diff --git a/bun.lock b/bun.lock
index 0eb880b..6b66795 100644
--- a/bun.lock
+++ b/bun.lock
@@ -1,12 +1,11 @@
 {
 "lockfileVersion": 1,
- "configVersion": 1,
 "workspaces": {
 "": {
 "name": "node-version",
 "devDependencies": {
 "@arethetypeswrong/cli": "0.18.2",
- "@biomejs/biome": "2.3.11",
+ "@biomejs/biome": "^2.3.11",
 "@changesets/cli": "2.29.8",
 "@total-typescript/tsconfig": "1.0.4",
 "@types/node": "24.10.4",
diff --git a/src/index.ts b/src/index.ts
index 625ca80..51eb499 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -19,6 +19,8 @@ export const EOL_DATES: Record = {
 "24": "2028-04-30",
 };
 
+const MAX_VERSION_LENGTH = 256;
+
 /**
 * Check if a major version is EOL.
 */
@@ -52,6 +54,9 @@ export const getVersion = (): NodeVersion => {
 * Compare the current node version with a target version string.
 */
 const compareTo = (target: string): number => {
+ if (target.length > MAX_VERSION_LENGTH) {
+ return NaN;
+ }
 if (target !== target.trim() || target.length === 0) {
 return NaN;
 }
diff --git a/src/security.test.ts b/src/security.test.ts
index b5942fd..5ac56fe 100644
--- a/src/security.test.ts
+++ b/src/security.test.ts
@@ -63,4 +63,12 @@ describe("security fixes", () => {
 const v = getVersion();
 expect(v.isAtLeast("10.0.0")).toBe(true);
 });
+
+ test("should reject version strings exceeding MAX_VERSION_LENGTH", () => {
+ const v = getVersion();
+ const longVersion = `${"1".repeat(300)}.0.0`;
+ // Should be fail-closed (return false) for all checks if string is too long
+ expect(v.isAtLeast(longVersion)).toBe(false);
+ expect(v.isBelow(longVersion)).toBe(false);
+ });
 });
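Review bot: The new `MAX_VERSION_LENGTH` constant in the first src/index.ts hunk is an undocumented magic number, and the reader of this file has no way to know it is an input-length bound on the `compareTo` target rather than, say, a limit on the values in `EOL_DATES`. A short TSDoc comment above it would fix that: `/** Upper bound on the length of a version string accepted by compareTo; longer inputs are treated as invalid (NaN) before any further parsing. */`. Whether 256 is generous or tight relative to the longest legitimate semver-style string the library accepts cannot be told from this hunk, so the comment should state the intent rather than justify the exact value.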
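Review bot: In the second src/index.ts hunk the new length guard is a second, separately-written `return NaN` directly in front of an existing guard that already rejects empty and untrimmed input, which splits the "invalid target" precondition of `compareTo` across two blocks. It reads more clearly as one condition, with the cheap length checks first: `if (target.length === 0 || target.length > MAX_VERSION_LENGTH || target !== target.trim()) {` followed by the existing `return NaN;`. Note that `target.length` counts UTF-16 code units, which is fine for a bound on untrusted input but means the limit is not a character count. The body of `compareTo` and the enclosing `getVersion` continue outside the hunk.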
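Review bot: The new test in src/security.test.ts does not exercise the boundary of the guard it names: a 300-character string would presumably be rejected by the existing format validation too, so the test cannot tell whether the `MAX_VERSION_LENGTH` check fired. A boundary pair would pin the new behavior, for example a target of exactly 256 code units that is otherwise well-formed being handled normally, and one of 257 being rejected via `expect(v.isAtLeast(tooLong)).toBe(false);` and `expect(v.isBelow(tooLong)).toBe(false);`. Asserting both `isAtLeast` and `isBelow` return `false` on the same input, as the test already does, is the right fail-closed check and should be kept for the boundary case as well.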