Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade node-opcua from 2.64.1 to 2.126.0 #55

Closed

Conversation

biancode
Copy link
Contributor

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade node-opcua from 2.64.1 to 2.126.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 88 versions ahead of your current version.

  • The recommended version was released on a month ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Server-side Request Forgery (SSRF)
SNYK-JS-IP-6240864
537 Proof of Concept
high severity Observable Discrepancy
SNYK-JS-JSRSASIGN-6070731
537 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-NODEOPCUA-2988723
537 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-NODEOPCUA-2988724
537 Proof of Concept
high severity Denial of Service (DoS)
SNYK-JS-NODEOPCUA-2988725
537 Proof of Concept
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-SEMVER-3247795
537 Proof of Concept
medium severity Server-Side Request Forgery (SSRF)
SNYK-JS-IP-7148531
537 Proof of Concept
Release notes
Package name: node-opcua
  • 2.126.0 - 2024-06-18

    What's Changed (minor change)

    • transport: close tcp socket gracefuly using end instead of destroy #1373

    Full Changelog: v2.125.0...v2.126.0

  • 2.125.0 - 2024-06-05

    What's Changed

    • [Snyk] Security upgrade node from 21.7.2-alpine3.18 to 21.7.3-alpine3.18 by @ erossignon in #1366
    • [Snyk] Security upgrade node from 20.11.0-bookworm-slim to 20.13-bookworm-slim by @ erossignon in #1365

    🐛 Bug Fixes

    • [4094e30] Addressed vulnerabilities in packages/node-opcua-local-discovery-server/Dockerfile to enhance security (Details).
    • [c3fee4f] Reduced vulnerabilities in dockertest/Dockerfile through necessary upgrades (Vulnerability Details).
    • [bf630e0] Corrected issues with pnpm@8 version to ensure compatibility and stability.

    ✨ Enhancements

    • [df134da] Exposed ServerCapabilities_MinSupportedSampleRate and ServerCapabilities_MaxMonitoredItemsQueueSize for improved server capability reporting.
    • [d854585] [a4600e0] Finalized deprecation of node-opcua-client-crawler and introduced the professional module @ sterfive/crawler for NodeOPCUA Subscription members.

    🛠 Maintenance and Refactoring

    • [94a27fd] Refactored readNamespaceArray and resolveNodeId usage to optimize operations.
    • [c7d0c6d] Updated address space to use new form resolveNodeId.
    • [afd5b1e] Refactored recreateSubscriptionAndMonitoredItem to an async method for better performance.
    • [b530365]Added useful exports innode-opcua-client` to enhance module usability.
    • [1047d7f] Refactored tests to use withSessionAsync for improved test efficiency.
    • [7e0a73b] Refactored perform operation on client session in test-helper for enhanced testing capabilities.
    • [966393d] Optimized readNamespaceArray to use cache, reducing processing time.

    🚀 New Features

    • [6017513] Implemented NodeId.toString({namespace}) to produce 'nsu=someuri;i=1223' form nodeid string, enhancing node identification clarity.

    🔧 Deprecated

    • [4ad343f] Deprecated unused callback method OPCUAClient.withSession as part of ongoing API cleanup.
    • node-opcua-client-crawler module is now deprecated and will not be published anymore, @ sterfive/crawler private module shall be used instead. this module is available for NodeOPCUA Support Member (https://support.sterfive.com)

    📦 Updates

    • [ba47294] Updated packages to the latest versions to ensure security and performance improvements.

    Security Enhancements

    • Addressed multiple security issues identified by Snyk, significantly improving the overall security posture of the software components.

    Full Changelog: v2.124.0...v2.125.0

  • 2.124.0 - 2024-04-08

    What's changed:

    Version 2.124.0 of our software introduces significant enhancements to the client automatic reconnection mechanism

    • Client and Server Enhancements: Enhancements were made in reconnection logic and secure channel management, providing a more robust handling of network instabilities and secure communications.
    • New Server Features: We introduced features like setNextSubscriptionId() to align with open62541 behavior (subcriptionId counting from 1)
    • Maintenance and Debugging: We refined debugging outputs, adjusted test timings, and improved error handling across the system, enhancing both performance and developer experience.
    • Bug Fixes: Notable bug fixes ensure correct behavior in data handling and client-server interactions, particularly in edge cases of network failures and reconnections.

