@blamejs/blamejs-shop 0.4.31 → 0.4.33

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.33 (2026-06-13) — **Raise the Node floor to 24.16.0 and refresh the vendored blamejs to 0.15.7.** A runtime and framework modernization. The minimum Node version is now 24.16.0 (the current LTS line) — the container base image, CI, and the package's engines floor all move together, so a deploy now runs on a Node that carries the latest LTS security patches. The vendored blamejs advances 0.15.6 → 0.15.7, a security and correctness release whose hardening reaches the shop by composition rather than new code: the OIDC ID-token verifier now enforces the authorized-party (azp) check, so a multi-audience token minted for a different client that also lists this shop in its audience array no longer verifies — closing a confused-deputy hole on Sign in with Google and Apple; the URL and host canonicalizer folds IPv4-mapped IPv6 addresses to their embedded IPv4 and strips trailing dots, so a dotted-IPv4 allowlist and a host comparison can't be slipped by an encoding trick on the outbound webhook and payment dials; and audited correctness fixes land in the background scheduler (a watchdog-abandoned run can no longer clobber the next run's state), the retention compliance floor (it now inherits the active compliance posture), credential rehashing (a digest shorter than the configured length is now flagged for upgrade), and SD-JWT key binding (audience and nonce now compare in constant time). No migration to apply. **Changed:** *Minimum Node is now 24.16.0* — The package engines floor, the container Dockerfile base image, the .nvmrc, and every CI runner move from Node 24.14.1 to 24.16.0 (LTS). Operators self-hosting the container or running the app directly must be on Node >= 24.16.0; it is a patch-level move within the same LTS line, so an existing 24.x install updates in place. The deployed container already builds on the new base. · *Vendored blamejs advanced 0.15.6 → 0.15.7* — The shop carries blamejs as a vendored, zero-runtime-dependency copy, refreshed through the vendor pipeline (not hand-edited) with per-file integrity hashes re-stamped. The shop's surface is unchanged — every primitive it composes kept its contract — so there is nothing to migrate; the security and correctness fixes below ride along because the shop already composes the affected primitives. **Security:** *Federated sign-in enforces the OIDC authorized-party check* — The OIDC verifier behind Sign in with Google and Apple now rejects a multi-audience ID token that omits an authorized-party (azp) claim, and any token whose azp is not this shop's client id — per OIDC Core 3.1.3.7. This closes a confused-deputy gap where a token minted for a different relying party, but whose audience array also listed this shop, would verify clean. Single-audience tokens (the common case) are unaffected. · *Outbound-host allowlist comparison resists encoding tricks* — The URL and host canonicalizer the shop runs on operator-supplied webhook endpoints (and the payment-provider dials) now folds an IPv4-mapped IPv6 address to its embedded IPv4 and strips trailing dots before any allowlist or SSRF comparison, so a dual-stack peer can no longer present one host form to the allowlist and resolve to another, and host. / host.. no longer evade a host check.
+
+- v0.4.32 (2026-06-13) — **Refresh the vendored blamejs framework to 0.15.6 — sign-in token hardening, SSRF-safe host canonicalization, and background-delivery reliability fixes.** A vendored-framework refresh from blamejs 0.14.22 to 0.15.6, picking up a run of security and correctness fixes in the foundation the shop is built on. The most shop-relevant: federated sign-in (Sign in with Google / Apple) is hardened — a SAML response whose subject confirmation omits an expiry is rejected instead of treated as fresh forever, and the OIDC ID-token verifier no longer lets a normal token skip expiry validation; the SSRF guard now canonicalizes obfuscated host and IP forms to one string before any allowlist comparison, so encoding tricks can't slip a request past the media-upload fetch or an outbound payment dial; and background delivery is more durable — a crashed publisher's in-flight outbox job is reclaimed, a server-sent-event connection caps its outbound buffer and evicts a stalled client instead of growing the heap, and a worker-pool task queued behind one that timed out is no longer dropped. The vendored tree is the single source of truth and was refreshed through the vendor pipeline, not hand-edited; per-file integrity hashes are re-stamped. No migration to apply. **Changed:** *Vendored blamejs advanced 0.14.22 → 0.15.6* — The shop carries blamejs as a vendored, zero-runtime-dependency copy; this release refreshes it across the 0.15 line. The shop's own surface is unchanged — every primitive it composes kept its contract — so there is nothing to migrate. The improvements below ride along in the foundation. **Fixed:** *Background delivery survives a crashed publisher and a slow client* — The outbox now reclaims a job left in-flight by a publisher that crashed mid-delivery, restoring at-least-once delivery for the shop's queued mail and outbound webhooks; server-sent-event connections cap their per-connection outbound buffer and evict a stalled client instead of growing memory without bound; and a background worker-pool task queued behind one that timed out is no longer silently dropped. A membership query against a sealed (encrypted) column now hashes each candidate so it returns results instead of failing, and a retention preview no longer rewrites the whole database file. **Security:** *Federated sign-in rejects unbounded and expiry-skipped assertions* — On the OIDC and SAML paths the shop uses for Sign in with Google and Apple, a SAML response whose Bearer or Holder-of-Key subject confirmation has no NotOnOrAfter is now refused rather than accepted as never-expiring, and the OIDC ID-token verifier restricts the expiry-validation bypass to back-channel-logout tokens bounded by an issued-at floor — a normal ID token can no longer be accepted past its expiry. · *SSRF allowlist comparison canonicalizes host and IP forms first* — Outbound fetches — the operator media-upload-from-URL path and the payment-provider dials — go through an SSRF guard that now collapses obfuscated host and IP encodings to a single canonical form before checking them, closing the gap where an encoding trick could present one string to the allowlist and resolve to another.
+
 - v0.4.31 (2026-06-13) — **A partial refund on a split-tender order no longer re-credits the gift card on top of the cash refund.** A refund-accounting fix. When an order was paid partly by gift card or redeemed loyalty and partly by cash, a partial refund of the cash slice returned the cash through the payment provider AND ALSO re-credited a proportional share to the gift card and loyalty balance — handing back more value than the refund. On a $50 order paid with a $20 gift card and $30 cash, a $30 refund returned $30 in cash plus $12 to the card: $42 for a $30 refund, and the over-credit landed on spendable balance. Refund accounting is now cash-first: a partial refund draws against the cash captured at checkout, and the gift-card and loyalty tenders are re-credited only for the portion of the cumulative refund that exceeds that cash. A full refund still returns every tender in full, exactly once. The gift-card and loyalty share each order was paid with is recorded at checkout so the refund path apportions correctly; orders placed before this release carry no recorded split and are treated as cash-only on partial refunds, with the full-refund path unchanged. No migration to apply. **Fixed:** *Partial refunds are cash-first on split-tender orders* — A partial refund returns value to the tender the customer was actually charged: the cash captured by the payment provider. The gift-card and loyalty balances are re-credited only once a refund exceeds the cash captured — so refunding the cash portion of a split-tender order returns just the cash, and the card is restored only by a refund that reaches into the credit-paid share or by a full refund. Previously a partial refund re-minted a proportional slice of the gift card and loyalty on every refund, returning more than the amount refunded; because that credit landed on spendable balance, the excess was real and re-usable. · *Reconcile gift-card balances touched by earlier split-tender partial refunds* — Operators who issued partial refunds on orders paid partly by gift card or loyalty before this release should review the affected gift-card balances and loyalty ledgers: those refunds may have credited value above the amount refunded. Full refunds were unaffected — they return each tender once. New refunds apportion correctly.
 
