Let's nullify CVE-2026-21637

[aduh95]

I was discussing with @mcollina that we probably misjudged CVE-2026-21637, on a second look it doesn't look like a vulnerability, rather than a bug. The user responsibility is to not throw in that event handler, it's user code so outside of our threat model.

If revoking CVEs is a thing, I suggest we do that so users can adjust their expectations.

[mcollina]

Agreed, I made a mistake. What should we do? Do we need a blog post/rectification or just amend the CVE?

This was done first in Jan https://github.com/nodejs-private/node-private/pull/796 nodejs/node@20591b0618 and then in March https://github.com/nodejs-private/node-private/pull/819 nodejs/node@df8fbfb93d

[RafaelGSS]

We don't need to revoke the CVE. Once it's done, we shouldn't need to revert. For future reports that target the same topic, we can say that a mistake when evaluating a CVE shouldn't open the door to assigning a new CVE. We have done it in the past. Surprisingly, that's a normal workflow.