Warn on insecure environment options / CLI flags #21774

@ChALkeR

Note: this is not about deprecation, it is about printing runtime warnings about security impact of some of the Node.js environment options. That would probably be a semver-major change.

Environment options are more dangerous because:

  • It is very simple to blindly copy-paste suggestions from the internet without understanding the security impact — more simple than writing unsafe code.
  • Users are more likely to blindly run some programs (like npm) with those than modify them to use unsafe API.
  • Users might not even know that they are using unsafe env options: other applications, stale/corrupted env, some libraries from npm — those all can set unsafe env options without the user noticing that.

I have seen npm credentials in logs from npm being run with NODE_DEBUG=http and those logs being attached to issues.
I have seen modules setting NODE_TLS_REJECT_UNAUTHORIZED.

So far, the ones that I am aware of:

Anything else?

I also would like some discussion here, as I am not sure if that is the best approach in this situation.
/cc @nodejs/security-wg
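
A sketch of the kind of startup check discussed above, as an added example that is not part of the original issue and not Node.js core code. It covers only the two options named in the issue; the function names and the `SecurityWarning` type are hypothetical, and the sample environment is constructed.

```javascript
// Added example: application-level check, not Node.js core behaviour.

// NODE_DEBUG is a comma-separated list of section names; '*' acts as a
// wildcard and matching is case-insensitive.
function debugSectionEnabled(nodeDebug, section) {
  return String(nodeDebug || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .some((pattern) => {
      const escaped = pattern
        .replace(/[|\\{}()[\]^$+?.]/g, '\\$&') // escape regex metacharacters
        .replace(/\*/g, '.*');                 // then expand the wildcard
      return new RegExp(`^${escaped}$`, 'i').test(section);
    });
}

// Returns one finding per risky option present in `env`.
function findInsecureEnvOptions(env) {
  const findings = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push({
      name: 'NODE_TLS_REJECT_UNAUTHORIZED',
      reason: 'TLS certificate verification is disabled',
    });
  }
  if (debugSectionEnabled(env.NODE_DEBUG, 'http')) {
    findings.push({
      name: 'NODE_DEBUG',
      reason: 'http debug output may carry credentials into logs',
    });
  }
  return findings;
}

// Emits a runtime warning for each finding (hypothetical warning type name).
function warnOnInsecureEnv(env = process.env) {
  const findings = findInsecureEnvOptions(env);
  for (const f of findings) {
    process.emitWarning(`${f.name} is set: ${f.reason}`, 'SecurityWarning');
  }
  return findings;
}

// Constructed sample environment for illustration.
const sampleEnv = { NODE_DEBUG: 'fs,HTTP', NODE_TLS_REJECT_UNAUTHORIZED: '0' };
console.log(findInsecureEnvOptions(sampleEnv).map((f) => f.name));
```

Calling `warnOnInsecureEnv()` at the top of an entry point also surfaces values inherited from a stale shell or set by another tool, which is the case the issue is concerned about.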

Labels: discuss, security
