Conversation

@RafaelGSS (Member)

  • Align examples with current SECURITY.md threat model
  • Add scenarios for malicious deps and prototype pollution
  • Document Node.js permission model usage
  • Refresh policy mechanism guidance and external security resources

PTAL @nodejs/security-wg

Copilot AI review requested due to automatic review settings November 25, 2025 18:39
@RafaelGSS RafaelGSS requested a review from a team as a code owner November 25, 2025 18:39
@vercel

vercel bot commented Nov 25, 2025

The latest updates on your projects.

Project: nodejs-org | Deployment: Ready | Preview: available | Updated (UTC): Nov 25, 2025 7:04pm

@github-actions (Contributor)

👋 Codeowner Review Request

The following codeowners have been identified for the changed files:

Team reviewers: @nodejs/security-wg

Please review the changes when you have a chance. Thank you! 🙏

@codecov

codecov bot commented Nov 25, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.41%. Comparing base (563f9eb) to head (4dc88ed).
⚠️ Report is 4 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8374      +/-   ##
==========================================
+ Coverage   76.40%   76.41%   +0.01%     
==========================================
  Files         118      118              
  Lines        9928     9928              
  Branches      334      334              
==========================================
+ Hits         7585     7586       +1     
+ Misses       2341     2340       -1     
  Partials        2        2              


Copilot finished reviewing on behalf of RafaelGSS November 25, 2025 18:42
Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the security best practices documentation to align with the current Node.js threat model, clarifying the distinction between Node.js core vulnerabilities and application-level security concerns. The changes enhance the documentation with concrete examples, updated guidance on security mechanisms, and new information about the Node.js permission model.

  • Adds clarifying introductions to major threat sections explaining the Node.js threat model scope
  • Provides concrete, realistic examples for malicious dependencies and prototype pollution scenarios
  • Documents the Node.js permission model as a runtime security mechanism
  • Updates policy mechanism guidance and adds new external security resources


@github-actions (Contributor)

github-actions bot commented Nov 25, 2025

📦 Build Size Comparison

Summary

Metric Value
Old Total Size 3.51 MB
New Total Size 3.51 MB
Delta 0 B (0.00%)

Changes

➕ Added Assets (1)
Name Size
.next/static/chunks/6f23856e2717fe73.js 204.48 KB
➖ Removed Assets (1)
Name Size
.next/static/chunks/04a07082bdfb95c8.js 204.48 KB

@RafaelGSS RafaelGSS added the github_actions:pull-request Trigger Pull Request Checks label Nov 27, 2025
@github-actions github-actions bot removed the github_actions:pull-request Trigger Pull Request Checks label Nov 27, 2025
@github-actions (Contributor)

github-actions bot commented Nov 27, 2025

Lighthouse Results

URL | Performance | Accessibility | Best Practices | SEO
/en | 🟢 96 | 🟠 88 | 🟢 100 | 🟢 100
/en/about | 🟢 100 | 🟢 93 | 🟢 100 | 🟠 88
/en/about/previous-releases | 🟢 98 | 🟢 93 | 🟢 100 | 🟢 100
/en/download | 🟢 90 | 🟢 96 | 🟢 100 | 🟢 100
/en/download/archive/current | 🟢 100 | 🟢 100 | 🟢 100 | 🟢 100
/en/blog | 🟢 100 | 🟢 100 | 🟢 96 | 🟢 100

@RafaelGSS RafaelGSS added this pull request to the merge queue Nov 27, 2025
Merged via the queue into main with commit 917f348 Nov 27, 2025
16 checks passed
@RafaelGSS RafaelGSS deleted the update-sec-best-practices branch November 27, 2025 13:21
6 participants