quickjs 0.13.0 → 0.14.0

data/ext/quickjsrb/vendor/polyfill-url.min.js

@@ -0,0 +1 @@
+(function(){let e={ftp:21,file:null,http:80,https:443,ws:80,wss:443};function t(t){return Object.prototype.hasOwnProperty.call(e,t)}function n(t){return e[t]??null}let r=/[\x00-\x1f\x7f-\uffff]/,i=/[\x00-\x1f \x22\x3c\x3e\x60\x7f-\uffff]/,a=/[\x00-\x1f \x22\x23\x3c\x3e\x7f-\uffff]/,o=/[\x00-\x1f \x22\x23\x27\x3c\x3e\x7f-\uffff]/,s=/[\x00-\x1f \x22\x23\x3c\x3e\x3f\x60\x7b-\x7d\x7f-\uffff]/,c=/[\x00-\x1f \x22\x23\x2f\x3a\x3b\x3d\x40\x5b-\x5e\x60\x7b-\x7d\x7f-\uffff]/;function l(e,t){let n=``;for(let r=0;r<e.length;r++){let i=e[r],a=e.charCodeAt(r);if(a>=55296&&a<=56319&&r+1<e.length){let t=e.charCodeAt(r+1);if(t>=56320&&t<=57343){let e=u((a-55296)*1024+(t-56320)+65536);for(let t of e)n+=`%`+t.toString(16).toUpperCase().padStart(2,`0`);r++;continue}}if(t.test(i)){let e=u(a);for(let t of e)n+=`%`+t.toString(16).toUpperCase().padStart(2,`0`)}else n+=i}return n}function u(e){return e<=127?[e]:e<=2047?[192|e>>6,128|e&63]:e<=65535?[224|e>>12,128|e>>6&63,128|e&63]:[240|e>>18,128|e>>12&63,128|e>>6&63,128|e&63]}function d(e){return e.replace(/%([0-9A-Fa-f]{2})/g,(e,t)=>String.fromCharCode(parseInt(t,16)))}function f(e){return e>=`0`&&e<=`9`}function p(e){return e>=`0`&&e<=`9`||e>=`a`&&e<=`f`||e>=`A`&&e<=`F`}function m(e){return e>=`a`&&e<=`z`||e>=`A`&&e<=`Z`}function h(e,t){if(e.length<2||!m(e[0]))return!1;let n=e[1];return t?n===`:`:n===`:`||n===`|`}function g(e){return e.length<2||!m(e[0])||e[1]!==`:`&&e[1]!==`|`?!1:e.length===2?!0:e[2]===`/`||e[2]===`\\`||e[2]===`?`||e[2]===`#`}function _(e,t){t===`file`&&e.length===1&&h(e[0],!0)||e.length>0&&e.pop()}function v(){return{scheme:``,username:``,password:``,host:null,port:null,path:[],query:null,fragment:null,cannotBeABaseURL:!1}}function y(e,t){let n=e.scheme+`:`;if(e.host===null?e.scheme===`file`&&(n+=`//`):(n+=`//`,(e.username!==``||e.password!==``)&&(n+=e.username,e.password!==``&&(n+=`:`+e.password),n+=`@`),n+=b(e.host),e.port!==null&&(n+=`:`+e.port)),e.cannotBeABaseURL)n+=e.path[0]??``;else for(let t of e.path)n+=`/`+t;return e.query!==null&&(n+=`?`+e.query),!t&&e.fragment!==null&&(n+=`#`+e.fragment),n}function b(e){return typeof e==`number`?x(e):Array.isArray(e)?`[`+S(e)+`]`:e}function x(e){let t=e,n=[];for(let e=0;e<4;e++)n.unshift(t%256),t=Math.floor(t/256);return n.join(`.`)}function S(e){let t=``,n=C(e),r=!1;for(let i=0;i<8;i++){if(r)if(e[i]!==0)r=!1;else continue;if(i===n){t+=i===0?`::`:`:`,r=!0;continue}t+=e[i].toString(16),i!==7&&(t+=`:`)}return t}function C(e){let t=-1,n=1,r=-1,i=0;for(let a=0;a<8;a++)e[a]===0?(r===-1&&(r=a,i=0),i++,i>n&&(n=i,t=r)):r=-1;return t}function w(e){return t(e.scheme)&&e.scheme!==`file`?e.scheme+`://`+b(e.host)+(e.port===null?``:`:`+e.port):`null`}function T(e){let t=e.split(`.`);if(t[t.length-1]===``&&t.pop(),t.length>4)return null;let n=[];for(let e of t){if(e===``)return null;let t;if(t=/^0[xX]/.test(e)?parseInt(e,16):e.startsWith(`0`)&&e.length>1?parseInt(e,8):parseInt(e,10),isNaN(t)||t<0)return null;n.push(t)}if(n.some((e,t)=>t<n.length-1&&e>255))return null;let r=n[n.length-1];if(r>=256**(5-n.length))return null;let i=r;for(let e=0;e<n.length-1;e++){if(n[e]>255)return null;i+=n[e]*256**(3-e)}return i}function E(e){let t=[0,0,0,0,0,0,0,0],n=0,r=null,i=0;for(e[i]===`:`&&e[i+1]===`:`&&(i+=2,n++,r=n);i<e.length;){if(n===8)return null;if(e[i]===`:`){if(r!==null)return null;i++,n++,r=n;continue}let a=0,o=0;for(;o<4&&i<e.length&&p(e[i]);)a=a*16+parseInt(e[i],16),i++,o++;if(i<e.length&&e[i]===`.`){if(o===0||(i-=o,n>6))return null;let r=0;for(;i<e.length;){let a=null;if(r>0)if(e[i]===`.`&&r<4)i++;else return null;if(!f(e[i]))return null;for(;i<e.length&&f(e[i]);){let t=parseInt(e[i],10);if(a=a===null?t:a*10+t,a>255)return null;i++}t[n]=t[n]*256+a,r++,(r===2||r===4)&&n++}if(r!==4)return null;break}else if(i<e.length&&e[i]===`:`){if(i++,i>=e.length)return null}else if(i<e.length)return null;t[n]=a,n++}if(r!==null){let e=n-r;for(n=7;n!==0&&e>0;)[t[n],t[r+e-1]]=[t[r+e-1],t[n]],n--,e--}else if(r===null&&n!==8)return null;return t}function D(e){for(let t of e)if(` #%/:?@[\\]`.includes(t)||t.charCodeAt(0)>126)return null;return l(e,r)}function O(e,t){if(e.startsWith(`[`))return e.endsWith(`]`)?E(e.slice(1,-1)):null;if(t)return D(e);let n=d(e).toLowerCase();if(!n)return null;let r=T(n);return r===null?n.includes(`..`)?null:n:r}function k(e,u,d,p){d||=v(),e=e.trim().replace(/[\t\n\r]/g,``);let y=p||`scheme start`,b=``,x=!1,S=!1,C=!1,w=0;for(;w<=e.length;){let v=e[w];switch(y){case`scheme start`:if(v!==void 0&&m(v))b+=v.toLowerCase(),y=`scheme`;else if(p)return null;else{y=`no scheme`;continue}break;case`scheme`:if(v!==void 0&&(m(v)||f(v)||`+-.`.includes(v)))b+=v.toLowerCase();else if(v===`:`){if(p&&(t(d.scheme)!==t(b)||(b===`http`||b===`https`)&&d.scheme===`file`||d.scheme===`file`&&(d.host===``||d.host===null)))return d;if(d.scheme=b,p)return d.port===n(d.scheme)&&(d.port=null),d;b=``,d.scheme===`file`?y=`file`:t(d.scheme)&&u&&u.scheme===d.scheme?y=`special relative or authority`:t(d.scheme)?y=`special authority slashes`:e[w+1]===`/`?