🛡️ Sentinel: [DoS Protection] Add input length limit to version comparison

[google-labs-jules]

🛡️ Sentinel: [DoS Protection] Add input length limit to version comparison

Vulnerability:
The compareTo function split input strings and iterated over them without checking the length. Extremely long version strings (e.g., millions of characters) could be used to cause high CPU/memory usage (DoS).

Fix:

• Added MAX_VERSION_LENGTH constant (256 characters).
• Added a check at the start of compareTo to return NaN (which results in false for comparisons) if the input length exceeds the limit.
• This is a safe, fail-closed mechanism.

Verification:

• Added regression tests in src/security.test.ts to ensure long strings are rejected and valid long strings (within limit) are accepted.
• Ran full test suite.

---

PR created automatically by Jules for task 3146843907473823444 started by @srod

---

Summary by cubic

Added a 256-character input limit to version comparison to prevent DoS from extremely long version strings. Oversized inputs now fail closed so comparisons return false without heavy processing.

• Bug Fixes
  • Early return with NaN in compareTo when input exceeds the limit.
  • Added tests to reject oversized inputs and accept valid long ones.
  • Published a patch changeset for node-version.

^{Written for commit 9bec866. Summary will update on new commits.}

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[changeset-bot]

🦋 Changeset detected

Latest commit: 9bec866

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
node-version	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (67d8793) to head (9bec866).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #815   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           46        49    +3     
  Branches        16        17    +1     
=========================================
+ Hits            46        49    +3     

Flag	Coverage Δ
unittests	100.00% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[srod]

Superseded by #826 - closing duplicate bot-generated PR

[google-labs-jules]

Superseded by #826 - closing duplicate bot-generated PR

Understood. Acknowledging that this work is now obsolete and stopping work on this task.