From f4d94eb39af83772e1e10db66d4d4ca3de5bc276 Mon Sep 17 00:00:00 2001
From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 24 May 2026 10:04:18 +0200
Subject: [PATCH] fix: use ASCII control-range regex instead of \p{C} for
 password input

/^\P{C}+$/u throws "Invalid property name" at parse time on Node builds
without full ICU (e.g. nodejs-mobile), so the module fails to load and
the server can't boot there. Replace with an explicit C0/C1 control
exclusion, which needs no ICU and matches the actual intent (keep
control/escape bytes out of the interactive password buffer).

Closes #520
---
 src/server.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/server.js b/src/server.js
index 1504cf6..8459524 100644
--- a/src/server.js
+++ b/src/server.js
@@ -1067,12 +1067,15 @@ export function createServer(options = {}) {
           password = password.slice(0, -1);
           return;
         }
-        // Only accept printable input — \P{C} excludes control codes,
-        // so escape sequences from arrow keys, function keys, etc. don't
-        // sneak invisible bytes into the password buffer.
+        // Only accept printable input — reject C0/C1 control codes, so
+        // escape sequences from arrow keys, function keys, etc. don't
+        // sneak invisible bytes into the password buffer. Uses an explicit
+        // ASCII/C1 control range rather than the \p{C} Unicode property
+        // escape, which requires a full-ICU build and throws at parse time
+        // on no-ICU runtimes (e.g. nodejs-mobile). See #520.
         if (!key.ctrl && !key.meta &&
             typeof str === 'string' && str.length > 0 &&
-            /^\P{C}+$/u.test(str)) {
+            /^[^\u0000-\u001f\u007f-\u009f]+$/.test(str)) {
           password += str;
         }
       };