feat(node): add SIGUSR1 signal handler prevention flags

jdalton · jdalton · commit 35934330114c · 2025-10-25T17:21:18.000-04:00
Add support for disabling SIGUSR1 debugger signal handling in production:
- supportsNodeDisableSigusr1Flag(): Detects flag support (v22.14+, v23.7+, v24.8+)
- getNodeDisableSigusr1Flags(): Returns --disable-sigusr1 or --no-inspect fallback

SIGUSR1 is reserved by Node.js for starting the debugger/inspector.
In production CLI environments, we prevent debugger attachment for security.

--disable-sigusr1: Proper solution (prevents Signal I/O Thread creation entirely)
--no-inspect: Fallback for Node 18+ (still creates thread but blocks later)
diff --git a/src/constants/node.ts b/src/constants/node.ts
@@ -77,6 +77,43 @@ export function supportsNodeRun(): boolean {
   )
 }
 
+export function supportsNodeDisableSigusr1Flag(): boolean {
+  const major = getNodeMajorVersion()
+  // --disable-sigusr1 added in v22.14.0, v23.7.0.
+  // Stabilized in v22.20.0, v24.8.0.
+  if (major >= 24) {
+    const minor = Number.parseInt(process.version.split('.')[1] || '0', 10)
+    return minor >= 8
+  }
+  if (major === 23) {
+    const minor = Number.parseInt(process.version.split('.')[1] || '0', 10)
+    return minor >= 7
+  }
+  if (major === 22) {
+    const minor = Number.parseInt(process.version.split('.')[1] || '0', 10)
+    return minor >= 14
+  }
+  return false
+}
+
+let _nodeDisableSigusr1Flags: string[]
+export function getNodeDisableSigusr1Flags(): string[] {
+  if (_nodeDisableSigusr1Flags === undefined) {
+    // SIGUSR1 is reserved by Node.js for starting the debugger/inspector.
+    // In production CLI environments, we want to prevent debugger attachment.
+    //
+    // --disable-sigusr1: Prevents Signal I/O Thread from listening to SIGUSR1 (v22.14.0+).
+    // --no-inspect: Disables inspector on older Node versions that don't support --disable-sigusr1.
+    //
+    // Note: --disable-sigusr1 is the correct solution (prevents thread creation entirely).
+    // --no-inspect is a fallback that still creates the signal handler thread but blocks later.
+    _nodeDisableSigusr1Flags = supportsNodeDisableSigusr1Flag()
+      ? ['--disable-sigusr1']
+      : ['--no-inspect']
+  }
+  return _nodeDisableSigusr1Flags
+}
+
 export function supportsProcessSend(): boolean {
   return typeof process.send === 'function'
 }