    🐛 Bug Fixes

    • [0fb5fcf] Fixed an issue where getters with ExtensionObject were not exposing the correct dataValue statusCode, ensuring data integrity and accurate reporting.
    • [e6b944d] Ensured nodeVersion operates properly when a node belongs to a custom namespace, maintaining namespace integrity.
    • [ac7fd1a] Corrected the raiseEvent method signature in TypeScript, aligning it with expected type definitions.

    Security Updates

    • [86d137b] Fixed vulnerabilities in packages/node-opcua-local-discovery-server/Dockerfile by upgrading dependencies to address security concerns highlighted by Snyk (Vulnerability 1, Vulnerability 2).

    ✨ Enhancements

    • [5d34b30] Improved secure channel recreation, enhancing the stability and reliability of secure connections.
    • [6fb0c97] Enhanced the reconnection workbench, optimizing the reconnection process under various network conditions.
    • [2590d1a] Client: Refined handling of reconnection edge cases, including server disconnections and network failures during ongoing reconnection attempts.
    • [7329295] findEndpoint now uses the same connection strategy as the parent OPCUAClient, harmonizing connection behaviors across the client.
    • [3e1e4a5] File-transfer: Exposed nodeId and async browseName, enhancing file handling capabilities in the client.
    • [38caa35] Improved reconnection logic to provide smoother client-server interactions during network instability.
    • [5ac2ae0] Updated createMonitoredItemsLimit to avoid using maxMonitoredItemsPerCall=0, optimizing monitoring efficiency.

    🛠 Maintenance and Refinements

    • [a945169] Adjusted test timing to better reflect real-world operational conditions.
    • [f0a57b2] Enhanced communication debug trace, offering more detailed diagnostic capabilities.
    • [67ea74d] Traced connection closure events, improving monitoring and troubleshooting of disconnections.
    • [ab393f2] Server: Added setNextSubscriptionId() to imitate open62541 behavior, enhancing subscription management capabilities.
  • 2.123.0 - 2024-03-10

    What's Changed

    • In this release, we've resolved a persistent issue in the OPCUA Client interface that led to premature disconnections or problems with security token renewal when there was a significant time discrepancy between the client and server clocks. Now, the OPCUA Client utilizes its own time, captured when the OpenSecurityChannelResponse is received, instead of relying on the server's time to calculate the security token's lifetime expiration. Additionally, it will display a warning in the console [NODE-OPCUA-W33] if there's a notable time difference between the server's time and the local time on the computer where the OPCUA client is running. This enhancement aims to make it easier to identify servers with time synchronization issues (#1349) (#1351).
      🎉 Special kudo to EirikVea for nailing the root cause.

    the warning message looks like:
    `

    [NODE-OPCUA-W33]  client : server token creation date exposes a time discrepancy of 10 minutes 23 seconds
                      the remote server clock doesn't match this computer date !
                      please check both server and client clocks are properly set .
                      server time:  2024-03-17 10:20:30.300Z
                      client time:   2024-03-17 10:30:53.300Z
                      server URL = opc.tcp.//mydevice:4840
    
    • Furthermore, we've incorporated the Aes256_Sha256_RsaPss security policy in this version, completing our transition to the OPC UA 1.05 security profiles by setting Aes256_Sha256_RsaPss as the default. We have also removed the Basic128Rsa15 and Basic256 security policies from the server's default policies. However, these can be reactivated, if necessary, by specifying the securityPolicies parameter in the OPCUA Server constructor. (#1348)

