@contrast/agent 4.2.0 → 4.4.1

package/bin/VERSION

@@ -1 +1 @@
-2.24.0
+2.26.0

package/lib/assess/models/tag-range/index.js

@@ -14,7 +14,6 @@ Copyright: 2021 Contrast Security, Inc
 */
 'use strict';
 
-const _ = require('lodash');
 const logger = require('../../../core/logger')('contrast:tagRange');
 
 const Relationships = require('./relationships');
@@ -27,14 +26,13 @@ const DEFAULT_TAG = 'untrusted';
  */
 class TagRange {
   /**
-   * Validates the arguments to the contructor call.
-   * @param {number} start The starting index to track.
-   * @param {number} stop  The stopping index to track.
-   * @param {string} tag   The name of the tag.
+   * @param {number} start The starting index of string tracking on the data having the tag.
+   * @param {number} stop  The stopping index of string tracking on the data having the tag.
+   * @param {string?} tag  The name of the tag (default is "untrusted").
    */
-  static validate(start, stop, tag = DEFAULT_TAG) {
-    const bothFinite = _.isFinite(start) && _.isFinite(stop);
-    if (start > stop || !bothFinite) {
+  constructor(start, stop, tag = DEFAULT_TAG) {
+    // Validates the arguments to the contructor call.
+    if (!(start <= stop && start >= 0)) {
       logger.debug(
         'could not create tag %s with invalid range start: %s, stop %s.',
         tag,
@@ -42,15 +40,7 @@ class TagRange {
         stop
       );
     }
-  }
 
-  /**
-   * @param {number} start The starting index of string tracking on the data having the tag.
-   * @param {number} stop  The stopping index of string tracking on the data having the tag.
-   * @param {string?} tag  The name of the tag (default is "untrusted").
-   */
-  constructor(start, stop, tag = DEFAULT_TAG) {
-    TagRange.validate(start, stop, tag);
     /** @type {string} */
     this.tag = tag;
     /** @type {number} */

package/lib/assess/policy/signatures.json

@@ -125,6 +125,11 @@
       "methodName": "",
       "isModule": true
     },
+    "express-fileupload": {
+      "moduleName": "express-fileupload",
+      "methodName": "",
+      "isModule": true
+    },
     "pg.Connection.prototype.query": {
       "moduleName": "pg",
       "methodName": "Connection.prototype.query",
@@ -392,11 +397,13 @@
     },
     "ejs.Template.prototype.generateSource": {
       "moduleName": "ejs",
+      "version": ">=2.6.2",
       "methodName": "Template.prototype.generateSource",
       "isModule": true
     },
     "ejs.utils.escapeXML": {
       "moduleName": "ejs",
+      "version": ">=2.6.2",
       "fileName": "lib/utils.js",
       "methodName": "escapeXML",
       "isModule": true

package/lib/assess/policy/util.js

@@ -372,12 +372,19 @@ utils.createHookFromSignature = function(signature, options, patchType) {
       requireHook.resolve(
         {
           name: signature.moduleName,
-          file: signature.fileName
+          file: signature.fileName,
+          version: signature.version
         },
         requireCallback
       );
     } else {
-      requireHook.resolve({ name: signature.moduleName }, requireCallback);
+      requireHook.resolve(
+        {
+          name: signature.moduleName,
+          version: signature.version
+        },
+        requireCallback
+      );
     }
   } else {
     const mod = global[signature.moduleName],

package/lib/assess/propagators/manager.js

@@ -396,10 +396,24 @@ function isTargetTracked(target, hasTags) {
  * @return {Array} all valid targets based on type
  */
 function extractValidTarget(target, data) {
-  if (target === 'R' && isString(data.result) && data.result.length) {
-    return data.result;
+  let validTarget = null;
+  switch (target) {
+    case 'R':
+      validTarget = data.result;
+      break;
+    default:
+      logger.warn(
+        'Invalid target type %s for propagator %s',
+        target,
+        data.name
+      );
+      break;
+  }
+
+  if (isString(validTarget) && validTarget.length > 0) {
+    return validTarget;
   }
-  logger.warn('Invalid target type %s for propagator %s', target, data.name);
+
   return null;
 }
 /**

