Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: clarify Corepack threat model #51917

Merged
merged 2 commits into from
Mar 1, 2024
Merged

doc: clarify Corepack threat model #51917

merged 2 commits into from
Mar 1, 2024

Conversation

aduh95
Copy link
Contributor

@aduh95 aduh95 commented Feb 28, 2024

@aduh95 aduh95 requested a review from mhdawson February 28, 2024 22:53
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Feb 28, 2024
GeoffreyBooth
GeoffreyBooth approved these changes Feb 28, 2024
View reviewed changes
Copy link
Member

@GeoffreyBooth GeoffreyBooth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same can be said about anything the user downloads via npm, I would assume, though perhaps that’s obvious.

@debadree25 debadree25 added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Feb 29, 2024
@aduh95 aduh95 added the commit-queue Add this label to land a pull request using GitHub Actions. label Feb 29, 2024
MylesBorins
MylesBorins reviewed Feb 29, 2024
View reviewed changes
SECURITY.md
@@ -201,6 +201,13 @@ the community they pose.
that artifact is large enough to impact performance or
cause the runtime to run out of resources.

#### Vulnerabilities affecting software downloaded by Corepack

* Corepack defaults to downloading the latest version of the software requested
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we call out that it doesn't always download from npm?

This is unique from downloading package managers with npm

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure there is the assumption that downloads are from npm, so I'm good either way.

mhdawson
mhdawson approved these changes Feb 29, 2024
View reviewed changes
Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 1, 2024
@nodejs-github-bot nodejs-github-bot merged commit 1429381 into nodejs:main Mar 1, 2024
18 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in 1429381

@aduh95 aduh95 deleted the corepack-threat-model branch March 1, 2024 23:42
@aduh95 aduh95 mentioned this pull request Mar 3, 2024
Open
targos pushed a commit that referenced this pull request Mar 7, 2024
@aduh95 @targos
doc: clarify Corepack threat model
5908c12 
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
@targos targos mentioned this pull request Mar 7, 2024
Merged
@GeoffreyBooth GeoffreyBooth mentioned this pull request Mar 18, 2024
Closed
richardlau pushed a commit that referenced this pull request Mar 25, 2024
@aduh95 @richardlau
doc: clarify Corepack threat model
9b68aaf 
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
richardlau pushed a commit that referenced this pull request Mar 25, 2024
@aduh95 @richardlau
doc: clarify Corepack threat model
93d6d66 
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
@richardlau richardlau mentioned this pull request Mar 25, 2024
Merged
rdw-msft pushed a commit to rdw-msft/node that referenced this pull request Mar 26, 2024
@aduh95 @rdw-msft
doc: clarify Corepack threat model
eef0ee4 
PR-URL: nodejs#51917
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhdawson mhdawson mhdawson approved these changes

@MylesBorins MylesBorins MylesBorins left review comments

@trivikr trivikr trivikr approved these changes

@legendecas legendecas legendecas approved these changes

@MoLow MoLow MoLow approved these changes

@UlisesGascon UlisesGascon UlisesGascon approved these changes

@lpinca lpinca lpinca approved these changes

@benjamingr benjamingr benjamingr approved these changes

@arcanis arcanis arcanis approved these changes

@GeoffreyBooth GeoffreyBooth GeoffreyBooth approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

@ShogunPanda ShogunPanda ShogunPanda approved these changes

@anonrig anonrig anonrig approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. doc Issues and PRs related to the documentations.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.