    Default policies used if securityPolicies is not specified:

    before now in v2.123.0
    None None
    Basic128Rsa15
    Basic256
    Basic256Sha256 Basic256Sha256
    Aes128_Sha256_RsaOaep Aes128_Sha256_RsaOaep
    Aes256_Sha256_RsaPss
    • We reintroduced PKCS1 padding (Issue #1347), which was previously removed in version 2.122.0, due to Node.js discontinuing support for PKCS padding with private key encryption. However, this reintroduction comes with a caveat for users of Node.js versions newer than 18.11.1 or NodeJS > 20.11.1. To enable PKCS1 padding, you must include the argument --security-revert=CVE-2023-46809 when running the Node.js executable. This step reverses a security fix in Node.js, allowing PKCS1 padding to function. Failure to apply this workaround may result in connectivity issues between the Client and Server when interacting with devices that still utilize the now-deprecated 128Rsa15 security policy for channel or user token encryption.

    • We found out that the recent version of NodeJS now emits an AggregateError instead of a Error on windows when multiple network cards are present, causing the connection mechanism to struggle, this only affects Node 20.11.1 on windows as far as we are aware [b4ff258]

    details

    🐛 Bug Fixes

    • [cd9dcb0] Fix crawler has throw error if the object does not contain displayName or description #1343
    • [b4ff258] Fix error message of AggregateError generated by Node.js 20.11.1 on Windows when connection is refused

    ✨ Enhancements

    • [26359c0] Fix Aes256_Sha256_RsaPss security policy #1259 #1281 (sponsored)
    • [31af8b2] Server: Adjust default security policies - add Aes256_Sha256_RsaPss in default security policies and remove deprecated Basic128Rsa15 and Basic256 from default security policies
    • [a9ec280] Client now displays a warning when the remote server clock is out of sync by more than 5 seconds #1349
    • [28efd1a] Now print time drift statistic to ClientSecureChannelLayer#toString
      [92dd8db] Display warning when the nodejs --security-revert=CVE-2023-46809 command line option needs to be used to allow legacy Basic192Rsa15 encryption and server ( in 20.11.1 and 18.11.1 onward)

    🛠 Maintenance

    • [e65ef43] Chore: code cleanup
    • [2f8275f] Chore: remove unused files
    • [fa0b34f] Chore: coerceSecurityPolicies
    • [bec0df2] Chore: improve client connection error feedback
    • [5a10fb1] Chore: fix import issue
    • [ccf10ee] Chore: adjust test assert
    • [8fcfcdc] Chore: exclude tsbuildinfo files from packages
    • [7402e8c] Chore: make build_address_space_for_conformance_testing async
    • [b853ea6] Chore: add missing describe with leak detector in test
    • [28fbdde] Investigate test failure on Windows

    👬🏽 contributors

    Full Changelog: v2.122.0...v2.123.0

    🌟 Join the NodeOPCUA Support Network! 🌟
    NodeOPCUA continues to grow and evolve, thanks to the invaluable support from community members like YOU! 🚀

    We're dedicated to enhancing and expanding the capabilities of node-opcua, and we invite you to be a part of this exciting journey. Consider contributing through our membership program at Sterfive or by donating on

    OpenCollective.

    🤝 Your support is crucial!

    Your contributions foster innovation and strengthen a community founded on cooperation and the exchange of knowledge. 🌱

    🌍 Together, we can drive the future of node-opcua forward! 🌍

  • 2.122.0 - 2024-02-28

    What's Changed

    🚨 Security update

    • OPCUAClient now avoids selecting deprecated security policy while choosing user identity token #1344

    For instance, when OPCUAClient encounters multiple identity token policyId for the same tokenType, the OPCUClient will select the policyId that provides the most robust encryption method. It will also avoid using Basic192RSA15, which is now deprecated in NodeJS 20.11.1 onward, to fix CVE-2023-46809.