package/lib/assess/sinks/mongodb.js

@@ -33,6 +33,7 @@ const { PATCH_TYPES } = require('../../constants');
 const requireHook = require('../../hooks/require');
 const { Signature, CallContext } = require('../models');
 const policy = require('../policy');
+const Scopes = require('../../core/async-storage/scopes');
 
 const ruleId = 'nosql-injection';
 const disallowedTags = [
@@ -268,13 +269,16 @@ module.exports = ({ common }) => {
    */
   mongoSink.assess = (query, context) => {
     const searchDepth = 3;
-
-    const vulnerableString = common.isVulnerable({
-      searchDepth,
-      disallowedTags,
-      requiredTags,
-      input: query
-    });
+    let vulnerableString;
+
+    Scopes.runInAllowAllScope(() => {
+      vulnerableString = common.isVulnerable({
+        searchDepth,
+        disallowedTags,
+        requiredTags,
+        input: query
+      });
+    }, 'mongodbSink.assess');
 
     if (vulnerableString) {
       mongoSink.report(vulnerableString, context);

package/lib/contrast.js

@@ -403,15 +403,14 @@ contrastAgent.run = function(nodePath, script) {
  * @param  {String} script The path to the application's entry point.
  */
 contrastAgent.resetArgs = function(nodePath, script) {
-  const appArgs = agent.config.application.args;
-  const isPrimary = !agent.hasOwnProperty('cluster') || agent.cluster.isPrimary;
   script = path.resolve(script);
+  process.argv = agent.config
+    ? [nodePath, script].concat(agent.config.application.args)
+    : process.argv;
+  const isPrimary = !agent.hasOwnProperty('cluster') || agent.cluster.isPrimary;
   const location = isPrimary ? 'Entering main' : 'Entering fork';
 
   logger.debug('%s at %s', location, script);
-
-  // need to set process.argv to what it would be without our agent args
-  process.argv = [nodePath, script].concat(appArgs);
 };
 
 /**

package/lib/core/config/options.js

@@ -419,6 +419,13 @@ const agent = [
     fn: castBoolean,
     desc: 'whether to use speedracer for input analysis when enabled'
   },
+  {
+    name: 'agent.node.native_input_analysis',
+    arg: '[true]',
+    default: false,
+    fn: castBoolean,
+    desc: 'do agent-native input analysis prior to any external analysis'
+  },
   {
     name: 'agent.node.unsafe.deadzones',
     arg: '<modules>',

package/lib/core/logger/perf-logger.js

@@ -157,7 +157,9 @@ const STORAGE_KEY = 'REQ_PERF_DATA';
 
 module.exports = (agent) => {
   const enabled =
-    agent.config.agent.node.req_perf_logging && process.hrtime.bigint;
+    agent.config &&
+    agent.config.agent.node.req_perf_logging &&
+    process.hrtime.bigint;
   if (enabled) {
     agentEmitter.on('http.requestStart', (req) => {
       AsyncStorage.set(STORAGE_KEY, new RequestStats(req));

package/lib/hooks/express-fileupload.js

@@ -0,0 +1,57 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const patcher = require('../hooks/patcher');
+const { PATCH_TYPES } = require('../constants');
+const requireHook = require('../hooks/require');
+const agentEmitter = require('../agent-emitter');
+const logger = require('../core/logger')('contrast:hooks:express');
+
+function hook() {
+  requireHook.resolve({ name: 'express-fileupload' }, (fileupload) => {
+    logger.info('hooking express-fileupload middleware');
+    const hooked = patcher.patch(fileupload, {
+      name: 'express-fileupload',
+      patchType: PATCH_TYPES.FRAMEWORK,
+      alwaysRun: true,
+      post(data) {
+        data.result = patcher.patch(data.result, {
+          name: 'express.hookedFileUploadMiddleware',
+          patchType: PATCH_TYPES.FRAMEWORK,
+          alwaysRun: true,
+          pre(data) {
+            const [req, , next] = data.args;
+            data.args[2] = function contrastNext() {
+              try {
+                if (req.files) {
+                  agentEmitter.emit('assess.body', req, 'files');
+                }
+              } catch (err) {
+                logger.info(`Unable to patch express-fileupload. ${err}`);
+              }
+
+              next();
+            };
+          }
+        });
+      }
+    });
+
+    return hooked;
+  });
+}
+
+module.exports = hook;

