@blamejs/blamejs-shop 0.4.49 → 0.4.50
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/vendor/MANIFEST.json +58 -46
- package/lib/vendor/blamejs/.github/workflows/ci.yml +134 -1
- package/lib/vendor/blamejs/.gitignore +5 -1
- package/lib/vendor/blamejs/CHANGELOG.md +4 -0
- package/lib/vendor/blamejs/README.md +1 -1
- package/lib/vendor/blamejs/SECURITY.md +3 -1
- package/lib/vendor/blamejs/api-snapshot.json +10 -2
- package/lib/vendor/blamejs/lib/bundler.js +2 -7
- package/lib/vendor/blamejs/lib/config-drift.js +17 -3
- package/lib/vendor/blamejs/lib/crypto-field.js +30 -0
- package/lib/vendor/blamejs/lib/db-declare-row-policy.js +20 -1
- package/lib/vendor/blamejs/lib/db-schema.js +29 -0
- package/lib/vendor/blamejs/lib/db.js +7 -0
- package/lib/vendor/blamejs/lib/guard-csv.js +13 -4
- package/lib/vendor/blamejs/lib/local-db-thin.js +23 -1
- package/lib/vendor/blamejs/lib/mail-bimi.js +16 -3
- package/lib/vendor/blamejs/lib/mail-scan.js +2 -5
- package/lib/vendor/blamejs/lib/mail.js +16 -9
- package/lib/vendor/blamejs/lib/mcp.js +28 -6
- package/lib/vendor/blamejs/lib/middleware/bot-disclose.js +7 -5
- package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +6 -4
- package/lib/vendor/blamejs/lib/numeric-bounds.js +32 -0
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +12 -1
- package/lib/vendor/blamejs/lib/object-store/gcs.js +12 -1
- package/lib/vendor/blamejs/lib/object-store/http-put.js +11 -1
- package/lib/vendor/blamejs/lib/object-store/index.js +4 -0
- package/lib/vendor/blamejs/lib/object-store/local.js +11 -1
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +86 -5
- package/lib/vendor/blamejs/lib/parsers/safe-env.js +6 -3
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +6 -6
- package/lib/vendor/blamejs/lib/safe-buffer.js +69 -1
- package/lib/vendor/blamejs/lib/safe-decompress.js +3 -12
- package/lib/vendor/blamejs/lib/seeders.js +33 -39
- package/lib/vendor/blamejs/lib/storage.js +71 -7
- package/lib/vendor/blamejs/lib/vault/rotate.js +4 -13
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.10.json +53 -0
- package/lib/vendor/blamejs/release-notes/v0.15.11.json +52 -0
- package/lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js +90 -16
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +150 -39
- package/lib/vendor/blamejs/test/layer-0-primitives/config-drift.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-aad-downgrade.test.js +96 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-schema-transaction.test.js +110 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/declare-row-policy.test.js +43 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/local-db-thin.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mcp.test.js +25 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/object-store-versioned-delete.test.js +97 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js +94 -0
- package/lib/vendor/blamejs/test/layer-5-integration/bundler-output.test.js +52 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.4.x
|
|
10
10
|
|
|
11
|
+
- v0.4.50 (2026-06-14) — **Refresh the vendored blamejs framework to 0.15.11.** Refreshes the vendored blamejs framework from 0.15.9 to 0.15.11 (through 0.15.10). 0.15.11 replaces a family of quadratic-time regexes that hostile input could exploit to stall a worker with linear-time scans, refuses a relocatable sealed-cell downgrade on the read side, fails closed when row-level security is enabled behind a non-native driver, and verifies the vendored crypto against a reviewed pin. 0.15.10 makes S3 Object-Lock versioned erasure reachable through the object store — a versioned delete that targets a specific object version (refused under an active retention rather than silently writing a delete-marker), plus version enumeration for right-to-erasure workflows — and pins the build toolchain's native bundler binary to a reviewed hash. This refresh carries no shop-facing API change and applies no migration; it keeps the bundled framework current and the security posture aligned with the latest release. **Changed:** *Vendored blamejs refreshed to 0.15.11* — The bundled framework is updated to blamejs 0.15.11. Across 0.15.10 and 0.15.11 it hardens a family of regular expressions against quadratic-time blow-up on hostile input (linear-time scans), refuses a relocatable sealed-cell downgrade when reading, fails closed when row-level security is enabled behind a driver that can't enforce it, adds versioned object erasure for S3 Object-Lock buckets (a versioned delete that refuses an active retention instead of leaving the data behind a delete-marker, plus version enumeration), and pins the build toolchain's native binary to a reviewed hash. Storefront and admin behaviour is unchanged by the refresh; the framework's PQC-first crypto, security middleware, and request lifecycle are carried forward as-is.
