docs(threatmodel): clarify TLS and tag-replay threat wording#10722

Merged
jasonsaayman merged 3 commits into v1.x from copilot/fix-spacing-in-threatmodel on Apr 15, 2026

Conversation

Contributor

Copilot AI commented Apr 15, 2026

This PR applies two targeted wording fixes in THREATMODEL.md to improve precision and readability in threat descriptions. It standardizes TLS terminology and rewrites a sentence fragment in the tag replay threat so the risk statement is explicit and grammatically complete.

  • Runtime threat model (T-R6)

    • Replaced informal wording:
      • `cert error` → `certificate error`
  • Supply-chain threat model (T-S7)

    • Rewrote the description clause from a fragment to a complete statement:
      • Before: ...pushes `v1.99.99` to publish out of band.
      • After: ...pushes `v1.99.99` so that a release is published out of band.
- to "fix" a cert error in dev, ships it to prod.
+ to "fix" a certificate error in dev, ships it to prod.

- ...or pushes `v1.99.99` to publish out of band.
+ ...or pushes `v1.99.99` so that a release is published out of band.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • no-such-domain-987654.com
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/axios/axios/node_modules/vitest/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/axios/axios/node_modules/vitest/dist/workers/forks.js (dns block)
  • notexistsurl.in.nowhere
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/axios/axios/node_modules/vitest/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/axios/axios/node_modules/vitest/dist/workers/forks.js (dns block)
  • postman-echo.com
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/axios/axios/node_modules/vitest/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/axios/axios/node_modules/vitest/dist/workers/forks.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt
Please apply the following diffs and create a pull request.
Once the PR is ready, give it a title based on the messages of the fixes being applied.

[{"message":"Corrected spacing in 'cert error' to 'certificate error' for clarity and consistency with technical terminology.","fixFiles":[{"filePath":"THREATMODEL.md","diff":"diff --git a/THREATMODEL.md b/THREATMODEL.md\n--- a/THREATMODEL.md\n+++ b/THREATMODEL.md\n@@ -149,7 +149,7 @@\n \n |                   |                                                                                                                                |\n | ----------------- | ------------------------------------------------------------------------------------------------------------------------------ |\n-| **Description**   | Caller passes `httpsAgent: new https.Agent({ rejectUnauthorized: false })` to \"fix\" a cert error in dev, ships it to prod.     |\n+| **Description**   | Caller passes `httpsAgent: new https.Agent({ rejectUnauthorized: false })` to \"fix\" a certificate error in dev, ships it to prod. |\n | **Likelihood**    | Medium (very common copy-paste anti-pattern)                                                                                   |\n | **Impact**        | High (silent MITM)                                                                                                             |\n | **In scope?**     | **No.** axios delegates TLS entirely to Node's `https` module / the browser. We do not inspect or warn on agent configuration. 
|\n"}]},{"message":"Missing period at the end of the sentence fragment 'to publish out of band'.","fixFiles":[{"filePath":"THREATMODEL.md","diff":"diff --git a/THREATMODEL.md b/THREATMODEL.md\n--- a/THREATMODEL.md\n+++ b/THREATMODEL.md\n@@ -402,7 +402,7 @@\n \n |                 |                                                                                                                                                                                                                                                                                                            |\n | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n-| **Description** | Attacker with write access force-pushes an existing tag to point at a malicious commit, or pushes `v1.99.99` to publish out of band.                                                                                                                                                           |\n+| **Description** | Attacker with write access force-pushes an existing tag to point at a malicious commit, or pushes `v1.99.99` so that a release is published out of band.                                                                                                                                      
|\n | **Likelihood**  | Low (requires write access - assumed compromised at that point)                                                                                                                                                                                                                                            |\n | **Impact**      | High                                                                                                                                                                                                                                                                                                       |\n | **Mitigations** | • npm rejects re-publishing an existing version - re-tagging you cannot overwrite the published `1.15.0`. <br>• Provenance attestation records the commit SHA the tag pointed to _at publish time_ - forensically verifiable. <br>• GitHub tag protection rules can prevent tag deletion/force-push. |\n"}]}]
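Review bot: in the T-R6 hunk the replacement `| **Description** |` row is now longer than the `| ----------------- |` ruler under the header and drops the trailing space padding that the Likelihood, Impact and In scope rows keep, so the hand-aligned columns in the source no longer line up; GitHub renders the table regardless, but if THREATMODEL.md keeps its tables aligned, re-pad this row or widen the ruler in the same change. The wording itself is right: "certificate error" names the TLS failure that `rejectUnauthorized: false` is being used to paper over, which is consistent with the "High (silent MITM)" impact row that follows.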
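Review bot: in the T-S7 hunk the new clause "so that a release is published out of band" is a complete sentence, but the unchanged Mitigations cell of the same table still carries a fragment of the same kind, "npm rejects re-publishing an existing version - re-tagging you cannot overwrite the published `1.15.0`"; since this PR's stated goal is grammatical completeness, fixing it here as "even after re-tagging, you cannot overwrite the published `1.15.0`" would be in scope. The replacement Description row also loses its trailing padding against the `| --------------- |` ruler, so the source table is no longer column-aligned.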

Copilot AI changed the title from "[WIP] Fix spacing issue in threat model documentation" to "docs(threatmodel): clarify TLS and tag-replay threat wording" Apr 15, 2026
Copilot AI requested a review from jasonsaayman April 15, 2026 17:27
@jasonsaayman jasonsaayman marked this pull request as ready for review April 15, 2026 17:44
@jasonsaayman jasonsaayman added the `priority::medium` (A medium priority) and `commit::docs` (The PR is related to docs) labels Apr 15, 2026
@jasonsaayman jasonsaayman merged commit 42b2154 into v1.x Apr 15, 2026
4 of 5 checks passed
@jasonsaayman jasonsaayman deleted the copilot/fix-spacing-in-threatmodel branch April 15, 2026 18:01