doc: mention node:wasi in the Threat Model

RafaelGSS · richardlau · commit 52d8222d324d · 2024-03-25T18:14:10.000Z
PR-URL: #51211 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
diff --git a/SECURITY.md b/SECURITY.md
@@ -124,6 +124,8 @@ lead to a loss of confidentiality, integrity, or availability.
    end being on the local machine or remote.
 6. The file system when requiring a module.
    See <https://nodejs.org/api/modules.html#all-together>.
+7. The `node:wasi` module does not currently provide the comprehensive file
+   system security properties provided by some WASI runtimes.
 
 Any unexpected behavior from the data manipulation from Node.js Internal
 functions may be considered a vulnerability if they are exploitable via