package/lib/hooks/patcher.js

@@ -27,7 +27,8 @@ const logger = require('../core/logger')('contrast:hooks');
 const agent = require('../agent');
 const perfLogger = require('../core/logger/perf-logger')(agent);
 const _ = require('lodash');
-const perfLoggingEnabled = agent.config.agent.node.req_perf_logging;
+const perfLoggingEnabled =
+  agent.config && agent.config.agent.node.req_perf_logging;
 const tracker = require('../tracker.js');
 const { AsyncStorage } = require('../core/async-storage');
 const {

package/lib/instrumentation.js

@@ -152,6 +152,7 @@ function nonPolicyHooks(agent) {
   require('./hooks/http')(agent);
   require('./hooks/newrelic')();
   require('./hooks/express-session')();
+  require('./hooks/express-fileupload')();
 }
 
 /**

package/lib/libraries.js

@@ -66,8 +66,12 @@ function setRequiredBy(deps, requiredBy = new Map()) {
  * @param {Object} agent agent instance
  */
 function processDependencies(deps, requiredBy, agent) {
-  _.forEach(deps, (dep) => {
-    // find which dependents a given library has from the `requiredBy` map
+  for (const key in deps) {
+    const dep = deps[key];
+    if (!dep.name) {
+      dep.name = key;
+    }
+
     dep._requiredBy = requiredBy.has(dep.name)
       ? Array.from(requiredBy.get(dep.name))
       : [];
@@ -77,7 +81,7 @@ function processDependencies(deps, requiredBy, agent) {
     if (newLib) {
       processDependencies(dep.dependencies, requiredBy, agent);
     }
-  });
+  }
 }
 
