Skip to content

Commit

Permalink
Remove mention of --untrusted-code-mitigations in README.md (#458)
Browse files Browse the repository at this point in the history
This functionality was removed in Node 16.17.0 and 17.0.0.  Comments on the relevant issues suggest this mitigations may never have worked:

nodejs/node#43296
nodejs/node#43328
  • Loading branch information
davidjb authored Mar 7, 2024
1 parent ac5fbde commit e65b6b7
Showing 1 changed file with 0 additions and 6 deletions.
6 changes: 0 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -112,12 +112,6 @@ have usually been 3-5 of these updates within a single nodejs LTS release cycle.
recommended to use odd-numbered nodejs releases since these frequently break ABI and API
compatibility and isolated-vm doesn't aim to be compatible with bleeding edge v8.

Against potentially hostile code you should also consider turning on [v8 untrusted code
mitigations](https://v8.dev/docs/untrusted-code-mitigations), which helps address the class of
speculative execution attacks known as Spectre and Meltdown. You can enable this feature by running
`node` with the `--untrusted-code-mitigations` flag. This feature comes with a slight performance
cost and must be enabled per-process, therefore nodejs disables it by default.

v8 is a relatively robust runtime, but there are always new and exciting ways to crash, hang,
exploit, or otherwise disrupt a process with plain old JavaScript. Your application must be
resilient to these kinds of issues and attacks. It's a good idea to keep instances of `isolated-vm`
Expand Down

0 comments on commit e65b6b7

Please sign in to comment.