@blamejs/blamejs-shop 0.3.4 → 0.3.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/admin.js +428 -6
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +3 -3
- package/lib/vendor/blamejs/CHANGELOG.md +14 -0
- package/lib/vendor/blamejs/api-snapshot.json +2 -2
- package/lib/vendor/blamejs/lib/_test/crypto-fixtures.js +3 -3
- package/lib/vendor/blamejs/lib/a2a-tasks.js +24 -24
- package/lib/vendor/blamejs/lib/a2a.js +4 -4
- package/lib/vendor/blamejs/lib/acme.js +3 -3
- package/lib/vendor/blamejs/lib/agent-idempotency.js +1 -1
- package/lib/vendor/blamejs/lib/agent-orchestrator.js +8 -8
- package/lib/vendor/blamejs/lib/agent-posture-chain.js +2 -2
- package/lib/vendor/blamejs/lib/agent-saga.js +1 -1
- package/lib/vendor/blamejs/lib/agent-snapshot.js +1 -1
- package/lib/vendor/blamejs/lib/agent-stream.js +1 -1
- package/lib/vendor/blamejs/lib/agent-tenant.js +1 -1
- package/lib/vendor/blamejs/lib/agent-trace.js +3 -3
- package/lib/vendor/blamejs/lib/ai-capability.js +1 -1
- package/lib/vendor/blamejs/lib/ai-dp.js +4 -4
- package/lib/vendor/blamejs/lib/ai-input.js +4 -4
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +7 -7
- package/lib/vendor/blamejs/lib/ai-pref.js +3 -3
- package/lib/vendor/blamejs/lib/archive-gz.js +2 -2
- package/lib/vendor/blamejs/lib/archive-read.js +25 -25
- package/lib/vendor/blamejs/lib/archive-tar-read.js +2 -2
- package/lib/vendor/blamejs/lib/archive-tar.js +20 -20
- package/lib/vendor/blamejs/lib/archive-wrap.js +10 -10
- package/lib/vendor/blamejs/lib/argon2-builtin.js +1 -1
- package/lib/vendor/blamejs/lib/asn1-der.js +45 -34
- package/lib/vendor/blamejs/lib/atomic-file.js +2 -2
- package/lib/vendor/blamejs/lib/audit-daily-review.js +3 -3
- package/lib/vendor/blamejs/lib/audit-sign.js +5 -5
- package/lib/vendor/blamejs/lib/audit-tools.js +1 -1
- package/lib/vendor/blamejs/lib/audit.js +2 -2
- package/lib/vendor/blamejs/lib/auth/acr-vocabulary.js +2 -2
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +3 -3
- package/lib/vendor/blamejs/lib/auth/ciba.js +7 -7
- package/lib/vendor/blamejs/lib/auth/dpop.js +3 -3
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +8 -8
- package/lib/vendor/blamejs/lib/auth/jar.js +11 -0
- package/lib/vendor/blamejs/lib/auth/jwt-external.js +5 -5
- package/lib/vendor/blamejs/lib/auth/oauth.js +7 -9
- package/lib/vendor/blamejs/lib/auth/oid4vci.js +10 -10
- package/lib/vendor/blamejs/lib/auth/oid4vp.js +2 -2
- package/lib/vendor/blamejs/lib/auth/openid-federation.js +2 -2
- package/lib/vendor/blamejs/lib/auth/passkey.js +3 -3
- package/lib/vendor/blamejs/lib/auth/saml.js +31 -43
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc-disclosure.js +1 -1
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +5 -5
- package/lib/vendor/blamejs/lib/auth/status-list.js +10 -10
- package/lib/vendor/blamejs/lib/auth/step-up.js +1 -1
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +1 -1
- package/lib/vendor/blamejs/lib/backup/index.js +7 -7
- package/lib/vendor/blamejs/lib/base32.js +8 -8
- package/lib/vendor/blamejs/lib/budr.js +2 -2
- package/lib/vendor/blamejs/lib/cache-status.js +2 -2
- package/lib/vendor/blamejs/lib/calendar.js +29 -29
- package/lib/vendor/blamejs/lib/cbor.js +12 -12
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +1 -1
- package/lib/vendor/blamejs/lib/cert.js +5 -5
- package/lib/vendor/blamejs/lib/cloud-events.js +5 -5
- package/lib/vendor/blamejs/lib/cms-codec.js +21 -21
- package/lib/vendor/blamejs/lib/codepoint-class.js +12 -12
- package/lib/vendor/blamejs/lib/compliance-sanctions-fuzzy.js +4 -4
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +4 -4
- package/lib/vendor/blamejs/lib/compliance.js +29 -29
- package/lib/vendor/blamejs/lib/content-credentials.js +38 -38
- package/lib/vendor/blamejs/lib/cookies.js +1 -1
- package/lib/vendor/blamejs/lib/cose.js +13 -13
- package/lib/vendor/blamejs/lib/cra-report.js +1 -1
- package/lib/vendor/blamejs/lib/crdt.js +1 -1
- package/lib/vendor/blamejs/lib/crypto-field.js +2 -2
- package/lib/vendor/blamejs/lib/crypto-xwing.js +7 -7
- package/lib/vendor/blamejs/lib/crypto.js +6 -6
- package/lib/vendor/blamejs/lib/csp.js +2 -2
- package/lib/vendor/blamejs/lib/cwt.js +4 -4
- package/lib/vendor/blamejs/lib/dark-patterns.js +2 -2
- package/lib/vendor/blamejs/lib/data-act.js +2 -2
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +4 -4
- package/lib/vendor/blamejs/lib/db-query.js +1 -1
- package/lib/vendor/blamejs/lib/db.js +6 -6
- package/lib/vendor/blamejs/lib/dbsc.js +13 -13
- package/lib/vendor/blamejs/lib/did.js +17 -17
- package/lib/vendor/blamejs/lib/dora.js +4 -4
- package/lib/vendor/blamejs/lib/dsr.js +1 -1
- package/lib/vendor/blamejs/lib/early-hints.js +2 -2
- package/lib/vendor/blamejs/lib/eat.js +4 -4
- package/lib/vendor/blamejs/lib/external-db-migrate.js +1 -1
- package/lib/vendor/blamejs/lib/external-db.js +1 -1
- package/lib/vendor/blamejs/lib/flag-cache.js +1 -1
- package/lib/vendor/blamejs/lib/flag-evaluation-context.js +2 -2
- package/lib/vendor/blamejs/lib/graphql-federation.js +13 -6
- package/lib/vendor/blamejs/lib/guard-agent-registry.js +5 -5
- package/lib/vendor/blamejs/lib/guard-archive.js +24 -24
- package/lib/vendor/blamejs/lib/guard-cidr.js +34 -34
- package/lib/vendor/blamejs/lib/guard-csv.js +1 -1
- package/lib/vendor/blamejs/lib/guard-domain.js +10 -10
- package/lib/vendor/blamejs/lib/guard-dsn.js +4 -4
- package/lib/vendor/blamejs/lib/guard-email.js +19 -19
- package/lib/vendor/blamejs/lib/guard-event-bus-payload.js +4 -4
- package/lib/vendor/blamejs/lib/guard-event-bus-topic.js +6 -6
- package/lib/vendor/blamejs/lib/guard-filename.js +7 -7
- package/lib/vendor/blamejs/lib/guard-graphql.js +9 -9
- package/lib/vendor/blamejs/lib/guard-html-wcag-tagwalk.js +1 -1
- package/lib/vendor/blamejs/lib/guard-html-wcag.js +4 -4
- package/lib/vendor/blamejs/lib/guard-html.js +7 -7
- package/lib/vendor/blamejs/lib/guard-idempotency-key.js +6 -6
- package/lib/vendor/blamejs/lib/guard-image.js +4 -4
- package/lib/vendor/blamejs/lib/guard-imap-command.js +17 -17
- package/lib/vendor/blamejs/lib/guard-jmap.js +20 -20
- package/lib/vendor/blamejs/lib/guard-json.js +12 -12
- package/lib/vendor/blamejs/lib/guard-jsonpath.js +3 -3
- package/lib/vendor/blamejs/lib/guard-jwt.js +4 -4
- package/lib/vendor/blamejs/lib/guard-list-id.js +7 -7
- package/lib/vendor/blamejs/lib/guard-list-unsubscribe.js +8 -8
- package/lib/vendor/blamejs/lib/guard-mail-compose.js +4 -4
- package/lib/vendor/blamejs/lib/guard-mail-move.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mail-query.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-reply.js +3 -3
- package/lib/vendor/blamejs/lib/guard-mail-sieve.js +6 -6
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +25 -25
- package/lib/vendor/blamejs/lib/guard-markdown.js +31 -31
- package/lib/vendor/blamejs/lib/guard-message-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-mime.js +1 -1
- package/lib/vendor/blamejs/lib/guard-oauth.js +3 -3
- package/lib/vendor/blamejs/lib/guard-pdf.js +6 -6
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +11 -11
- package/lib/vendor/blamejs/lib/guard-posture-chain.js +5 -5
- package/lib/vendor/blamejs/lib/guard-regex.js +10 -10
- package/lib/vendor/blamejs/lib/guard-saga-config.js +5 -5
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +6 -6
- package/lib/vendor/blamejs/lib/guard-snapshot-envelope.js +3 -3
- package/lib/vendor/blamejs/lib/guard-stream-args.js +4 -4
- package/lib/vendor/blamejs/lib/guard-svg.js +11 -11
- package/lib/vendor/blamejs/lib/guard-tenant-id.js +5 -5
- package/lib/vendor/blamejs/lib/guard-time.js +15 -15
- package/lib/vendor/blamejs/lib/guard-trace-context.js +4 -4
- package/lib/vendor/blamejs/lib/guard-uuid.js +11 -11
- package/lib/vendor/blamejs/lib/guard-xml.js +12 -12
- package/lib/vendor/blamejs/lib/guard-yaml.js +16 -16
- package/lib/vendor/blamejs/lib/honeytoken.js +5 -5
- package/lib/vendor/blamejs/lib/http-client-cache.js +18 -1
- package/lib/vendor/blamejs/lib/http-client.js +13 -10
- package/lib/vendor/blamejs/lib/http-message-signature.js +2 -2
- package/lib/vendor/blamejs/lib/iab-mspa.js +3 -3
- package/lib/vendor/blamejs/lib/iab-tcf.js +70 -70
- package/lib/vendor/blamejs/lib/inbox.js +4 -4
- package/lib/vendor/blamejs/lib/ip-utils.js +15 -15
- package/lib/vendor/blamejs/lib/jose-jwe-experimental.js +2 -2
- package/lib/vendor/blamejs/lib/json-path.js +3 -3
- package/lib/vendor/blamejs/lib/json-schema.js +1 -1
- package/lib/vendor/blamejs/lib/jsonapi.js +3 -3
- package/lib/vendor/blamejs/lib/jtd.js +2 -2
- package/lib/vendor/blamejs/lib/link-header.js +1 -1
- package/lib/vendor/blamejs/lib/local-db-thin.js +1 -1
- package/lib/vendor/blamejs/lib/log.js +8 -3
- package/lib/vendor/blamejs/lib/lro.js +4 -4
- package/lib/vendor/blamejs/lib/mail-agent.js +1 -1
- package/lib/vendor/blamejs/lib/mail-arc-sign.js +6 -6
- package/lib/vendor/blamejs/lib/mail-auth.js +44 -44
- package/lib/vendor/blamejs/lib/mail-bimi.js +3 -3
- package/lib/vendor/blamejs/lib/mail-crypto-pgp.js +53 -45
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +6 -6
- package/lib/vendor/blamejs/lib/mail-dav.js +1 -1
- package/lib/vendor/blamejs/lib/mail-deploy.js +40 -40
- package/lib/vendor/blamejs/lib/mail-dkim.js +12 -12
- package/lib/vendor/blamejs/lib/mail-greylist.js +12 -12
- package/lib/vendor/blamejs/lib/mail-helo.js +1 -1
- package/lib/vendor/blamejs/lib/mail-journal.js +8 -8
- package/lib/vendor/blamejs/lib/mail-rbl.js +7 -7
- package/lib/vendor/blamejs/lib/mail-scan.js +7 -7
- package/lib/vendor/blamejs/lib/mail-send-deliver.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-imap.js +12 -12
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +18 -20
- package/lib/vendor/blamejs/lib/mail-server-managesieve.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-mx.js +17 -17
- package/lib/vendor/blamejs/lib/mail-server-pop3.js +4 -4
- package/lib/vendor/blamejs/lib/mail-server-rate-limit.js +2 -2
- package/lib/vendor/blamejs/lib/mail-server-submission.js +21 -21
- package/lib/vendor/blamejs/lib/mail-sieve.js +2 -2
- package/lib/vendor/blamejs/lib/mail-spam-score.js +5 -5
- package/lib/vendor/blamejs/lib/mail-srs.js +12 -12
- package/lib/vendor/blamejs/lib/mail-store-fts.js +2 -2
- package/lib/vendor/blamejs/lib/mail-store.js +8 -8
- package/lib/vendor/blamejs/lib/mail-unsubscribe.js +4 -4
- package/lib/vendor/blamejs/lib/mail.js +4 -4
- package/lib/vendor/blamejs/lib/mcp-tool-registry.js +4 -4
- package/lib/vendor/blamejs/lib/mcp.js +15 -15
- package/lib/vendor/blamejs/lib/mdoc.js +2 -2
- package/lib/vendor/blamejs/lib/metrics.js +8 -8
- package/lib/vendor/blamejs/lib/middleware/age-gate.js +15 -3
- package/lib/vendor/blamejs/lib/middleware/ai-act-disclosure.js +11 -4
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +7 -7
- package/lib/vendor/blamejs/lib/middleware/assetlinks.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/asyncapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/bearer-auth.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +5 -5
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +16 -16
- package/lib/vendor/blamejs/lib/middleware/csp-report.js +4 -4
