doc: clarify Corepack threat model

aduh95 · targos · commit 5908c121c644 · 2024-03-07T10:27:30.000+01:00
PR-URL: #51917 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
diff --git a/SECURITY.md b/SECURITY.md
@@ -201,6 +201,13 @@ the community they pose.
   that artifact is large enough to impact performance or
   cause the runtime to run out of resources.
 
+#### Vulnerabilities affecting software downloaded by Corepack
+
+* Corepack defaults to downloading the latest version of the software requested
+  by the user, or a specific version requested by the user. For this reason,
+  Node.js releases won't be affected by such vulnerabilities, users are
+  responsible to keep the software they use through Corepack up-to-date.
+
 ## Assessing experimental features reports
 
 Experimental features are eligible to reports as any other stable feature of
diff --git a/doc/api/corepack.md b/doc/api/corepack.md
@@ -15,8 +15,16 @@ added:
 _[Corepack][Corepack repository]_ is an experimental tool to help with
 managing versions of your package managers. It exposes binary proxies for
 each [supported package manager][] that, when called, will identify whatever
-package manager is configured for the current project, transparently install
-it if needed, and finally run it without requiring explicit user interactions.
+package manager is configured for the current project, download it if needed,
+and finally run it.
+
+Despite Corepack being distributed with default installs of Node.js, the package
+managers managed by Corepack are not part of the Node.js distribution and:
+
+* Upon first use, Corepack downloads the latest version from the network.
+* Any required updates (related to security vulnerabilities or otherwise) are
+  out of scope of the Node.js project. If necessary end users must figure out
+  how to update on their own.
 
 This feature simplifies two core workflows:
 
