src: add NODE_SECURITY_REVERT environment variable
Some vendors do not allow passing custom command-line flags to the node executable. There are concerns around allowing --security-revert
in NODE_OPTIONS
because it might be inherited by child processes unintentionally.
This patch introduces a new environment variable that, if set, is unset immediately unless it ends with "+sticky"
. Aside from that optional suffix, its value is a comma-separated list of CVE identifiers for which the respective security patches should be reverted.
This is not a particularly elegant approach, but since this should only be used under exceptional circumstances, I am not too worried about that.
Closes: https://github.com/nodejs/node/issues/52017