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/dpop.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/headers.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/host-allowlist.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/idempotency-key.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/nel.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/openapi-serve.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/protected-resource-metadata.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +14 -5
- package/lib/vendor/blamejs/lib/middleware/require-aal.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-bound-key.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/require-content-type.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-methods.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/require-step-up.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +1 -1
- package/lib/vendor/blamejs/lib/middleware/security-txt.js +3 -3
- package/lib/vendor/blamejs/lib/middleware/sse.js +14 -8
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +12 -12
- package/lib/vendor/blamejs/lib/middleware/web-app-manifest.js +2 -2
- package/lib/vendor/blamejs/lib/network-byte-quota.js +1 -1
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +23 -23
- package/lib/vendor/blamejs/lib/network-dns.js +29 -29
- package/lib/vendor/blamejs/lib/network-dnssec.js +33 -33
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +10 -10
- package/lib/vendor/blamejs/lib/network-tls.js +100 -98
- package/lib/vendor/blamejs/lib/network-tsig.js +33 -33
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
- package/lib/vendor/blamejs/lib/ntp-check.js +3 -3
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +17 -17
- package/lib/vendor/blamejs/lib/observability-tracer.js +6 -6
- package/lib/vendor/blamejs/lib/observability.js +8 -8
- package/lib/vendor/blamejs/lib/openapi-yaml.js +1 -1
- package/lib/vendor/blamejs/lib/openapi.js +1 -1
- package/lib/vendor/blamejs/lib/outbox.js +6 -6
- package/lib/vendor/blamejs/lib/pqc-agent.js +4 -4
- package/lib/vendor/blamejs/lib/pqc-software.js +1 -1
- package/lib/vendor/blamejs/lib/privacy-pass.js +5 -5
- package/lib/vendor/blamejs/lib/problem-details.js +5 -5
- package/lib/vendor/blamejs/lib/promise-pool.js +1 -1
- package/lib/vendor/blamejs/lib/protobuf-encoder.js +9 -1
- package/lib/vendor/blamejs/lib/queue.js +4 -2
- package/lib/vendor/blamejs/lib/redact.js +2 -2
- package/lib/vendor/blamejs/lib/request-helpers.js +1 -1
- package/lib/vendor/blamejs/lib/router.js +10 -10
- package/lib/vendor/blamejs/lib/safe-async.js +2 -2
- package/lib/vendor/blamejs/lib/safe-decompress.js +1 -1
- package/lib/vendor/blamejs/lib/safe-dns.js +71 -71
- package/lib/vendor/blamejs/lib/safe-ical.js +19 -19
- package/lib/vendor/blamejs/lib/safe-icap.js +24 -24
- package/lib/vendor/blamejs/lib/safe-jsonpath.js +2 -2
- package/lib/vendor/blamejs/lib/safe-mime.js +10 -10
- package/lib/vendor/blamejs/lib/safe-mount-info.js +3 -3
- package/lib/vendor/blamejs/lib/safe-redirect.js +1 -1
- package/lib/vendor/blamejs/lib/safe-sieve.js +23 -23
- package/lib/vendor/blamejs/lib/safe-smtp.js +1 -1
- package/lib/vendor/blamejs/lib/safe-url.js +1 -1
- package/lib/vendor/blamejs/lib/safe-vcard.js +14 -14
- package/lib/vendor/blamejs/lib/sandbox.js +5 -5
- package/lib/vendor/blamejs/lib/sec-cyber.js +1 -1
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +3 -3
- package/lib/vendor/blamejs/lib/self-update.js +3 -3
- package/lib/vendor/blamejs/lib/server-timing.js +3 -3
- package/lib/vendor/blamejs/lib/session-device-binding.js +7 -7
- package/lib/vendor/blamejs/lib/session.js +8 -8
- package/lib/vendor/blamejs/lib/sse.js +12 -5
- package/lib/vendor/blamejs/lib/standard-webhooks.js +4 -4
- package/lib/vendor/blamejs/lib/storage.js +2 -2
- package/lib/vendor/blamejs/lib/stream-throttle.js +3 -3
- package/lib/vendor/blamejs/lib/structured-fields.js +15 -15
- package/lib/vendor/blamejs/lib/subject.js +1 -1
- package/lib/vendor/blamejs/lib/tcpa-10dlc.js +1 -1
- package/lib/vendor/blamejs/lib/tenant-quota.js +3 -3
- package/lib/vendor/blamejs/lib/test-harness.js +1 -1
- package/lib/vendor/blamejs/lib/tracing.js +1 -1
- package/lib/vendor/blamejs/lib/tsa.js +5 -5
- package/lib/vendor/blamejs/lib/uri-template.js +5 -5
- package/lib/vendor/blamejs/lib/vault/index.js +2 -2
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -4
- package/lib/vendor/blamejs/lib/vc.js +2 -2
- package/lib/vendor/blamejs/lib/vendor-data.js +1 -1
- package/lib/vendor/blamejs/lib/watcher.js +4 -4
- package/lib/vendor/blamejs/lib/web-push-vapid.js +21 -21
- package/lib/vendor/blamejs/lib/webhook.js +2 -2
- package/lib/vendor/blamejs/lib/websocket.js +5 -5
- package/lib/vendor/blamejs/lib/worker-pool.js +3 -3
- package/lib/vendor/blamejs/lib/ws-client.js +24 -24
- package/lib/vendor/blamejs/lib/xml-c14n.js +2 -2
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.x.json +1248 -0
- package/lib/vendor/blamejs/release-notes/v0.14.0.json +43 -0
- package/lib/vendor/blamejs/release-notes/v0.14.1.json +60 -0
- package/lib/vendor/blamejs/release-notes/v0.14.2.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.3.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.4.json +18 -0
- package/lib/vendor/blamejs/release-notes/v0.14.5.json +18 -0
- package/lib/vendor/blamejs/test/00-primitives.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/age-gate.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jar.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +105 -9
