fix(deps): update dependency node-opcua to v2.174.0 #763

Open
renovate[bot] wants to merge 1 commit into main from renovate/node-opcua-2.x
renovate Bot commented Jun 30, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| node-opcua (source) | 2.173.1 → 2.174.0 | age | confidence |

Release Notes

node-opcua/node-opcua (node-opcua)

v2.174.0

node-opcua 2.174.0

Compare: v2.173.1...v2.174.0


✨ Headline feature — Role-Based Security & User Management (OPC 10000-18)

This release introduces a complete, spec-conformant implementation of OPC UA Role-Based Security and User Management as defined in OPC 10000-18. node-opcua servers can now model who a connecting user is, which Roles they hold, and what each Role is allowed to do — and let administrators manage all of it at runtime over OPC UA itself, using the standard RoleSet and UserManagement Methods.

What you get:

  • A standard RoleSet with well-known Roles (Anonymous, AuthenticatedUser, Operator, Observer, SecurityAdmin, ConfigureAdmin, …) plus the ability to create/remove custom Roles at runtime (AddRole/RemoveRole).
  • Identity mapping rules per Role — Anonymous, AuthenticatedUser, UserName, Thumbprint, and full X.509 Distinguished-Name criteria — administered live via AddIdentity/RemoveIdentity.
  • Application & endpoint restrictions per Role (AddApplication/AddEndpoint/…), enforced at role-resolution time against the calling application's certificate, security mode, and endpoint URL.
  • User Management Methods (AddUser/ModifyUser/RemoveUser/ChangePassword) with salted scrypt password hashing, password policies, must-change-password flow (Good_PasswordChangeRequired), and forced session termination on disable/remove.
  • Single source of truth wiring via createRoleBasedSecurity() — one call to set up users, roles, identities, and persistence consistently, with optionally-encrypted (AES-256-GCM) persistence that survives restarts.
  • A client API (ClientRoleSet / ClientUserManagement) and a ready-to-ship role-set-admin CLI (npm i -g node-opcua-role-set-admin) to administer any compliant server over OPC UA.
  • Defense-in-depth hardening: sensitive RoleSet/UserManagement nodes are hidden from non-admin Browse and require an encrypted channel, plus full audit events (RoleMappingRuleChangedAuditEventType, AuditUpdateMethodEventType) that never leak passwords.

Delivered across five new packages: node-opcua-role-set-common, node-opcua-role-set-server, node-opcua-role-set-client, node-opcua-role-set-admin, and node-opcua-role-set-test.

📖 For the full picture — architecture, getting-started, the security model and persistence — read the official guide: documentation/role_based_security.md.


🚀 Role-Based Security & User Management — key commits

  • Core implementation: 4 new packages (common store, server installRoleSet, client ClientRole, integration tests), WellKnownRoles, IRoleResolver. [d017a0c]
  • createRoleBasedSecurity() one-call wiring with a single shared user + identity store; unified via the userManager bridge. [6037983] [f58f0e2]
  • AddRole/RemoveRole with collision-proof GUID NodeIds and unique-name enforcement. [964d692]
  • X.509 full-DN matching + duplicate detection (§4.4.3); hardened AddIdentity/RemoveIdentity (§4.3–4.4.5). [55c83b7] [34ade4e]
  • Application/endpoint restriction store, matching rules, Method binding and full enforcement at role resolution incl. endpoint URL via SessionContext (§4.4.1–4.4.10). [c6d8fcf] [b8226d3] [0713897] [45553c5] [9fe26bb]
  • User Management store + Method handlers + ClientUserManagement; MustChangePassword / Good_PasswordChangeRequired surfaced end-to-end (§5). [c71f966] [f00d023] [603b39c] [d441175] [804f4bc]
  • Consolidated, optionally-encrypted, install-order-independent persistence archive. [db8e0fc] [593b474] [2e99681]
  • Audit events without password leakage (§4.5, §5). [dfb71f4] [a017677]
  • Terminate a user's live sessions on disable/remove (§5.2.6-7). [41385cd]
  • Browse/channel hardening of sensitive nodes (§4.4.1). [e94e44f]
  • ClientRoleSet cohesive client entry point; all tests interact only via the client. [0d938bc]
  • Standalone sample server with per-Role Variable permissions + realistic Role sets. [5e54521] [6322406]
  • role-set-admin CLI extracted into its own shippable package (hidden password prompt, programmatic API). [5831c48] [0ac0d68]
  • Cross-package overview guide + refreshed READMEs. [1cafb0e]
  • getCurrentUserRoles guards a userManager returning no roles. [43b95d4]

🚀 Other features

EventFilter / ContentFilter validation (OPC UA Part 4 §7.4.4.4 / §7.7)

  • Enforce ElementOperand reference rules, operand counts, cycle detection (acyclic graphs accepted), reachability, and MaxWhereClause/MaxSelectClauseParameters limits — rejecting non-conformant EventFilters at monitored-item create and modify with precise status codes. Validation is iterative so deep filters can't exhaust the stack. [6d3e490] [9374540] [0d225d5] [62e6f52] [f7fa976] [3edc016] [adc4258] [04cdd58]

Other

  • setDefaultCertificateSubject() for ESM compatibility, with validation. (#1519) [6ef6032]

🐛 Fixes

  • reconnection: resume publishing after Republish returns BadMessageNotAvailable (e.g. CoDeSys) — terminate the republish loop and replenish the publish-request queue on the session-reactivation path. (#1524) [86127dc]
  • transport: harden the HEL/ACK handshake against malformed/truncated responses; close the socket on a failed handshake decode so a peer can't leave the transport half-connected. [afbd99d] [a76dc10] [807ba48]
  • variant: never put an inconsistent empty Matrix on the wire — flag uninitialized fixed-dimension Matrix values as BadWaitingForInitialData and defensively emit a self-consistent empty matrix. (reported by Mika Karaila) [36eba55]
  • server: evict the oldest inactive session at maxSessions; avoid double-counting session timeouts (+ regression test). [0851311] [80e514b] [dd0ac10]
  • file-transfer: invalidate the file handle on close. [b4d4265]
  • test runners: adapt to mocha 12 named exports (Mocha is not a constructor). [5d2f4b9]

🔒 Security / dependencies

  • Resolve all 9 Dependabot vulnerabilities (drop abandoned benchmark/lodash, bump mocha, pin patched transitive deps: js-yaml, brace-expansion, picomatch, esbuild) — ppm audit reports 0. [9eae2d5]

🧹 Docs / CI / chore

  • Major README/funding overhaul for customer acquisition; new supported_features.md; Ecosystem section (MCP server, OPC UA Modeler). [1015045] [080a323] [5f32edb]
  • TypeDoc pipeline fixed and expanded to 30 packages; remove legacy YUIDoc/autodoc/browserify tooling; docs-deploy SEO/canonical-link hardening. [01d817c] [4ce14ad] [ac10a05] [f2f22d2] [aae5e08] [fbbf602] [726a94c]
  • CI: surface raw Windows test-runner exit codes; pin Node 24.15.0 on Windows (libuv fs-event crash workaround). [bbb29c6] [bf7b61b]
  • Test stability: move certificate reads into before() hooks to avoid load-time crashes; role-set leak-detector wrapping. [103b770] [ade0b16] [6326b74]
  • Nodeset catalog companion-spec dependency fixes; package updates. [080a323] [ab19561] [ab624e0] [e77af7d]

🙏 Contributors

Thanks to everyone who contributed to this release:

The Sterfive Team.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
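
The transport fix in the release notes above (hardening the HEL/ACK handshake against malformed or truncated responses and closing the socket on a failed decode) can be pictured with this added example, which is not node-opcua's code and not part of the bot's comment. `parseAck`, `onHandshakeReply` and `buildAck` are hypothetical names; the 28-byte Acknowledge layout and the 8192-byte minimum buffer size are assumptions taken from the OPC UA TCP specification (OPC 10000-6), not from this page.

```javascript
// Added illustration; not node-opcua source. Layout assumed from the OPC UA
// TCP Acknowledge message (OPC 10000-6): 8-byte header + five UInt32 fields.
const ACK_SIZE = 28;
const MIN_BUFFER_SIZE = 8192; // smallest buffer size the spec allows

// Hypothetical helper: validate a handshake reply before trusting any field.
function parseAck(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 8) {
    return { ok: false, reason: "truncated header" };
  }
  const type = buf.toString("latin1", 0, 3);
  if (type === "ERR") return { ok: false, reason: "peer sent ERR" };
  if (type !== "ACK" || buf[3] !== 0x46 /* 'F' = final chunk */) {
    return { ok: false, reason: "unexpected message type" };
  }
  if (buf.readUInt32LE(4) !== ACK_SIZE || buf.length !== ACK_SIZE) {
    return { ok: false, reason: "size mismatch" };
  }
  const ack = {
    protocolVersion: buf.readUInt32LE(8),
    receiveBufferSize: buf.readUInt32LE(12),
    sendBufferSize: buf.readUInt32LE(16),
    maxMessageSize: buf.readUInt32LE(20),
    maxChunkCount: buf.readUInt32LE(24),
  };
  if (ack.receiveBufferSize < MIN_BUFFER_SIZE || ack.sendBufferSize < MIN_BUFFER_SIZE) {
    return { ok: false, reason: "buffer size below minimum" };
  }
  return { ok: true, ack };
}

// On any failure, destroy the socket so the transport is never half-connected.
function onHandshakeReply(socket, buf) {
  const result = parseAck(buf);
  if (!result.ok) socket.destroy(new Error("handshake failed: " + result.reason));
  return result;
}

// Constructed sample input: a well-formed ACK (callers may slice it short).
function buildAck() {
  const b = Buffer.alloc(ACK_SIZE);
  b.write("ACKF", 0, "latin1");
  [ACK_SIZE, 0, 65536, 65536, 0, 0].forEach((v, i) => b.writeUInt32LE(v, 4 + i * 4));
  return b;
}
```
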