|
|
12
|
+
|
|
11
13
|
- v0.4.49 (2026-06-14) — **A stock write-off or audit adjustment can no longer strand a paid hold by dropping on-hand below what's reserved.** An operator stock write-off and a cycle-count audit adjustment both debit on-hand stock through the location adjustment, which guarded only against the shelf going below zero — not below the quantity already reserved by outstanding held allocations. So a write-off (or an audit-applied negative variance) could drop a location's on-hand below its outstanding holds, and when one of those holds later committed at fulfillment its debit would fail, stranding a paid order that could no longer be picked. Write-offs and audit adjustments now refuse a debit that would push on-hand below the held quantity for that SKU at that location (un-pinned holds count against every location), enforced inside the write so concurrent debits can't slip past it. A hold's own commit debit is unaffected — that stock is already reserved to it. No migration to apply. **Fixed:** *Stock write-offs and audit adjustments respect reserved holds* — The location stock adjustment now takes a hold-respecting mode used by write-offs and audit variance application: a debit is refused when it would drop on-hand below the outstanding held quantity for the SKU at that location, evaluated atomically as part of the write (un-pinned holds count against every location, matching the availability rule). Previously these operator adjustments only prevented on-hand from going negative, so they could shrink the shelf below what paid/committed holds had reserved — and the hold's later commit would then fail at fulfillment. Committing a hold still debits normally, since that stock is already reserved to it.
|
|
12
14
|
|
|
13
15
|
- v0.4.48 (2026-06-14) — **Hardening: pickup scheduling integrity, the save-for-later CSRF token, a store-credit expiry race, and gift-card ledger verification.** A batch of correctness and security hardening. A click-and-collect pickup already marked ready could be silently un-readied by re-scheduling it, which the pickup state machine has no transition for; re-scheduling in place is now restricted to a pending pickup. The pickup capacity gate counted bookings and then inserted in two steps, so two concurrent checkouts could over-book a full time slot; the cap is now enforced inside the write atomically. The authenticated Save-for-later cart action (POST /cart/lines/:line_id/save) inherited the edge cart forms' CSRF exemption by a path-prefix accident and shipped without requiring a token; it now demands the double-submit CSRF token like any other authenticated mutation, while the genuinely token-less edge cart forms stay exempt. Two concurrent store-credit expiry sweeps could over-burn still-valid credit; the sweep is now atomic and idempotent. And the gift-card ledger's chain verification accepted a populated ledger whose hash columns had all been cleared — a full-ledger rewrite read as verified; an unanchored populated chain now fails verification, while a genuinely empty ledger still passes. No migration to apply. **Fixed:** *A ready pickup can't be un-readied by re-scheduling* — Re-scheduling a click-and-collect pickup in place is now allowed only while it is still scheduled. A pickup already marked ready (its goods on the hold shelf) no longer regresses to scheduled and loses its ready timestamp when re-scheduled — the pickup state machine has no ready-to-scheduled transition, so the operator completes or escalates a ready pickup instead. · *Pickup time slots can't be over-booked under concurrency* — The pickup capacity limit is now enforced inside the booking write as a single conditional insert gated on the live count for the time slot, so two checkouts booking the same nearly-full slot at once can't both slip past the limit. Previously the count and the insert were separate steps, leaving a window where concurrent bookings over-filled a slot. · *Concurrent store-credit expiry sweeps can't over-burn valid credit* — The store-credit expiry sweep now burns expired credit atomically: the amount to expire is computed inside the write and conditioned on the credit still being unexpired, so a second sweep running at the same time finds nothing left to burn and can't dip into still-valid balance. Previously the sweep read the expirable total and then wrote in separate steps, so two concurrent sweeps could double-burn. **Security:** *The save-for-later cart action now requires its CSRF token* — POST /cart/lines/:line_id/save is a login-required cart mutation rendered only on the session-bound cart page, but it sat under the /cart/lines path prefix that exempts the cookie-less, token-less edge cart forms from CSRF — so it inherited that exemption and accepted state changes without a double-submit token. The exemption now carves this authenticated path back into CSRF protection from a single source shared by the request guard and the form renderer (so the set the guard enforces and the set the renderer tokenizes can't drift), while the legitimate edge cart forms remain exempt. · *A hash-cleared gift-card ledger no longer verifies as valid* — The gift-card ledger's chain verification reported a populated ledger whose hash-chain columns had all been nulled as verified — so an attacker who rewrote balances and cleared the chain hashes could pass verification undetected. A populated ledger with no chain anchor now fails verification; a genuinely empty ledger (no rows) still passes.
