node-opcua / node-opcua / 25273896001
92%

DEFAULT BRANCH: master
Ran
Jobs 1
Files 1211
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 92.202% (-0.007%) from 92.209%
25273896001

push

github

erossignon 
fix(secure-channel): module-load safety on non-Node runtimes

Two small independent defensive changes for consumers that load the
package in runtimes where process.version is unset / setImmediate isn't
present (browsers, Deno, sandboxed Node).

1. verify_pcks1.ts: early-return from testRSAPKCS1V15_EncryptDecrypt
   when process.version is absent or falsy. The function runs
   unconditionally at module load (called from source/index.ts); the
   regex process.version.match(/v([0-9]+)\.([0-9]+)\.([0-9]+)/)
   previously threw Error("Invalid version") if process.version was
   empty, blocking module load.

2. client_secure_channel_layer.ts: replace one setImmediate(...) call
   with typeof setImmediate === "function" ? setImmediate :
   (cb) => Promise.resolve().then(cb). In Node, this is a no-op (native
   setImmediate is always present). In browsers, the microtask fallback
   replaces the Node-only timer.

Why verify_pcks1.ts:

testRSAPKCS1V15_EncryptDecrypt is a startup diagnostic that warns users
about CVE-2023-46809 in certain Node 20.x builds. It's invoked at module
load of source/index.ts:17, so every consumer of node-opcua-secure-channel
runs it on import — including any consumer that imports the package from
a non-Node runtime.

The function's first statement parses process.version with a regex and
throws if the regex doesn't match. Under standard browser process
polyfills (process@0.11.10 — the one most bundlers install)
process.version is an empty string. The regex returns null, the
throw new Error("Invalid version") fires, and module load of anything
that imports node-opcua-secure-channel crashes.

This early-return turns that crash into a silent skip. Node users are
unaffected; the diagnostic runs exactly as before on any process.version
that's a real version string.

Why client_secure_channel_layer.ts:

One call site uses setImmediate(() => this.#_send_open_secure_channel_request(...))
to defer the first OpenSecureChannel send to the next ti... (continued)

18482 of 21951 branches covered (84.2%)

11 of 13 new or added lines in 2 files covered. (84.62%)

15 existing lines in 2 files now uncovered.

162197 of 175914 relevant lines covered (92.2%)

473136.65 hits per line

Uncovered Changes

Lines Coverage File
2
86.3
 -1.58% packages/node-opcua-secure-channel/source/verify_pcks1.ts

Coverage Regressions

Lines Coverage File
8
90.81
 -1.11% packages/node-opcua-server/source/register_server_manager.ts
7
90.45
 -0.38% packages/node-opcua-client/source/private/client_base_impl.ts
Jobs
ID Job ID Ran Files Coverage
1 25273896001.1 1211
92.2
 GitHub Action Run
Source Files on build 25273896001