Skip to content

meta: clarify --harmony features are outside threat model#64224

Open
mcollina wants to merge 1 commit into
nodejs:mainfrom
mcollina:harmony-threat-model
Open

meta: clarify --harmony features are outside threat model#64224
mcollina wants to merge 1 commit into
nodejs:mainfrom
mcollina:harmony-threat-model

Conversation

@mcollina

@mcollina mcollina commented Jul 1, 2026

Copy link
Copy Markdown
Member

We cannot be responsible for V8 experimental features in case they cause security problems.

Signed-off-by: Matteo Collina <hello@matteocollina.com>
@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Jul 1, 2026
@mcollina mcollina requested review from ShogunPanda and aduh95 July 1, 2026 07:57
Comment thread SECURITY.md
Comment on lines +147 to +148
Node.js may expose V8 features that are controlled by `--harmony` flags
(e.g., `--harmony-optional-chaining`, `--harmony-shadowrealm`). These flags

@Renegade334 Renegade334 Jul 1, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--harmony is deprecated terminology in V8, and new features haven't used it for some time. I would suggest something like

Node.js may expose in-development V8 features that are only available via --js-* or --harmony-* runtime flags (e.g., --js-decorators, --harmony-shadowrealm).

--js-staging is the new global flag equivalent of --harmony.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

doc Issues and PRs related to the documentations.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants