
+    * SECURITY.md
+    * Next: Node.js documentation
+
+### nodejs/TSC
+
+* Proposal: Moving security reports to a public workflow [#1826](https://github.com/nodejs/TSC/issues/1826)
+  * We are going to discuss it in depth in the collaborator summit
+  * An intermediary proposal is to avoid CI embargo. Under discussion with releasers team.
+
+### nodejs/node
+
+* Auditing permissions [#59935](https://github.com/nodejs/node/issues/59935)
+  * Concluded by https://github.com/nodejs/node/commit/9ddd1a9c27c253f46d587a8c906ccd83417b4606.
+
+## Q&A, Other
+
+## Upcoming Meetings
+
+* **Node.js Project Calendar**: <https://nodejs.org/calendar>
+
+Click `Add to Google Calendar` at the bottom left to add to your own Google calendar.
