doc: clarify Corepack threat model

PR-URL: https://github.com/nodejs/node/pull/51917
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Antoine du Hamel 2024-03-02 00:02:41 +01:00 committed by GitHub
parent 17e0e3e2d6
commit 14293814a7
GPG key ID: B5690EEEBB952194
2 changed files with 17 additions and 2 deletions

@ -201,6 +201,13 @@ the community they pose.
that artifact is large enough to impact performance or
cause the runtime to run out of resources.
#### Vulnerabilities affecting software downloaded by Corepack
* Corepack defaults to downloading the latest version of the software requested
by the user, or a specific version requested by the user. For this reason,
Node.js releases won't be affected by such vulnerabilities, users are
responsible to keep the software they use through Corepack up-to-date.
## Assessing experimental features reports
Experimental features are eligible to reports as any other stable feature of
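Review bot: the new bullet's second sentence is a comma splice and uses "responsible to keep"; "Node.js releases won't be affected by such vulnerabilities, users are responsible to keep" reads better as "Node.js releases won't be affected by such vulnerabilities; users are responsible for keeping the software they use through Corepack up to date." The first sentence also repeats "requested by the user" twice ("the latest version of the software requested by the user, or a specific version requested by the user"); consider "the latest version of the requested software, or the specific version the user asked for." Finally, "For this reason" currently points at the download behaviour, but the actual reason a Node.js release is unaffected is that the downloaded package manager is not part of the Node.js distribution; stating that explicitly here would make the threat-model argument self-contained instead of relying on the Corepack doc change in the other file.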

@ -15,8 +15,16 @@ added:
_[Corepack][Corepack repository]_ is an experimental tool to help with
managing versions of your package managers. It exposes binary proxies for
each [supported package manager][] that, when called, will identify whatever
package manager is configured for the current project, transparently install
it if needed, and finally run it without requiring explicit user interactions.
package manager is configured for the current project, download it if needed,
and finally run it.
Despite Corepack being distributed with default installs of Node.js, the package
managers managed by Corepack are not part of the Node.js distribution and:
* Upon first use, Corepack downloads the latest version from the network.
* Any required updates (related to security vulnerabilities or otherwise) are
out of scope of the Node.js project. If necessary end users must figure out
how to update on their own.
This feature simplifies two core workflows:
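Review bot: the first bullet, "Upon first use, Corepack downloads the latest version from the network", does not match the paragraph directly above it, which says Corepack downloads "whatever package manager is configured for the current project"; when a project pins a version, that pinned version is what gets downloaded, so something like "Upon first use, Corepack downloads the configured version (the latest release if none is configured) from the network." would be accurate. In the second bullet, "out of scope of the Node.js project" should be "outside the scope of the Node.js project", and "If necessary end users must figure out" needs a comma after "If necessary". Minor: "the package managers managed by Corepack" doubles up on "manage"; "the package managers Corepack downloads" avoids that and reinforces the point the bullets make.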