|
package/lib/asset-manifest.json
CHANGED
package/lib/vendor/MANIFEST.json
CHANGED
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
"_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
|
|
4
4
|
"packages": {
|
|
5
5
|
"blamejs": {
|
|
6
|
-
"version": "0.15.
|
|
7
|
-
"tag": "v0.15.
|
|
6
|
+
"version": "0.15.11",
|
|
7
|
+
"tag": "v0.15.11",
|
|
8
8
|
"license": "Apache-2.0",
|
|
9
9
|
"author": "blamejs contributors",
|
|
10
10
|
"source": "https://github.com/blamejs/blamejs",
|
|
@@ -818,6 +818,8 @@
|
|
|
818
818
|
"release-notes/v0.14.x.json": "lib/vendor/blamejs/release-notes/v0.14.x.json",
|
|
819
819
|
"release-notes/v0.15.0.json": "lib/vendor/blamejs/release-notes/v0.15.0.json",
|
|
820
820
|
"release-notes/v0.15.1.json": "lib/vendor/blamejs/release-notes/v0.15.1.json",
|
|
821
|
+
"release-notes/v0.15.10.json": "lib/vendor/blamejs/release-notes/v0.15.10.json",
|
|
822
|
+
"release-notes/v0.15.11.json": "lib/vendor/blamejs/release-notes/v0.15.11.json",
|
|
821
823
|
"release-notes/v0.15.2.json": "lib/vendor/blamejs/release-notes/v0.15.2.json",
|
|
822
824
|
"release-notes/v0.15.3.json": "lib/vendor/blamejs/release-notes/v0.15.3.json",
|
|
823
825
|
"release-notes/v0.15.4.json": "lib/vendor/blamejs/release-notes/v0.15.4.json",
|
|
@@ -1065,6 +1067,7 @@
|
|
|
1065
1067
|
"test/layer-0-primitives/credential-hash.test.js": "lib/vendor/blamejs/test/layer-0-primitives/credential-hash.test.js",
|
|
1066
1068
|
"test/layer-0-primitives/crypto-base64url.test.js": "lib/vendor/blamejs/test/layer-0-primitives/crypto-base64url.test.js",
|
|
1067
1069
|
"test/layer-0-primitives/crypto-envelope.test.js": "lib/vendor/blamejs/test/layer-0-primitives/crypto-envelope.test.js",
|
|
1070
|
+
"test/layer-0-primitives/crypto-field-aad-downgrade.test.js": "lib/vendor/blamejs/test/layer-0-primitives/crypto-field-aad-downgrade.test.js",
|
|
1068
1071
|
"test/layer-0-primitives/crypto-field-derived-hash.test.js": "lib/vendor/blamejs/test/layer-0-primitives/crypto-field-derived-hash.test.js",
|
|
1069
1072
|
"test/layer-0-primitives/crypto-field-dual-read-migrate.test.js": "lib/vendor/blamejs/test/layer-0-primitives/crypto-field-dual-read-migrate.test.js",
|
|
1070
1073
|
"test/layer-0-primitives/crypto-field-per-row-key.test.js": "lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js",
|
|
@@ -1104,6 +1107,7 @@
|
|
|
1104
1107
|
"test/layer-0-primitives/db-role-for.test.js": "lib/vendor/blamejs/test/layer-0-primitives/db-role-for.test.js",
|
|
1105
1108
|
"test/layer-0-primitives/db-schema-drift.test.js": "lib/vendor/blamejs/test/layer-0-primitives/db-schema-drift.test.js",
|
|
1106
1109
|
"test/layer-0-primitives/db-schema-reconcile-emittable.test.js": "lib/vendor/blamejs/test/layer-0-primitives/db-schema-reconcile-emittable.test.js",
|
|
1110
|
+
"test/layer-0-primitives/db-schema-transaction.test.js": "lib/vendor/blamejs/test/layer-0-primitives/db-schema-transaction.test.js",
