doc: explicit mention arbitrary code execution as a vuln

This request came from GitHub Open Source Secure and
it's always welcome to clarify the policy.

PR-URL: https://github.com/nodejs/node/pull/57426
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Rafael Gonzaga
2025-03-14 19:51:52 -03:00
committed by GitHub
parent 078af918d0
commit 645e376231


@@ -106,6 +106,9 @@ a security vulnerability. Examples of unwanted actions are polluting globals,
causing an unrecoverable crash, or any other unexpected side effects that can
lead to a loss of confidentiality, integrity, or availability.
For example, if trusted input (like secure application code) is correct,
then untrusted input must not lead to arbitrary JavaScript code execution.
**Node.js trusts everything else**. Examples include:
* The developers and infrastructure that runs it.
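
Review bot: The added sentence scopes the guarantee to "arbitrary JavaScript code execution", while the commit subject says "arbitrary code execution"; as written, a reader could conclude that untrusted input leading to execution of non-JavaScript code is outside the policy. Consider dropping "JavaScript" or saying explicitly why the example is limited to it. In the same sentence, "if trusted input (like secure application code) is correct" uses "secure" and "correct" for what looks like one condition, which makes the premise circular; "if trusted input (like application code) is correct" would state the trust boundary without presupposing the code is already secure.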