 /**

package/lib/protect/analysis/aho-corasick.js

@@ -0,0 +1,192 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+// https://www.geeksforgeeks.org/aho-corasick-algorithm-pattern-searching/
+
+const a = 'a'.charCodeAt(0);
+const z = 'z'.charCodeAt(0);
+const A = 'A'.charCodeAt(0);
+const Z = 'Z'.charCodeAt(0);
+
+class AhoCorasick {
+  constructor(words) {
+    // the maximum number of states is equal to the sum of the length of
+    // the strings to be matched.
+    this.maxStates = 0;
+    for (const word of words) {
+      this.maxStates += word.length;
+      for (const char of word) {
+        // allow for any character to be upper or lower case. this could be
+        // restricted to certain words if desired, by changing the signature
+        // to {caseInsensitive, caseSensitive}.
+        if (char >= 'a' && char <= 'z') {
+          this.maxStates += 1;
+        } else if (char >= 'A' && char <= 'Z') {
+          this.maxStates += 1;
+        }
+      }
+    }
+
+    // can optimize this by trading off computation for space.
+    this.maxChars = 128;
+
+    // if this state matches words each match will be in an array at
+    // the state.
+    this.out = Array(this.maxStates + 1);
+    for (let i = 0; i <= this.maxStates; i++) {
+      this.out[i] = [];
+    }
+
+    // state to transition to on failure
+    this.fail = Array(this.maxStates + 1);
+
+    // maxStates + 1 rows
+    // maxChars columns
+    this.goto = Array(this.maxStates + 1);
+    for (let i = 0; i <= this.maxStates; i++) {
+      this.goto[i] = Array();
+    }
+
+    this.words = words;
+
+    this.stateCount = this.buildAutomata();
+
+    // keep state so this can be called in a streaming fashion
+    this.state = 0;
+  }
+
+  reset() {
+    this.state = 0;
+  }
+
+  /* eslint-disable complexity */
+  buildAutomata() {
+    // only the root state (state 0) to start with
+    let stateCount = 1;
+
+    // fill in the goto matrix.
+    for (let i = 0; i < this.words.length; i++) {
+      const word = Buffer.from(this.words[i]);
+      let state = 0;
+
+      // create transitions for all character of the current word
+      for (const byte of word) {
+        if (byte & 0x80) {
+          throw new Error('pattern character codes cannot exceed 127');
+        }
+        if (this.goto[state][byte] === undefined) {
+          this.goto[state][byte] = stateCount;
+          stateCount += 1;
+        }
+        const previousState = state;
+        state = this.goto[state][byte];
+
+        // now make it case insensitive by mapping the alternate case to the
+        // same state as the original case.
+        let extra;
+        if (byte >= a && byte <= z) {
+          extra = byte - (a - A);
+        } else if (byte >= A && byte <= Z) {
+          extra = byte + (a - A);
+        } else {
+          continue;
+        }
+
+        if (this.goto[previousState][extra] === undefined) {
+          // transition to the state that the other case character transitioned
+          // to.
+          this.goto[previousState][extra] = stateCount - 1;
+        }
+      }
+
+      // add current word to terminal list
+      this.out[state].push(this.words[i]);
+    }
+
+    // for all byte values that don't have a transition from the root, add
+    // a transition to the root.
+    for (let byte = 0; byte < this.maxChars; byte++) {
+      if (this.goto[0][byte] === undefined) {
+        this.goto[0][byte] = 0;
+      }
+    }
+
+    // failure function is computer using breadth first order.
+    const queue = [];
+
+    // iterate over all possible inputs
+    for (let i = 0; i < this.maxChars; i++) {
+      // all nodes of depth 1 have failure function value 0.
+      if (this.goto[0][i] !== 0) {
+        this.fail[this.goto[0][i]] = 0;
+        queue.push(this.goto[0][i]);
+      }
+    }
+
+    while (queue.length) {
+      // get the first state in the queue
+      const state = queue.shift();
+
+      // for the removed state, find the failure function for all
+      // characters for which a goto is not defined.
+      for (let i = 0; i < this.maxChars; i++) {
+        if (this.goto[state][i] === undefined) {
+          continue;
+        }
+
+        // get failure transition
+        let failure = this.fail[state];
+
+        // find the deepest node ..
+
+        while (this.goto[failure][i] === undefined) {
+          failure = this.fail[failure];
+        }
+
+        failure = this.goto[failure][i];
+        this.fail[this.goto[state][i]] = failure;
+
+        // merge outputs
+        this.out[this.goto[state][i]].push(...this.out[failure]);
+
+        // insert the next level node (of trie) into queue
+        queue.push(this.goto[state][i]);
+      }
+    }
+
+    return stateCount;
+  }
+
+  check(byte) {
+    // if it's > maxChars set it to a non-matching value to force failure.
+    // this could allow some memory-reduction optimizations if worth it. i.e.,
+    // maxChars only needs to be the highest charcode in the words the user
+    // passes in. and they can be offset by the lowest charcode as well.
+    if (byte >= this.maxChars) {
+      byte = 0;
+    }
+    let next = this.state;
+    while (this.goto[next][byte] === undefined) {
+      next = this.fail[next];
+    }
+
+    this.state = this.goto[next][byte];
+
+    return this.out[this.state].length ? this.out[this.state] : null;
+  }
+}
+
+module.exports = AhoCorasick;

