From 93256d69c34c02cdc16b93e3474377ab9a103a0e Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 9 Jan 2026 19:11:15 +0000
Subject: [PATCH] feat: Enforce MAX_VERSION_LENGTH in version comparisons

Adds a constant MAX_VERSION_LENGTH (256) to `src/index.ts` and enforces it in the `compareTo` function. This prevents potential Denial of Service (DoS) attacks via excessively long version strings by returning `NaN` (which results in `false` for all boolean comparisons) for strings exceeding this limit.

Also adds a regression test in `src/security.test.ts`.
---
 bun.lock | 3 +--
 src/index.ts | 5 +++++
 src/security.test.ts | 8 ++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/bun.lock b/bun.lock
index 0eb880b..6b66795 100644
--- a/bun.lock
+++ b/bun.lock
@@ -1,12 +1,11 @@
 {
 "lockfileVersion": 1,
- "configVersion": 1,
 "workspaces": {
 "": {
 "name": "node-version",
 "devDependencies": {
 "@arethetypeswrong/cli": "0.18.2",
- "@biomejs/biome": "2.3.11",
+ "@biomejs/biome": "^2.3.11",
 "@changesets/cli": "2.29.8",
 "@total-typescript/tsconfig": "1.0.4",
 "@types/node": "24.10.4",
diff --git a/src/index.ts b/src/index.ts
index 625ca80..51eb499 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -19,6 +19,8 @@ export const EOL_DATES: Record = {
 "24": "2028-04-30",
 };
 
+const MAX_VERSION_LENGTH = 256;
+
 /**
 * Check if a major version is EOL.
 */
@@ -52,6 +54,9 @@ export const getVersion = (): NodeVersion => {
 * Compare the current node version with a target version string.
 */
 const compareTo = (target: string): number => {
+ if (target.length > MAX_VERSION_LENGTH) {
+ return NaN;
+ }
 if (target !== target.trim() || target.length === 0) {
 return NaN;
 }
diff --git a/src/security.test.ts b/src/security.test.ts
index b5942fd..5ac56fe 100644
--- a/src/security.test.ts
+++ b/src/security.test.ts
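Review bot: `MAX_VERSION_LENGTH` is introduced without a comment, so a reader of src/index.ts sees a bare 256 with no indication that it is a defensive input bound or what happens to input that exceeds it; that reasoning currently lives only in the commit message. Add a doc comment above the constant such as `/** Upper bound on the length of a version string accepted by compareTo; longer input is never parsed and compares as NaN (fail closed). */`. The constant is module-private, so callers cannot discover the limit they are subject to; if that matters to consumers, consider exporting it or documenting the bound on the public comparison methods.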
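Review bot: The new guard at the top of compareTo does not say why an over-long target becomes NaN, and NaN is already the sentinel used by the following check for empty or whitespace-padded input, so the two rejection reasons are indistinguishable without reading the commit. A one-line comment, `// Fail closed: over-long input is never parsed; NaN makes every boolean comparison built on compareTo false.`, keeps the intent next to the code. As a point of style the two checks could be a single early return, `if (target.length === 0 || target.length > MAX_VERSION_LENGTH || target !== target.trim()) { return NaN; }`, which also avoids the trim() copy for input that is rejected anyway. Whether the cap removes an actual denial-of-service path depends on the parsing that follows the guard, which is outside this hunk; both getVersion and compareTo continue past the hunk.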
@@ -63,4 +63,12 @@ describe("security fixes", () => {
 const v = getVersion();
 expect(v.isAtLeast("10.0.0")).toBe(true);
 });
+
+ test("should reject version strings exceeding MAX_VERSION_LENGTH", () => {
+ const v = getVersion();
+ const longVersion = `${"1".repeat(300)}.0.0`;
+ // Should be fail-closed (return false) for all checks if string is too long
+ expect(v.isAtLeast(longVersion)).toBe(false);
+ expect(v.isBelow(longVersion)).toBe(false);
+ });
 });
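Review bot: The new test does not isolate the length guard: a 300-digit major version is presumably also rejected as malformed by the parsing compareTo falls through to, so both `toBe(false)` assertions would likely pass on the previous code too. To pin the guard, the input should be well-formed apart from its length (for example a valid triple followed by a long suffix, if compareTo accepts prerelease or build metadata — that parser is outside this hunk), and a companion check at exactly 256 characters would fix the boundary rather than a point well past it. The literal 300 is also unconnected to the private constant it exercises; a comment such as `// MAX_VERSION_LENGTH is 256 in src/index.ts; 300 is comfortably past it` would tie them together. The enclosing describe block starts outside the hunk.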