From 38d314ec3872f8db741430375d86acf215f7062e Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 10 Jan 2026 18:58:09 +0000
Subject: [PATCH] feat(security): prevent DoS via excessive version string length

Introduced `MAX_VERSION_LENGTH` (256) check in `compareTo` to prevent ReDoS and memory exhaustion attacks from maliciously crafted version strings. This ensures input validation is fail-closed for excessively long inputs.
---
 src/index.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/index.ts b/src/index.ts
index 625ca80..737d100 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -19,6 +19,11 @@ export const EOL_DATES: Record = {
   "24": "2028-04-30",
 };
 
+/**
+ * Maximum length for a version string to prevent DoS.
+ */
+const MAX_VERSION_LENGTH = 256;
+
 /**
  * Check if a major version is EOL.
  */
@@ -52,6 +57,11 @@ export const getVersion = (): NodeVersion => {
  * Compare the current node version with a target version string.
  */
 const compareTo = (target: string): number => {
+  // DoS Prevention: Limit version string length
+  if (target.length > MAX_VERSION_LENGTH) {
+    return NaN;
+  }
+
   if (target !== target.trim() || target.length === 0) {
     return NaN;
   }
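Review bot: The doc comment on `MAX_VERSION_LENGTH` says only "to prevent DoS" and leaves the reader guessing what the unit is and what happens past it; the value is a defensive cap rather than anything derived from a version-string grammar, and the comment should say so. A legitimate Node version string is a few dozen characters, so 256 leaves ample headroom, but the comment should make that reasoning explicit so the number is not tuned blindly later. Suggested wording: `/** Defensive upper bound (UTF-16 code units) on a version string accepted by compareTo; a real Node version is far shorter. Longer input is rejected as NaN rather than parsed. */`.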
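Review bot: The new length guard at the top of `compareTo` changes the function's contract (a third reason to return NaN) but the docstring above it still reads only "Compare the current node version with a target version string" and does not document any NaN case. Callers cannot distinguish "too long" from "malformed", which is consistent with the existing `return NaN` for untrimmed or empty input, so the contract should be written down once: `@returns NaN when target is empty, has surrounding whitespace, or exceeds MAX_VERSION_LENGTH code units; otherwise the comparison result.` Whether the cap actually removes the ReDoS risk named in the commit message depends on how the rest of `compareTo` parses the string, which is outside this hunk; a 256-character bound limits backtracking cost but does not eliminate it if a non-linear regex is used downstream, so the parser itself is worth checking. The body of `compareTo` continues past the end of the hunk.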