node-opcua

🚀 enhancements

• [177f468a9bcdedb98fab3d3fb2f87a8af0378e0e] [da25326ed66f5cfa42ef568627c908ff1bf9c0c6 [43c72e1ef322b4e8b4f6071e4125f6d2f0e85f4b] [3be4959823dbedd12fe2df87dff686be8fbca92c] improve creation of event filter selectClause and whereClause creation.

• #1183 , #1184 fixes Alarm_Tools EventFilter SelectClause contains two entries for ConditionId, instead of one

👬 contributors

• @Koseng

🌸 professional support

• more info is available at (https://gitlab.sterfive.fr). this site is accessible only for node-opcua Subscription Members.
• you can apply online at https://support.sterfive.com to enroll your company as a node-opcua member.

This important release fixes 3 CVEs that have been recently discovered.

*We strongly encourage you to upgrade your existing node-opcua to version 2.74.0 or greater and to contact Sterfive for support.

Only Sterfive's customers or members of the NodeOPCUA Subscription Membership are entitled to receive professional advice & support. You can apply online at https://support.sterfive.com .

‼️ vulnerabilities fixes

CVE-2022-21208

• The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.

CVE-2022-25231

• The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit.

CVE-2022-24375

• The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

🐛 bug fixes:

• [902b288aae91ef465d960039e353259a926711b1] server now returns ServiceFault response in case of error, instead of the corresponding Response of the Request command.
• [3fd46ec156e7718a506be41f3916310b6bdd0407] server: fix Subscription.modify that may cause server to crash;

©️ copyright update

• [email protected] is now copyrighted by Sterfive SAS. [902b288aae91ef465d960039e353259a926711b1]

please make sure to comply with the MIT license and includes the attributions to Sterfive SAS for NodeOPCUA in the documentation that accompanies your application.

Copyright (c) 2022  Sterfive SAS - 833264583 RCS ORLEANS - France (https://www.sterfive.com)
Copyright (c) 2014-2022 Etienne Rossignon

👬 contributors

• special Kudo to claroty'steam82 for finding the CVE. (Claroty Research https://claroty.com/team82/)

🐛 bug fixes

• 6a9a170c414d9eb2743ae1f266f9d84edf28ce9a fixes loading int64 as nodeset variable value from nodeset2.xml file

🐛 bug fixes

• 08e42411c0698658bf75e321aa05ca5eedac7d72 server: fix initial keepalive in subscription
• aed879358405d1bac2ea82e82f34871dad15e604 fix session exhaustion during reconnection #1162

🐴 enhancements

• 3a6ff3e7104af6632b2572b886d7c9b5ebbe6828 node-opcua-address-space: fix typescript export issues & refactor
• 0ac4e070e5ef251afc0d8d9c446ef03ce5ea137e handle AllowSubType in Extension Objects
• 47e0c7e328acd141a53e5a1e5120d0990848744a createMonitoredItemsLimit transact only when necessary

💪 reliability improvement

• 429194ac0038927017f2ed045f4f26b45600ccef [robustness] add variant array length overflow protection
• ca83cab2b3df0755c702184c78573629917ec3d1 [robustness] add buffer overflow protection in BinaryStream
• cb2e00640174a0a6bd4f7da648cdef68738b034e [reconnection] add new state in reconnection
• d7c50c5a1c83fe074d0bac4d46d58850a7477189 account for unattached subscriptions in maxSusbcriptions
• c2a1b30bf09cbef9c867d0426fcf20a2a5c83176 machinetool: fix typescript definition
• 98d7ba60537a1e3095e74573ef6ee889d3b58428 feat(server|client) handling oversized requests & responses
• a37faf1702a86e560d61445e92ccdc76f9eb4c42 Add a max retry to prevent infinite retries

📖 documentation

• 47a877cded9cbe11610ef583b6d59eb9b4f27a60 Update monitoring_home_temperature_with_a_raspberry.md
• efb7c5bfad2b9626395044764315f6a7be11e8b8 Update README.md