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-ai-act.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +10 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-cache.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js +11 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-registry.test.js +34 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sse.test.js +12 -0
- package/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.13.0.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.1.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.10.json +0 -44
- package/lib/vendor/blamejs/release-notes/v0.13.11.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.12.json +0 -36
- package/lib/vendor/blamejs/release-notes/v0.13.13.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.14.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.15.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.16.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.17.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.18.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.19.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.2.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.20.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.21.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.22.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.23.json +0 -42
- package/lib/vendor/blamejs/release-notes/v0.13.24.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.25.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.26.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.27.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.28.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.29.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.3.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.30.json +0 -30
- package/lib/vendor/blamejs/release-notes/v0.13.31.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.32.json +0 -34
- package/lib/vendor/blamejs/release-notes/v0.13.33.json +0 -26
- package/lib/vendor/blamejs/release-notes/v0.13.34.json +0 -48
- package/lib/vendor/blamejs/release-notes/v0.13.35.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.36.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.37.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.38.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.39.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.4.json +0 -23
- package/lib/vendor/blamejs/release-notes/v0.13.40.json +0 -22
- package/lib/vendor/blamejs/release-notes/v0.13.41.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.42.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.43.json +0 -39
- package/lib/vendor/blamejs/release-notes/v0.13.44.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.45.json +0 -31
- package/lib/vendor/blamejs/release-notes/v0.13.46.json +0 -35
- package/lib/vendor/blamejs/release-notes/v0.13.5.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.6.json +0 -18
- package/lib/vendor/blamejs/release-notes/v0.13.7.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.8.json +0 -27
- package/lib/vendor/blamejs/release-notes/v0.13.9.json +0 -27
|
@@ -64,7 +64,7 @@ function generateVapidKeypair() {
|
|
|
64
64
|
var pubKeyObj = nodeCrypto.createPublicKey(kp.publicKey);
|
|
65
65
|
var jwk = pubKeyObj.export({ format: "jwk" });
|
|
66
66
|
var raw = Buffer.concat([
|
|
67
|
-
Buffer.from([0x04]), //
|
|
67
|
+
Buffer.from([0x04]), // uncompressed point prefix per SEC1 §2.3.3
|
|
68
68
|
Buffer.from(jwk.x, "base64url"),
|
|
69
69
|
Buffer.from(jwk.y, "base64url"),
|
|
70
70
|
]);
|
|
@@ -153,31 +153,31 @@ function buildVapidAuthHeader(opts) {
|
|
|
153
153
|
// node:crypto produces DER-encoded ECDSA signature; JWT ES256
|
|
154
154
|
// requires the raw 64-byte r||s shape. Convert.
|
|
155
155
|
var derSig = nodeCrypto.sign("sha256", Buffer.from(signingInput, "utf8"), keyObj);
|
|
156
|
-
var rawSig = _ecdsaDerToRaw(derSig, 32); //
|
|
156
|
+
var rawSig = _ecdsaDerToRaw(derSig, 32); // 32-byte P-256 component
|
|
157
157
|
var token = signingInput + "." + bCrypto.toBase64Url(rawSig);
|
|
158
158
|
return "vapid t=" + token + ", k=" + opts.publicKeyB64Url;
|
|
159
159
|
}
|
|
160
160
|
|
|
161
161
|
function _ecdsaDerToRaw(der, componentLen) {
|
|
162
162
|
// ECDSA-Sig-Value DER = SEQUENCE { r INTEGER, s INTEGER }.
|
|
163
|
-
if (der[0] !== 0x30) { //
|
|
163
|
+
if (der[0] !== 0x30) { // ASN.1 SEQUENCE tag
|
|
164
164
|
throw new WebPushError("web-push/bad-sig",
|
|
165
165
|
"ECDSA signature is not a DER SEQUENCE");
|
|
166
166
|
}
|
|
167
167
|
var off = 2;
|
|
168
|
-
if (der[1] & 0x80) off = 2 + (der[1] & 0x7f); //
|
|
169
|
-
if (der[off] !== 0x02) throw new WebPushError("web-push/bad-sig", "missing r INTEGER"); //
|
|
168
|
+
if (der[1] & 0x80) off = 2 + (der[1] & 0x7f); // long-form length byte
|
|
169
|
+
if (der[off] !== 0x02) throw new WebPushError("web-push/bad-sig", "missing r INTEGER"); // ASN.1 INTEGER tag
|
|
170
170
|
var rLen = der[off + 1];
|
|
171
171
|
var rStart = off + 2;
|
|
172
172
|
var r = der.slice(rStart, rStart + rLen);
|
|
173
173
|
off = rStart + rLen;
|
|
174
|
-
if (der[off] !== 0x02) throw new WebPushError("web-push/bad-sig", "missing s INTEGER"); //
|
|
174
|
+
if (der[off] !== 0x02) throw new WebPushError("web-push/bad-sig", "missing s INTEGER"); // ASN.1 INTEGER tag
|
|
175
175
|
var sLen = der[off + 1];
|
|
176
176
|
var sStart = off + 2;
|
|
177
177
|
var s = der.slice(sStart, sStart + sLen);
|
|
178
178
|
// Trim leading zero pad (DER requires it when high bit set; JWT raw doesn't).
