Add runtime guardrail for SSI

[bengl]

When in SSI, bail out if our version of Node.js is incompatible.

[github-actions]

Overall package size

Self size: 6.73 MB
Deduped: 61.99 MB
No deduping: 62.27 MB

Dependency sizes

name	version	self size	total size
@datadog/native-appsec	8.0.1	15.59 MB	15.6 MB
@datadog/native-iast-taint-tracking	2.1.0	14.91 MB	14.92 MB
@datadog/pprof	5.3.0	9.85 MB	10.22 MB
protobufjs	7.2.5	2.77 MB	6.56 MB
@datadog/native-iast-rewriter	2.3.1	2.15 MB	2.24 MB
@opentelemetry/core	1.14.0	872.87 kB	1.47 MB
@datadog/native-metrics	2.0.0	898.77 kB	1.3 MB
@opentelemetry/api	1.8.0	1.21 MB	1.21 MB
import-in-the-middle	1.8.1	71.67 kB	741.34 kB
msgpack-lite	0.1.26	201.16 kB	281.59 kB
opentracing	0.14.7	194.81 kB	194.81 kB
semver	7.5.4	93.4 kB	123.8 kB
pprof-format	2.1.0	111.69 kB	111.69 kB
@datadog/sketches-js	2.1.0	109.9 kB	109.9 kB
lodash.sortby	4.7.0	75.76 kB	75.76 kB
lru-cache	7.14.0	74.95 kB	74.95 kB
ignore	5.2.4	51.22 kB	51.22 kB
int64-buffer	0.1.10	49.18 kB	49.18 kB
shell-quote	1.8.1	44.96 kB	44.96 kB
istanbul-lib-coverage	3.2.0	29.34 kB	29.34 kB
tlhunter-sorted-set	0.1.0	24.94 kB	24.94 kB
limiter	1.1.5	23.17 kB	23.17 kB
dc-polyfill	0.1.4	23.1 kB	23.1 kB
retry	0.13.1	18.85 kB	18.85 kB
jest-docblock	29.7.0	8.99 kB	12.76 kB
crypto-randomuuid	1.0.0	11.18 kB	11.18 kB
path-to-regexp	0.1.7	6.78 kB	6.78 kB
koalas	1.0.2	6.47 kB	6.47 kB
module-details-from-path	1.0.3	4.47 kB	4.47 kB

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[pr-commenter]

Benchmarks

Benchmark execution time: 2024-06-25 19:25:41

Comparing candidate commit acb6c1e in PR branch bengl/runtime-guardrails with baseline commit bc36d27 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 260 metrics, 6 unstable metrics.

[simon-id]

make sure to update this in april of the year 27002, when node 50000 releases

[bengl]

Maybe I should use Number.MAX_SAFE_INTEGER instead?

[Qard]

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.19%. Comparing base (b1f1f85) to head (077923f).
Report is 15 commits behind head on master.

❗ Current head 077923f differs from pull request most recent head acb6c1e

Please upload reports for the commit acb6c1e to get more accurate results.

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #4319       +/-   ##
===========================================
- Coverage   92.64%   69.19%   -23.46%     
===========================================
  Files         116        1      -115     
  Lines        4173      198     -3975     
  Branches       33       33               
===========================================
- Hits         3866      137     -3729     
+ Misses        307       61      -246     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[rochdev]

Let's use a real old version instead. The version number is not what would typically cause issues, but rather things that we do that could be unsupported in older versions, and that includes the bailout logic.

[bengl]

@rochdev Would one version prior to the current bottom of the engines field range suffice?

[rochdev]

To be honest I'd probably go with as low as we possibly can for the odd Node 4/6/8 that may try installing this, especially since it should be easy to support these versions for just the bailout script.

[rochdev]

New code looks good to me, but I'd say the minimum Node version should be lowered to at the very least 8, but if we can push 4 then that's even better. Both of those won't work on Apple Silicon though, so maybe the choice could be platform specific? In any case, this is not a blocker, but definitely something we should do, otherwise we have no idea if this works on older versions which may still fail.

[szegedi]

LGTM, one small nit.

[szegedi]

You could move this before forEach

[szegedi]

I often see this ['1', 'true', 'True'].includes(…) idiom. We do have an isTrue function in util.js though – could you use that instead for consistency? It also accepts the word "true" in any combination of letter cases and while "tRuE" is arguably weird, "TRUE" is reasonable.

Suggested change

	const forced = ['1', 'true', 'True'].includes(process.env.DD_INJECT_FORCE)
	const forced = isTrue(process.env.DD_INJECT_FORCE)

Even better, since you're creating a Config object on line 10 anyway you could let it read the env variable and expose its evaluation result as a property of the config object. That way the config object is the only source of configuration for all of the rest of the codebase. There's already some processing in there for e.g. DD_INJECTION_ENABLED that I added for profiler's needs, but you'd be welcome to generalize it, and then you could use a Config property for that as well.