docs/threat_model/supply_chain_threat_model.rst

127 Node.js Tools
131 installed through the use of the Node.js package manager. They are pinned to
388   |             | for Python and Node.js, but we aren't able to do this for C |
555   |             | installation time through malicious Node.js dependencies.   |
561   | Threat and  | | Users of the Node.js tools, including the CI, may be      |
563   |             |   by the Node.js dependency auditor. Users of these tools   |
573   | Proposed    | - Limit Node.js tools to a minimal set of trusted packages  |
574   | Mitigations | - Pin Node.js packages to known versions                    |
575   |             | - Update dependencies for which Node.js’s auditor reports   |
577   |             | - Execute Node.js tools in the CI only from within a        |
580   | Mitigations | Yes, Node.js tools are limited to a minimal set of trusted  |
583   |             | reported, and Node.js tools are only executed within a      |