Merge branch 'nodejs:main' into fix/module-esm-silent-failure-61104

Author: heathdutton

SECURITY.md

@@ -309,6 +309,32 @@ the community they pose.
   Node.js releases won't be affected by such vulnerabilities. Users are
   responsible for keeping the software they use through Corepack up-to-date.
 
+#### Exposing Application-Level APIs to Untrusted Users (CWE-653)
+
+* Node.js trusts the application code that uses its APIs. When application code
+  exposes Node.js functionality to untrusted users in an unsafe manner, any
+  resulting crashes, data corruption, or other issues are not considered
+  vulnerabilities in Node.js itself. It is the application's responsibility to:
+  * Validate and sanitize all untrusted input before passing it to Node.js APIs.
+  * Design appropriate access controls and security boundaries.
+  * Avoid exposing low-level or dangerous APIs directly to untrusted users.
+
+* Examples of scenarios that are **not** Node.js vulnerabilities:
+  * Allowing untrusted users to register SQLite user-defined functions that can
+    perform arbitrary operations (e.g., closing database connections during query
+    execution, causing crashes or use-after-free conditions).
+  * Exposing `child_process.exec()` or similar APIs to untrusted users without
+    proper input validation, allowing command injection.
+  * Allowing untrusted users to control file paths passed to file system APIs
+    without validation, leading to path traversal issues.
+  * Permitting untrusted users to define custom code that executes with the
+    application's privileges (e.g., custom transforms, plugins, or callbacks).
+
+* These scenarios represent application-level security issues, not Node.js
+  vulnerabilities. The root cause is the application's failure to establish
+  proper security boundaries between trusted application logic and untrusted
+  user input.
+
 ## Assessing experimental features reports
 
 Experimental features are eligible for security reports just like any other

benchmark/common.js

@@ -118,10 +118,9 @@ class Benchmark {
       const [, key, value] = match;
       if (configs[key] !== undefined) {
         cliOptions[key] ||= [];
-        cliOptions[key].push(
-          // Infer the type from the config object and parse accordingly
-          typeof configs[key][0] === 'number' ? +value : value,
-        );
+        const configType = typeof configs[key][0];
+        const configValue = configType === 'number' ? +value : configType === 'boolean' ? value === 'true' : value;
+        cliOptions[key].push(configValue);
       } else {
         extraOptions[key] = value;
       }
@@ -141,7 +140,7 @@ class Benchmark {
       const values = options[key];
 
       for (const value of values) {
-        if (typeof value !== 'number' && typeof value !== 'string') {
+        if (typeof value !== 'number' && typeof value !== 'string' && typeof value !== 'boolean') {
           throw new TypeError(
             `configuration "${key}" had type ${typeof value}`);
         }

benchmark/crypto/randomUUID.js

@@ -5,11 +5,10 @@ const { randomUUID } = require('crypto');
 
 const bench = common.createBenchmark(main, {
   n: [1e7],
-  disableEntropyCache: [0, 1],
+  disableEntropyCache: [false, true],
 });
 
 function main({ n, disableEntropyCache }) {
-  disableEntropyCache = !!disableEntropyCache;
   bench.start();
   for (let i = 0; i < n; ++i)
     randomUUID({ disableEntropyCache });

benchmark/util/deprecate.js

@@ -5,7 +5,7 @@ const assert = require('assert');
 
 const bench = common.createBenchmark(main, {
   n: [1e5],
-  modifyPrototype: [1, 0],
+  modifyPrototype: [true, false],
   emitWarningSync: [1, 0],
 }, {
   flags: ['--expose-internals'],
@@ -23,7 +23,7 @@ function main({ n, modifyPrototype, emitWarningSync }) {
     'This function is deprecated',
     'DEP0000',
     emitWarningSync,
-    !!modifyPrototype,
+    modifyPrototype,
   );
 
   let sum = 0;