(y=`path or authority`,w++):(d.cannotBeABaseURL=!0,d.path.push(``),y=`cannot-be-a-base-URL path`)}else if(!p)b=``,y=`no scheme`,w=-1;else return null;break;case`no scheme`:if(!u||u.cannotBeABaseURL&&v!==`#`)return null;if(u.cannotBeABaseURL&&v===`#`){d.scheme=u.scheme,d.path=u.path.slice(),d.query=u.query,d.fragment=``,d.cannotBeABaseURL=!0,y=`fragment`;break}y=u.scheme===`file`?`file`:`relative`;continue;case`special relative or authority`:if(v===`/`&&e[w+1]===`/`)y=`special authority ignore slashes`,w++;else{y=`relative`;continue}break;case`path or authority`:if(v===`/`)y=`authority`;else{y=`path`;continue}break;case`relative`:if(d.scheme=u.scheme,v===void 0)d.username=u.username,d.password=u.password,d.host=u.host,d.port=u.port,d.path=u.path.slice(),d.query=u.query;else if(v===`/`)y=`relative slash`;else if(v===`?`)d.username=u.username,d.password=u.password,d.host=u.host,d.port=u.port,d.path=u.path.slice(),d.query=``,y=`query`;else if(v===`#`)d.username=u.username,d.password=u.password,d.host=u.host,d.port=u.port,d.path=u.path.slice(),d.query=u.query,d.fragment=``,y=`fragment`;else if(t(d.scheme)&&v===`\\`)y=`relative slash`;else{d.username=u.username,d.password=u.password,d.host=u.host,d.port=u.port,d.path=u.path.slice(),d.path.length>0&&d.path.pop(),y=`path`;continue}break;case`relative slash`:if(t(d.scheme)&&(v===`/`||v===`\\`))y=`special authority ignore slashes`;else if(v===`/`)y=`authority`;else{d.username=u.username,d.password=u.password,d.host=u.host,d.port=u.port,y=`path`;continue}break;case`special authority slashes`:if(v===`/`&&e[w+1]===`/`)y=`special authority ignore slashes`,w++;else{y=`special authority ignore slashes`;continue}break;case`special authority ignore slashes`:if(v!==`/`&&v!==`\\`){y=`authority`;continue}break;case`authority`:if(v===`@`){x&&(b=`%40`+b),x=!0;for(let e=0;e<b.length;e++){let t=b[e];if(t===`:`&&!C){C=!0;continue}let n=l(t,c);C?d.password+=n:d.username+=n}b=``}else if(v===void 0||v===`/`||v===`?`||v===`#`||t(d.scheme)&&v===`\\`){if(x&&b===``)return null;w-=b.length+1,b=``,y=`host`}else b+=v;break;case`host`:case`hostname`:if(p&&d.scheme===`file`){y=`file host`;continue}else if(v===`:`&&!S){if(b===``)return null;let e=O(b,!t(d.scheme));if(e===null)return null;if(d.host=e,b=``,y=`port`,p===`hostname`)return d}else if(v===void 0||v===`/`||v===`?`||v===`#`||t(d.scheme)&&v===`\\`){if(t(d.scheme)&&b===``)return null;if(p&&b===``&&(d.username!==``||d.password!==``||d.port!==null))return d;let e=O(b,!t(d.scheme));if(e===null)return null;if(d.host=e,b=``,y=`path start`,p)return d;continue}else v===`[`&&(S=!0),v===`]`&&(S=!1),b+=v;break;case`port`:if(f(v))b+=v;else if(v===void 0||v===`/`||v===`?`||v===`#`||t(d.scheme)&&v===`\\`||p){if(b!==``){let e=parseInt(b,10);if(e>65535)return null;d.port=e===n(d.scheme)?null:e,b=``}if(p)return d;y=`path start`;continue}else return null;break;case`file`:if(d.scheme=`file`,d.host=``,v===`/`||v===`\\`)y=`file slash`;else if(u&&u.scheme===`file`){if(d.host=u.host,d.path=u.path.slice(),d.query=u.query,v===`?`)d.query=``,y=`query`;else if(v===`#`)d.fragment=``,y=`fragment`;else if(v!==void 0){d.query=null,g(e.slice(w))?d.path=[]:_(d.path,d.scheme),y=`path`;continue}}else{y=`path`;continue}break;case`file slash`:if(v===`/`||v===`\\`)y=`file host`;else{u&&u.scheme===`file`&&(d.host=u.host,!g(e.slice(w))&&u.path.length>0&&h(u.path[0],!0)&&d.path.push(u.path[0])),y=`path`;continue}break;case`file host`:if(v===void 0||v===`/`||v===`\\`||v===`?`||v===`#`){if(!p&&h(b,!1))y=`path`;else if(b===``){if(d.host=``,p)return d;y=`path start`}else{let e=O(b,!1);if(e===null)return null;if(d.host=e===`localhost`?``:e,p)return d;b=``,y=`path start`}continue}else b+=v;break;case`path start`:if(t(d.scheme)){if(y=`path`,v!==`/`&&v!==`\\`)continue}else if(!p&&v===`?`)d.query=``,y=`query`;else if(!p&&v===`#`)d.fragment=``,y=`fragment`;else if(v!==void 0){if(y=`path`,v!==`/`)continue}else p&&d.host===null&&d.path.push(``);break;case`path`:if(v===void 0||v===`/`||t(d.scheme)&&v===`\\`||!p&&(v===`?`||v===`#`)){let e=b.toLowerCase();e===`%2e`||e===`.`?b=`.`:(e===`%2e%2e`||e===`.%2e`||e===`%2e.`||e===`..`)&&(b=`..`),b===`..`?(_(d.path,d.scheme),v!==`/`&&!(t(d.scheme)&&v===`\\`)&&d.path.push(``)):b===`.`?v!==`/`&&!(t(d.scheme)&&v===`\\`)&&d.path.push(``):(d.scheme===`file`&&d.path.length===0&&h(b,!1)&&(b=b[0]+`:`),d.path.push(b)),b=``,v===`?`?(d.query=``,y=`query`):v===`#`&&(d.fragment=``,y=`fragment`)}else b+=l(v,s);break;case`cannot-be-a-base-URL path`:v===`?`?(d.query=``,y=`query`):v===`#`?(d.fragment=``,y=`fragment`):v!==void 0&&(d.path[0]+=l(v,r));break;case`query`:if(v===void 0||!p&&v===`#`){let e=t(d.scheme)?o:a;d.query+=l(b,e),b=``,v===`#`&&(d.fragment=``,y=`fragment`)}else b+=v;break;case`fragment`:v!==void 0&&(d.fragment+=l(v,i));break}w++}return d}var A=class{#e;#t;constructor(e=``){if(this.#e=[],this.#t=null,typeof e==`string`)e.startsWith(`?`)&&(e=e.slice(1)),this.#e=j(e);else if(Array.isArray(e))for(let t of e){if(!Array.isArray(t)||t.length!