add doc note about needing more mitigations

bmeck · bmeck · commit 1f1e8d8771fb · 2019-07-22T11:49:26.000-05:00
diff --git a/doc/api/policy.md b/doc/api/policy.md
@@ -146,6 +146,10 @@ the manifest and then immediately be used without searching.
 Any specifier missing from the list of dependency will result in an error
 according to the policy.
 
+This will not prevent access to APIs through other means such as direct access
+to `require.cache` and/or through `module.constructor`. Other means such as
+attenuating variables are necessary to lock down that path of loading modules.
+
 #### Example: Patched Dependency
 
 Since a dependency can be redirected, you can provide attenuated or modified