    Full Changelog: v2.121.0...v2.122.0

  • 2.121.0 - 2024-02-25

    Release Notes

    🐛 Bug Fixes

    • d81924c60 Adjust UAVariable: fixing #1342 by forcing timestamp to be set when a simple variable getter is used
    • ef9878409 Fix ambiguous abstract DataType with encoding while loading nodeset2 xml
    • 3b8613468 Server: monitored item; fix keep alive and resendInitialValue behavior
    • 7d161b074 Server channel: fix channel termination in registerChannel
    • ea7fac356 Fix release continuation point behavior
    • f521d25cb Fix eventNotifier type to be a EventNotifierFlags in InstantiateObjectOptions
    • e85efe29f Fix boiler instantiation by specifying the correct value for event notifier
    • 7c42fe464 Ensure event notifier flag SubscribeToEvents automatically set when an object has EventSource or Notifier
    • aacd2c86c Fix default variable matrix value while loading nodeset2.xml
    • 7fb5d7c88 Fix a bug causing the server to crash while raising AuditCertificate Events
    • 1e51b2184 Call should return BadMethodInvalid instead of BadNodeIdUnknown when MethodId doesn't exist or is not a method
    • e482774c8 BadChannelIdInvalid should be returned in a ServiceFault instead of a Valid Request
    • aae18eed7 Issue #1320 bug-fix: now instantiating variable with same name as parent objectType.
    • b9503fdf4 Issue #1326 bug-fix: no longer adding nodes from an unrelated object type to a node with the same browseName.

    🛡️ Security Updates

    • 8ec25b71a Deprecate RSAPKCS1V15_Decrypt due to CVE-2023-46809
    • 97568f4bf Update packages - [email protected] CVE-2023-46809
    • 0a27cef67 Fix: dockertest/Dockerfile to reduce vulnerabilities
    • ce26af470 Fix: packages/node-opcua-local-discovery-server/Dockerfile to reduce vulnerabilities

    ✨ Enhancements

    • 9ebe882e6 Feat: add description and displayName to base object when crawling
    • 17b48cc99 ArgumentList: verifyArgumentList returns BadTypeMismatch if at least one argument has a BadTypeMismatch status code
    • ea7fac356 Fix release continuation point behavior

    🛠 Maintenance

    • c38096565 Adjust flaky test on windows
    • 2eca643f2 Chore: reduce verbosity in test
    • 862ae72f5 Chore: adjust temporary folder location in tests
    • 22606c59b Update CTT.xml
    • adf2b22e9 CTT: ensure keepAlive is sent after 1xpublishInterval first time
    • 77ccf6417 Refactor: server tests to typescript
    • 88ba311f5 Add leak detector in test
    • 794e35cd1 Chore: fix typescript error in test
    • 47c75b7fb Address space for ctt: fix matrix variables
    • 4610fa986 Chore: adjust TCP socket in test
    • cd8d2705b Chore: server_tcp_transport cleanup
    • 4e75b2d5a ServerSecureChannel: return ServiceFault when OpenSecureChannel fails
    • 52388f80c Chore: remove unused import
    • b7b1f62ab Chore: improve log message
    • dd8872782 Chore: fix typos in comments
    • f85e696f4 Chore: fix typescript issue
    • 2e60c9984 Chore: fix timer id déclaration
    • 515303c2f Chore: improve error message in internalDecodeVariant, when matrices are inconsistent
    • 1dd5562a0 Update standard UA nodeSet2.xml to version 1.5.3
    • e8d592bb9 Update standard status codes
    • d5f8f15c3 Improve Variable value set typescript definition and add new async mode

    👬🏽 Contributors

    What's Changed

    • feat: add a description and displayName to base object when crawling by @ narttmk in #1338
    • [Snyk] Security upgrade node from 21.2-alpine3.18 to 21.6-alpine3.18 by @ erossignon in #1337
    • [Snyk] Security upgrade node from 20.8-bookworm-slim to 20.11.0-bookworm-slim by @ erossignon in #1340
    • Fix variable with the same name as object type by @ tetanw in #1329