==2)throw TypeError(`Each pair must be an iterable [name, value] tuple`);this.#e.push([String(t[0]),String(t[1])])}else if(typeof e==`object`&&e)for(let t of Object.keys(e))this.#e.push([t,String(e[t])])}_setURL(e){this.#t=e}_update(){if(this.#t){let e=this.toString();this.#t._urlRecord.query=e===``?null:e}}append(e,t){this.#e.push([String(e),String(t)]),this._update()}delete(e,t){e=String(e),t===void 0?this.#e=this.#e.filter(([t])=>t!==e):(t=String(t),this.#e=this.#e.filter(([n,r])=>!(n===e&&r===t))),this._update()}get(e){e=String(e);let t=this.#e.find(([t])=>t===e);return t?t[1]:null}getAll(e){return e=String(e),this.#e.filter(([t])=>t===e).map(([,e])=>e)}has(e,t){return e=String(e),t===void 0?this.#e.some(([t])=>t===e):(t=String(t),this.#e.some(([n,r])=>n===e&&r===t))}set(e,t){e=String(e),t=String(t);let n=!1;if(this.#e=this.#e.filter(([t])=>t===e?n?!1:(n=!0,!0):!0),!n)this.#e.push([e,t]);else{let n=this.#e.findIndex(([t])=>t===e);this.#e[n][1]=t}this._update()}sort(){this.#e.sort((e,t)=>e[0]<t[0]?-1:+(e[0]>t[0])),this._update()}keys(){return this.#e.map(([e])=>e)[Symbol.iterator]()}values(){return this.#e.map(([,e])=>e)[Symbol.iterator]()}entries(){return this.#e.slice()[Symbol.iterator]()}forEach(e,t){for(let[n,r]of this.#e)e.call(t,r,n,this)}[Symbol.iterator](){return this.entries()}get size(){return this.#e.length}toString(){return this.#e.map(([e,t])=>M(e)+`=`+M(t)).join(`&`)}get[Symbol.toStringTag](){return`URLSearchParams`}};function j(e){return e===``?[]:e.split(`&`).map(e=>{let t=e.indexOf(`=`),n,r;return t===-1?(n=e,r=``):(n=e.slice(0,t),r=e.slice(t+1)),[N(n),N(r)]})}function M(e){return e.replace(/[^*\-._A-Za-z0-9]/g,e=>e===` `?`+`:u(e.charCodeAt(0)).map(e=>`%`+e.toString(16).toUpperCase().padStart(2,`0`)).join(``))}function N(e){return decodeURIComponent(e.replace(/\+/g,` `))}globalThis.URL=class e{#e;#t;constructor(e,t){let n=null;if(t!==void 0&&(n=k(String(t)),n===null))throw TypeError(`Failed to construct 'URL': Invalid base URL`);let r=k(String(e),n);if(r===null)throw TypeError(`Failed to construct 'URL': Invalid URL`);this.#e=r,this.#t=new A(r.query??``),this.#t._setURL(this)}get _urlRecord(){return this.#e}get href(){return y(this.#e,!1)}set href(e){let t=k(String(e));if(t===null)throw TypeError(`Invalid URL`);this.#e=t,this.#t=new A(t.query??``),this.#t._setURL(this)}get origin(){return w(this.#e)}get protocol(){return this.#e.scheme+`:`}set protocol(e){k(String(e)+`:`,null,this.#e,`scheme start`)}get username(){return this.#e.username}set username(e){this.#e.host===null||this.#e.host===``||this.#e.cannotBeABaseURL||this.#e.scheme===`file`||(this.#e.username=l(String(e),c))}get password(){return this.#e.password}set password(e){this.#e.host===null||this.#e.host===``||this.#e.cannotBeABaseURL||this.#e.scheme===`file`||(this.#e.password=l(String(e),c))}get host(){let e=this.#e;return e.host===null?``:e.port===null?b(e.host):b(e.host)+`:`+e.port}set host(e){this.#e.cannotBeABaseURL||k(String(e),null,this.#e,`host`)}get hostname(){return this.#e.host===null?``:b(this.#e.host)}set hostname(e){this.#e.cannotBeABaseURL||k(String(e),null,this.#e,`hostname`)}get port(){return this.#e.port===null?``:String(this.#e.port)}set port(e){this.#e.host===null||this.#e.host===``||this.#e.cannotBeABaseURL||this.#e.scheme===`file`||(e=String(e),e===``?this.#e.port=null:k(e,null,this.#e,`port`))}get pathname(){let e=this.#e;return e.cannotBeABaseURL?e.path[0]??``:e.path.length===0?``:`/`+e.path.join(`/`)}set pathname(e){this.#e.cannotBeABaseURL||(this.#e.path=[],k(String(e),null,this.#e,`path start`))}get search(){return this.#e.query===null||this.#e.query===``?``:`?`+this.#e.query}set search(e){if(e=String(e),e===``){this.#e.query=null,this.#t=new A(``),this.#t._setURL(this);return}e.startsWith(`?`)&&(e=e.slice(1)),this.#e.query=``,k(e,null,this.#e,`query`),this.#t=new A(this.#e.query??``),this.#t._setURL(this)}get searchParams(){return this.#t}get hash(){return this.#e.fragment===null||this.#e.fragment===``?``:`#`+this.#e.fragment}set hash(e){if(e=String(e),e===``){this.#e.fragment=null;return}e.startsWith(`#`)&&(e=e.slice(1)),this.#e.fragment=``,k(e,null,this.#e,`fragment`)}toString(){return this.href}toJSON(){return this.href}get[Symbol.toStringTag](){return`URL`}static canParse(t,n){try{return new e(t,n),!0}catch{return!1}}static parse(t,n){try{return new e(t,n)}catch{return null}}},globalThis.URLSearchParams=A})();

data/lib/quickjs/crypto_key.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Quickjs
+  class CryptoKey
+    attr_reader :type, :extractable, :algorithm, :usages, :key_data
+
+    def initialize(type, extractable, algorithm, usages, key_data)
+      @type = type
+      @extractable = extractable
+      @algorithm = algorithm
+      @usages = usages
+      @key_data = key_data
+    end
+  end
+end

data/lib/quickjs/subtle_crypto.rb

@@ -0,0 +1,493 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module Quickjs
+  module SubtleCrypto
+    DIGEST_ALGORITHMS = {
+      "SHA-1"   => "SHA1",
+      "SHA-256" => "SHA256",
+      "SHA-384" => "SHA384",