package/lib/protect/analysis/dfsa-analyzer.js

@@ -0,0 +1,64 @@
+/**
+Copyright: 2021 Contrast Security, Inc
+  Contact: support@contrastsecurity.com
+  License: Commercial
+
+  NOTICE: This Software and the patented inventions embodied within may only be
+  used as part of Contrast Security’s commercial offerings. Even though it is
+  made available through public repositories, use of this Software is subject to
+  the applicable End User Licensing Agreement found at
+  https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+  between Contrast Security and the End User. The Software may not be reverse
+  engineered, modified, repackaged, sold, redistributed or otherwise used in a
+  way not consistent with the End User License Agreement.
+*/
+'use strict';
+
+const AhoCorasick = require('./aho-corasick');
+
+const defaultSuspicious = ";$'</\\&#%>=*(|`".split('');
+defaultSuspicious.push('--', 'shell.', 'union select');
+
+class Analyzer {
+  constructor(suspicious = defaultSuspicious, options = {}) {
+    this.options = options;
+    this.dfsa = Analyzer.prebuilt.get(suspicious);
+    if (!this.dfsa) {
+      this.dfsa = new AhoCorasick(suspicious);
+      Analyzer.prebuilt.set(suspicious, this.dfsa);
+    }
+  }
+
+  suspicious(buffer) {
+    const found = new Set();
+    for (let ix = 0; ix < buffer.length; ix++) {
+      const result = this.dfsa.check(buffer[ix]);
+      if (result) {
+        for (const pattern of result) {
+          found.add(pattern);
+        }
+        if (this.options.returnOnFirstMatch) {
+          break;
+        }
+      }
+    }
+    if (found.size) {
+      return [...found.values()];
+    }
+
+    return null;
+  }
+
+  reset() {
+    this.dfsa.reset();
+  }
+
+  static reset() {
+    Analyzer.prebuilt.clear();
+  }
+}
+
+// can't initialize class statics.
+Analyzer.prebuilt = new Map();
+
+module.exports = Analyzer;

package/lib/protect/input-analysis.js

@@ -179,6 +179,7 @@ class InputAnalysisSensor {
       }
 
       self.cacheChunk(meta, args);
+      this._readableState.autoDestroy = false;
       const context = { instance: this, method: emit, args };
 
       // The request exceeeds the max length SR can process

package/lib/protect/service.js

@@ -31,6 +31,7 @@ const headerValidators = require('./validators');
 const UserInputKit = require('../reporter/models/utils/user-input-kit');
 const UserInputFactory = require('../reporter/models/utils/user-input-factory');
 const blockRequest = require('../util/block-request');
+const Analyzer = require('./analysis/dfsa-analyzer');
 
 class ProtectService {
   /**
@@ -42,6 +43,7 @@ class ProtectService {
     this.config = agent.config;
     this.enabled = agent.isInDefendMode();
     this.assessEnabled = agent.isInAssessMode();
+    this.nativeAnalysis = this.config.agent.node.native_input_analysis;
 
     this._exclusionFactory = new ExclusionFactory({
       featureSet: agent.tsFeatureSet,
@@ -106,6 +108,17 @@ class ProtectService {
   analyzeRequestStream({ meta, req, res, appContext }) {
     const { requestId, chunks } = meta;
 
+    if (this.nativeAnalysis) {
+      const analyzer = new Analyzer();
+      // if nothing is suspicious then don't send the body for analysis
+      if (!chunks.some((b) => analyzer.suspicious(b))) {
+        return Promise.resolve(true);
+      } else {
+        // do some processing on the data. tbd in wasm/rust/napi. potentially
+        // replace entire "send to service".
+      }
+    }
+
     return this.reporter
       .sendMessage('request', { requestId, chunks })
       .then((agentSettings) =>

package/lib/reporter/models/app-update/index.js

@@ -90,11 +90,9 @@ module.exports = class AppUpdate {
 
     // exists somewhere else and DOES have a shasum. so, we check if we can find a hash/key, and then
     // we check if the library has been seen or not.
-    if (!name || !version) {
+    if (!version) {
       logger.info(
-        `package.json is missing data; unable to report lib.  name: ${
-          name ? name : 'unknown'
-        }  version: ${version ? version : 'unknown'}`,
+        `package: ${name} is missing version in package.json or it might not have been installed; unable to report lib.`,
         data
       );
       return false;