👬 contributors

• @daveycodes , clarity , @weekaung

More information about how those changes can impact your project are available to NodeOPCUA Support member.
Consider subscribing to Sterfive's Node-OPCUA membership

🐛 bug fixes

• 54887662573d7bdeb932f2fb18613d2597503861 fixes #1163 parsing informative version string in nodeset and trying to convert to semver whenever possible
• ddd8362f66845ec297c46f832b845a48adcf5a7c fixes #1164 - loading guid in extension object from nodeset2.xml file
• 7c05f81964ca0ff2f3c6a017e99aa0cdef421dbc OPCUAClient: allow connect after disconnect

🐴 enhancements

• 17f73665a5dea56e61a16816e95b0fdc69c72ed7 faeaa642e6afb7d253f66ada95db66db938612a3 b689b1b68a160ac099947375d419c793c252be0d feat(server-configuration): certificateExpirationAlarm
• a71724b7f1e9433ccfc9808fcc4d0b387a3f8b24 feat(alarm) improve typescript definition
• 1d9d3022703e807956d898183d3f32381b918495 feat(server) implements serverCapacity.maxMonitoredItems/maxMonitoredItemsPerSubscription
• 85ef55436fe4afe0ed430046ca1f19a9c2e73542 update sample
• ddee843b905a92381d0a3bf9dabb2d4ec2448b34 feat(server) implements maxSubscriptions/maxSubscriptionsPerSession
• 54a373903a9542dbbae809f4df0640cd2d7ae73d feat(server) deprecate maxAllowedSessionNumber in favor of serverCapabilities: {maxSessions: }
• 44c539782c8cd76bb3ab768f9ee75fcda02bf38f update types to 1.05.1
• f9c389a738502d246ad5baf3818cf8c3570685ad feat(server) expose extended server limites & capabilities from 1.05

👬 contributors

@DrHaraldWeber and @GoetzGoerisch

🐛 bug fixes

• [7d2d12c6f5035dc36694c2037f887dabbb1d3b18] fix decoding of derived nested structure
• [33077c31dfca6402978ddcfdc51db2d24adb0630] [637e633c01a63ea729c6086a33092c62f9be5ee9] make sure ObjectType instantiation replicates default value in child variables
• #1154 move chalk in dependency section of package.json

👻 vulnerabilities

• update to [email protected] to address CVE-2022-33987
• update to [email protected] to address CVE-2022-25898 Security fix in JWS and JWT validation

👭 contributors

• @AltarBeastiful

🐛 bug fix

• #1136 [3eb2563c89427f08e256d83da46d32e27d2f78d0] node-opcua-server crashes if invalid user identity token certificate is given
• #1152 [ffb56f287b467ea71bb50ac79f1c601d8044121b] [501d560acfcecc2847b71a991de09c740ca82857] Calling server-method with an argument with valueRank > 1 fails with BadInvalidArgument
• [ 9f1482c3af6b4a026b5092e30042bc8789cd8a45] fix extension object array loading in nodeset2.xml files
• [c52c9336a7a93f6f8393a9113a9efdf7ed9ac886] [f73241da716abb38c526d3bf5656bd282bc3eb00] fix unpacking of opaque structure on client
• [e6ae50aacf1fde193d303788ecc1fb6085f177fd] fix issue in AnalogItem instantiation

🚀 enhancement

• [4dd1a7b5a2be428ab2eb156996ca0d296bd0f1f6] introduce nodeset version 1.05

💔 breaking changes

• as a consequence of moving to nodeset version 1.05, 'DataType.Date and DataType.Time), two unofficial DataType from the OPC foundation that appeared in 1.04.10 has been removed in the material from the foundation. They have been also removed from the DataType enumeration in this release. ( see #1243)

