
Commit 93d6d66

aduh95 authored and richardlau committed
doc: clarify Corepack threat model
PR-URL: #51917
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
1 parent f37648e commit 93d6d66

2 files changed, +17 -2 lines changed


SECURITY.md

+7
@@ -201,6 +201,13 @@ the community they pose.
201201
that artifact is large enough to impact performance or
202202
cause the runtime to run out of resources.
203203

204+
#### Vulnerabilities affecting software downloaded by Corepack
205+
206+
* Corepack defaults to downloading the latest version of the software requested
207+
by the user, or a specific version requested by the user. For this reason,
208+
Node.js releases won't be affected by such vulnerabilities, users are
209+
responsible to keep the software they use through Corepack up-to-date.
210+
204211
## Assessing experimental features reports
205212

206213
Experimental features are eligible to reports as any other stable feature of
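Review bot: the added bullet has a comma splice and a preposition error: "Node.js releases won't be affected by such vulnerabilities, users are responsible to keep the software they use through Corepack up-to-date" should read "Node.js releases won't be affected by such vulnerabilities; users are responsible for keeping the software they use through Corepack up to date." Since the same bullet says Corepack may download "a specific version requested by the user", it is also worth stating that a pinned version is never updated automatically, so keeping it current means bumping that pin; as written, "defaults to downloading the latest version" can be read as implying updates happen on their own.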

doc/api/corepack.md

+10-2
@@ -15,8 +15,16 @@ added:
1515
_[Corepack][Corepack repository]_ is an experimental tool to help with
1616
managing versions of your package managers. It exposes binary proxies for
1717
each [supported package manager][] that, when called, will identify whatever
18-
package manager is configured for the current project, transparently install
19-
it if needed, and finally run it without requiring explicit user interactions.
18+
package manager is configured for the current project, download it if needed,
19+
and finally run it.
20+
21+
Despite Corepack being distributed with default installs of Node.js, the package
22+
managers managed by Corepack are not part of the Node.js distribution and:
23+
24+
* Upon first use, Corepack downloads the latest version from the network.
25+
* Any required updates (related to security vulnerabilities or otherwise) are
26+
out of scope of the Node.js project. If necessary end users must figure out
27+
how to update on their own.
2028

2129
This feature simplifies two core workflows:
2230
