SECURITY.md: remove outdated sections, explicitly state no CVE #38
Open
aduh95 wants to merge 1 commit into
Conversation

aduh95 (Contributor, Author):
What triggered this change is a discussion between @RafaelGSS, @ShogunPanda, and myself regarding the vulnerabilities that were patched as part of the recent llhttp security release. We didn't ask for CVEs for those, and looking at the history we never did request any CVE for llhttp but one time (CVE-2020-8287) – and even then, the CVE was for Node.js, not llhttp.

The takeaway was that we needed to document that we do not issue CVEs for llhttp.

This file is used on all of our repos that do not have their own SECURITY.md, including e.g. https://github.com/nodejs/llhttp/security#disclosure-policy (maybe try opening the link from a private window to see what an unprivileged user sees). Because that document was copied from the nodejs/node repo a few years back, I find it mostly off-topic: you thought you clicked on the security policy of llhttp, but it describes the one of Node.js, and does not even clarify that it doesn't apply to the current repo. So I took the opportunity to remove all the outdated and off-topic sections.

/cc @nodejs/tsc @nodejs/security

anonrig approved these changes (Jul 1, 2026)

UlisesGascon reviewed (Jul 1, 2026)

UlisesGascon (Member) left a comment:
I think the edition is not correct (removing additional content not intended?) 🤔

aduh95 (Contributor, Author):
From the ones I have removed, which section(s) do you think we should keep?

Member:
My fault! I was thinking that this SECURITY.md was the one that is included in node, undici, etc... but the repos have a dedicated file, so the changes make sense to me now 👍

UlisesGascon approved these changes (Jul 1, 2026)

Member:
We should issue CVEs for llhttp.

aduh95 (Contributor, Author):
Well, we never did and don't have a process for it. If we want to start one, it should have its own SECURITY.md (and would no longer be affected by this change).