Comments (5)
I'll be interested in listening to the discussion in the meeting since I can't make it. My first thought is that it will be a challenge to communicate/explain/justify why we exclude some parts of our APIs from vulnerability reports. We had a discussion around doing so for experimental features and the consensus was that it was not the way to go at that point in time.
from security-wg.
I don't think it's a good idea to provide insecure features in core.
We will receive issues and h1 reports even if we mark it as insecure, because users will rely on the feature and build products and libraries on top.
I think the expectation is that if something is stable, it is secure for production.
An insecure feature would be something forever experimental.
I believe that would be more useful as a separate npm package.
I agree with Marco. Seems like experimental is the way to go
@aduh95 During today's security team meeting, we discussed the topic of adding an explicitly insecure feature to Node.js. Our consensus, for now, is that it is not a good choice. While having it built-in may seem convenient, it is not a strong enough argument to justify it being part of the core.
If you would like to discuss this further, we welcome you to join one of our meetings.
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.