|
|
179
|
-
if (r.length > componentLen && r[0] === 0x00) r = r.slice(1); //
|
|
180
|
-
if (s.length > componentLen && s[0] === 0x00) s = s.slice(1); //
|
|
179
|
+
if (r.length > componentLen && r[0] === 0x00) r = r.slice(1); // DER sign-bit pad
|
|
180
|
+
if (s.length > componentLen && s[0] === 0x00) s = s.slice(1); // DER sign-bit pad
|
|
181
181
|
var out = Buffer.alloc(componentLen * 2);
|
|
182
182
|
r.copy(out, componentLen - r.length);
|
|
183
183
|
s.copy(out, componentLen * 2 - s.length);
|
|
@@ -245,12 +245,12 @@ function encrypt(opts) {
|
|
|
245
245
|
}
|
|
246
246
|
// Decode the subscription's p256dh + auth.
|
|
247
247
|
var recipientPubRaw = Buffer.from(opts.subscription.keys.p256dh, "base64url");
|
|
248
|
-
if (recipientPubRaw.length !== 65 || recipientPubRaw[0] !== 0x04) { //
|
|
248
|
+
if (recipientPubRaw.length !== 65 || recipientPubRaw[0] !== 0x04) { // uncompressed P-256 point shape per SEC1 §2.3.3
|
|
249
249
|
throw new WebPushError("web-push/bad-p256dh",
|
|
250
250
|
"encrypt: p256dh must be a 65-byte uncompressed P-256 point");
|
|
251
251
|
}
|
|
252
252
|
var authSecret = Buffer.from(opts.subscription.keys.auth, "base64url");
|
|
253
|
-
if (authSecret.length !== 16) { //
|
|
253
|
+
if (authSecret.length !== 16) { // RFC 8291 §3.2 auth_secret length
|
|
254
254
|
throw new WebPushError("web-push/bad-auth",
|
|
255
255
|
"encrypt: auth must be a 16-byte secret (got " + authSecret.length + ")");
|
|
256
256
|
}
|
|
@@ -259,7 +259,7 @@ function encrypt(opts) {
|
|
|
259
259
|
ephemeral.generateKeys();
|
|
260
260
|
var ephemeralPubRaw = ephemeral.getPublicKey(); // uncompressed 65 bytes
|
|
261
261
|
// ECDH shared secret.
|
|
262
|
-
var sharedSecret = ephemeral.computeSecret(recipientPubRaw); //
|
|
262
|
+
var sharedSecret = ephemeral.computeSecret(recipientPubRaw); // ECDH shared secret (32 bytes per P-256)
|
|
263
263
|
// RFC 8291 §3.4 two-stage HKDF:
|
|
264
264
|
// PRK_key = HKDF-Extract(salt=auth_secret, IKM=ECDH_shared)
|
|
265
265
|
// key_info = "WebPush: info\x00" || ua_public || as_public
|
|
@@ -276,23 +276,23 @@ function encrypt(opts) {
|
|
|
276
276
|
recipientPubRaw,
|
|
277
277
|
ephemeralPubRaw,
|
|
278
278
|
]);
|
|
279
|
-
var ikm = _hkdf(authSecret, sharedSecret, keyInfo, 32); //
|
|
280
|
-
var salt = nodeCrypto.randomBytes(16); //
|
|
281
|
-
var cek = _hkdf(salt, ikm, Buffer.from("Content-Encoding: aes128gcm\x00", "utf8"), 16); //
|
|
282
|
-
var nonce = _hkdf(salt, ikm, Buffer.from("Content-Encoding: nonce\x00", "utf8"), 12); //
|
|
279
|
+
var ikm = _hkdf(authSecret, sharedSecret, keyInfo, 32); // 256-bit IKM
|
|
280
|
+
var salt = nodeCrypto.randomBytes(16); // RFC 8188 §2.2 16-byte salt
|
|
281
|
+
var cek = _hkdf(salt, ikm, Buffer.from("Content-Encoding: aes128gcm\x00", "utf8"), 16); // 128-bit AEAD key
|
|
282
|
+
var nonce = _hkdf(salt, ikm, Buffer.from("Content-Encoding: nonce\x00", "utf8"), 12); // 96-bit AEAD nonce
|
|
283
283
|
// RFC 8188 §2 padding: plaintext || 0x02 (delimiter for single-record).
|
|
284
284
|
// RFC 8291 mandates single-record (record_size > plaintext+padding+tag).
|
|
285
|
-
var padded = Buffer.concat([plaintext, Buffer.from([0x02])]); //
|
|
285
|
+
var padded = Buffer.concat([plaintext, Buffer.from([0x02])]); // RFC 8188 single-record delimiter
|
|
286
286
|
var cipher = nodeCrypto.createCipheriv("aes-128-gcm", cek, nonce);
|
|
287
287
|
var ct = Buffer.concat([cipher.update(padded), cipher.final()]);
|
|
288
288
|
var tag = cipher.getAuthTag();
|
|
289
289
|
// RFC 8188 §2.1 header: salt(16) || rs(4 big-endian) || idlen(1) || keyid
|
|
290
290
|
// For RFC 8291 the keyid is the as_public (ephemeral pubkey, 65 bytes).
|
|
291
|
-
var rs = padded.length + 16; //
|
|
292
|
-
var header = Buffer.alloc(16 + 4 + 1); //
|
|
291
|
+
var rs = padded.length + 16; // record size = plaintext + tag length
|
|
292
|
+
var header = Buffer.alloc(16 + 4 + 1); // salt + rs + idlen layout
|
|
293
293
|
salt.copy(header, 0);
|
|
294
|
-
header.writeUInt32BE(rs, 16); //
|
|
295
|
-
header[20] = ephemeralPubRaw.length; //
|
|
294
|
+
header.writeUInt32BE(rs, 16); // salt offset
|
|
295
|
+
header[20] = ephemeralPubRaw.length; // rs offset
|
|
296
296
|
var body = Buffer.concat([header, ephemeralPubRaw, ct, tag]);
|
|
297
297
|
var ttlSec = opts.ttlSec || (28 * 24 * 3600); // allow:raw-time-literal — RFC 8030 §5.2 default
|
|
298
298
|
return {
|
|
@@ -309,7 +309,7 @@ function _hkdf(salt, ikm, info, length) {
|
|
|
309
309
|
// RFC 5869 HKDF-Extract + Expand using SHA-256 (per RFC 8291 / 8188).
