From 8b358ecf4de6837363ad6bd2ee6f6ff5ec46dd30 Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Sun, 21 Oct 2018 18:53:07 -0700 Subject: [PATCH] doc: remove problematic example from README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove Buffer constructor example from security reporting examples. Even though the example text focuses on API compatibility, the pull request cited is about zero-filling vs. not zero-filling, which is not an API compatibility change (or at least is not unambiguously one). The fact that it's a pull request is also problematic, since it's not reporting a security issue but instead proposing a way to address one that has already been reported publicly. Finally, the text focuses on the fact that it was not deemed worth of backporting, but that was determined by a vote by a divided CTC. It is unreasonable to ask someone reporting an issue to make a determination that the CTC/TSC is divided on. In short, it's not a good example for the list it is in. Remove it. Refs: https://github.com/nodejs/node/pull/23759#discussion_r226804801 PR-URL: https://github.com/nodejs/node/pull/23817 Reviewed-By: Colin Ihrig Reviewed-By: Michael Dawson Reviewed-By: Michaƫl Zasso Reviewed-By: Luigi Pinca Reviewed-By: Trivikram Kamat --- README.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/README.md b/README.md index 933a71ec5af96a..a8dc9a1453098a 100644 --- a/README.md +++ b/README.md @@ -179,12 +179,6 @@ nonetheless. arbitrary JavaScript code. That is already the highest level of privilege possible. -- [#12141](https://github.com/nodejs/node/pull/12141): _buffer: zero fill - Buffer(num) by default_. The documented `Buffer()` behavior was prone to - [misuse](https://snyk.io/blog/exploiting-buffer/). It has since changed. It - was not deemed serious enough to fix in older releases and breaking API - stability. - ### Private disclosure preferred - [CVE-2016-7099](https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/):