Description
By default Node.js will listen for SIGUSR1 and start its internal inspector when it is received. This creates a security risk on production systems as the inspector interface could be used to eavesdrop on RPC intractions, for example, and execute arbitrary code in general.
For example in our infrastructure we use a PM2 module to listen for apps starting/restarting and send them their 'secrets' (API/signing keys etc) through sendLineToStdin(). However if a bad actor would manage to get access to the system they could send SIGUSR1 to the PM2 God process, attach a debugger and set some breakpoints to intercept these transactions and therefore steal the secrets.
This can easily be prevented by registering a no-op handler for SIGUSR1, as is recommended in the Security best practices provided by the Node.js team: https://nodejs.org/en/learn/getting-started/security-best-practices.