From d1c2716903bb2f85b99447ff67da1c10ed2a4bbc Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Thu, 4 Jan 2024 22:20:56 +0000 Subject: [PATCH 1/3] doc: add check for security reverts - Add step to check that any PRs with breaking changes have command line options to revert - Add info on how to easily add command line option to revert a breaking change related to a CVE Signed-off-by: Michael Dawson --- doc/contributing/security-release-process.md | 49 ++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index fa94d25e6fc176..237f9ac8d8cd1b 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -75,6 +75,8 @@ The current security stewards are documented in the main Node.js * [ ] Check that all vulnerabilities are ready for release integration: * PRs against all affected release lines or cherry-pick clean + * PRs with breaking changes have a + [--security-revert](#Adding-a-security-revert-option) option if possible. * Approved * (optional) Approved by the reporter * Build and send the binary to the reporter according to its architecture 
@@ -223,6 +225,53 @@ out a better way, forward the email you receive to [Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards). If necessary add the next rotation of the steward rotation. +## Adding a security revert option + +Breaking changes are allowed in existing LTS lines in order to fix +important security vulnerabilities. When breaking changes are made +it is important to provide a command line option that restores +the original behaviour. + +Node.js includes the command line option `--security-revert` and +has the boilerplate to make additions easy. + +To add an option to revert for a CVE, for example `CVE-2024-1234` +simply add this line to +[node\_revert.h](https://github.com/nodejs/node/blob/main/src/node_revert.h) + +```c + XX(CVE_2024_1234, "CVE-2024-1234", "Description of cve") +``` + +This will allow an easy check of whether a reversion has been +requested or not. + +In JavaScript code you can check: + +```js +if (process.REVERT_CVE_2024_1234); +``` + +In C/C++ code you can check: + +```c +IsReverted(SECURITY_REVERT_CVE_2024_1234) +``` + +From the command line a user can request the revert by using +the `--security-revert` option as follows: + +```console +node --security-revert=CVE-2024-1234 +``` + +If there are multiple security reverts then multiple instances +of --security-revert can be used. For example: + +```console +node --security-revert=CVE-2024-1234 --security-revert=CVE-2024-XXXX +``` + ## When things go wrong ### Incomplete fixes From 0ac0754e026d5139584b22dab6be6c3617212392 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Fri, 5 Jan 2024 09:38:26 -0500 Subject: [PATCH 2/3] Update doc/contributing/security-release-process.md Co-authored-by: Antoine du Hamel --- doc/contributing/security-release-process.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index 237f9ac8d8cd1b..a9e0db78e9d5cf 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -237,7 +237,7 @@ has the boilerplate to make additions easy. To add an option to revert for a CVE, for example `CVE-2024-1234` simply add this line to -[node\_revert.h](https://github.com/nodejs/node/blob/main/src/node_revert.h) +[`node_revert.h`](https://github.com/nodejs/node/blob/main/src/node_revert.h) ```c XX(CVE_2024_1234, "CVE-2024-1234", "Description of cve") From 6d542406ac7fbb9f84edf3d4158cece2b91e7589 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Fri, 5 Jan 2024 09:41:40 -0500 Subject: [PATCH 3/3] address comments --- doc/contributing/security-release-process.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/contributing/security-release-process.md b/doc/contributing/security-release-process.md index a9e0db78e9d5cf..4408782069970f 100644 --- a/doc/contributing/security-release-process.md +++ b/doc/contributing/security-release-process.md @@ -232,8 +232,9 @@ important security vulnerabilities. When breaking changes are made it is important to provide a command line option that restores the original behaviour. -Node.js includes the command line option `--security-revert` and -has the boilerplate to make additions easy. +The existing Node.js codebase supports the command line +option `--security-revert` and has the boilerplate to make additions +for a specific CVE easy. To add an option to revert for a CVE, for example `CVE-2024-1234` simply add this line to
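Review bot: in the first hunk of PATCH 1 (`@@ -75,6 +75,8 @@`), the new checklist bullet links to `#Adding-a-security-revert-option` with mixed case, but the heading `## Adding a security revert option` added later in the same patch gets a lowercase generated anchor, so the link will not resolve in renderers that treat fragments case-sensitively and is likely to be flagged by the markdown link lint; use `#adding-a-security-revert-option`. The bullet's "if possible" also gives the steward nothing concrete to check; consider stating what should happen when a revert option is not feasible (for example, the PR records why), so the box can actually be ticked or not.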
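Review bot: in the second hunk of PATCH 1 (`@@ -223,6 +225,53 @@`), the JavaScript example `if (process.REVERT_CVE_2024_1234);` is an `if` with an empty body (the trailing semicolon is an empty statement), so anyone copying it gets code that parses but does nothing; show the shape to copy, e.g. `if (process.REVERT_CVE_2024_1234) { /* restore original behaviour */ }`. Two smaller points in the same hunk: "simply add this line to node_revert.h" does not say where in that file the `XX(...)` entry goes (name the existing list it extends), and `--security-revert` in "multiple instances of --security-revert can be used" should be in backticks like every other mention in the section.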
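Review bot: in the hunk of PATCH 3 (`@@ -232,8 +232,9 @@`), the context line "To add an option to revert for a CVE, for example `CVE-2024-1234` simply add this line to" is still a run-on; since this commit already rewords the paragraph just above it, add a comma after `CVE-2024-1234` and drop "simply" ("To add a revert option for a CVE, for example `CVE-2024-1234`, add this line to ...").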