Commit 5908c12

aduh95 authored and targos committed
doc: clarify Corepack threat model
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
1 parent e992af8 commit 5908c12

SECURITY.md

Lines changed: 7 additions & 0 deletions
@@ -201,6 +201,13 @@ the community they pose.
201201
that artifact is large enough to impact performance or
202202
cause the runtime to run out of resources.
203203

204+
#### Vulnerabilities affecting software downloaded by Corepack
205+
206+
* Corepack defaults to downloading the latest version of the software requested
207+
by the user, or a specific version requested by the user. For this reason,
208+
Node.js releases won't be affected by such vulnerabilities, users are
209+
responsible to keep the software they use through Corepack up-to-date.
210+
204211
## Assessing experimental features reports
205212

206213
Experimental features are eligible to reports as any other stable feature of
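Review bot: the last sentence of the new bullet has a comma splice and a preposition error, and the bullet should say whether the exclusion covers Corepack itself or only the software it downloads. "Node.js releases won't be affected by such vulnerabilities, users are responsible to keep the software they use through Corepack up-to-date." reads better as "Node.js releases won't be affected by such vulnerabilities; users are responsible for keeping the software they use through Corepack up to date." The first sentence also repeats "requested by the user"; consider "Corepack downloads either the latest version of the requested software or the specific version the user has configured." Since Corepack is distributed with Node.js while the downloaded package managers are not (as the doc/api/corepack.md change in this same commit states), it is worth saying explicitly that this heading excludes only the downloaded software, not defects in Corepack's own download or proxy behaviour; otherwise readers may take Corepack as a whole to be out of scope.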
doc/api/corepack.md

Lines changed: 10 additions & 2 deletions
@@ -15,8 +15,16 @@ added:
1515
_[Corepack][Corepack repository]_ is an experimental tool to help with
1616
managing versions of your package managers. It exposes binary proxies for
1717
each [supported package manager][] that, when called, will identify whatever
18-
package manager is configured for the current project, transparently install
19-
it if needed, and finally run it without requiring explicit user interactions.
18+
package manager is configured for the current project, download it if needed,
19+
and finally run it.
20+
21+
Despite Corepack being distributed with default installs of Node.js, the package
22+
managers managed by Corepack are not part of the Node.js distribution and:
23+
24+
* Upon first use, Corepack downloads the latest version from the network.
25+
* Any required updates (related to security vulnerabilities or otherwise) are
26+
out of scope of the Node.js project. If necessary end users must figure out
27+
how to update on their own.
2028

2129
This feature simplifies two core workflows:
2230

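Review bot: the first new bullet, "Upon first use, Corepack downloads the latest version from the network.", sits awkwardly next to the preceding paragraph, which says Corepack downloads whatever package manager "is configured for the current project"; say what is downloaded and when "latest" applies, e.g. "Upon first use, Corepack downloads the configured package manager from the network, or its latest version if no specific version is configured." (the SECURITY.md change in this same commit already describes it as latest or a specific requested version). In the second bullet, "If necessary end users must figure out how to update on their own." needs a comma after "If necessary", and "figure out on their own" would serve readers better as a pointer to where update instructions live, even if that is only the Corepack repository link already used at the start of the paragraph. Minor: "the package managers managed by Corepack" repeats "manage"; "the package managers that Corepack provides" avoids it.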