|
|
310
310
|
var prk = nodeCrypto.createHmac("sha256", salt).update(ikm).digest();
|
|
311
311
|
// Expand with one-byte counter (length <= 32 always in this use).
|
|
312
|
-
var t = Buffer.concat([info, Buffer.from([0x01])]); //
|
|
312
|
+
var t = Buffer.concat([info, Buffer.from([0x01])]); // HKDF counter start
|
|
313
313
|
var out = nodeCrypto.createHmac("sha256", prk).update(t).digest();
|
|
314
314
|
return out.slice(0, length);
|
|
315
315
|
}
|
|
@@ -751,7 +751,7 @@ function _writeError(res, status, code, message) {
|
|
|
751
751
|
// b.crypto.timingSafeEqual — never `===`.
|
|
752
752
|
|
|
753
753
|
var STRIPE_HMAC_ALG = "hmac-sha256-stripe";
|
|
754
|
-
var STRIPE_SIG_MAX_HEX = 256; //
|
|
754
|
+
var STRIPE_SIG_MAX_HEX = 256; // hex-char anti-DoS cap, not bytes
|
|
755
755
|
var STRIPE_DEFAULT_TOLERANCE_MS = C.TIME.minutes(5); // RFC 3161-ish 5 minute window default
|
|
756
756
|
var STRIPE_MIN_TOLERANCE_MS = C.TIME.seconds(30); // refuse below 30s
|
|
757
757
|
|
|
@@ -764,7 +764,7 @@ function _parseStripeSignatureHeader(header) {
|
|
|
764
764
|
throw new WebhookError("webhook/bad-stripe-header",
|
|
765
765
|
"verify: Stripe-Signature header must be a non-empty string");
|
|
766
766
|
}
|
|
767
|
-
if (header.length > 4096) { //
|
|
767
|
+
if (header.length > 4096) { // anti-DoS header cap
|
|
768
768
|
throw new WebhookError("webhook/bad-stripe-header",
|
|
769
769
|
"verify: Stripe-Signature header exceeds 4096 bytes");
|
|
770
770
|
}
|
|
@@ -189,9 +189,9 @@ var CLOSE_GRACE_MS = C.TIME.seconds(2);
|
|
|
189
189
|
// IANA-registered. 4000..4999 are private-use. Anything else is
|
|
190
190
|
// invalid.
|
|
191
191
|
function _isValidCloseCode(code) {
|
|
192
|
-
if (code === 1004 || code === 1005 || code === 1006 || code === 1015) return false; //
|
|
193
|
-
if (code >= 1000 && code <= 1011) return true; // allow:raw-
|
|
194
|
-
if (code >= 3000 && code <= 4999) return true; // allow:raw-
|
|
192
|
+
if (code === 1004 || code === 1005 || code === 1006 || code === 1015) return false; // RFC 6455 §7.4.2 reserved codes
|
|
193
|
+
if (code >= 1000 && code <= 1011) return true; // allow:raw-time-literal — code is a numeric, not seconds
|
|
194
|
+
if (code >= 3000 && code <= 4999) return true; // allow:raw-time-literal — code is a numeric, not seconds
|
|
195
195
|
return false;
|
|
196
196
|
}
|
|
197
197
|
|
|
@@ -1322,7 +1322,7 @@ function handleUpgrade(req, socket, head, opts) {
|
|
|
1322
1322
|
// breaking the upgrade in a way that's hard to diagnose; the format
|
|
1323
1323
|
// check at the top of handleUpgrade catches it loudly. Empty /
|
|
1324
1324
|
// undefined falls through to the RFC default in computeAcceptKey.
|
|
1325
|
-
var GUID_MAX_LENGTH = C.BYTES.bytes(64); //
|
|
1325
|
+
var GUID_MAX_LENGTH = C.BYTES.bytes(64); // UUID is 36 chars; 64 is a tolerant upper bound for the regex engine.
|
|
1326
1326
|
if (opts.handshakeGuid !== undefined && opts.handshakeGuid !== null) {
|
|
1327
1327
|
// Length cap before the regex test — UUIDs are exactly 36 chars so
|
|
1328
1328
|
// a > GUID_MAX_LENGTH input never matches the format and shouldn't
|
|
@@ -1341,7 +1341,7 @@ function handleUpgrade(req, socket, head, opts) {
|
|
|
1341
1341
|
// consumer would expect for a malformed request.
