Skip to content

doc: clarify EventEmitter error handling in threat model #61701

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nodejs-github-bot merged 1 commit into from
Feb 7, 2026
Merged

doc: clarify EventEmitter error handling in threat model #61701

nodejs-github-bot merged 1 commit into from
Feb 7, 2026
+12 −0

Conversation

@mcollina
Copy link
Member

@mcollina mcollina commented Feb 5, 2026

Summary

  • Add documentation to SECURITY.md clarifying that applications must attach 'error' handlers to EventEmitters
  • Specify that this includes HTTP streams and other Node.js core streams
  • Clarify that crashes from missing error handlers are not considered DoS vulnerabilities

Test plan

  • Documentation-only change, no tests needed

@mcollina
doc: clarify EventEmitter error handling in threat model
c5a0b73 
Add documentation explaining that applications are expected to attach
'error' event handlers to EventEmitters that can emit errors, including
HTTP streams. Crashes resulting from missing error handlers are not
considered denial-of-service vulnerabilities in Node.js.
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Feb 5, 2026

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Feb 5, 2026
@addaleax addaleax added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Feb 6, 2026
@mcollina mcollina added the commit-queue Add this label to land a pull request using GitHub Actions. label Feb 6, 2026
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Feb 7, 2026
@nodejs-github-bot nodejs-github-bot merged commit 6aa465c into nodejs:main Feb 7, 2026
28 checks passed
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Feb 7, 2026

Landed in 6aa465c

aduh95 pushed a commit that referenced this pull request Feb 8, 2026
@mcollina @aduh95
doc: clarify EventEmitter error handling in threat model
439b816 
Add documentation explaining that applications are expected to attach
'error' event handlers to EventEmitters that can emit errors, including
HTTP streams. Crashes resulting from missing error handlers are not
considered denial-of-service vulnerabilities in Node.js.

PR-URL: #61701
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
@github-actions github-actions bot mentioned this pull request Feb 8, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasnell jasnell jasnell approved these changes

@addaleax addaleax addaleax approved these changes

@benjamingr benjamingr benjamingr approved these changes

@lpinca lpinca lpinca approved these changes

@cjihrig cjihrig cjihrig approved these changes

@UlisesGascon UlisesGascon UlisesGascon approved these changes

@legendecas legendecas legendecas approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. doc Issues and PRs related to the documentations.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@mcollina @nodejs-github-bot @jasnell @addaleax @benjamingr @lpinca @cjihrig @UlisesGascon @legendecas @RafaelGSS