+      "SHA-512" => "SHA512",
+    }.freeze
+
+    AES_ALGORITHMS = %w[AES-GCM AES-CBC AES-CTR AES-KW].freeze
+    AES_VALID_LENGTHS = [128, 192, 256].freeze
+
+    HMAC_HASH_OUTPUT_LENGTHS = {
+      "SHA-1" => 160, "SHA-256" => 256, "SHA-384" => 384, "SHA-512" => 512,
+    }.freeze
+
+    EC_CURVE_MAP = {
+      "P-256" => "prime256v1",
+      "P-384" => "secp384r1",
+      "P-521" => "secp521r1",
+    }.freeze
+
+    EC_COORD_SIZES = {
+      "P-256" => 32, "P-384" => 48, "P-521" => 66,
+    }.freeze
+
+    RSA_ALGORITHMS = %w[RSASSA-PKCS1-v1_5 RSA-PSS RSA-OAEP].freeze
+    ECDSA_ALGORITHMS = %w[ECDSA].freeze
+    ECDH_ALGORITHMS = %w[ECDH X25519].freeze
+    KDF_ALGORITHMS = %w[PBKDF2 HKDF].freeze
+
+    def self.digest(algorithm_name, data)
+      ossl_name = DIGEST_ALGORITHMS[algorithm_name] or
+        raise ArgumentError, "SubtleCrypto: unsupported digest algorithm '#{algorithm_name}'"
+      OpenSSL::Digest.digest(ossl_name, data)
+    end
+
+    def self.generate_key(algo, extractable, usages)
+      name = algo[:name] or raise ArgumentError, "SubtleCrypto: algorithm name is required"
+      case name
+      when *AES_ALGORITHMS
+        length = algo[:length] or raise ArgumentError, "SubtleCrypto: AES key requires length"
+        raise ArgumentError, "SubtleCrypto: invalid AES key length #{length}" unless AES_VALID_LENGTHS.include?(length)
+        key_data = OpenSSL::Random.random_bytes(length / 8)
+        Quickjs::CryptoKey.new("secret", extractable, { "name" => name, "length" => length }, usages, key_data)
+      when "HMAC"
+        hash = algo[:hash] or raise ArgumentError, "SubtleCrypto: HMAC requires hash"
+        length = algo[:length] || HMAC_HASH_OUTPUT_LENGTHS[hash] or
+          raise ArgumentError, "SubtleCrypto: unsupported HMAC hash '#{hash}'"
+        key_data = OpenSSL::Random.random_bytes(length / 8)
+        Quickjs::CryptoKey.new("secret", extractable, { "name" => "HMAC", "hash" => hash, "length" => length }, usages, key_data)
+      when *RSA_ALGORITHMS
+        modulus_length = algo[:modulus_length] or raise ArgumentError, "SubtleCrypto: RSA key requires modulusLength"
+        public_exponent_bytes = algo[:public_exponent] or raise ArgumentError, "SubtleCrypto: RSA key requires publicExponent"
+        hash = algo[:hash] or raise ArgumentError, "SubtleCrypto: RSA key requires hash"
+        exponent = public_exponent_bytes.bytes.reduce(0) { |acc, b| (acc << 8) | b }
+        pkey = OpenSSL::PKey::RSA.generate(modulus_length, exponent)
+        algo_hash = { "name" => name, "modulusLength" => modulus_length, "publicExponent" => public_exponent_bytes, "hash" => hash }
+        {
+          private_key: Quickjs::CryptoKey.new("private", extractable, algo_hash, usages.select { |u| %w[sign decrypt unwrapKey].include?(u) }, pkey),
+          public_key: Quickjs::CryptoKey.new("public", true, algo_hash, usages.select { |u| %w[verify encrypt wrapKey].include?(u) }, pkey),
+        }
+      when "ECDSA", "ECDH"
+        named_curve = algo[:named_curve] or raise ArgumentError, "SubtleCrypto: EC key requires namedCurve"
+        ossl_curve = EC_CURVE_MAP[named_curve] or raise ArgumentError, "SubtleCrypto: unsupported curve '#{named_curve}'"
+        pkey = OpenSSL::PKey::EC.generate(ossl_curve)
+        algo_hash = { "name" => name, "namedCurve" => named_curve }
+        private_usages = name == "ECDSA" ? %w[sign] : %w[deriveKey deriveBits]
+        public_usages = name == "ECDSA" ? %w[verify] : []
+        {
+          private_key: Quickjs::CryptoKey.new("private", extractable, algo_hash, usages.select { |u| private_usages.include?(u) }, pkey),
+          public_key: Quickjs::CryptoKey.new("public", true, algo_hash, usages.select { |u| public_usages.include?(u) }, pkey),
+        }
+      when "Ed25519"
+        pkey = OpenSSL::PKey.generate_key("ED25519")
+        algo_hash = { "name" => "Ed25519" }
+        {
+          private_key: Quickjs::CryptoKey.new("private", extractable, algo_hash, usages.select { |u| u == "sign" }, pkey),
+          public_key: Quickjs::CryptoKey.new("public", true, algo_hash, usages.select { |u| u == "verify" }, pkey),
+        }
+      when "X25519"
+        pkey = OpenSSL::PKey.generate_key("X25519")
+        algo_hash = { "name" => "X25519" }
+        {
+          private_key: Quickjs::CryptoKey.new("private", extractable, algo_hash, usages.select { |u| %w[deriveKey deriveBits].include?(u) }, pkey),
+          public_key: Quickjs::CryptoKey.new("public", true, algo_hash, [], pkey),
+        }
+      else
+        raise ArgumentError, "SubtleCrypto: unsupported generateKey algorithm '#{name}'"
+      end
+    end
+
+    def self.import_key(format, key_data, algo, extractable, usages)
+      name = algo[:name] or raise ArgumentError, "SubtleCrypto: algorithm name is required"
+      case format
+      when "raw"
+        case name
+        when *AES_ALGORITHMS
+          length = key_data.bytesize * 8
+          raise ArgumentError, "SubtleCrypto: invalid AES key length #{length}" unless AES_VALID_LENGTHS.include?(length)