|
|
1342
1342
|
var v = validateUpgradeRequest(req, opts);
|
|
1343
1343
|
if (!v.ok) {
|
|
1344
|
-
_refuseUpgrade(socket, v.status || 400, v.reason); //
|
|
1344
|
+
_refuseUpgrade(socket, v.status || 400, v.reason); // HTTP 400 fallback
|
|
1345
1345
|
return null;
|
|
1346
1346
|
}
|
|
1347
1347
|
|
|
@@ -77,9 +77,9 @@ var { WorkerPoolError } = require("./framework-error");
|
|
|
77
77
|
var audit = lazyRequire(function () { return require("./audit"); });
|
|
78
78
|
|
|
79
79
|
var MIN_SIZE = 1;
|
|
80
|
-
var MAX_SIZE = 256; //
|
|
81
|
-
var DEFAULT_MAX_QUEUE_DEPTH = 1024; //
|
|
82
|
-
var MAX_QUEUE_DEPTH_CAP = 1048576; //
|
|
80
|
+
var MAX_SIZE = 256; // sanity ceiling on worker count, not bytes
|
|
81
|
+
var DEFAULT_MAX_QUEUE_DEPTH = 1024; // task-queue depth, not bytes
|
|
82
|
+
var MAX_QUEUE_DEPTH_CAP = 1048576; // task-queue depth ceiling, not bytes
|
|
83
83
|
var DEFAULT_TASK_TIMEOUT_MS = C.TIME.minutes(5);
|
|
84
84
|
var MAX_TASK_TIMEOUT_MS = C.TIME.hours(1);
|
|
85
85
|
|
|
@@ -76,16 +76,16 @@ var DEFAULT_RECONNECT_BASE_MS = C.TIME.seconds(1) / 2;
|
|
|
76
76
|
var DEFAULT_RECONNECT_MAX_MS = C.TIME.seconds(30);
|
|
77
77
|
var DEFAULT_RECONNECT_MAX_ATTEMPTS = 10;
|
|
78
78
|
|
|
79
|
-
var OPCODE_CONT = 0x00; //
|
|
80
|
-
var OPCODE_TEXT = 0x01; //
|
|
81
|
-
var OPCODE_BINARY = 0x02; //
|
|
82
|
-
var OPCODE_CLOSE = 0x08; //
|
|
83
|
-
var OPCODE_PING = 0x09; //
|
|
84
|
-
var OPCODE_PONG = 0x0A; //
|
|
79
|
+
var OPCODE_CONT = 0x00; // RFC 6455 opcode
|
|
80
|
+
var OPCODE_TEXT = 0x01; // RFC 6455 opcode
|
|
81
|
+
var OPCODE_BINARY = 0x02; // RFC 6455 opcode
|
|
82
|
+
var OPCODE_CLOSE = 0x08; // RFC 6455 opcode
|
|
83
|
+
var OPCODE_PING = 0x09; // RFC 6455 opcode
|
|
84
|
+
var OPCODE_PONG = 0x0A; // RFC 6455 opcode
|
|
85
85
|
|
|
86
|
-
var CLOSE_NORMAL = 1000; //
|
|
87
|
-
var CLOSE_GOING_AWAY = 1001; //
|
|
88
|
-
var CLOSE_ABNORMAL = 1006; //
|
|
86
|
+
var CLOSE_NORMAL = 1000; // RFC 6455 close code
|
|
87
|
+
var CLOSE_GOING_AWAY = 1001; // RFC 6455 close code
|
|
88
|
+
var CLOSE_ABNORMAL = 1006; // RFC 6455 close code (synthetic — never on wire)
|
|
89
89
|
|
|
90
90
|
// Permanent vs transient error classifier — used by reconnect logic
|
|
91
91
|
// so client doesn't hammer the server on credentials / handshake
|
|
@@ -360,7 +360,7 @@ class WsClient extends EventEmitter {
|
|
|
360
360
|
|
|
361
361
|
var parsed = dialParsed;
|
|
362
362
|
var port = parsed.port ? parseInt(parsed.port, 10) :
|
|
363
|
-
(parsed.protocol === "wss:" ? 443 : 80); //
|
|
363
|
+
(parsed.protocol === "wss:" ? 443 : 80); // TLS / HTTP default port
|
|
364
364
|
var host = parsed.hostname;
|
|
365
365
|
|
|
366
366
|
function _onError(err) { self._handleSocketError(err); }
|
|
@@ -443,7 +443,7 @@ class WsClient extends EventEmitter {
|
|
|
443
443
|
"Upgrade: websocket",
|
|
444
444
|
"Connection: Upgrade",
|
|
445
445
|
"Sec-WebSocket-Key: " + key,
|
|
446
|
-
"Sec-WebSocket-Version: 13", //
|
|
446
|
+
"Sec-WebSocket-Version: 13", // RFC 6455 §1.9
|
|
447
447
|
];
|
|
448
448
|
if (opts.origin) {
|
|
449
449
|
if (safeBuffer.hasCrlf(opts.origin)) {
|
|
@@ -510,7 +510,7 @@ class WsClient extends EventEmitter {
|
|
|
510
510
|
return;
|
|
511
511
|
}
|
|
512
512
|
var status = parseInt(match[1], 10);
|
|
513
|
-
if (status !== 101) { //
|
|
513
|
+
if (status !== 101) { // HTTP 101
|
|
514
514
|
// Body bytes after the header section are the server's
|
|
515
515
|
// explanation. Surface them on the error so callers can branch
|
|
516
516
|
// on the status code and inspect the body without re-parsing
|
|
@@ -560,7 +560,7 @@ class WsClient extends EventEmitter {
|
|
|
560
560
|
this._negotiatedSubprotocol = negotiatedSubprotocol;
|
|
561
561
|
|
|
562
562
|
this._negotiatedDeflate = false;
|
|
563
|
-
this._negotiatedWindowBits = 15; //
|
|
563
|
+
this._negotiatedWindowBits = 15; // RFC 7692 default windowBits
|
|
564
564
|
if (this._opts.permessageDeflate &&
|
|
565
565
|
(headers["sec-websocket-extensions"] || "").indexOf("permessage-deflate") !== -1) {
|
|
566
566
|
this._negotiatedDeflate = true;
|
|
@@ -572,7 +572,7 @@ class WsClient extends EventEmitter {
|
|
|
572
572
|
var smwbMatch = extLine.match(/server_max_window_bits\s*=\s*"?(\d+)"?/); // allow:regex-no-length-cap — bounded by header line + RFC 7692 §7.1
|
|
573
573
|
if (smwbMatch) {
|
|
574
574
|
var smwb = parseInt(smwbMatch[1], 10);
|
|
575
|
-
if (smwb < 8 || smwb > 15) { //
|
|
575
|
+
if (smwb < 8 || smwb > 15) { // RFC 7692 windowBits range
|
|
576
576
|
this._handleSocketError(new WsClientError("ws-client/deflate-error",
|
|
577
577
|
"server_max_window_bits=" + smwb + " is outside RFC 7692 range [8, 15]"));
|
|
578
578
|
return;
|
|
@@ -635,7 +635,7 @@ class WsClient extends EventEmitter {
|
|
|
635
635
|
frame.opcode === OPCODE_PONG ||
|
|
636
636
|
frame.opcode === OPCODE_CLOSE;
|
|
637
637
|
if (isControl) {
|
|
638
|
-
if (frame.payload.length > 125) { //
|
|
638
|
+
if (frame.payload.length > 125) { // RFC 6455 §5.5 control-frame cap
|
|
639
639
|
this._handleSocketError(new WsClientError("ws-client/control-too-big",
|
|
640
640
|
"control-frame payload exceeds 125 bytes (RFC 6455 §5.5)"));
|
|
641
641
|
return;
|
|
@@ -665,7 +665,7 @@ class WsClient extends EventEmitter {
|
|
|
665
665
|
var code = CLOSE_NORMAL, reason = "";
|
|
666
666
|
if (frame.payload.length >= 2) {
|
|
667
667
|
code = frame.payload.readUInt16BE(0);
|
|
668
|
-
var reasonBytes = frame.payload.subarray(2); //
|
|
668
|
+
var reasonBytes = frame.payload.subarray(2); // RFC 6455 close-frame layout
|
|
669
669
|
try {
|
|
670
670
|
reason = new TextDecoder("utf-8", { fatal: true }).decode(reasonBytes);
|
|
671
671
|
} catch (_e) {
|
|
@@ -711,7 +711,7 @@ class WsClient extends EventEmitter {
|
|
|
711
711
|
if (this._negotiatedDeflate && firstFrameRsv1) {
|
|
712
712
|
try {
|
|
713
713
|
var zlib = require("node:zlib"); // allow:inline-require — zlib only on deflate-negotiated path
|
|
714
|
-
var compressed = Buffer.concat([fullPayload, Buffer.from([0x00, 0x00, 0xff, 0xff])]); //
|
|
714
|
+
var compressed = Buffer.concat([fullPayload, Buffer.from([0x00, 0x00, 0xff, 0xff])]); // RFC 7692 §7.2.2 deflate trailer
|
|
715
715
|
// Decompression-bomb defense: zlib.inflateRawSync's
|
|
716
716
|
// `maxOutputLength` aborts the inflate the moment the
|
|
717
717
|
// output would exceed maxMessageBytes — never decode GBs
|
|
@@ -828,26 +828,26 @@ class WsClient extends EventEmitter {
|
|
|
828
828
|
// mid-codepoint — to be RFC-safe we truncate at code-point
|
|
829
829
|
// boundaries.
