Skip to content

Commit

Permalink
doc: clarify Corepack threat model
Browse files Browse the repository at this point in the history
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
  • Loading branch information
aduh95 authored and targos committed Mar 7, 2024
1 parent e992af8 commit 5908c12
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 2 deletions.
7 changes: 7 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,13 @@ the community they pose.
that artifact is large enough to impact performance or
cause the runtime to run out of resources.

#### Vulnerabilities affecting software downloaded by Corepack

* Corepack defaults to downloading the latest version of the software requested
by the user, or a specific version requested by the user. For this reason,
Node.js releases won't be affected by such vulnerabilities, users are
responsible to keep the software they use through Corepack up-to-date.

## Assessing experimental features reports

Experimental features are eligible to reports as any other stable feature of
Expand Down
12 changes: 10 additions & 2 deletions doc/api/corepack.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,16 @@ added:
_[Corepack][Corepack repository]_ is an experimental tool to help with
managing versions of your package managers. It exposes binary proxies for
each [supported package manager][] that, when called, will identify whatever
package manager is configured for the current project, transparently install
it if needed, and finally run it without requiring explicit user interactions.
package manager is configured for the current project, download it if needed,
and finally run it.

Despite Corepack being distributed with default installs of Node.js, the package
managers managed by Corepack are not part of the Node.js distribution and:

* Upon first use, Corepack downloads the latest version from the network.
* Any required updates (related to security vulnerabilities or otherwise) are
out of scope of the Node.js project. If necessary end users must figure out
how to update on their own.

This feature simplifies two core workflows:

Expand Down

0 comments on commit 5908c12

Please sign in to comment.