I've been doing security releases for quite a while and, to be honest, it's a bit frustrating to not have enough people reviewing the patches before they go out. The reason for that is that reviewing that PR is... time-consuming. One would need to read the HackerOne report and have an understanding of that particular piece of code to review it properly -- despite the fact that most TSC members do not have much time to spend on those scenarios.
That said, I wonder if we could find a way to improve the current situation. I believe that using GitHub Advisories for patches can be good, as we could invite external people (with context on the particular patch) to review + the report. I just don't know if we can run Jenkins CI on it -- it also needs to be checked by the automation, as it expects the PR to be created under node-private.
cc: @nodejs/tsc @nodejs/security
I think to not change the process too much, we could at least make a procedure to announce PRs that need review before going public at every TSC meeting.