From 6a23a01b4c8b486744b419b61f646b45ea92aa76 Mon Sep 17 00:00:00 2001
From: Phillip Ivan Pietruschka
Date: Mon, 16 Feb 2026 14:56:13 +1100
Subject: [PATCH 1/4] support insecure-algorithms manifest permissions flag
---
 companion/lib/Instance/NodePath.ts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/companion/lib/Instance/NodePath.ts b/companion/lib/Instance/NodePath.ts
index ffadc4e6bc..e3b30564d3 100644
--- a/companion/lib/Instance/NodePath.ts
+++ b/companion/lib/Instance/NodePath.ts
@@ -74,6 +74,8 @@ export function getNodeJsPermissionArguments(
 // Future: This should be scoped to some limited directories as specified by the user in the connection settings
 args.push('--allow-fs-read=*', '--allow-fs-write=*')
 }
+ //@ts-expect-error Error expected until PR#189 for companion-module-base merged
+ if (manifestPermissions['insecure-algorithms']) args.push('--openssl-legacy-provider')
 return args
 }
From a77edd87c8b700253b1a557338d6342cf4f46cef Mon Sep 17 00:00:00 2001
From: Phillip Ivan Pietruschka
Date: Wed, 18 Feb 2026 09:31:43 +1100
Subject: [PATCH 2/4] Rework order of operations in getNodeJsPermissionArguments method
---
 companion/lib/Instance/NodePath.ts | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/companion/lib/Instance/NodePath.ts b/companion/lib/Instance/NodePath.ts
index e3b30564d3..4593a9d2f4 100644
--- a/companion/lib/Instance/NodePath.ts
+++ b/companion/lib/Instance/NodePath.ts
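Review bot: In [PATCH 1/4] the new `insecure-algorithms` branch carries no comment on what the flag turns on, while the filesystem branch right above it does explain its own widening. `--openssl-legacy-provider` loads OpenSSL's legacy provider for the whole child process, so deprecated algorithms such as MD4, RC4 and single DES become usable by every dependency of the module, not just the code path that needs one. I would put `// Loads OpenSSL's legacy provider process-wide; only for modules whose device protocol needs a deprecated algorithm` above the `if`. The value is read from the module's own manifest, so it is also worth writing a log line when it is set, letting an operator see which connections run with weakened crypto. The body of `getNodeJsPermissionArguments` starts outside this hunk.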
@@ -38,19 +38,23 @@ export function getNodeJsPermissionArguments(
 enableInspect: boolean
 ): string[] {
 // Not supported by surfaces
- if (manifest.type === 'surface') return []
-
+ const args: string[] = []
+ if (manifest.type === 'surface') return args
+ if (!doesModuleSupportPermissionsModel(moduleApiVersion)) return args
+ const manifestPermissions = manifest.runtime.permissions || {}
+ //@ts-expect-error until companion-module-base 1.15.0 released and included
+ if (manifestPermissions['insecure-algorithms']) args.push('--openssl-legacy-provider')
 // Not supported by node18
- if (enableInspect || manifest.runtime.type === 'node18' || !doesModuleSupportPermissionsModel(moduleApiVersion))
- return []
+ if (enableInspect) return args
+ if (manifest.runtime.type === 'node18') return args
- const args = [
+ args.push(
 '--no-warnings=SecurityWarning',
 '--permission',
 // Always allow read access to the module source directory
 `--allow-fs-read=${moduleDir}`,
- `--allow-fs-read=${isPackaged() ? import.meta.dirname : path.join(import.meta.dirname, '../../..')}`, // Allow read access to companion code, because of some esm loader issues
- ]
+ `--allow-fs-read=${isPackaged() ? import.meta.dirname : path.join(import.meta.dirname, '../../..')}` // Allow read access to companion code, because of some esm loader issues
+ )
 if (!isPackaged()) {
 // Always allow read access to module host package, needed when running a dev version
@@ -64,7 +68,6 @@ export function getNodeJsPermissionArguments(
 forceReadWriteAll = true
 }
- const manifestPermissions = manifest.runtime.permissions || {}
 if (manifestPermissions['worker-threads']) args.push('--allow-worker')
 if (manifestPermissions['child-process'] || manifestPermissions['native-addons']) args.push('--allow-child-process')
 if (manifestPermissions['native-addons']) args.push('--allow-addons')
@@ -74,8 +77,6 @@ export function getNodeJsPermissionArguments(
 // Future: This should be scoped to some limited directories as specified by the user in the connection settings
 args.push('--allow-fs-read=*', '--allow-fs-write=*')
 }
- //@ts-expect-error Error expected until PR#189 for companion-module-base merged
- if (manifestPermissions['insecure-algorithms']) args.push('--openssl-legacy-provider')
 return args
 }
From 4d9bfb94a1ac66fa8f251641198ac608b475c621 Mon Sep 17 00:00:00 2001
From: Phillip Ivan Pietruschka
Date: Wed, 18 Feb 2026 09:42:04 +1100
Subject: [PATCH 3/4] slightly tweak order / formatting
---
 companion/lib/Instance/NodePath.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/companion/lib/Instance/NodePath.ts b/companion/lib/Instance/NodePath.ts
index 4593a9d2f4..ded3682e55 100644
--- a/companion/lib/Instance/NodePath.ts
+++ b/companion/lib/Instance/NodePath.ts
@@ -37,16 +37,20 @@ export function getNodeJsPermissionArguments(
 moduleDir: string,
 enableInspect: boolean
 ): string[] {
- // Not supported by surfaces
 const args: string[] = []
+
+ // Not supported by surfaces
 if (manifest.type === 'surface') return args
 if (!doesModuleSupportPermissionsModel(moduleApiVersion)) return args
+
 const manifestPermissions = manifest.runtime.permissions || {}
+
 //@ts-expect-error until companion-module-base 1.15.0 released and included
 if (manifestPermissions['insecure-algorithms']) args.push('--openssl-legacy-provider')
+
 // Not supported by node18
- if (enableInspect) return args
 if (manifest.runtime.type === 'node18') return args
+ if (enableInspect) return args
 args.push(
 '--no-warnings=SecurityWarning',
From 945c65ef5536a948d9d2c2ef36780db447be2021 Mon Sep 17 00:00:00 2001
From: Julian Waller
Date: Wed, 18 Feb 2026 22:02:20 +0000
Subject: [PATCH 4/4] wip: reorder
---
 companion/lib/Instance/NodePath.ts | 64 ++++++++++++++++--------------
 1 file changed, 34 insertions(+), 30 deletions(-)
diff --git a/companion/lib/Instance/NodePath.ts b/companion/lib/Instance/NodePath.ts
index ded3682e55..9a63d5ca97 100644
--- a/companion/lib/Instance/NodePath.ts
+++ b/companion/lib/Instance/NodePath.ts
@@ -2,7 +2,7 @@ import fs from 'fs-extra'
 import { isPackaged } from '../Resources/Util.js'
 import path from 'path'
 import { doesModuleSupportPermissionsModel } from './Connection/ApiVersions.js'
-import type { SomeModuleManifest } from '@companion-app/shared/Model/ModuleManifest.js'
+import type { ModuleManifestExt, SomeModuleManifest } from '@companion-app/shared/Model/ModuleManifest.js'
 import { createRequire } from 'module'
 /**
@@ -41,45 +41,49 @@ export function getNodeJsPermissionArguments(
 // Not supported by surfaces
 if (manifest.type === 'surface') return args
+
+ // Check module api is new enough
 if (!doesModuleSupportPermissionsModel(moduleApiVersion)) return args
- const manifestPermissions = manifest.runtime.permissions || {}
+ const manifestPermissions: ModuleManifestExt['runtime']['permissions'] = manifest.runtime.permissions || {}
- //@ts-expect-error until companion-module-base 1.15.0 released and included
 if (manifestPermissions['insecure-algorithms']) args.push('--openssl-legacy-provider')
- // Not supported by node18
+ // Node18 is more limited in supported arguments
 if (manifest.runtime.type === 'node18') return args
- if (enableInspect) return args
-
- args.push(
- '--no-warnings=SecurityWarning',
- '--permission',
- // Always allow read access to the module source directory
- `--allow-fs-read=${moduleDir}`,
- `--allow-fs-read=${isPackaged() ? import.meta.dirname : path.join(import.meta.dirname, '../../..')}` // Allow read access to companion code, because of some esm loader issues
- )
- if (!isPackaged()) {
- // Always allow read access to module host package, needed when running a dev version
- const require = createRequire(import.meta.url)
- args.push(`--allow-fs-read=${path.join(path.dirname(require.resolve('@companion-module/host')), '../../..')}`)
- }
+ args.push('--use-system-ca')
- let forceReadWriteAll = false
- if (process.platform === 'win32' && moduleDir.startsWith('\\\\')) {
- // This is a network path, which nodejs does not support for the permissions model
- forceReadWriteAll = true
- }
+ if (!enableInspect) {
+ args.push(
+ '--no-warnings=SecurityWarning',
+ '--permission',
+ // Always allow read access to the module source directory
+ `--allow-fs-read=${moduleDir}`,
+ `--allow-fs-read=${isPackaged() ? import.meta.dirname : path.join(import.meta.dirname, '../../..')}` // Allow read access to companion code, because of some esm loader issues
+ )
+
+ if (!isPackaged()) {
+ // Always allow read access to module host package, needed when running a dev version
+ const require = createRequire(import.meta.url)
+ args.push(`--allow-fs-read=${path.join(path.dirname(require.resolve('@companion-module/host')), '../../..')}`)
+ }
+
+ let forceReadWriteAll = false
+ if (process.platform === 'win32' && moduleDir.startsWith('\\\\')) {
+ // This is a network path, which nodejs does not support for the permissions model
+ forceReadWriteAll = true
+ }
- if (manifestPermissions['worker-threads']) args.push('--allow-worker')
- if (manifestPermissions['child-process'] || manifestPermissions['native-addons']) args.push('--allow-child-process')
- if (manifestPermissions['native-addons']) args.push('--allow-addons')
- if (manifestPermissions['native-addons'] || manifestPermissions['filesystem'] || forceReadWriteAll) {
- // Note: Using native addons usually means probing random filesystem paths to check the current platform
+ if (manifestPermissions['worker-threads']) args.push('--allow-worker')
+ if (manifestPermissions['child-process'] || manifestPermissions['native-addons']) args.push('--allow-child-process')
+ if (manifestPermissions['native-addons']) args.push('--allow-addons')
+ if (manifestPermissions['native-addons'] || manifestPermissions['filesystem'] || forceReadWriteAll) {
+ // Note: Using native addons usually means probing random filesystem paths to check the current platform
- // Future: This should be scoped to some limited directories as specified by the user in the connection settings
- args.push('--allow-fs-read=*', '--allow-fs-write=*')
+ // Future: This should be scoped to some limited directories as specified by the user in the connection settings
+ args.push('--allow-fs-read=*', '--allow-fs-write=*')
+ }
 }
 return args
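Review bot: `args.push('--use-system-ca')` is added for every non-node18 module with no manifest permission, no comment and no mention in the commit message ("wip: reorder"), although it changes which certificate authorities each module's TLS connections trust. With this flag Node trusts the operating system's CA store in addition to its bundled roots, so any root installed on the host (for example by a TLS-inspecting proxy) is accepted by all modules; if that is the intent, say so in a comment such as `// Trust the OS certificate store as well as Node's bundled CAs, so connections through corporate proxies validate`. The flag is also, as far as I know, only recognised by recent Node releases (22.15 / 23.8 and later), and an unknown CLI option stops the child process from starting, so the `node18`-only guard above it should be checked against the minimum Node version shipped for the other runtime types. The function's signature and closing brace are outside the hunk.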