Can we have "unsecure" features in Node.js?
Should there be a note about security in the docs? Specifically, I am wondering what would constitute a vulnerability here.
Originally posted by @tniessen in https://github.com/nodejs/node/issues/45096#issuecomment-2037169224
In the PR linked above, I'm suggesting adding a static HTTP server that is targeted for development only, i.e. not meant to be production ready (ever, likely). Is there a way to make sure that bugs that will be found in this implementation will not result in security releases? I think there is value to have this feature built-in (it's already available via npm packages, but having to add a dev dependency for such a simple feature seems silly), but it's unclear if it's worth it if it results in a flow of security vulnerability reports.
I'll be interested in listening to the discussion in the meeting since I can't make it. My first thought is that it will be a challenge to communicate/explain/justify why we exclude some parts of our APIs from vulnerability reports. We had a discussion around doing so for experimental features, and the consensus was that it was not the way to go at that point in time.
I don't think it's a good idea to provide insecure features in core.
We will receive issues and H1 reports even if we mark it as insecure, because users will rely on the feature and build products and libraries on top.
I think the expectation is that if something is stable, it is secure for production. An insecure feature would be something forever experimental. I believe that would be more useful as a separate npm package.
I agree with Marco. Seems like experimental is the way to go.
@aduh95 During today's security team meeting, we discussed the topic of adding an explicitly insecure feature to Node.js. Our consensus, for now, is that it is not a good choice. While having it built-in may seem convenient, it is not a strong enough argument to justify it being part of the core.
If you would like to discuss this further, we welcome you to join one of our meetings.
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.