    New Contributors

    Full Changelog: v2.120.0...v2.121.0

    ⚠️ Known issue

    • This version may cause OPCUAClient to fail to connect when the OPCUA Server exposes a UserTokenIdentity policy based on Basic192RSA15. This issue has been addressed in 2.112.0
  • 2.120.0 - 2024-01-21

    Release note for v2.200.0

    🐛 Bug Fixes

    • [521f18d2f] Fixes #1277 - Instantiating ObjectType with two Folders
    • [744648e3f] Relax Encoding detection to cope with bugs in python's asyncua - fixing #1232
    • [56b40b191] ClientSecureChannel: fix connection issue highlighted when server imposes maxChunk=1 #1335 #1263
    • [2372431fd] Ensure client.isReconnecting=true when client emits the 'connection_reestablished' event fixing #1331

    ✨ Enhancements

    • [45240f862] Add example for GitHub #1232

    🛠 Maintenance

    • [a0234bbb5] Update packages
    • [37e181611] Add open collective badges
    • [2e6d5937b] Update book URL
    • [85bee187a] Update lock file
    • [af3520542] Update copyright year
    • [f3d452bd6] Fix copyright year and other adjustments

    👬🏽 contributors

    🌟 Join the NodeOPCUA Support Network! 🌟

    NodeOPCUA continues to grow and evolve, thanks to the invaluable support from community members like YOU! 🚀

    We're dedicated to enhancing and expanding the capabilities of node-opcua, and we invite you to be a part of this exciting journey. Consider contributing through our membership program at Sterfive or by donating on

    OpenCollective.

    Your support is crucial! 🤝

    Your contributions foster innovation and strengthen a community founded on cooperation and the exchange of knowledge. 🌱

    🌍 Together, we can drive the future of node-opcua forward! 🌍

  • 2.119.2 - 2023-12-25

    v2.119.2

  • 2.119.1 - 2023-12-25

    v2.119.1

  • 2.119.0 - 2023-12-23

    Release Notes for 2.119.0

    🐛 Bug Fixes

    • [c70438e] Fix ConditionVariableType behavior with SourceTimestamp property
    • [77f1bf6] Fix MultiStateValueDiscrete behavior #1323
    • [3c7c80b] Fix: packages/node-opcua-local-discovery-server/Dockerfile to reduce vulnerabilities
    • [9eeb81a] Use AcknowledgeableConditionType_Acknowledge/Confirm when ConditionId is not an instance

    ✨ Enhancements

    • [84b55ee] Allow effectiveTransitionTime to be passed when setting a TwoStateVariable for instance UACondition#setEnableState(true, { effectiveTransitionTime: somedate})
    • [200e233] Allow time and receiveTime to be optionally passed on raiseNewCondition
    • [734c0d9] Issue #1303 refactor: Add 'host' parameter to OPCUAServer for specific interface binding
    • [8166185] Add findMethodId utility function to find a MethodId in a object or in its super type
    • [ee7b7e3] Factor out node-opcua-alarm-condition module

    🛠 Maintenance

    👬🏽 contributors

    🌟 Join the NodeOPCUA Support Network! 🌟

    NodeOPCUA continues to grow and evolve, thanks to the invaluable support from community members like YOU! 🚀

    We're dedicated to enhancing and expanding the capabilities of node-opcua, and we invite you to be a part of this exciting journey. Consider contributing through our membership program at Sterfive or by donating on OpenCollective. Your support is crucial! 🤝

    Your contributions foster innovation and strengthen a community founded on cooperation and the exchange of knowledge. 🌱

    🌍 Together, we can drive the future of node-opcua forward! 🌍

    We're profoundly grateful for your continued support and commitment to our mission! 💕👐