|
|
1107
1111
|
"test/layer-0-primitives/db-stream-and-payload-shape.test.js": "lib/vendor/blamejs/test/layer-0-primitives/db-stream-and-payload-shape.test.js",
|
|
1108
1112
|
"test/layer-0-primitives/db-vacuum.test.js": "lib/vendor/blamejs/test/layer-0-primitives/db-vacuum.test.js",
|
|
1109
1113
|
"test/layer-0-primitives/db-worm.test.js": "lib/vendor/blamejs/test/layer-0-primitives/db-worm.test.js",
|
|
@@ -1279,6 +1283,7 @@
|
|
|
1279
1283
|
"test/layer-0-primitives/notify.test.js": "lib/vendor/blamejs/test/layer-0-primitives/notify.test.js",
|
|
1280
1284
|
"test/layer-0-primitives/numeric-bounds.test.js": "lib/vendor/blamejs/test/layer-0-primitives/numeric-bounds.test.js",
|
|
1281
1285
|
"test/layer-0-primitives/oauth-callback.test.js": "lib/vendor/blamejs/test/layer-0-primitives/oauth-callback.test.js",
|
|
1286
|
+
"test/layer-0-primitives/object-store-versioned-delete.test.js": "lib/vendor/blamejs/test/layer-0-primitives/object-store-versioned-delete.test.js",
|
|
1282
1287
|
"test/layer-0-primitives/observability-tracing.test.js": "lib/vendor/blamejs/test/layer-0-primitives/observability-tracing.test.js",
|
|
1283
1288
|
"test/layer-0-primitives/observability.test.js": "lib/vendor/blamejs/test/layer-0-primitives/observability.test.js",
|
|
1284
1289
|
"test/layer-0-primitives/openapi.test.js": "lib/vendor/blamejs/test/layer-0-primitives/openapi.test.js",
|
|
@@ -1327,6 +1332,7 @@
|
|
|
1327
1332
|
"test/layer-0-primitives/safe-archive-inspect-unwrap.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-archive-inspect-unwrap.test.js",
|
|
1328
1333
|
"test/layer-0-primitives/safe-async-loops.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-async-loops.test.js",
|
|
1329
1334
|
"test/layer-0-primitives/safe-async-parallel.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-async-parallel.test.js",
|
|
1335
|
+
"test/layer-0-primitives/safe-buffer-linear-scans.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-buffer-linear-scans.test.js",
|
|
1330
1336
|
"test/layer-0-primitives/safe-decompress.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-decompress.test.js",
|
|
1331
1337
|
"test/layer-0-primitives/safe-dns.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-dns.test.js",
|
|
1332
1338
|
"test/layer-0-primitives/safe-ical.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-ical.test.js",
|
|
@@ -1422,7 +1428,7 @@
|
|
|
1422
1428
|
"test/smoke.js": "lib/vendor/blamejs/test/smoke.js"
|
|
1423
1429
|
},
|
|
1424
1430
|
"bundler": "shallow git clone of release tag from github.com/blamejs/blamejs",
|
|
1425
|
-
"bundledAt": "2026-06-
|
|
1431
|
+
"bundledAt": "2026-06-14",
|
|
1426
1432
|
"hashes": {
|
|
1427
1433
|
".clusterfuzzlite/Dockerfile": "sha256:c0f51f4c7d592caea19fdcb658778fe3beda648bb95c3e8809622e1209a18cf1",
|
|
1428
1434
|
