Node.js team assessment of CVE-2021-21148

[midawson]

Based on internal discussion and consultation with the V8 team, we believe that Node.js is NOT affected by CVE-2021-21148. This assessment assumes that the code passed to the Node.js runtime is trusted and secure, which is always an assumption of the Node.js security model.

Irrespective of Node.js not being affected, we will consider pulling in the patch from V8 as part of the regular ongoing release process. The patch has already been released in Node.js 14.15.5. As of this writing, it has not been released in Node.js 15.x or any releases earlier than 14.15.5.