nodejs · nodejs-github-bot · Mar 1, 2024 · Feb 28, 2024 · Feb 28, 2024 · MylesBorins
diff --git a/SECURITY.md b/SECURITY.md
@@ -201,6 +201,13 @@ the community they pose.
   that artifact is large enough to impact performance or
   cause the runtime to run out of resources.
 
+#### Vulnerabilities affecting software downloaded by Corepack
+
+* Corepack defaults to downloading the latest version of the software requested
+  by the user, or a specific version requested by the user. For this reason,
+  Node.js releases won't be affected by such vulnerabilities, users are
+  responsible to keep the software they use through Corepack up-to-date.
+
 ## Assessing experimental features reports
 
 Experimental features are eligible to reports as any other stable feature of

diff --git a/doc/api/corepack.md b/doc/api/corepack.md
@@ -15,8 +15,16 @@ added:
 _[Corepack][Corepack repository]_ is an experimental tool to help with
 managing versions of your package managers. It exposes binary proxies for
 each [supported package manager][] that, when called, will identify whatever
-package manager is configured for the current project, transparently install
-it if needed, and finally run it without requiring explicit user interactions.
+package manager is configured for the current project, download it if needed,
+and finally run it.
+
+Despite Corepack being distributed with default installs of Node.js, the package
+managers managed by Corepack are not part of the Node.js distribution and:
+
+* Upon first use, Corepack downloads the latest version from the network.
+* Any required updates (related to security vulnerabilities or otherwise) are
+  out of scope of the Node.js project. If necessary end users must figure out
+  how to update on their own.
 
 This feature simplifies two core workflows: