Would the `node-version-file` be a security issue?

[LitoMore]

Sorry for posting the question using a bug template. I didn't find a correct template for submitting questions.

Would the node-version-file be a security issue since contributors can update the Node.js version out of the GitHub Actions YAML file?

A non-first-time contributor can trigger actions without waiting for approval, and changing the running version is possible by creating a PR. My concern is that there may be some vulnerabilities in a specific version of Node.js. This could be a security issue.

Please correct me if I misunderstand the GitHub Actions security strategy above.

[gowridurgad]

Hi @LitoMore,
Thank you for reporting this issue. We will investigate it and get back to you as soon as we have some feedback.

[florianrusch]

Just my 5 cents on this topic: For me it's a feature that improves the developer experience (DX). The developers can manage the version they need themselves without having to remember to update the node version within the Github pipelines as well.

I haven't checked the source code, but as far as I know, only specific files are supported. I expect that only the node version is read from these files, which is then used in a URL, SDK, whatever, to get the corresponding node version. If nonsense is entered as the node version in the files, the action should simply throw an error in the sense of Couldn't find node version ‘fooobar’ and let the pipeline fail.

If a contributor enters a different, valid node version, it is the responsibility of the reviewer to ensure that this change was intentional. Whether the PR pipeline ran successfully with the new valid node version or not does not matter here, as IMHO it should not cause any problems.

[Shvernawalker]

#1224

[lmvysakh]

Hello @florianrusch,

Thank you for reaching out and sharing your valuable insight with us. We cordially appreciate the support.

---

Hi @LitoMore,

Thank you for raising this concern! Regarding security concerns, there is no inherent risk in using the node-version-file because:

1. PR Review Process: All pull requests, including those that change the node-version-file, must go through a thorough review process. This review includes checks for security and compatibility.
2. Automated Security Checks: Our CI/CD pipeline is configured to run security audits and tests on all proposed changes. Any vulnerabilities introduced by a new Node.js version will be caught during these automated checks.
3. Approval Requirements: Non-first-time contributors can trigger actions, but any changes to the node-version-file still require approval and review before being merged.

By adhering to these processes, we ensure that any changes to the Node.js version are secure and do not introduce vulnerabilities into the project.

I'll go ahead and close this issue now. If you encounter any further problems or have additional questions, please feel free to open a new issue. Thanks again!