👭 contributors

• @eg-be , @SanderDeWaal1992

🚀 improvement

• (modeler) improve promoteToMandatory [4a6e1467eaf13a9b6d4c41a6dab48408e629f1b7]
• refactor discovery test [4e449ebdaa337bad4a8ef8b9e6aed2b5dc6be332]

🐛 bug fix

• (variant) ensure that array of extension object can be null [878704b6ce68539f34e0f30b3318a74af20474ac]
• fix issue with bonjour [4500a75b97053d2d6556635ff9db57c29a75f42e]
• fix interface management on object/variable instantiation [de90a712b53ce6dc638b4e01d50e04fe7a78e262]
• [2af9a8a4ea19ad0ade1b85380995fca1c07ea565]
• fix PacketAssembler bug and add chunk size verification [dbcb5d5191118c22ee9c89332a94b94e6553d76b]
• add message chunk overflow detection [33ca3bab4ab781392a2f8d8f5a14de9a0aa0e410]

🐛 bug fix

• fix potential crash when userManager do not specify getUserRoles [fd6376980645c4149c66d934d8251532c9a71834]

• fix code behaves differently when executed in jest [0b516d4a5ece4352905c2461b739a89969b8b54a]

• read nodeset2.xml assuming UTF-8 and not ascii, to handle special characters [18782da60f8322beda412176dd2be3974cb37e08]

• read add SByte case in ExtensionObject loading in xml2 [61ee6248e10bbc70640a34b365fd0ed3d790f9cd]

• fix typescript definition [61ee6248e10bbc70640a34b365fd0ed3d790f9cd]
  👬 contributors:

• @hellivan

🚀 enhancements

• 827313e9c5d0c5e17adcafc2bd654f92eba3c919 update constants to latest standard nodeset
• 7d83e9564b7886687da45b2347f3a213331d99b0 refactor user manager
• 052ac6d4e55fd213c2c052a0868927e6cbef6dcb handle enumeration dataType better
• ba1f00a51d9450aae35923078e7e6a68e2a7a9ff improve extension object binding

🐛 bug fix

• #1134 b27d7b828e1f46675e6c156daf9975dc160cd020 clamp integer to requested size in XML datastructure loading
• #1132 e0ba3834395043cf4dca8f8d4b90bcad9ccca438 fix xml decoding of NodeId in ExtensionObject

📜 documentation

• #1133 5015a380a61b983fe5761c99e391a35036d52236 improve sample_server and usage of minum sampling interval

🔢 house keeping

• remove usage of deprecated String#substr

👬 contributors

• gabrielfpvh Graos mikakaraila

🐛 bug fix

• #1127 [77ab4df91fe2f9968f3fc0969af2d9b33ec87e26] Exception while processing Certificate Revocation List (CRL), causes CRL to be ignored resulting in 'BadCertificateRevocationUnknown' error.
• #1125 chore: clean-up before build & publish issue
• Loading enums from nodeset.xml files does not work for enums with negative values #937

⬆️ packages update

• [77ab4df91fe2f9968f3fc0969af2d9b33ec87e26] update packages (pki/crypto)
• [ 4bc41b89eb9eca72037402bcdd6ad5a68352806a] [c6fafab1c8b19bbc45fde5d597991e48803dbcb0] package updates

🔒 vulnerability fix

• use [email protected] which fixes minimist version to address vulnerability issue

🚧 work in progress

#1096 improving extension object loaded in nodeset2.xml

• [c5a5a442bbf77d459fec6ea0b956fd9bc3aff376] improve loadnodeset for xml extension object with enums
• [5efffe071deca69beaca7bb66fbaee46df58b33e] improve loadnoset for xml extension object
• [c0ebb4cfb4c11872bde2e80905cad89dc38a538f] feature: improve extension object nodeset export

👬 contributors

• vembacher for spotting issue with CRL version 1 in node-opcua-crypto #1127
• marcodisarno for spotting filename casing issue #1125
• OSjoerdWie for sponsoring our work on extension object loading in nodeset2.xml #1096

