Runtime Node is a production runtime image, and security is a core product requirement. This document explains what we support, how to report issues, and what is in scope.
All published image tags are actively supported, including older tags. When a security issue is confirmed, fixes are provided for every affected supported tag; if a fix cannot be backported to a tag, we will document the constraint and provide upgrade guidance.
Please do not open public GitHub issues for security vulnerabilities.
Preferred channel:
- GitHub Security Advisories: https://github.com/Runtimes-Node/Runtime-Node/security/advisories/new
If you cannot use GitHub Security Advisories, email the maintainer:
Include the following:
- A clear description of the vulnerability.
- The affected image tag and platform.
- Steps to reproduce or a minimal proof of concept.
- Any relevant logs or scan output.
We will acknowledge reports as soon as possible and aim to respond within 5 business days. Fix timelines depend on severity and availability of upstream patches.
In scope:
- Inclusion of a shell, package manager, or OS utilities in the final runtime image.
- Missing or outdated CA certificates that break TLS security guarantees.
- Incorrect file permissions that weaken runtime isolation (for example, an insecure /tmp).
- Supply-chain issues tied to the builder base image or dependencies.
- Packaging mistakes that expose unexpected binaries or files.
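The in-scope items above are properties of the shipped image that a reporter can verify before filing. The POSIX shell script below is an added example, not part of Runtime Node's own tooling: it audits a root filesystem exported from an image (for example with `docker create` followed by `docker export`) and flags shells and package managers, a missing CA bundle, a /tmp without the sticky bit, and setuid/setgid files, then lists every executable for review. The binary and CA-bundle paths it probes are assumptions based on common Debian, Alpine and RHEL layouts.

```shell
#!/bin/sh
# Added example (not Runtime Node project code): audit an exported image rootfs
# for the in-scope findings listed in this policy.
#
# Export a rootfs first, e.g.:
#   cid=$(docker create IMAGE:TAG)
#   mkdir rootfs && docker export "$cid" | tar -C rootfs -xf - && docker rm "$cid"
#   sh audit-rootfs.sh rootfs

# Print the relative path of every shell or package-manager binary present.
# The path list is an assumption covering typical Debian/Alpine/RHEL layouts.
find_shells_and_pkg_managers() {
    root=${1%/}
    for p in bin/sh bin/bash bin/dash bin/ash bin/busybox usr/bin/sh usr/bin/bash \
             usr/bin/apt usr/bin/apt-get usr/bin/dpkg usr/bin/apk \
             usr/bin/yum usr/bin/dnf usr/bin/microdnf usr/bin/rpm; do
        [ -e "$root/$p" ] && echo "$p"
    done
    return 0
}

# Succeed if a non-empty CA bundle exists at one of the usual locations.
has_ca_bundle() {
    root=${1%/}
    for p in etc/ssl/certs/ca-certificates.crt etc/pki/tls/certs/ca-bundle.crt etc/ssl/cert.pem; do
        [ -s "$root/$p" ] && return 0
    done
    return 1
}

# Succeed if /tmp is world-writable with the sticky bit (drwxrwxrwt), which is
# what prevents one process from deleting or renaming another's temp files.
tmp_is_sticky() {
    mode=$(ls -ld "${1%/}/tmp" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d???????w[tT]) return 0 ;;
    esac
    return 1
}

# Print setuid/setgid regular files; a slim runtime image should ship none.
find_setid_files() {
    (cd "${1%/}" && find . -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort)
}

# Print every regular file with the owner-execute bit, for comparison against
# the set of binaries the image is expected to contain.
list_executables() {
    (cd "${1%/}" && find . -type f -perm -100 2>/dev/null | sort)
}

# Run all checks; return 0 when no in-scope finding was detected, 1 otherwise.
audit_rootfs() {
    root=${1%/}
    rc=0
    shells=$(find_shells_and_pkg_managers "$root")
    if [ -n "$shells" ]; then
        echo "FAIL: shell or package manager shipped in the runtime image:"
        echo "$shells" | sed 's/^/  /'
        rc=1
    fi
    if ! has_ca_bundle "$root"; then
        echo "FAIL: no CA bundle found (TLS verification will fail)"
        rc=1
    fi
    if [ -d "$root/tmp" ] && ! tmp_is_sticky "$root"; then
        echo "FAIL: /tmp is not world-writable with the sticky bit: $(ls -ld "$root/tmp" | cut -c1-10)"
        rc=1
    fi
    setid=$(find_setid_files "$root")
    if [ -n "$setid" ]; then
        echo "FAIL: setuid/setgid files present:"
        echo "$setid" | sed 's/^/  /'
        rc=1
    fi
    echo "Executables shipped (review against the expected set):"
    list_executables "$root" | sed 's/^/  /'
    return $rc
}

# Invoke directly on an exported rootfs directory; sourcing the file only defines the functions.
if [ "$#" -gt 0 ]; then
    audit_rootfs "$1"
fi
```

A non-zero exit means at least one in-scope finding; include the printed output in a report under "relevant logs or scan output". The executable listing is informational, since only the maintainers know the expected set for a given tag.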
Out of scope:
- Vulnerabilities in your application code or dependencies.
- Issues that only affect the builder stage and are not shipped in the final image.
- Vulnerabilities in Node.js itself that are already fixed upstream and only require upgrading to a newer Node.js version.
Please allow time for verification and remediation before any public disclosure. We will coordinate a fix release and a public advisory when appropriate.