 - v0.4.30 (2026-06-11) — **Privacy exports and erasures now cover every customer-keyed table — including the guest-order claim audit, stock alerts' plaintext email, quotes, ratings, Q&A, operator notes, gift cards, and referrals.** A privacy-completeness release. A subject-access export now walks eight more customer-keyed domains, and erasure handles each with a stated basis: the guest-order claim audit's email hash — a verbatim copy of the lookup key the account erasure deliberately severs, which previously survived in full — is tombstoned under its own derivation while the order linkage stays under the audit basis; a stock-alert subscription's plaintext email is deleted outright; quotes, ratings, and Q&A keep their de-identified business records with the customer's free text and identity keys cleared; operator notes are deleted; gift cards and referral records stay under their accounting basis with the identity links severed. A stock-alert subscription made while signed in now links to the account, so it follows the customer through export and erasure rather than floating free. Every new domain reports in the export's completeness manifest and in the erasure's per-domain results — an unwired reader shows as absent, never silently dropped. No migration to apply. **Changed:** *Six more domains in the export, each with stated erasure semantics* — Quote requests and their negotiation messages, fulfillment ratings, product Q&A, operator customer notes, gift-card issue records, and referral activity (in both directions — as referrer and as referred) now stream into the subject-access export. Erasure treats each by its nature: the customer's quote message and Q&A identity are cleared in place with the de-identified business record retained, ratings and operator notes are deleted, and gift cards and referral accounting stay under their legal-obligation basis with the identity links severed and referred-email hashes tombstoned. Each domain reports its effect in the deletion result, and a deletion preview (dry run) touches nothing — verified per domain. **Fixed:** *Guest-order claim records join the export and erasure* — When a guest order attaches to an account on verified sign-in, the attachment is recorded with the buyer's email hash as the linking key. Those records are now part of the subject-access export, and an erasure tombstones the email hash under a derivation distinct from the account-level tombstone — so the two can never be cross-correlated — while the order linkage itself is retained under the same audit basis orders use. Previously the records were absent from the export, untouched by erasure, and invisible in the completeness manifest, and the surviving hash defeated the account erasure's deliberate severing of that key. · *Stock-alert subscriptions stop outliving an erasure* — A back-in-stock subscription stores the subscriber's email in plaintext — it has to send mail to it — but those rows survived an account erasure and never appeared in the export. The export now includes the customer's subscriptions (minus the bearer token hashes), erasure deletes the rows outright — freeing the address to subscribe again — and a subscription made while signed in is linked to the account so it follows the customer. Anonymous subscriptions keep their existing bounded lifetime and stay reachable by their unsubscribe token.

package/README.md

@@ -12,7 +12,7 @@ Homepage: **https://blamejs.shop**
 
 ## Requirements
 
-- Node.js LTS (>= 24.14.1)
+- Node.js LTS (>= 24.16.0)
 - For a deployable shop: a Cloudflare account (Workers, Containers, D1, R2, KV, Durable Objects). Local development works without it via `node:sqlite`.
 
 ## Install

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.31",
+  "version": "0.4.33",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",