+          Quickjs::CryptoKey.new("secret", extractable, { "name" => name, "length" => length }, usages, key_data)
+        when "HMAC"
+          hash = algo[:hash] or raise ArgumentError, "SubtleCrypto: HMAC requires hash"
+          length = key_data.bytesize * 8
+          Quickjs::CryptoKey.new("secret", extractable, { "name" => "HMAC", "hash" => hash, "length" => length }, usages, key_data)
+        when "PBKDF2"
+          Quickjs::CryptoKey.new("secret", false, { "name" => "PBKDF2" }, usages, key_data)
+        when "HKDF"
+          Quickjs::CryptoKey.new("secret", false, { "name" => "HKDF" }, usages, key_data)
+        when "ECDSA", "ECDH"
+          named_curve = algo[:named_curve] or raise ArgumentError, "SubtleCrypto: EC import requires namedCurve"
+          pkey = import_raw_ec_public(key_data, named_curve)
+          Quickjs::CryptoKey.new("public", extractable, { "name" => name, "namedCurve" => named_curve }, usages, pkey)
+        when "Ed25519"
+          pkey = import_raw_okp_public(key_data, "ED25519")
+          Quickjs::CryptoKey.new("public", extractable, { "name" => "Ed25519" }, usages, pkey)
+        when "X25519"
+          pkey = import_raw_okp_public(key_data, "X25519")
+          Quickjs::CryptoKey.new("public", extractable, { "name" => "X25519" }, usages, pkey)
+        else
+          raise ArgumentError, "SubtleCrypto: unsupported raw importKey algorithm '#{name}'"
+        end
+      when "spki"
+        pkey = OpenSSL::PKey.read(key_data)
+        case name
+        when *RSA_ALGORITHMS
+          rsa = pkey.is_a?(OpenSSL::PKey::RSA) ? pkey : raise(ArgumentError, "SubtleCrypto: key is not RSA")
+          hash = algo[:hash] or raise ArgumentError, "SubtleCrypto: RSA import requires hash"
+          pub_exp_bytes = [rsa.e.to_s(16)].pack("H*")
+          algo_hash = { "name" => name, "modulusLength" => rsa.n.num_bits, "publicExponent" => pub_exp_bytes, "hash" => hash }
+          Quickjs::CryptoKey.new("public", extractable, algo_hash, usages, pkey)
+        when "ECDSA", "ECDH"
+          named_curve = algo[:named_curve] or raise ArgumentError, "SubtleCrypto: EC import requires namedCurve"
+          Quickjs::CryptoKey.new("public", extractable, { "name" => name, "namedCurve" => named_curve }, usages, pkey)
+        when "Ed25519"
+          Quickjs::CryptoKey.new("public", extractable, { "name" => "Ed25519" }, usages, pkey)
+        when "X25519"
+          Quickjs::CryptoKey.new("public", extractable, { "name" => "X25519" }, usages, pkey)
+        else
+          raise ArgumentError, "SubtleCrypto: unsupported spki importKey algorithm '#{name}'"
+        end
+      when "pkcs8"
+        pkey = OpenSSL::PKey.read(key_data)
+        case name
+        when *RSA_ALGORITHMS
+          hash = algo[:hash] or raise ArgumentError, "SubtleCrypto: RSA import requires hash"
+          rsa = pkey.is_a?(OpenSSL::PKey::RSA) ? pkey : raise(ArgumentError, "SubtleCrypto: key is not RSA")
+          pub_exp_bytes = [rsa.e.to_s(16)].pack("H*")
+          algo_hash = { "name" => name, "modulusLength" => rsa.n.num_bits, "publicExponent" => pub_exp_bytes, "hash" => hash }
+          Quickjs::CryptoKey.new("private", extractable, algo_hash, usages, pkey)
+        when "ECDSA", "ECDH"
+          named_curve = algo[:named_curve] or raise ArgumentError, "SubtleCrypto: EC import requires namedCurve"
+          Quickjs::CryptoKey.new("private", extractable, { "name" => name, "namedCurve" => named_curve }, usages, pkey)
+        when "Ed25519"
+          Quickjs::CryptoKey.new("private", extractable, { "name" => "Ed25519" }, usages, pkey)
+        when "X25519"
+          Quickjs::CryptoKey.new("private", extractable, { "name" => "X25519" }, usages, pkey)
+        else
+          raise ArgumentError, "SubtleCrypto: unsupported pkcs8 importKey algorithm '#{name}'"
+        end
+      else
+        raise ArgumentError, "SubtleCrypto: unsupported importKey format '#{format}'"
+      end
+    end
+
+    def self.export_key(format, key)
+      name = key.algorithm["name"]
+      case format
+      when "raw"
+        raise ArgumentError, "SubtleCrypto: key is not extractable" unless key.extractable
+        case name
+        when *AES_ALGORITHMS, "HMAC"
+          key.key_data
+        when "ECDSA", "ECDH"
+          raise ArgumentError, "SubtleCrypto: raw export only for public EC keys" unless key.type == "public"
+          key.key_data.public_to_der.then { |spki_der| ec_spki_to_raw(spki_der) }
+        when "Ed25519", "X25519"
+          raise ArgumentError, "SubtleCrypto: raw export only for public OKP keys" unless key.type == "public"
+          if key.key_data.respond_to?(:raw_public_key)
+            key.key_data.raw_public_key
+          else
+            # raw_public_key added in openssl gem 3.2.0 (Ruby 3.3): https://github.com/ruby/openssl/blob/master/History.md
+            # Ed25519/X25519 SPKI DER is 44 bytes with the 32-byte key at the end
+            key.key_data.public_to_der[-32..]
