Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can we have "unsecure" features in Node.js? #1274

Closed
aduh95 opened this issue Apr 6, 2024 · 5 comments
Closed

Can we have "unsecure" features in Node.js? #1274

aduh95 opened this issue Apr 6, 2024 · 5 comments
Labels

Comments

@aduh95
Copy link

aduh95 commented Apr 6, 2024

          Should there be a note about security in the docs? Specifically, I am wondering what would constitute a vulnerability here.

Originally posted by @tniessen in nodejs/node#45096 (comment)

In the PR linked above, I'm suggesting adding a static HTTP server that is targeted for development only, i.e. not meant to be production ready (ever, likely). Is there a way to make sure that bugs that will be found in this implementation will not result in security releases?
I think there is value to have this feature built-in (it's already available via npm packages, but having to add a dev dependency for such a simple feature seems silly), but it's unclear if it's worth it if it results in a flow of security vulnerability reports.

@mhdawson
Copy link
Member

I'll be interested in listing to the discussion in the meeting since I can't make it. My first thought is that it will be a challenge to community/explain/justify why we exclude some parts of our APIs from vulnerability reports. We had discussion around doing so for experimental features and the consensus was that it was not the way to go at that point in time.

@marco-ippolito
Copy link
Member

I don't think it's a good idea to provide insecure features in core.

We will receive issue, and h1 reports even if we mark it as insecure, because users will rely on the feature and build products and libraries on top.

I think the expectation is that if something is stable, is secure for production.
A insecure feature would be something forever experimental.
I believe that would be more useful as a separate npm package.

@UlisesGascon
Copy link
Member

I agree with Marco. Seems like experimental is the way to go

@RafaelGSS
Copy link
Member

@aduh95 During today's security team meeting, we discussed the topic of adding an explicitly insecure feature to Node.js. Our consensus, for now, is that it is not a good choice. While having it built-in may seem convenient, it is not a strong enough argument to justify it being part of the core.

If you would like to discuss this further, we welcome you to join one of our meetings.

Copy link
Contributor

This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.

@github-actions github-actions bot added the stale label Jul 25, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants