19 changes: 19 additions & 0 deletions SECURITY.md
Expand Up @@ -142,6 +142,25 @@ are not ready for public consumption and may have incomplete implementations,
missing security hardening, or other limitations that make them unsuitable
for production use.

### Experimental features behind `--harmony` flags

Node.js may expose V8 features that are controlled by `--harmony` flags
(e.g., `--harmony-optional-chaining`, `--harmony-shadowrealm`). These flags
Comment on lines +147 to +148

@Renegade334 Renegade334 Jul 1, 2026

Member

`--harmony` is deprecated terminology in V8, and new features haven't used it for some time. I would suggest something like

> Node.js may expose in-development V8 features that are only available via `--js-*` or `--harmony-*` runtime flags (e.g., `--js-decorators`, `--harmony-shadowrealm`).

`--js-staging` is the new global flag equivalent of `--harmony`.

enable V8-level JavaScript language features that are not part of the
ECMAScript specification that Node.js implements and are not part of the
Node.js documented API surface.

* Security vulnerabilities that can only be triggered via `--harmony` flags
will **not** be accepted as valid security issues.
* Any issues with these features will be treated as normal bugs.
* No CVEs will be issued for issues that only affect `--harmony` flag features.
* Bug bounty rewards are not available for `--harmony` flag feature issues.

This policy recognizes that `--harmony` flags expose experimental V8 features
that are not part of the Node.js documented API surface, are not enabled by
default in production builds, and may have incomplete implementations or
missing security hardening.

### What constitutes a vulnerability

Being able to cause the following through control of the elements that Node.js
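
Review bot: The four added bullets and the closing paragraph key the exclusion to the literal `--harmony` spelling ("can only be triggered via `--harmony` flags"), so an in-development V8 feature enabled through a differently named flag, such as the `--js-*` flags raised in the review comment above, would fall outside the wording. Consider defining the scope once in the opening sentence, in terms of what the flags do rather than how they are prefixed, and having the bullets refer back to that definition. The example `--harmony-optional-chaining` in the opening sentence also sits awkwardly beside "not part of the ECMAScript specification that Node.js implements", since optional chaining is a standardized ECMAScript feature; an example of a feature that is still unshipped would match the text better. The closing paragraph largely repeats the opening sentence and the context lines above the hunk ("incomplete implementations, missing security hardening"), so it could be shortened or dropped.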