Michael Dawson

Results 982 comments of Michael Dawson

I've gotten info on how to request an update to the CVEs. Adding here so that we have a record (although I'll think about whether we have a good place...

The link I think should be - https://hackerone.com/nodejs/cve_requests

Ok updates are now submitted. They still need to be processed on the H1 side before we'll see the updates externally.

@aberezovski I think it is an artifact on how llhttp is updated for vulnerabilities. Since updating llhttp in advance would disclose the vulnerability, the commits for the security release were...

PR to add missing step to update the CMakeList.txt to llhttp update instructions. https://github.com/nodejs/node/pull/44136 It may not have fixed this case where we do things a bit differently for security...

@aberezovski if you believe my analysis is incorrect and we have actually missed something, please report through H1 so that we can handle as an additional/new vulnerability - see https://github.com/nodejs/node/security/policy

I have been thinking about how we might move towards a standardized approach for integrating WASM which would address some of the concerns on the distro side. Some aspects of...

@kapouer thanks for the details.

> as it's rather easy to patch nodejs so that it requires the external undici-fetch.js file instead of bundling it.

I'm thinking that as there are more instances like this,...

@kapouer, @khardix, @kasicka as consumers of what I've proposed in https://github.com/nodejs/node/issues/44000#issuecomment-1204434268 what are your thoughts?