|
|
830
830
|
var rb = Buffer.from(reason, "utf8");
|
|
831
|
-
if (rb.length > 123) { //
|
|
831
|
+
if (rb.length > 123) { // RFC 6455 §5.5 (125 - 2)
|
|
832
832
|
// Truncate at last complete codepoint within 123 bytes. Use a
|
|
833
833
|
// fatal TextDecoder to validate; back off one byte at a time
|
|
834
834
|
// until the slice decodes cleanly. Bounded by [123 - 3, 123]
|
|
835
835
|
// since a single UTF-8 codepoint is at most 4 bytes.
|
|
836
836
|
var fatal = new TextDecoder("utf-8", { fatal: true });
|
|
837
|
-
var truncated = rb.subarray(0, 123); //
|
|
838
|
-
for (var bi = 0; bi < 4; bi += 1) { //
|
|
837
|
+
var truncated = rb.subarray(0, 123); // RFC 6455 §5.5
|
|
838
|
+
for (var bi = 0; bi < 4; bi += 1) { // max UTF-8 codepoint width
|
|
839
839
|
try { fatal.decode(truncated); break; }
|
|
840
840
|
catch (_e) { truncated = truncated.subarray(0, truncated.length - 1); }
|
|
841
841
|
}
|
|
842
842
|
rb = truncated;
|
|
843
843
|
}
|
|
844
|
-
var payload = Buffer.alloc(2 + rb.length); //
|
|
844
|
+
var payload = Buffer.alloc(2 + rb.length); // RFC 6455 close-frame layout
|
|
845
845
|
payload.writeUInt16BE(code, 0);
|
|
846
|
-
rb.copy(payload, 2); //
|
|
846
|
+
rb.copy(payload, 2); // RFC 6455 close-frame layout
|
|
847
847
|
this._readyState = "closing";
|
|
848
848
|
this._sendFrame(OPCODE_CLOSE, payload, { fin: true });
|
|
849
849
|
var self = this;
|
|
850
|
-
setTimeout(function () { self._teardown(code, reason, false); }, 1000).unref(); //
|
|
850
|
+
setTimeout(function () { self._teardown(code, reason, false); }, 1000).unref(); // graceful close grace window
|
|
851
851
|
}
|
|
852
852
|
|
|
853
853
|
_teardown(code, reason, willReconnect) {
|
|
@@ -921,7 +921,7 @@ class WsClient extends EventEmitter {
|
|
|
921
921
|
_scheduleReconnect() {
|
|
922
922
|
var rOpts = this._opts.reconnectOpts;
|
|
923
923
|
this._reconnectAttempt += 1;
|
|
924
|
-
var attempt = Math.min(this._reconnectAttempt, 30); //
|
|
924
|
+
var attempt = Math.min(this._reconnectAttempt, 30); // clamp 2^attempt overflow
|
|
925
925
|
var ceiling = Math.min(rOpts.maxMs, rOpts.baseMs * Math.pow(2, attempt - 1));
|
|
926
926
|
var delay = Math.floor(Math.random() * ceiling); // allow:math-random-noncrypto — backoff jitter, not security
|
|
927
927
|
var self = this;
|
|
@@ -62,7 +62,7 @@ var XmlC14nError = defineClass("XmlC14nError", { alwaysPermanent: true });
|
|
|
62
62
|
function _xmlErr(code, message) { return new XmlC14nError(code, message); }
|
|
63
63
|
|
|
64
64
|
var MAX_INPUT_BYTES = 8 * 1024 * 1024; // allow:raw-byte-literal — XML doc cap (8 MiB)
|
|
65
|
-
var MAX_DEPTH = 200; //
|
|
65
|
+
var MAX_DEPTH = 200; // element nesting depth ceiling
|
|
66
66
|
|
|
67
67
|
/**
|
|
68
68
|
* @primitive b.xmlC14n.parse
|
|
@@ -172,7 +172,7 @@ function parse(xml) {
|
|
|
172
172
|
if (name.charAt(0) === "#") {
|
|
173
173
|
var code;
|
|
174
174
|
if (name.charAt(1) === "x" || name.charAt(1) === "X") {
|
|
175
|
-
code = parseInt(name.slice(2), 16); //
|
|
175
|
+
code = parseInt(name.slice(2), 16); // hex radix
|
|
176
176
|
} else {
|
|
177
177
|
code = parseInt(name.slice(1), 10);
|
|
178
178
|
}
|