+          end
+        else
+          raise ArgumentError, "SubtleCrypto: raw export not supported for '#{name}'"
+        end
+      when "spki"
+        raise ArgumentError, "SubtleCrypto: key is not extractable" unless key.extractable
+        raise ArgumentError, "SubtleCrypto: spki export requires public key" unless key.type == "public"
+        key.key_data.public_to_der
+      when "pkcs8"
+        raise ArgumentError, "SubtleCrypto: key is not extractable" unless key.extractable
+        raise ArgumentError, "SubtleCrypto: pkcs8 export requires private key" unless key.type == "private"
+        key.key_data.private_to_der
+      else
+        raise ArgumentError, "SubtleCrypto: unsupported exportKey format '#{format}'"
+      end
+    end
+
+    def self.encrypt(name, key, data, params = {})
+      case name
+      when "AES-GCM"
+        aes_gcm_encrypt(key, data, params)
+      when "AES-CBC"
+        aes_cbc_crypt(key, data, params, :encrypt)
+      when "AES-CTR"
+        aes_ctr_crypt(key, data, params, :encrypt)
+      when "AES-KW"
+        aes_kw_crypt(key, data, :encrypt)
+      when "RSA-OAEP"
+        rsa_oaep_crypt(key, data, params, :encrypt)
+      else
+        raise ArgumentError, "SubtleCrypto: unsupported encrypt algorithm '#{name}'"
+      end
+    end
+
+    def self.decrypt(name, key, data, params = {})
+      case name
+      when "AES-GCM"
+        aes_gcm_decrypt(key, data, params)
+      when "AES-CBC"
+        aes_cbc_crypt(key, data, params, :decrypt)
+      when "AES-CTR"
+        aes_ctr_crypt(key, data, params, :decrypt)
+      when "AES-KW"
+        aes_kw_crypt(key, data, :decrypt)
+      when "RSA-OAEP"
+        rsa_oaep_crypt(key, data, params, :decrypt)
+      else
+        raise ArgumentError, "SubtleCrypto: unsupported decrypt algorithm '#{name}'"
+      end
+    end
+
+    def self.sign(name, key, data, params = {})
+      case name
+      when "HMAC"
+        hash_name = ossl_digest_name(key.algorithm["hash"])
+        OpenSSL::HMAC.digest(hash_name, key.key_data, data)
+      when "RSASSA-PKCS1-v1_5"
+        hash_name = ossl_digest_name(key.algorithm["hash"])
+        key.key_data.sign(hash_name, data)
+      when "RSA-PSS"
+        hash_name = ossl_digest_name(key.algorithm["hash"])
+        salt_length = params[:salt_length] || :digest
+        key.key_data.sign_pss(hash_name, data, salt_length: salt_length, mgf1_hash: hash_name)
+      when "ECDSA"
+        hash_name = ossl_digest_name(params[:hash] || key.algorithm["hash"])
+        named_curve = key.algorithm["namedCurve"]
+        coord_size = EC_COORD_SIZES[named_curve] or raise ArgumentError, "SubtleCrypto: unsupported curve '#{named_curve}'"
+        der_sig = key.key_data.sign(hash_name, data)
+        der_to_p1363(der_sig, coord_size)
+      when "Ed25519"
+        key.key_data.sign(nil, data)
+      else
+        raise ArgumentError, "SubtleCrypto: unsupported sign algorithm '#{name}'"
+      end
+    end
+
+    def self.verify(name, key, signature, data, params = {})
+      case name
+      when "HMAC"
+        hash_name = ossl_digest_name(key.algorithm["hash"])
+        expected = OpenSSL::HMAC.digest(hash_name, key.key_data, data)
+        OpenSSL::HMAC.hexdigest(hash_name, key.key_data, data) == OpenSSL::HMAC.hexdigest(hash_name, key.key_data, data) &&
+          secure_compare(expected, signature)
+      when "RSASSA-PKCS1-v1_5"
+        hash_name = ossl_digest_name(key.algorithm["hash"])
+        key.key_data.verify(hash_name, signature, data)
+      when "RSA-PSS"
+        hash_name = ossl_digest_name(key.algorithm["hash"])
+        salt_length = params[:salt_length] || :digest
+        key.key_data.verify_pss(hash_name, signature, data, salt_length: salt_length, mgf1_hash: hash_name)
+      when "ECDSA"
+        hash_name = ossl_digest_name(params[:hash] || key.algorithm["hash"])
+        named_curve = key.algorithm["namedCurve"]
+        coord_size = EC_COORD_SIZES[named_curve] or raise ArgumentError, "SubtleCrypto: unsupported curve '#{named_curve}'"
+        begin
+          der_sig = p1363_to_der(signature, coord_size)
+          key.key_data.verify(hash_name, der_sig, data)
+        rescue OpenSSL::PKey::PKeyError
+          false
+        end
+      when "Ed25519"
+        begin
+          key.key_data.verify(nil, signature, data)
+        rescue OpenSSL::PKey::PKeyError
+          false
+        end
+      else
+        raise ArgumentError, "SubtleCrypto: unsupported verify algorithm '#{name}'"
+      end
+    end
+
+    def self.derive_bits(name, key, length_bits, params = {})
+      case name
+      when "PBKDF2"
+        hash_name = ossl_digest_name(params[:hash]) or raise ArgumentError, "SubtleCrypto: PBKDF2 requires hash"
+        salt = params[:salt] or raise ArgumentError, "SubtleCrypto: PBKDF2 requires salt"
+        iterations = params[:iterations] or raise ArgumentError, "SubtleCrypto: PBKDF2 requires iterations"
+        OpenSSL::KDF.pbkdf2_hmac(key.key_data, salt: salt, iterations: iterations, length: length_bits / 8, hash: hash_name)
+      when "HKDF"
+        hash_name = ossl_digest_name(params[:hash]) or raise ArgumentError, "SubtleCrypto: HKDF requires hash"