".clusterfuzzlite/build.sh": "sha256:b9f5a627272c65f6569fa20dcbb32c383ca3a1183ce2562d481408a2fbaf9881",
|
|
@@ -1439,20 +1445,20 @@
|
|
|
1439
1445
|
".github/workflows/actions-lint.yml": "sha256:d108da8e5eb9041ea245d9e5d6b8386f7d18b89e866663adb7fe78e0801ab68b",
|
|
1440
1446
|
".github/workflows/cflite_batch.yml": "sha256:802702ebad6b041b3f2f960aa4c645017e51f6455de40eb7ee92e8f83374d485",
|
|
1441
1447
|
".github/workflows/cflite_pr.yml": "sha256:618131bb2e66b07a74e9a70ac652aec15611ba271ca676832b7592048cd95ce7",
|
|
1442
|
-
".github/workflows/ci.yml": "sha256:
|
|
1448
|
+
".github/workflows/ci.yml": "sha256:705203a084d0d0682f53da3b86014b34d303e839af5b39c0b5872aab42238322",
|
|
1443
1449
|
".github/workflows/codeql.yml": "sha256:d314708c984aca73e52f888c7372d7eb1d41866ee93354302d22e6b3553fcef4",
|
|
1444
1450
|
".github/workflows/npm-publish.yml": "sha256:d7ca54674d8ba343a0b5e2e6d3a7d3c11242b54ffea1f4cc6e4b036ff51415aa",
|
|
1445
1451
|
".github/workflows/release-container.yml": "sha256:12f101dd4c08590e5b109259849a2f527f767d520990663cd67a7ba51d00b605",
|
|
1446
1452
|
".github/workflows/scorecard.yml": "sha256:aa71fc1bb925b2e69aec2bd8dabe2f8831f0bac660ed6b0905131155af550b3d",
|
|
1447
1453
|
".github/workflows/sha-to-tag-verify.yml": "sha256:48166f90ab60835d9cb1dc3852389d7e39821a54353dea85b6d43fccf12779c1",
|
|
1448
1454
|
".github/zizmor.yml": "sha256:fe08e66c5763dfb4edf1ea33e715f04e514b1baceb3a242241d8a60793db51d2",
|
|
1449
|
-
".gitignore": "sha256:
|
|
1455
|
+
".gitignore": "sha256:00cb03f17beef7fde174953481f2a973715c98c17d5f361b3d18cfc4d59a1a7c",
|
|
1450
1456
|
".gitleaks.toml": "sha256:e97869021bc744236bd882a2af070eebbbc95d211336c60bf179f6521d6ed96b",
|
|
1451
1457
|
".hadolint.yaml": "sha256:46a4fbc587c8e5998430788339cc3f2be8d1014a0466a0781eb2e51e31c6dd32",
|
|
1452
1458
|
".npmrc": "sha256:66f104e7d07c496d2d0409988225e8c0e4ceb8d247dbcac3be75b2128d20ce66",
|
|
1453
1459
|
".pinact.yaml": "sha256:0213ffda55961dc49b64c0a5dfa3c0567419633b1499d57eaf7c8d842d7da6c7",
|
|
1454
1460
|
"ARCHITECTURE.md": "sha256:9b1c8d2b1b7a41838eb348b0a008e4b4369718fd72bfe2974b37155f7536d35b",
|
|
1455
|
-
"CHANGELOG.md": "sha256:
|
|
1461
|
+
"CHANGELOG.md": "sha256:f61811342af353ab58363ccf7475f725a9a6c2e7275115e920277e3bbae6d0c4",
|
|
1456
1462
|
"CODE_OF_CONDUCT.md": "sha256:148a281960fff7c2fe6554dab66da572c72245ddeb00b0d14811558397bff386",
|
|
1457
1463
|
"CONTRIBUTING.md": "sha256:bb4dbdbc8598da31dbce653a8ed322e08ff46560173f2eb67a4d684653948332",
|
|
1458
1464
|
"GOVERNANCE.md": "sha256:906df6afb1f552b27b9acb50f7f96c47b917a2f1021cd4e987dbf4ee0e0a821b",
|
|
@@ -1460,9 +1466,9 @@
|
|
|
1460
1466
|
"LTS-CALENDAR.md": "sha256:8ed8c0051c3d4e14637a24555751b07758fbac2678688d9e1aca2ce312bcf585",
|
|
1461
1467
|
"MIGRATING.md": "sha256:3dcc952a3d4a77d53ff60fb67cb5eb5c3a3db2449d7c71f9c4dc7f868097153c",
|
|
1462
1468
|
"NOTICE": "sha256:f487fa47a11aca0f89e2615cdd3c713e9842abf7a30d8d328eeeae1c864aa774",
