
docs: update threatmodel to include stance on runtime modification #10945

Merged: jasonsaayman merged 1 commit into v1.x from docs/update-threatmodel on May 26, 2026

Conversation

@jasonsaayman jasonsaayman commented May 26, 2026

Member

Summary

Update threat model to include stance on runtime modification

Linked issue

N/A

Changes

N/A

Checklist

  • Tests added or updated (or N/A with reason)
  • Docs/types updated if public API changed (index.d.ts and index.d.cts)
  • No breaking changes (or called out explicitly above)

Summary by cubic

Clarifies the threat model: axios does not defend against monkey-patched JavaScript/Node.js runtime APIs when attacker code runs in the same process. This sets a clear security boundary.

Description

  • Summary of changes: Add a note to THREATMODEL.md stating axios won’t defend against patched runtime APIs like Object.keys, http.request, ClientRequest.prototype.setHeader, or fetch.
  • Reasoning: If attacker-controlled code runs in the same process, it can observe or alter requests below axios; this is outside axios’ security boundary.
  • Additional context: This does not change existing guidance about guarding config reads against polluted Object.prototype.

Docs

  • Mirror this clarification in /docs/security/threat-model.md (or equivalent), and link to it from any security overview page.

Testing

  • No tests added. Docs-only change; tests not needed.

Semantic version impact

  • No runtime or API changes. No release needed (docs-only).

Written for commit 1d206f3.
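As an added illustration of the boundary the summary draws (this is not part of the PR and not axios' own code): the reader below ignores values inherited from a polluted Object.prototype, which is the in-boundary case the existing guidance covers, while the intrinsics it captures at load time (hasOwnProperty, Object.keys) are exactly the kind of runtime API the threat model says axios cannot defend once attacker code runs in the same process. The function names, the FORBIDDEN_KEYS set and the sample config are assumptions made for this example.

```javascript
// Added example, not axios code: guarding config reads against a polluted
// Object.prototype (inside axios' stated boundary) versus the runtime APIs
// the guard itself depends on (outside it).

// Capture the intrinsics once at load time. If same-process attacker code
// replaced them before this module loaded, nothing below can tell: that is
// the boundary the PR documents, not something a library can close.
const hasOwn = Function.prototype.call.bind(Object.prototype.hasOwnProperty);
const ownKeys = Object.keys;

// Keys that must never be copied from untrusted input into a config object
// (assumed list for this example).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive read: picks up anything reachable through the prototype chain.
function readOptionNaive(config, key) {
  return config[key];
}

// Guarded read: only an own property of the config object counts.
function readOptionGuarded(config, key) {
  return hasOwn(config, key) ? config[key] : undefined;
}

// Build a fresh, null-prototype config from own, non-forbidden keys only, so a
// later pollution of Object.prototype cannot leak into lookups on the result.
function sanitizeConfig(input) {
  const out = Object.create(null);
  for (const key of ownKeys(input)) {
    if (!FORBIDDEN_KEYS.has(key)) {
      out[key] = input[key];
    }
  }
  return out;
}

// Simulate the polluted-prototype scenario on a constructed sample config and
// restore Object.prototype afterwards so the process is left as it was found.
function demonstrate() {
  const config = { url: 'https://example.invalid/api' }; // constructed sample
  const clean = sanitizeConfig(config);
  Object.prototype.timeout = 1; // the pollution the guidance is about
  try {
    return {
      naive: readOptionNaive(config, 'timeout'),                 // 1: inherited value leaks in
      guarded: readOptionGuarded(config, 'timeout'),             // undefined: not an own property
      sanitized: clean.timeout,                                  // undefined: null prototype
      ownValue: readOptionGuarded({ timeout: 5000 }, 'timeout'), // 5000: real options still read
    };
  } finally {
    delete Object.prototype.timeout;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

The contrast is the point: the guarded read and the null-prototype copy hold up against a polluted Object.prototype, but both are built on hasOwnProperty and Object.keys as captured at load time, so code in the same process that replaced those (or http.request, setHeader or fetch further down) is outside anything this kind of check can detect.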

@jasonsaayman jasonsaayman self-assigned this May 26, 2026
@jasonsaayman jasonsaayman added the labels priority::medium (A medium priority) and commit::docs (The PR is related to docs) May 26, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman merged commit 34723be into v1.x May 26, 2026
28 checks passed
@jasonsaayman jasonsaayman deleted the docs/update-threatmodel branch May 26, 2026 06:41