+        salt = params[:salt] || ""
+        info = params[:info] || ""
+        OpenSSL::KDF.hkdf(key.key_data, salt: salt, info: info, length: length_bits / 8, hash: hash_name)
+      when "ECDH"
+        peer_key = params[:public] or raise ArgumentError, "SubtleCrypto: ECDH requires public key"
+        shared = key.key_data.dh_compute_key(peer_key.key_data.public_key)
+        shared.byteslice(0, length_bits / 8)
+      when "X25519"
+        peer_key = params[:public] or raise ArgumentError, "SubtleCrypto: X25519 requires public key"
+        shared = key.key_data.derive(peer_key.key_data)
+        shared.byteslice(0, length_bits / 8)
+      else
+        raise ArgumentError, "SubtleCrypto: unsupported deriveBits algorithm '#{name}'"
+      end
+    end
+
+    def self.derive_key(name, key, derived_algo, extractable, usages, params = {})
+      derived_name = derived_algo[:name] or raise ArgumentError, "SubtleCrypto: derived key algorithm name is required"
+      derived_length = case derived_name
+                       when *AES_ALGORITHMS then derived_algo[:length] or raise ArgumentError, "SubtleCrypto: derived AES key requires length"
+                       when "HMAC" then derived_algo[:length] || HMAC_HASH_OUTPUT_LENGTHS[derived_algo[:hash]]
+                       else raise ArgumentError, "SubtleCrypto: unsupported derived key algorithm '#{derived_name}'"
+                       end
+      key_bytes = derive_bits(name, key, derived_length, params)
+      import_key("raw", key_bytes, derived_algo, extractable, usages)
+    end
+
+    def self.wrap_key(format, key, wrapping_key, wrap_algo_hash, wrap_name)
+      key_data = export_key(format, key)
+      encrypt(wrap_name, wrapping_key, key_data, wrap_algo_hash)
+    end
+
+    def self.unwrap_key(format, wrapped, unwrapping_key, unwrap_algo_hash, unwrapped_algo_hash, extractable, usages, unwrap_name)
+      key_data = decrypt(unwrap_name, unwrapping_key, wrapped, unwrap_algo_hash)
+      import_key(format, key_data, unwrapped_algo_hash, extractable, usages)
+    end
+
+    def self.aes_gcm_encrypt(key, data, params)
+      iv = params.fetch(:iv)
+      tag_length = params.fetch(:tag_length, 128)
+      additional_data = params[:additional_data]
+
+      cipher = OpenSSL::Cipher.new("aes-#{key.algorithm["length"]}-gcm")
+      cipher.encrypt
+      cipher.key = key.key_data
+      cipher.iv = iv
+      cipher.auth_data = additional_data || ""
+      ciphertext = cipher.update(data) + cipher.final
+      tag = cipher.auth_tag(tag_length / 8)
+      ciphertext + tag
+    end
+    private_class_method :aes_gcm_encrypt
+
+    def self.aes_gcm_decrypt(key, data, params)
+      iv = params.fetch(:iv)
+      tag_length = params.fetch(:tag_length, 128)
+      additional_data = params[:additional_data]
+
+      tag_bytes = tag_length / 8
+      ciphertext = data[0, data.bytesize - tag_bytes]
+      tag = data[-tag_bytes, tag_bytes]
+
+      decipher = OpenSSL::Cipher.new("aes-#{key.algorithm["length"]}-gcm")
+      decipher.decrypt
+      decipher.key = key.key_data
+      decipher.iv = iv
+      decipher.auth_tag = tag
+      decipher.auth_data = additional_data || ""
+      decipher.update(ciphertext) + decipher.final
+    rescue OpenSSL::Cipher::CipherError => e
+      raise RuntimeError, "SubtleCrypto: AES-GCM decryption failed: #{e.message}"
+    end
+    private_class_method :aes_gcm_decrypt
+
+    def self.aes_cbc_crypt(key, data, params, direction)
+      iv = params.fetch(:iv)
+
+      cipher = OpenSSL::Cipher.new("aes-#{key.algorithm["length"]}-cbc")
+      direction == :encrypt ? cipher.encrypt : cipher.decrypt
+      cipher.key = key.key_data
+      cipher.iv = iv
+      cipher.update(data) + cipher.final
+    rescue OpenSSL::Cipher::CipherError => e
+      raise RuntimeError, "SubtleCrypto: AES-CBC failed: #{e.message}"
+    end
+    private_class_method :aes_cbc_crypt
+
+    def self.aes_kw_crypt(key, data, direction)
+      bits = key.algorithm["length"]
+      cipher = OpenSSL::Cipher.new("aes-#{bits}-wrap")
+      direction == :encrypt ? cipher.encrypt : cipher.decrypt
+      cipher.key = key.key_data
+      cipher.update(data) + cipher.final
+    rescue OpenSSL::Cipher::CipherError => e
+      raise RuntimeError, "SubtleCrypto: AES-KW failed: #{e.message}"
+    end
+    private_class_method :aes_kw_crypt
+
+    def self.aes_ctr_crypt(key, data, params, direction)
+      counter = params.fetch(:counter)
+      length = params[:length] || 64
+
+      cipher = OpenSSL::Cipher.new("aes-#{key.algorithm["length"]}-ctr")
+      direction == :encrypt ? cipher.encrypt : cipher.decrypt
+      cipher.key = key.key_data
+      cipher.iv = counter
+      cipher.update(data) + cipher.final
+    end
+    private_class_method :aes_ctr_crypt
+
+    def self.rsa_oaep_crypt(key, data, params, direction)
+      hash_name = ossl_digest_name(key.algorithm["hash"])
+      opts = { rsa_padding_mode: "oaep", rsa_oaep_md: hash_name, rsa_mgf1_md: hash_name }
+      if direction == :encrypt
+        key.key_data.encrypt(data, opts)
+      else
+        key.key_data.decrypt(data, opts)
+      end
+    rescue OpenSSL::PKey::PKeyError => e