|
|
1463
|
-
"README.md": "sha256:
|
|
1464
|
-
"SECURITY.md": "sha256:
|
|
1465
|
-
"api-snapshot.json": "sha256:
|
|
1469
|
+
"README.md": "sha256:3ddcc197b003da0b02db8bdd1aef1e943c94f7eab613c633d6a45bb11d0a80e9",
|
|
1470
|
+
"SECURITY.md": "sha256:d2e91b0765807f1e39ff32b9ba55b7a8cef8c7304962efe794c3d84d0d9e315e",
|
|
1471
|
+
"api-snapshot.json": "sha256:049fbce0407976427de7b75063a6599744e018ba948e0c61301e3b8de768f0d7",
|
|
1466
1472
|
"assets/BlameJS_Logo.png": "sha256:3c65699753c771b48ef9ac7f45bb40815ec19a23afcdd0cd30ef4601bbbe293e",
|
|
1467
1473
|
"assets/BlameJS_Logo.svg": "sha256:dda44f3fb1343d5de9db6b1fcdb75fc649c57e7a99a8e8239fcf852e3841e1a8",
|
|
1468
1474
|
"bench/README.md": "sha256:74202f2507fd840bfc1ac6c681975d9273cf36cca6e0f72655f138337304033c",
|
|
@@ -1751,7 +1757,7 @@
|
|
|
1751
1757
|
"lib/breach-deadline.js": "sha256:8a7d80d03db154de2bd028fbec8f7695b789aea7ba26c3937e843f2242f6006a",
|
|
1752
1758
|
"lib/break-glass.js": "sha256:6d5de5ba5c93d8c2cd2e4cbe15e6067eb0a0a7881d817d95dc3786079b71b141",
|
|
1753
1759
|
"lib/budr.js": "sha256:5572da1872d12fafc312c5c9c75553ce6be69283c067f9648d4e1cc01c09208d",
|
|
1754
|
-
"lib/bundler.js": "sha256:
|
|
1760
|
+
"lib/bundler.js": "sha256:7643dc2ff49757eff457174ac5851a6d34319e7aa79cfe67ea2e974e2cd1c944",
|
|
1755
1761
|
"lib/cache-redis.js": "sha256:661ba39417085682cee1e5524685c9cb1e1277c6f1cef9ca4ae808e457d5499e",
|
|
1756
1762
|
"lib/cache-status.js": "sha256:f82bf22698c9b4fa10b7dc581fd39b83709267f105195908eee29612a14df15d",
|
|
1757
1763
|
"lib/cache.js": "sha256:03014c67a3bb428f936650f0c64800f7d96a3fdda8f1812ae54d7d882c303d17",
|
|
@@ -1782,7 +1788,7 @@
|
|
|
1782
1788
|
"lib/compliance-sanctions-fuzzy.js": "sha256:ec6f76fc40a245ff40a36f59a4d81ac8f20c16c2dbf9462e5c78bb58cbe36ba4",
|
|
1783
1789
|
"lib/compliance-sanctions.js": "sha256:9c924bce4d6fbdd884f6aac385537b5798006569f6370184530f3ef39a64f712",
|
|
1784
1790
|
"lib/compliance.js": "sha256:c6fe0a6398a511f7d8f607345f603e91c2c1708e841527ba9e4b5747a7eff5bc",
|
|
1785
|
-
"lib/config-drift.js": "sha256:
|
|
1791
|
+
"lib/config-drift.js": "sha256:759c0e2630fea9c03ae090c9db6882be4750d107c3a07dbb0cc68f6b94dd4292",
|
|
1786
1792
|
"lib/config.js": "sha256:07e20539293e9e365690addc902bc623e213c5ece972dc5b72199b375a17e66d",
|
|
1787
1793
|
"lib/consent.js": "sha256:7a101c997ad040a2845648670b866425935c3cda96a48dc678723ca2cd20f76d",
|
|
1788
1794
|
"lib/constants.js": "sha256:b64ae02d0ad14def9b572d446aab267f67c458de7e9073c6701786159a6e7960",
|
|
@@ -1793,7 +1799,7 @@
|
|
|
1793
1799
|
"lib/cra-report.js": "sha256:cbfba4d6646f4d32e798594dbc8994cb8b49df65c965691122a93ddf7129539a",
|
|
1794
1800
|
"lib/crdt.js": "sha256:66389cd4aa692b0b6c23404ab3ad1e33de97aebbb4c2c94beb66c09420244fea",
|
|
1795
1801
|
"lib/credential-hash.js": "sha256:9f4bf10f3ee86f03fba90e32778d99e0f9eb5966b826cbd1dc83e6c55000400e",
