Can we have "unsecure" features in Node.js? #1274

Open
aduh95 opened this issue Apr 6, 2024 · 4 comments
Comments

@aduh95

aduh95 commented Apr 6, 2024

> Should there be a note about security in the docs? Specifically, I am wondering what would constitute a vulnerability here.

Originally posted by @tniessen in nodejs/node#45096 (comment)

In the PR linked above, I'm suggesting adding a static HTTP server that is targeted for development only, i.e. not meant to be production ready (ever, likely). Is there a way to make sure that bugs found in this implementation will not result in security releases?
I think there is value in having this feature built in (it's already available via npm packages, but having to add a dev dependency for such a simple feature seems silly), but it's unclear if it's worth it if it results in a flow of security vulnerability reports.

@mhdawson
Member

I'll be interested in listening to the discussion in the meeting since I can't make it. My first thought is that it will be a challenge to communicate/explain/justify why we exclude some parts of our APIs from vulnerability reports. We had a discussion around doing so for experimental features and the consensus was that it was not the way to go at that point in time.

@marco-ippolito
Member

I don't think it's a good idea to provide insecure features in core.

We will receive issues and h1 reports even if we mark it as insecure, because users will rely on the feature and build products and libraries on top.

I think the expectation is that if something is stable, it is secure for production.
An insecure feature would be something forever experimental.
I believe that would be more useful as a separate npm package.

@UlisesGascon
Member

I agree with Marco. Seems like experimental is the way to go.

@RafaelGSS
Member

@aduh95 During today's security team meeting, we discussed the topic of adding an explicitly insecure feature to Node.js. Our consensus, for now, is that it is not a good choice. While having it built-in may seem convenient, it is not a strong enough argument to justify it being part of the core.

If you would like to discuss this further, we welcome you to join one of our meetings.