🐛 bug fixes

• [a3d61a6db1bea4e11e09818f83cf2821802b56bf] fix BaseNode#writeAttribute attributeId max

👍 enhancements:

• [ff450bf50141cbec62eb11ca52cd140d288fe28d] (loadNodeSet): handle Model consistently and display warning message if a nodeset file is missing or has a mistmatching version

💇 cleanup

• cleanup model generation, move graph generation to the commercial version

⚠️ known issue

• 2.64.0 exhibit an error on Linux due to a file name case sensitive issue on newly introduced nodesets. please use 2.64.1 instead

🐛 bug fixes

• 325a563e5 fix(file-transfer): fix readme
• ae38de5e1 chore(debug): upgrade hexy version
• 025870f9b improve markdown generation
• d8f2d2af8 fix: don't ping server if client is reconnecting
• 66a2e8438 fix: ensure keepAliveManager is started when session is activated
• 55c2a21f2 chore: fix error message in transport
• e9ae8abf9 chore: improve err message in makeRelativePath
• e0786c774 fix: issues in nodeset2xml export
• a75368c0b fix: name clash prevention
• eda9cb7e0 fix: filename typo
• 68fc9e4ae fix: passing description in UAVariableType/UAObjectType
• 64b82e9ba fix: LocalizedText to xml now ignores empty Locales
• 249ada9bf fix: data-type definition with recursion when loading nodeset

🚀 enhancements

• 498abd014 feat: add lookup folder in convertNamespaceTypeToTypescript
• 6e51af749 feature: isSupertypeOf now accept a NodeIdLike argument
• bc37ee5ec feature: add woodworking and glass-flat typescript definition files
• e4527d693 feature: add Woodworking and Glass nodesets

🐛 bug fix

• #1115 5068cf8b77f9907e3ea848b7bf31c8c500ec6b6a fix filename case issue in nodeset file ( causing 2.64.0 to break)

🚀 enhancement

• #1093 filter unrequested diagnostics info

👬 contributors

• thanks to @hoancea for proposing a fix for #1093

🐛 bug fixing

• resolution of minor issues

🚀 enhancement

• enhancement of OPCUA Model markdown generation and Graphviz class diagram

🚀 enhancement

• [263fa0ced798ef0f29436002213c03aea93ded5f] objectType and VariableType instantiation now supports InterfaceType

🏗️ refactoring

• renaming of internal types
  • VariableDataValueGetterAsync => VariableDataValueGetterCallback
  • DataValueCallback => CallbackT
  • StatusCallback => CallbackT
• [cfeac94415b11c49be1b09d6e6e6a795c67d8033] remove AttributeIds.ALL
• [5b3bc2286d4da68e1203e71fd467a1dc4b8be432] improve error handling to engine write to better track exception raised in provided get/set handlers

🚀 enhancement

• [314259c] add support for SecurityPolicy.Aes128_Sha256_RsaOaep on client and server

🐛 bug fix

• #1089 Unable to use ExtensionObjects with properties "key" and "value" (in Variant)
• [4968f243bf8eb81839968c7b3cba3ec3d8d586a2] displayName property in ObjectType/VariableType instantiation

👬 contributours

• @paulking00

🚀 enhancements

• [55ec55bc72ab9409333f042d3002ea3f9415c12c] Add Constant and NoVolatile flag in AccessLevelExFlag
• [19941e60ed0cd4533c097455eeeb7914ec5604ac] improve memory management on GetMonitoredItems implementation;
• #1018 [9f8611ba3fa43fa652ad1d33a978a0610c69286a] add test for GetMonitoredItems method call to the subscription containing roughly 35 variables result in warning prints

💔 breaking change

Now setValueFromSource will detect a Variant mismatch and raise an exception when a variant with the unexcepted type is used.
In prior versions, no strict type checking was performed at this level, and it was possible to accidentally store a string for instance where a Ìnt32` value was expected, leading to hard-to-find bugs. NodeOPCUA is raising an error on the console with a trace of where this happened and information about the expected DataType and actual DataType, so you can easily fix your server code. setValueFromSource raises also an exception now in these circumstances.