|
|
1796
|
-
"lib/crypto-field.js": "sha256:
|
|
1802
|
+
"lib/crypto-field.js": "sha256:491788371ef248d601844a900e498a78a1f94b5d367988344f4513d4bfb16e9c",
|
|
1797
1803
|
"lib/crypto-hpke-pq.js": "sha256:f086e23f4f80de9d0713826890bf8bafc0a8ddfa53fe7e87f5a0fed8ffa35caf",
|
|
1798
1804
|
"lib/crypto-hpke.js": "sha256:e9fb595fc16206237edeb738bfe4b037eeee91de9558e09ffe41e0f1e37558a7",
|
|
1799
1805
|
"lib/crypto-oprf.js": "sha256:5c98b56ba2322d3c3f40ac5c849370d927b76a535f19f76448469f349ac2b408",
|
|
@@ -1806,13 +1812,13 @@
|
|
|
1806
1812
|
"lib/dark-patterns.js": "sha256:e54cc6fb591748b937627560ccdfd84da0e84974da5189e15b911e00b3c7e51b",
|
|
1807
1813
|
"lib/data-act.js": "sha256:d5183e4855014241031285285c7707fae1ac51bccff6196381ceb4eeec0e692f",
|
|
1808
1814
|
"lib/db-collection.js": "sha256:cb7aa1f7cf6b7f6bd86829cc54fc27999e97422370283b258e54e4c05c6f0388",
|
|
1809
|
-
"lib/db-declare-row-policy.js": "sha256:
|
|
1815
|
+
"lib/db-declare-row-policy.js": "sha256:aea911d30d8d4108f2f83fd7d91c5f5a3c5be3f1ecec18be4674d7f1f8b39666",
|
|
1810
1816
|
"lib/db-declare-view.js": "sha256:82371eb03f635877f6541850edb617905722c3bcf60f592f28b2d57d44a50bff",
|
|
1811
1817
|
"lib/db-file-lifecycle.js": "sha256:e251def432535110987713b3e15422bd33887c5a67aeb9f0f5cad251ac359660",
|
|
1812
1818
|
"lib/db-query.js": "sha256:ff10f1ff5be12be39b6fe6f000562fa03165b4e58b0b2e862c575659be8fd75d",
|
|
1813
1819
|
"lib/db-role-context.js": "sha256:fa97dd17a8de1278a76a01d7979c3c847295c5efe1f14ab90701ca0e98f9bd3b",
|
|
1814
|
-
"lib/db-schema.js": "sha256:
|
|
1815
|
-
"lib/db.js": "sha256:
|
|
1820
|
+
"lib/db-schema.js": "sha256:5aaef5f61f16dc0913225cb3f134e9ef6d05bf917d15ea35360c8cfbb81de1cd",
|
|
1821
|
+
"lib/db.js": "sha256:daa3f3b4896db661820f393d976d411eece014d323b4913233921b6082fe698d",
|
|
1816
1822
|
"lib/dbsc.js": "sha256:37942972918443cf6ce192524dff61c2ac360b95f27d5e514ce7d665a288ea93",
|
|
1817
1823
|
"lib/ddl-change-control.js": "sha256:efda2a1618e0bf0b5221d59a8eaebec1958cea5394c3b101daf7e209724e3e5c",
|
|
1818
1824
|
"lib/deprecate.js": "sha256:95d227e20cd0b7f1ba5314e0c09432c23ebd405de0d5057f2527e2602cdcf21c",
|
|
@@ -1854,7 +1860,7 @@
|
|
|
1854
1860
|
"lib/guard-archive.js": "sha256:a950667fdf26ae8c4a3b4356a7aa0dc9cb9e1fc970b83eec6b9c9e70b03950f9",
|
|
1855
1861
|
"lib/guard-auth.js": "sha256:4ae4a1b9ab8a3daef009c931f8eceff21bf4281978bb950df51f060909f72f0e",
|
|
1856
1862
|
"lib/guard-cidr.js": "sha256:bdf6a0b959afed4155e89d97300844ff99dc92d88410f82c6c3ae3448e04bb03",
|
|
1857
|
-
"lib/guard-csv.js": "sha256:
|
|
1863
|
+
"lib/guard-csv.js": "sha256:aab5875d766c1bbbd9ca448499d1de16a05ec51584191899d321dc840682fe5f",
|
|
1858
1864
|
"lib/guard-domain.js": "sha256:110be572daec1647a3c20694607ed9dc5a8ae28b2cf2296c65a796390c4b39ca",
|
|
1859
1865
|
"lib/guard-dsn.js": "sha256:57c4899f97e7b78583563a6804d377be80c6b46ab8ae09ba925512a55ca7e138",
|
|
1860
1866
