🛡️ Sentinel: [MEDIUM] Fix DoS via unbounded version strings

[google-labs-jules]

This PR addresses a potential Denial of Service (DoS) vulnerability where excessively long version strings could cause CPU/Memory exhaustion during parsing.

Changes:

• Added a length check (> 256) in src/index.ts compareTo function.
• Added a test case in src/security.test.ts to verify the fix and ensure fail-fast behavior.
• Updated .jules/sentinel.md with the new security learning.
• Added a changeset.

Verification:

• Run bun run test to verify all tests pass.
• Inspect src/index.ts to confirm the fail-fast check is before expensive operations.

---

PR created automatically by Jules for task 7219429045448141364 started by @srod

---

Summary by cubic

Prevents a potential DoS by enforcing a 256‑character limit on version strings in compareTo, failing fast to avoid CPU/Memory exhaustion. Adds a regression test and updates security notes.

• Bug Fixes
  • Limit target version strings to 256 chars in compareTo; return NaN for longer inputs.
  • Add test to verify fail-fast behavior and isAtLeast(false) for long input.
  • Update security doc and add changeset.

^{Written for commit ce33632. Summary will update on new commits.}

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[changeset-bot]

🦋 Changeset detected

Latest commit: ce33632

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
node-version	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (67d8793) to head (ce33632).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #823   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           46        48    +2     
  Branches        16        17    +1     
=========================================
+ Hits            46        48    +2     

Flag	Coverage Δ
unittests	100.00% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[srod]

Superseded by #826 - closing duplicate bot-generated PR

[google-labs-jules]

Superseded by #826 - closing duplicate bot-generated PR

Understood. Acknowledging that this work is now obsolete and stopping work on this task.