From 69dfabca3ae2ed857e654d677076a72ea4d5e76c Mon Sep 17 00:00:00 2001 From: Paolo Insogna Date: Mon, 20 Apr 2026 16:21:58 +0200 Subject: [PATCH] doc: trust FFI in the threat model Signed-off-by: Paolo Insogna --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 540ab0f9dee80d..0e88d7b50702fa 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -213,7 +213,7 @@ then untrusted input must not lead to arbitrary JavaScript code execution. along with anything under the control of the operating system. * The code it is asked to run, including JavaScript, WASM and native code, even if said code is dynamically loaded, e.g., all dependencies installed from the - npm registry. + npm registry or libraries loaded via `node:ffi`. The code run inherits all the privileges of the execution user. * Inputs provided to it by the code it is asked to run, as it is the responsibility of the application to perform the required input validations,
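Review bot: The added line `npm registry or libraries loaded via `node:ffi`.` attaches the new phrase to the existing "e.g., all dependencies installed from the" clause, so the sentence can be read as "dependencies installed from ... libraries loaded via `node:ffi`". Consider making the two items parallel, for example "e.g., all dependencies installed from the npm registry, or native libraries loaded via `node:ffi`", which also ties the addition to the "native code" already named at the start of the bullet. The commit message has a subject only; a one-sentence body stating that libraries loaded through `node:ffi` run with the privileges of the execution user, as the unchanged line after the change says for all trusted code, would record why they belong in the trusted list.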