Abort when vulnerable flag #852
Comments
What's the reasoning behind this? If
I mean, I'm fine with a separate module, I just don't think people are going to use it. That's pretty much the same analogy for
Neither do I think we should include that flag based just on my guess. We're going to discuss it on Security-WG. I'll elaborate on it soon.
Discussed it on Security WG 05/01 - I'll proceed with a separate module and see how it goes.
So, I built it https://github.com/RafaelGSS/is-my-node-vulnerable. Let's see how the community adopts it.
Hey, I've been reconsidering and even after releasing https://github.com/RafaelGSS/is-my-node-vulnerable, I still believe it would be a valuable addition to the Node.js core. It will likely gain more adoption, especially since I don't have a large public audience as a regular user. That said, I'd love to discuss it again if possible @nodejs/tsc @nodejs/security-wg
Would this flag just immediately abort when a node version went out of support, even if there weren't any vulns in it?
It will behave similarly to 'is-my-node-vulnerable'. If a user is using an EOL version and no security release happened after it became EOL, it won't abort but will warn.
FTR, since this would have to "phone home" to get an updated list of vulnerabilities I would be against any form of this being on by default (which isn't being proposed here), but will not block it being opt-in.
What if the vuln list is not available? (network issues, infrastructure issues)
Yeah, I agree that it shouldn't ever be a thing that will be on by default. Currently, my idea is to have a
Echoing the message I sent to Node.js TSC.
cc: @nodejs/security-wg UPDATE from last security meeting:
As previously discussed in #846, I'm creating this issue to discuss the possibility of including a flag (--abort-when-vulnerable) that will abort the Node.js process if the version contains a known vulnerability. The idea is pretty simple: perform a remote call and check against our database: https://github.com/nodejs/security-wg/tree/main/vuln/core if the version in use is vulnerable. We will need to include more metadata such as the operating system, but that's easy to do.
A similar discussion is in progress on nodejs/node#44942 and one of the concerns raised was the necessity to perform a remote call. However, since this feature is also opt-in, I don't see why it could be a problem.
Just to summarize:
While it could just as easily be a module, I don't think it would be as reliable as having it as an option in Node.js. But, of course, I'm open to discussing it.
I'm tagging @nodejs/tsc to get more visibility on it before any work.
cc: @nodejs/security-wg