
Add threat model to SECURITY.md #17977

Merged: nicolo-ribaudo merged 6 commits into main from threat-model on May 6, 2026

Conversation

nicolo-ribaudo (Member) commented May 4, 2026

This will hopefully make it easier in the future to categorize vulnerability reports, and gives better guidance to our users.

Some doubts I have:

  • CVSS doesn't work well for vulnerabilities affecting Babel's output, as most of its metrics depend on what environment is actually running the code generated by Babel. Maybe we should just not use CVSS there, and assign the severity manually based on how large impact we think a vulnerability can have?
  • DoS attacks where you give Babel excessively complex input (e.g. hugely nested syntax, or a very large file) are not security vulnerabilities, but maybe "The attacker gave me this trivial input, I run it through Babel, and now the process is stuck" should be? Or are they just bugs? If you need to protect against "excessively complex input code" the only reasonable protection is to be able to kill Babel when it takes too long anyway.

@nicolo-ribaudo nicolo-ribaudo added the PR: Docs 📝 A type of pull request used for our changelog categories label May 4, 2026
babel-bot (Collaborator) commented May 4, 2026

Build successful! You can test your changes in the REPL here: https://babeljs.io/repl/build/61476

pkg-pr-new Bot commented May 4, 2026

commit: 260fdf4

nicolo-ribaudo (Member, Author) commented

Thanks @existentialism for always being there for my grammar mistakes :)

JLHwung (Contributor) left a review comment

Well done! Thank you for preparing the much-needed policy clarification in the LLM era.

Co-authored-by: Huáng Jùnliàng <[email protected]>
nicolo-ribaudo (Member, Author) commented

@liuxingbaoyu I added some guidance on how to use Babel to transform untrusted input:

Users passing arbitrary code as input to Babel should take the appropriate measures to handle resource exhaustion caused by the transpilation process, such as by running Babel in a separate Node.js worker that can be terminated independently from the rest of the application.

liuxingbaoyu (Member) commented

@nicolo-ribaudo Thank you, this looks great!

@nicolo-ribaudo nicolo-ribaudo merged commit 788ceae into main May 6, 2026
102 checks passed
@nicolo-ribaudo nicolo-ribaudo deleted the threat-model branch May 6, 2026 11:33

5 participants