-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
doc: clarify Corepack threat model #51917
Conversation
Review requested:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The same can be said about anything the user downloads via npm, I would assume, though perhaps that’s obvious.
@@ -201,6 +201,13 @@ the community they pose. | |||
that artifact is large enough to impact performance or | |||
cause the runtime to run out of resources. | |||
|
|||
#### Vulnerabilities affecting software downloaded by Corepack | |||
|
|||
* Corepack defaults to downloading the latest version of the software requested |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we call out that it doesn't always download from npm?
This is unique from downloading package managers with npm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure there is the assumption that downloads are from npm, so I'm good either way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Landed in 1429381 |
PR-URL: #51917 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]>
PR-URL: #51917 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]>
PR-URL: #51917 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]>
PR-URL: nodejs#51917 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Benjamin Gruenbaum <[email protected]>
Refs: #51886 (comment)