🐛 bug fixes

• #1086 [e0f4a1d62b2b18758bb46239c910e5d071c980f7] Method calls with enumeration types don't work as expected
• #849 [e0f4a1d62b2b18758bb46239c910e5d071c980f7] fixed Writing to an Enum Value from external OPC UA client leads to error in node-opcua server
• [b7b99bc133b4b9f1591990a9a054a9ea4b8b79d9] fix getArguments type definition
• [e215b88f8d16e1024e0fb97ac3eb34a4531fa1db] better support for reconnection when server returns BadTooManySession
• #1084 [33fd9a71194ad82ac0f68c629a54029948e3c73e] fix: ArgumentOptions arrayDimensions is being overridden to [0]
• Fix Variant Type mismatch [a61d2b3f1de4b7e3f139f9e91c4ce98cfff88f66] [44f8753d7be7fe48e9cf5ec821e41ac1ab859952] [006753e848e275adb6033f939e2af7cf128d3a5e] [8aa6a5ab6ae28cddb233a5e7cc9f10f88bcd1672] [d06e7e68f1f218a692999b22a4cc080b6e88b364] [a2bc2c2c5f76c96f7ca1301ffb9d757756984d72] [0ef8406feadba2a1361e291733bbee31bfae0061] [f1df5c8a5100acea574beed0153b3d60e76d8549]

🐙 refactoring

• 19eeca2119c9df502e3e5520353b896a3a27f319 eac4b648988ed57afa5e53573281c19e77241cf1 eb072886a9433bfd373522f2641fdce9def55a3f 77301cda2d5bf9f005e67ac015f5657730eab0ec 11b3a9402718515137a758b510842b0677bb29ca 5a25242b3fe7f847f2c3f560cdcc1ad7c6ae9dbb b1c89a43b8ac2fb78ddd87f93495f230da4758e5 fbc92aa4cfd657c3c77bbdfbbad902e9a5556e19 5af73c299d9774dba7da7f457b9c6c9873338cb0 8a839f34af97cc8c5c8100ccb20757629a035aef 923003db71c90d79896440a365293808ec3749c9
• [569ca51128f4f31740662fc7e9ee7d9b7249fc1b] fix flaky test and unregistering bonjour for leak detection
• [81f26cbe2c9dfffa7c11961b8bf312c445616157] [c0a8d6365fb0397cafb23cbe895b44d3449c5f5e] [4e927b2ad777ab17a86752d67debffa8881647dc] deprecate use of nullNodeId and make it strictly constant
• [0db9e28a03f4162bec4f00d329d63e183f3c4a18] add a mechanism to trace timedout request int ClientSecureChannel
• [20b546f1fc86bc6a0b44b75bf89dfb055aace65a] revisit structure definition management internally

👭 contributors

• @Filipecordeiro @marcodisarno @Graos

🐛 bug fixes:

• [3325f6c34bc9291e714e418f73bd8685bcacebd0] fix(server): allow new connection after DDOS attack when sessions are dropped by client without proper terminiation
• [67cd8c1b15614b87a3c27d3e373730f124a488fd] fix typedoc generation

⛵ improvement:

• [dd70c3dcc9e878f5f478cc48a4656471db90b7ef] #1072 renamed UANamespace to UANamespaceImpl and make it private ( use Namespace instead)
• [167cdcbabc2fa2e423fa9e1bc8e9784ca4473786] load_nodeset now ignore 'Deprecated' nodes in XML .
• [a251efb1389a99d14be0b4ea44b50058bc0747d8] update to latest standard UA NodeSet.xml
• various refactoring

💔 breaking change

• as spotted in #1081, the behavior of client.on("session_close", (session) => {}); has change slightly and session.channel may now be null.