@@ -179,6 +179,11 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
|
179 | 179 | See <https://nodejs.org/api/modules.html#all-together>. |
180 | 180 | * The `node:wasi` module does not currently provide the comprehensive file |
181 | 181 | system security properties provided by some WASI runtimes. |
| 182 | +* The execution path is trusted. Additionally, Node.js path manipulation functions |
| 183 | + such as `path.join()` and `path.normalize()` trust their input. Reports about issues |
| 184 | + related to these functions that rely on unsanitized input are not considered vulnerabilities |
| 185 | + requiring CVEs, as it's the user's responsibility to sanitize path inputs according to |
| 186 | + their security requirements. |
182 | 187 | |
183 | 188 | Any unexpected behavior from the data manipulation from Node.js Internal |
184 | 189 | functions may be considered a vulnerability if they are exploitable via |
|
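Review bot: The new bullet's first sentence (new line 182), "The execution path is trusted", never says what "execution path" covers, and "Additionally" joins it to an unrelated statement about `path.join()` and `path.normalize()`; split this into two bullets and define the term. The wording "not considered vulnerabilities requiring CVEs" (new lines 184-185) can be read either as "not vulnerabilities at all" or as "vulnerabilities that do not receive a CVE", so pick one reading and state it directly. Because the paragraph that follows (new lines 188-189) says unexpected behavior from internal data manipulation functions may be considered a vulnerability, the bullet should also say how the two relate, for example by limiting the exclusion to reports that depend on the caller passing unsanitized input.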