+      raise RuntimeError, "SubtleCrypto: RSA-OAEP failed: #{e.message}"
+    end
+    private_class_method :rsa_oaep_crypt
+
+    def self.ossl_digest_name(hash_name)
+      DIGEST_ALGORITHMS[hash_name] or raise ArgumentError, "SubtleCrypto: unsupported hash '#{hash_name}'"
+    end
+    private_class_method :ossl_digest_name
+
+    def self.secure_compare(a, b)
+      return false unless a.bytesize == b.bytesize
+      OpenSSL.fixed_length_secure_compare(a, b)
+    end
+    private_class_method :secure_compare
+
+    def self.der_to_p1363(der_sig, coord_size)
+      asn = OpenSSL::ASN1.decode(der_sig)
+      r_bn = asn.value[0].value
+      s_bn = asn.value[1].value
+      r_bytes = r_bn.to_s(2)
+      s_bytes = s_bn.to_s(2)
+      pad = "\x00" * coord_size
+      r_padded = (pad + r_bytes).byteslice(-coord_size, coord_size)
+      s_padded = (pad + s_bytes).byteslice(-coord_size, coord_size)
+      r_padded + s_padded
+    end
+    private_class_method :der_to_p1363
+
+    def self.p1363_to_der(p1363_sig, coord_size)
+      r_bytes = p1363_sig.byteslice(0, coord_size)
+      s_bytes = p1363_sig.byteslice(coord_size, coord_size)
+      r_bn = OpenSSL::BN.new(r_bytes, 2)
+      s_bn = OpenSSL::BN.new(s_bytes, 2)
+      OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer(r_bn),
+        OpenSSL::ASN1::Integer(s_bn),
+      ]).to_der
+    end
+    private_class_method :p1363_to_der
+
+    def self.import_raw_ec_public(raw_bytes, named_curve)
+      ossl_curve = EC_CURVE_MAP[named_curve] or
+        raise ArgumentError, "SubtleCrypto: unsupported EC curve '#{named_curve}'"
+      ec_oid = OpenSSL::ASN1::ObjectId("id-ecPublicKey")
+      curve_oid = OpenSSL::ASN1::ObjectId(ossl_curve)
+      algo_seq = OpenSSL::ASN1::Sequence([ec_oid, curve_oid])
+      spki = OpenSSL::ASN1::Sequence([algo_seq, OpenSSL::ASN1::BitString(raw_bytes)])
+      OpenSSL::PKey.read(spki.to_der)
+    end
+    private_class_method :import_raw_ec_public
+
+    def self.import_raw_okp_public(raw_bytes, ossl_algo)
+      oid = OpenSSL::ASN1::ObjectId(ossl_algo)
+      algo_seq = OpenSSL::ASN1::Sequence([oid])
+      spki = OpenSSL::ASN1::Sequence([algo_seq, OpenSSL::ASN1::BitString(raw_bytes)])
+      OpenSSL::PKey.read(spki.to_der)
+    end
+    private_class_method :import_raw_okp_public
+
+    def self.ec_spki_to_raw(spki_der)
+      asn = OpenSSL::ASN1.decode(spki_der)
+      asn.value[1].value
+    end
+    private_class_method :ec_spki_to_raw
+  end
+end

data/lib/quickjs/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Quickjs
-  VERSION = "0.13.0"
+  VERSION = "0.14.0"
 end

data/lib/quickjs.rb

@@ -1,7 +1,10 @@
 # frozen_string_literal: true
 
+require "securerandom"
 require "timeout"
 require_relative "quickjs/version"
+require_relative "quickjs/subtle_crypto"
+require_relative "quickjs/crypto_key"
 require_relative "quickjs/quickjsrb"
 
 module Quickjs

data/polyfills/check-licenses.mjs

@@ -0,0 +1,72 @@
+import { readFileSync } from "fs";
+
+const lock = JSON.parse(readFileSync(new URL("./package-lock.json", import.meta.url)));
+
+const ROOT_PACKAGES = [
+  "@formatjs/intl-getcanonicallocales",
+  "@formatjs/intl-locale",
+  "@formatjs/intl-pluralrules",
+  "@formatjs/intl-numberformat",
+  "@formatjs/intl-datetimeformat",
+];
+
+const BUILD_ONLY = new Set([
+  "rolldown", "@rolldown/pluginutils", "@oxc-project/types",
+  "@emnapi/core", "@emnapi/runtime", "@emnapi/wasi-threads",
+  "@napi-rs/wasm-runtime", "@tybys/wasm-util",
+]);
+
+function collectDeps(pkgName, visited = new Set()) {
+  if (visited.has(pkgName) || BUILD_ONLY.has(pkgName)) return visited;
+  visited.add(pkgName);
+  const info = lock.packages[`node_modules/${pkgName}`];
+  if (!info) return visited;
+  for (const dep of Object.keys({ ...info.dependencies, ...info.peerDependencies ?? {} })) {
+    collectDeps(dep, visited);
+  }
+  return visited;
+}
+
+const allDeps = new Set();
+for (const root of ROOT_PACKAGES) collectDeps(root, allDeps);
+
+let hasError = false;
+const byYear = {};
+
+for (const pkg of [...allDeps].sort()) {
+  let licenseText;
+  try {
+    licenseText = readFileSync(`node_modules/${pkg}/LICENSE.md`, "utf8");
+  } catch {
+    try {
+      licenseText = readFileSync(`node_modules/${pkg}/LICENSE`, "utf8");
+    } catch {
+      console.error(`ERROR: No license file found for ${pkg}`);
+      hasError = true;
+      continue;
+    }
+  }
+
+  const isMIT = licenseText.includes("MIT License");
+  const yearMatch = licenseText.match(/Copyright\s+\(c\)\s+(\d{4})/i);
+  const authorMatch = licenseText.match(/Copyright\s+\(c\)\s+\d{4}\s+(.+)/i);
+
+  if (!isMIT) {
+    console.error(`ERROR: ${pkg} is NOT MIT licensed`);
+    hasError = true;
+  }
+
+  const year = yearMatch?.[1] ?? "unknown";
+  const author = authorMatch?.[1]?.trim() ?? "unknown";
+  byYear[year] ??= { author, packages: [] };
+  byYear[year].packages.push(pkg);
+}
+
+console.log("Bundled dependencies by copyright year:\n");
+for (const year of Object.keys(byYear).sort()) {
+  const { author, packages } = byYear[year];
+  console.log(`  MIT License Copyright (c) ${year} ${author}`);
+  for (const pkg of packages) console.log(`    - ${pkg}`);
+}
+
+if (hasError) process.exit(1);