package/node_modules/unix-dgram/build/Makefile

@@ -309,7 +309,7 @@ endif
 
 quiet_cmd_regen_makefile = ACTION Regenerating $@
 cmd_regen_makefile = cd $(srcdir); /opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp/gyp/gyp_main.py -fmake --ignore-environment "-Dlibrary=shared_library" "-Dvisibility=default" "-Dnode_root_dir=/home/runner/.cache/node-gyp/12.22.6" "-Dnode_gyp_dir=/opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp" "-Dnode_lib_file=/home/runner/.cache/node-gyp/12.22.6/<(target_arch)/node.lib" "-Dmodule_root_dir=/home/runner/work/node-agent/node-agent/target/node_modules/unix-dgram" "-Dnode_engine=v8" "--depth=." "-Goutput_dir=." "--generator-output=build" -I/home/runner/work/node-agent/node-agent/target/node_modules/unix-dgram/build/config.gypi -I/opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi -I/home/runner/.cache/node-gyp/12.22.6/include/node/common.gypi "--toplevel-dir=." binding.gyp
-Makefile: $(srcdir)/build/config.gypi $(srcdir)/../../../../../../.cache/node-gyp/12.22.6/include/node/common.gypi $(srcdir)/binding.gyp $(srcdir)/../../../../../../../../opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi
+Makefile: $(srcdir)/../../../../../../../../opt/hostedtoolcache/node/12.22.6/x64/lib/node_modules/npm/node_modules/node-gyp/addon.gypi $(srcdir)/../../../../../../.cache/node-gyp/12.22.6/include/node/common.gypi $(srcdir)/binding.gyp $(srcdir)/build/config.gypi
 	$(call do_cmd,regen_makefile)
 
 # "all" is a concatenation of the "all" targets from all the included

package/node_modules/unix-dgram/build/config.gypi

@@ -126,7 +126,7 @@
     "progress": "",
     "https_proxy": "",
     "save_prod": "",
-    "npm_session": "f169f81a3c41a0c9",
+    "npm_session": "fb860f4007af86fc",
     "audit": "true",
     "cidr": "",
     "onload_script": "",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/agent",
-  "version": "4.2.0",
+  "version": "4.4.1",
   "description": "Node.js security instrumentation by Contrast Security",
   "keywords": [
     "security",
@@ -71,13 +71,13 @@
     "@babel/types": "^7.12.1",
     "@contrast/distringuish-prebuilt": "^2.2.0",
     "@contrast/flat": "^4.1.1",
-    "@contrast/fn-inspect": "^2.4.0",
+    "@contrast/fn-inspect": "^2.4.2",
     "@contrast/heapdump": "^1.1.0",
     "@contrast/protobuf-api": "^3.2.0",
-    "@contrast/require-hook": "^2.0.3",
+    "@contrast/require-hook": "^2.0.5",
     "@contrast/synchronous-source-maps": "^1.1.0",
     "amqp-connection-manager": "^3.2.2",
-    "amqplib": "^0.7.1",
+    "amqplib": "^0.8.0",
     "base64url": "^3.0.1",
     "big-integer": "^1.6.36",
     "bluebird": "^3.5.3",
@@ -112,7 +112,7 @@
     "@bmacnaughton/string-generator": "^1.0.0",
     "@contrast/eslint-config": "^2.0.1",
     "@contrast/fake-module": "file:test/mock/contrast-fake",
-    "@contrast/screener-service": "^1.12.2",
+    "@contrast/screener-service": "^1.12.4",
     "@hapi/boom": "file:test/mock/boom",
     "@hapi/hapi": "file:test/mock/hapi",
     "@ls-lint/ls-lint": "^1.8.1",
@@ -183,7 +183,7 @@
     "test": "test"
   },
   "engines": {
-    "node": ">=12.13.0 <13 || >=14.15.0 <15 || >=16.4.0 <17",
+    "node": ">=12.13.0 <13 || >=14.15.0 <15 || >=16.9.1 <17",
     "npm": ">=6.13.7 <7 || >=7.11.0"
   },
   "bundleDependencies": [