Skip to content

doc: clarify Corepack threat model #51917

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 1, 2024
Merged

doc: clarify Corepack threat model #51917

merged 2 commits into from
Mar 1, 2024

Conversation

@aduh95
Copy link
Contributor

@aduh95 aduh95 commented Feb 28, 2024

@aduh95 aduh95 requested a review from mhdawson February 28, 2024 22:53
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Feb 28, 2024
GeoffreyBooth
GeoffreyBooth approved these changes Feb 28, 2024
View reviewed changes
Copy link
Member

@GeoffreyBooth GeoffreyBooth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same can be said about anything the user downloads via npm, I would assume, though perhaps that’s obvious.

@debadree25 debadree25 added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Feb 29, 2024
@aduh95 aduh95 added the commit-queue Add this label to land a pull request using GitHub Actions. label Feb 29, 2024
MylesBorins
MylesBorins reviewed Feb 29, 2024
View reviewed changes
SECURITY.md

#### Vulnerabilities affecting software downloaded by Corepack

* Corepack defaults to downloading the latest version of the software requested
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we call out that it doesn't always download from npm?

This is unique from downloading package managers with npm

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure there is the assumption that downloads are from npm, so I'm good either way.

mhdawson
mhdawson approved these changes Feb 29, 2024
View reviewed changes
Copy link
Member

@mhdawson mhdawson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 1, 2024
@nodejs-github-bot nodejs-github-bot merged commit 1429381 into nodejs:main Mar 1, 2024
@nodejs-github-bot
Copy link
Collaborator

Landed in 1429381

@aduh95 aduh95 deleted the corepack-threat-model branch March 1, 2024 23:42
@aduh95 aduh95 mentioned this pull request Mar 3, 2024
Closed
targos pushed a commit that referenced this pull request Mar 7, 2024
@aduh95 @targos
doc: clarify Corepack threat model
5908c12 
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
@targos targos mentioned this pull request Mar 7, 2024
Merged
@GeoffreyBooth GeoffreyBooth mentioned this pull request Mar 18, 2024
Closed
richardlau pushed a commit that referenced this pull request Mar 25, 2024
@aduh95 @richardlau
doc: clarify Corepack threat model
9b68aaf 
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
richardlau pushed a commit that referenced this pull request Mar 25, 2024
@aduh95 @richardlau
doc: clarify Corepack threat model
93d6d66 
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
@richardlau richardlau mentioned this pull request Mar 25, 2024
Merged
rdw-msft pushed a commit to rdw-msft/node that referenced this pull request Mar 26, 2024
@aduh95 @rdw-msft
doc: clarify Corepack threat model
eef0ee4 
PR-URL: nodejs#51917
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mhdawson mhdawson mhdawson approved these changes

@anonrig anonrig anonrig approved these changes

@benjamingr benjamingr benjamingr approved these changes

@lpinca lpinca lpinca approved these changes

@ShogunPanda ShogunPanda ShogunPanda approved these changes

@UlisesGascon UlisesGascon UlisesGascon approved these changes

@MoLow MoLow MoLow approved these changes

@legendecas legendecas legendecas approved these changes

@trivikr trivikr trivikr approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

@GeoffreyBooth GeoffreyBooth GeoffreyBooth approved these changes

+2 more reviewers

@MylesBorins MylesBorins MylesBorins left review comments

@arcanis arcanis arcanis approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. doc Issues and PRs related to the documentations.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.