  • 2.118.0 - 2023-11-20
  • 2.117.0 - 2023-11-13
  • 2.116.0 - 2023-11-03
  • 2.115.0 - 2023-10-04
  • 2.114.0 - 2023-10-02
  • 2.113.2 - 2023-12-23
  • 2.113.1 - 2023-12-22
  • 2.113.0 - 2023-09-07
  • 2.112.0 - 2023-09-06
  • 2.111.0 - 2023-09-03
  • 2.110.0 - 2023-08-17
  • 2.109.0 - 2023-08-15
  • 2.108.0 - 2023-07-18
  • 2.107.0 - 2023-07-11
  • 2.106.0 - 2023-06-30
  • 2.105.1 - 2023-06-16
  • 2.105.0 - 2023-06-10
  • 2.104.0 - 2023-06-05
  • 2.103.0 - 2023-05-05
  • 2.102.0 - 2023-05-02
  • 2.101.0 - 2023-05-01
  • 2.100.0 - 2023-04-14
  • 2.99.0 - 2023-04-11
  • 2.98.2 - 2023-04-10
  • 2.98.1 - 2023-04-10
  • 2.98.0 - 2023-04-09
  • 2.97.0 - 2023-04-05
  • 2.96.0 - 2023-03-24
  • 2.95.0 - 2023-03-18
  • 2.94.0 - 2023-03-14
  • 2.93.0 - 2023-03-13
  • 2.92.0 - 2023-03-12
  • 2.91.1 - 2023-02-24
  • 2.91.0 - 2023-02-17
  • 2.90.1 - 2023-02-15
  • 2.90.0 - 2023-01-29
  • 2.89.0 - 2023-01-22
  • 2.88.0 - 2023-01-03
  • 2.87.0 - 2022-12-18
  • 2.86.1 - 2022-12-16
  • 2.86.0 - 2022-12-15
  • 2.85.0 - 2022-11-25
  • 2.84.0 - 2022-11-18
  • 2.83.0 - 2022-11-14
  • 2.82.0 - 2022-10-27
  • 2.81.0 - 2022-10-11
  • 2.80.0 - 2022-10-10
  • 2.79.1 - 2022-10-03
  • 2.79.0 - 2022-10-02
  • 2.78.0 - 2022-09-27
  • 2.77.0 - 2022-09-08
  • 2.76.2 - 2022-09-03
  • 2.76.1 - 2022-09-01
  • 2.76.0 - 2022-09-01
  • 2.75.0 - 2022-08-23
  • 2.74.0 - 2022-08-13
  • 2.73.1 - 2022-08-11
  • 2.73.0 - 2022-08-08
  • 2.72.2 - 2022-07-14
  • 2.72.1 - 2022-07-13
  • 2.72.0 - 2022-07-12
  • 2.71.0 - 2022-06-25
  • 2.70.3 - 2022-06-13
  • 2.70.2 - 2022-06-12
  • 2.70.1 - 2022-06-12
  • 2.70.0 - 2022-06-11
  • 2.69.1 - 2022-06-02
  • 2.69.0 - 2022-06-02
  • 2.68.1 - 2022-05-10
  • 2.68.0 - 2022-04-23
  • 2.67.1 - 2022-05-21
  • 2.67.0 - 2022-04-18
  • 2.66.3 - 2022-03-28
  • 2.66.2 - 2022-03-28
  • 2.66.1 - 2022-03-28
  • 2.66.0 - 2022-03-27
  • 2.65.1 - 2022-03-16
  • 2.65.0 - 2022-03-13
  • 2.64.1 - 2022-02-27
from node-opcua GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information: <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJmNWE4YjQ0OC00YWQzLTQ0MTQtOGU3OC00Mj...

Snyk has created this PR to upgrade node-opcua from 2.64.1 to 2.126.0.

See this package in npm:
node-opcua

See this project in Snyk:
https://app.snyk.io/org/biancode/project/c0ad31d1-3c4b-4fd2-b9bc-db89eb981b4f?utm_source=github&utm_medium=referral&page=upgrade-pr
Copy link

Greet Contributors Bot
Thank you for taking your time and effort for your contribution, we truly value it. 🎉

The amazing contributor in this pull request is @snyk-bot

@github-actions github-actions bot added the Stale label Sep 16, 2024
@github-actions github-actions bot closed this Oct 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Create ObjectType with Object
2 participants