From 7c5379a656bb305c958df1dcc2b51a9668830358 Mon Sep 17 00:00:00 2001 From: Mike McNeil Date: Fri, 18 Mar 2022 17:07:29 -0500 Subject: [PATCH] closes https://github.com/balderdashy/sails/issues/7209 --- .../application/advanced-usage/sails.reloadActions.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/reference/application/advanced-usage/sails.reloadActions.md b/docs/reference/application/advanced-usage/sails.reloadActions.md index ef2e50407..d816dfa0c 100644 --- a/docs/reference/application/advanced-usage/sails.reloadActions.md +++ b/docs/reference/application/advanced-usage/sails.reloadActions.md @@ -25,6 +25,9 @@ This method is useful primarily in development scenarios. | 1 | _options_ | ((dictionary?)) | Currently accepts one key, `hooksToSkip`, which if given should be an array of names of hooks that should _not_ call their `reloadActions` method. | 2 | _callback_ | ((function)) | A callback to be called with the virtual response. +### Notes +> - Never dynamically replace your Sails.js controller or action files on disk with untrusted code at runtime, regardless of whether you are using `.reloadActions()` in your app or not. Since `reloadActions()` runs the code in your Sails.js app's files, if the files are not safe to run, then using `reloadActions()` would be [a security risk](https://github.com/balderdashy/sails/issues/7209). This risk is only present if your Sails app is deliberately overwriting its own files to replace them with unsafe code. +
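Review bot: In the added `### Notes` bullet, the final sentence ("This risk is only present if your Sails app is deliberately overwriting its own files to replace them with unsafe code") is narrower than the opening sentence, which warns against controller or action files being replaced on disk with untrusted code at all. Since the note itself says `reloadActions()` runs the code in the app's files, the condition that matters is whether anything untrusted can write to those files, not whether the app does so deliberately. Consider rewording the last sentence to say that, and adding a mitigation a reader can act on, for example that action and controller files should not be writable by the running app outside development, which fits the unchanged context line "This method is useful primarily in development scenarios." The link text "a security risk" also forces the reader to open the issue to learn what the risk is; naming it in the sentence (the replaced file's code gets executed) would make the note self-contained. Minor: the subject line is only "closes" plus the issue URL and does not say that this is a docs-only change to `sails.reloadActions.md`.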