doc: clarify Corepack threat model #51917

Merged: 2 commits, Mar 1, 2024
7 changes: 7 additions & 0 deletions SECURITY.md
Expand Up @@ -201,6 +201,13 @@ the community they pose.
that artifact is large enough to impact performance or
cause the runtime to run out of resources.

#### Vulnerabilities affecting software downloaded by Corepack

* Corepack defaults to downloading the latest version of the software requested
> Contributor:
> Should we call out that it doesn't always download from npm?
> This is unique from downloading package managers with npm.

> Member:
> I'm not sure there is the assumption that downloads are from npm, so I'm good either way.

by the user, or a specific version requested by the user. For this reason,
Node.js releases won't be affected by such vulnerabilities, users are
responsible to keep the software they use through Corepack up-to-date.

## Assessing experimental features reports

Experimental features are eligible to reports as any other stable feature of
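Review bot: the closing sentence of the new "Vulnerabilities affecting software downloaded by Corepack" section is a comma splice ("Node.js releases won't be affected by such vulnerabilities, users are responsible to keep ..."); split it into two sentences and use "responsible for keeping". The causal link is also off: Corepack defaulting to the latest version is not why Node.js releases are unaffected; the reason is that the downloaded package managers are not part of the Node.js distribution, which is what the doc/api/corepack.md hunk in this PR states, so say that here as well and prefer "are out of scope for Node.js releases" over "won't be affected", matching the "out of scope of the Node.js project" wording in the other file. The inline thread asks whether to note that downloads are not always from npm; since this section defines the threat model for downloaded software, one clause naming where Corepack fetches from would settle that question in the text rather than in the review.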
12 changes: 10 additions & 2 deletions doc/api/corepack.md
Expand Up @@ -15,8 +15,16 @@ added:
_[Corepack][Corepack repository]_ is an experimental tool to help with
managing versions of your package managers. It exposes binary proxies for
each [supported package manager][] that, when called, will identify whatever
package manager is configured for the current project, transparently install
it if needed, and finally run it without requiring explicit user interactions.
package manager is configured for the current project, download it if needed,
and finally run it.

Despite Corepack being distributed with default installs of Node.js, the package
managers managed by Corepack are not part of the Node.js distribution and:

* Upon first use, Corepack downloads the latest version from the network.
* Any required updates (related to security vulnerabilities or otherwise) are
out of scope of the Node.js project. If necessary end users must figure out
how to update on their own.

This feature simplifies two core workflows:
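Review bot: the first new bullet ("Upon first use, Corepack downloads the latest version from the network.") omits the pinned-version case that the SECURITY.md hunk in this same PR describes ("or a specific version requested by the user"); make the two files agree, e.g. "the latest version, or the version the project pins". In the second bullet, "If necessary end users must figure out how to update on their own." needs a comma after "If necessary", and "the package managers managed by Corepack" in the lead sentence reads better as "the package managers Corepack installs". Dropping "transparently" and "without requiring explicit user interactions" from the intro is the right direction for a threat-model clarification, given that the bullets now state a network download happens on first use.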
