doc: clarify process._debugProcess() in Permission Model#62537
Open
cybe4sent1nel wants to merge 4 commits intonodejs:mainfrom
Open
doc: clarify process._debugProcess() in Permission Model#62537cybe4sent1nel wants to merge 4 commits intonodejs:mainfrom
cybe4sent1nel wants to merge 4 commits intonodejs:mainfrom
Conversation
Collaborator
|
Review requested:
|
RafaelGSS
reviewed
Apr 1, 2026
RafaelGSS
approved these changes
Apr 1, 2026
RafaelGSS
added
the
author ready
lpinca
reviewed
Apr 1, 2026
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
Author
|
Thanks for catching that — I've updated the sentence to remove the |
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
RafaelGSS
approved these changes
Apr 2, 2026
RafaelGSS
added
the
commit-queue
nodejs-github-bot
added
commit-queue-failed
Collaborator
Commit Queue failed- Loading data for nodejs/node/pull/62537 ✔ Done loading data for nodejs/node/pull/62537 ----------------------------------- PR info ------------------------------------ Title doc: clarify that process._debugProcess() is not restricted by the Permission Model (#62537) ⚠ Could not retrieve the email or name of the PR author's from user's GitHub profile! Branch cybe4sent1nel:doc/permission-model-debugprocess-clarification -> nodejs:main Labels doc, author ready Commits 3 - doc: clarify process._debugProcess() is not gated by kInspector - Update doc/api/permissions.md - Update permissions.md for V8 Inspector access Committers 2 - cybe4sent1nel <fahadkhanxyz8816.@gmail.com> - GitHub <noreply@github.com> PR-URL: https://github.com/nodejs/node/pull/62537 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> ------------------------------ Generated metadata ------------------------------ PR-URL: https://github.com/nodejs/node/pull/62537 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> -------------------------------------------------------------------------------- ℹ This PR was created on Wed, 01 Apr 2026 14:32:02 GMT ✔ Approvals: 1 ✔ - Rafael Gonzaga (@RafaelGSS) (TSC): https://github.com/nodejs/node/pull/62537#pullrequestreview-4050421568 ✘ This PR needs to wait 120 more hours to land (or 0 minutes if there is one more approval) ⚠ GitHub cannot link the author of 'doc: clarify process._debugProcess() is not gated by kInspector' to their GitHub account. ⚠ Please suggest them to take a look at https://github.com/nodejs/node/blob/99b1ada/doc/guides/contributing/pull-requests.md#step-1-fork ✔ Last GitHub CI successful ℹ Green GitHub CI is sufficient -------------------------------------------------------------------------------- ✔ Aborted `git node land` session in /home/runner/work/node/node/.ncuhttps://github.com/nodejs/node/actions/runs/23950275911 |
cybe4sent1nel
force-pushed
the
doc/permission-model-debugprocess-clarification
branch
from
7700deb to
6729b80
Compare
cybe4sent1nel
force-pushed
the
doc/permission-model-debugprocess-clarification
branch
from
6729b80 to
3a21809
Compare
cybe4sent1nel
changed the title
cybe4sent1nel
changed the title
cybe4sent1nel
changed the title
Reformat text for better readability in permissions documentation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a documentation note to the Permission Model page clarifying that
process._debugProcess()is not restricted by thekInspectorpermission scope or any other Permission Model scope.
Why
The Permission Model documentation lists "Inspector protocol" as a
restricted surface. A developer reading this reasonably expects that
--permissionprevents all Inspector activation — includingcross-process activation via
process._debugProcess().The current behavior creates a silent inconsistency:
kInspectorblocks the sandboxed process from opening its ownInspector.
kInspectordoes not block the sandboxed process from callingprocess._debugProcess(pid)to force another Node.js process toopen its Inspector.
This gap is not documented anywhere. This note ensures developers are
not surprised by this behavior when they rely on the Permission Model
as a sandbox.
Behavior unchanged
This is a documentation-only change. No API behavior is modified.
Background
Discussed with @RafaelGSS. The behavior is consistent with the Node.js
threat model (Node.js trusts the OS environment it runs in, and
cross-process signaling is an OS-level capability). The fix here is
documentation so operators understand what responsibility falls on them
vs. the Permission Model.
Checklist
make lintpasses