From 9b68aaf42058c710207b7e2cd4ad94d5c5c11ad3 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Sat, 2 Mar 2024 00:02:41 +0100 Subject: [PATCH] doc: clarify Corepack threat model PR-URL: https://github.com/nodejs/node/pull/51917 Reviewed-By: Rafael Gonzaga Reviewed-By: Geoffrey Booth Reviewed-By: Trivikram Kamat Reviewed-By: Yagiz Nizipli Reviewed-By: Moshe Atlow Reviewed-By: Paolo Insogna Reviewed-By: Luigi Pinca Reviewed-By: Michael Dawson Reviewed-By: Chengzhong Wu Reviewed-By: Benjamin Gruenbaum --- SECURITY.md | 7 +++++++ doc/api/corepack.md | 12 ++++++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index f5b17eb626987d8..7d62c76e5b898c8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -201,6 +201,13 @@ the community they pose. that artifact is large enough to impact performance or cause the runtime to run out of resources. +#### Vulnerabilities affecting software downloaded by Corepack + +* Corepack defaults to downloading the latest version of the software requested + by the user, or a specific version requested by the user. For this reason, + Node.js releases won't be affected by such vulnerabilities, users are + responsible to keep the software they use through Corepack up-to-date. + ## Assessing experimental features reports Experimental features are eligible to reports as any other stable feature of diff --git a/doc/api/corepack.md b/doc/api/corepack.md index b9c3ddca09c78cc..0b9d2baef336799 100644 --- a/doc/api/corepack.md +++ b/doc/api/corepack.md 
@@ -15,8 +15,16 @@ added: _[Corepack][Corepack repository]_ is an experimental tool to help with managing versions of your package managers. It exposes binary proxies for each [supported package manager][] that, when called, will identify whatever -package manager is configured for the current project, transparently install -it if needed, and finally run it without requiring explicit user interactions. +package manager is configured for the current project, download it if needed, +and finally run it. + +Despite Corepack being distributed with default installs of Node.js, the package +managers managed by Corepack are not part of the Node.js distribution and: + +* Upon first use, Corepack downloads the latest version from the network. +* Any required updates (related to security vulnerabilities or otherwise) are + out of scope of the Node.js project. If necessary end users must figure out + how to update on their own. This feature simplifies two core workflows:
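Review bot: In the SECURITY.md hunk, the new bullet's second sentence is a comma splice and "responsible to keep" is ungrammatical; suggest "Node.js releases won't be affected by such vulnerabilities; users are responsible for keeping the software they use through Corepack up to date." The first sentence could also be tightened to "Corepack downloads the latest version of the requested software unless the user requests a specific version," which makes the policy point (a pinned version is never updated by Node.js) explicit rather than implied.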
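Review bot: In the doc/api/corepack.md hunk, the bullet "Upon first use, Corepack downloads the latest version from the network." is inconsistent with the SECURITY.md hunk in the same patch, which says Corepack downloads the latest version "or a specific version requested by the user"; suggest matching wording here, e.g. "Upon first use, Corepack downloads the latest version (or the version the project requests) from the network.", so both documents describe the same behaviour. Minor: "If necessary end users must figure out" needs a comma after "If necessary".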