fix(installer): Improve Node.js binary detection, dependency management, and SNMPv3 fallback logic

This commit is contained in:
2025-03-26 13:27:47 +00:00
parent 5a13e49803
commit 4de6081a74
7 changed files with 177 additions and 18 deletions

View File

@@ -236,10 +236,10 @@ NUPST was designed with security in mind:
### Minimal Dependencies
- **Zero Runtime NPM Dependencies**: NUPST is built without any external NPM packages to minimize the attack surface and avoid supply chain risks.
- **Minimal Runtime Dependencies**: NUPST uses only one carefully selected NPM package (net-snmp) to minimize the attack surface and avoid supply chain risks while providing robust SNMP functionality.
- **Self-contained Node.js**: NUPST ships with its own Node.js binary, isolated from the system's Node.js installation. This ensures:
- No dependency on system Node.js versions
- Zero external libraries that could become compromised
- Minimal external libraries that could become compromised
- Consistent, tested environment for execution
- Reduced risk of dependency-based attacks
@@ -247,14 +247,30 @@ NUPST was designed with security in mind:
- **Privilege Separation**: Only specific commands that require elevated permissions (`enable`, `disable`, `update`) check for root access; all other functionality runs with minimal privileges.
- **Limited Network Access**: NUPST only communicates with the UPS device over SNMP and contacts npmjs.org only to check for updates.
- **Secure SNMPv3 Support**: Supports encrypted authentication and privacy for secure communication with the UPS device.
- **Isolated Execution**: The application runs in its working directory (`/opt/nupst`) or specified installation location, minimizing the impact on the rest of the system.
### SNMP Security Features
- **SNMPv3 Support with Secure Authentication and Privacy**:
- Three security levels available:
- `noAuthNoPriv`: No authentication or encryption (basic access)
- `authNoPriv`: Authentication without encryption (verifies identity)
- `authPriv`: Full authentication and encryption (most secure)
- Authentication protocols: MD5 or SHA
- Privacy/encryption protocols: DES or AES
- Automatic fallback mechanisms for compatibility
- Context support for segmented SNMP deployments
- Configurable timeouts based on security level
- **Graceful degradation**: If authentication or privacy details are missing or invalid, NUPST will automatically fall back to a lower security level while logging appropriate warnings.
- **Interactive setup**: Guided setup process to properly configure SNMPv3 security settings with clear explanations of each security option.
### Installation Security
- The installation script can be reviewed before execution (`curl -sSL [url] | less`)
- All setup scripts download only verified versions and check integrity
- Installation is transparent and places files in standard locations (`/opt/nupst`, `/usr/local/bin`, `/etc/systemd/system`)
- Automatically detects platform architecture and OS for proper binary selection
- Installs production dependencies locally without requiring global npm packages
### Audit and Review