|
"lib/guard-email.js": "sha256:337575789edb0b7af376a68d2f57a0292517b0a7591520ad5c3eeb8ae2f99e6f",
|
|
@@ -1937,7 +1943,7 @@
|
|
|
1937
1943
|
"lib/lazy-require.js": "sha256:1ac3c23e6d59e7c2d5c58e9245703506d4a88244f214b37b972c30b2d947b60c",
|
|
1938
1944
|
"lib/legal-hold.js": "sha256:acb087dfdd857157e012de19e576c6b73e2ca0cc9f9d5235dda394da815bab24",
|
|
1939
1945
|
"lib/link-header.js": "sha256:145387aeccc1eb6cfa63d42a7690c166673df5b0fc2dd77b69654d293f36a153",
|
|
1940
|
-
"lib/local-db-thin.js": "sha256:
|
|
1946
|
+
"lib/local-db-thin.js": "sha256:387adb8396afbabe41d1b1fd8fc943162916b607c970843d0a0e79e7841403fc",
|
|
1941
1947
|
"lib/log-stream-cloudwatch.js": "sha256:0482086871bfb0de4a0039a8d90556a2730fa61c59da9749e09380f754967b73",
|
|
1942
1948
|
"lib/log-stream-local.js": "sha256:1b0926149cf08fb61f2dd55914c5442b1659d322fe6235e473f941e19483d37e",
|
|
1943
1949
|
"lib/log-stream-otlp-grpc.js": "sha256:cc1dea9411030d0c468e86331143fad25a0f79757b25dd0866646be55abae298",
|
|
@@ -1951,7 +1957,7 @@
|
|
|
1951
1957
|
"lib/mail-arc-sign.js": "sha256:ab7a36916d78e60664d4509133cb834bf20c5dacb298404b209d4da991b4cfd5",
|
|
1952
1958
|
"lib/mail-arf.js": "sha256:13163945823f1cdc4bc3b5ae16b40bedeaea5f4a161f64340398523c9f54659c",
|
|
1953
1959
|
"lib/mail-auth.js": "sha256:aa6e3c128569a36af81a3651cc24f0eb60bde0ec5390ce6ba1b0838551502c5a",
|
|
1954
|
-
"lib/mail-bimi.js": "sha256:
|
|
1960
|
+
"lib/mail-bimi.js": "sha256:8bb7b37a3d6388a27a8ad9821f14e757546556fa6e007f26e5b6d7eee2c2ec7f",
|
|
1955
1961
|
"lib/mail-bounce.js": "sha256:62568978504fb7d3536d701755be22c6c45ea4028abf3691811034a6aa705632",
|
|
1956
1962
|
"lib/mail-crypto-pgp.js": "sha256:e95fc89120f5f1d99cd3219a779788e9208fb5ad0931c6407b3f27098323a6a1",
|
|
1957
1963
|
"lib/mail-crypto-smime.js": "sha256:edd1b7105c10e0604d0ec94e7b40acf3a8d746c849560f1f1a9be8e2122c9afd",
|
|
@@ -1965,7 +1971,7 @@
|
|
|
1965
1971
|
"lib/mail-mdn.js": "sha256:bba82a7ecfcf6f14ccd5d57d1c298b2ed3e565880e1df276fd2d39eded4ab674",
|
|
1966
1972
|
"lib/mail-rbl.js": "sha256:5c84c0505d4255c3fdc44077b9a98926036ee42bffd6d340095f622554a12769",
|
|
1967
1973
|
"lib/mail-require-tls.js": "sha256:1480690ff0f31fa3ab587c17c03fb396649b24cf684aedc6bd0b51e3092529c9",
|
|
1968
|
-
"lib/mail-scan.js": "sha256:
|
|
1974
|
+
"lib/mail-scan.js": "sha256:38836e4e85c60db5fcf4fa5f4e24d7509baf42848aacb34b2715d57c75f0a782",
|
|
1969
1975
|
"lib/mail-send-deliver.js": "sha256:ae48461c5394414d75cc69cf8d38e77741ee0158929ff3d0b057660b68221783",
|
|
1970
1976
|
"lib/mail-server-imap.js": "sha256:334bc4d189d021773529dd116a02d1f0fb3e034558b5f4a3c7c9b4d4dbe4a419",
|
|
1971
1977
|
"lib/mail-server-jmap.js": "sha256:42aab47bc973588a3fafb7823467d7f044bb08da48795634bc6dee59fea1aec4",
|
|
@@ -1982,9 +1988,9 @@
|
|
|
1982
1988
|
"lib/mail-store-fts.js": "sha256:786668ce0c8611a5278ef07cabc8188372f778981191f7e6174e0a6d5f7a8c35",
|
|
1983
1989
|
"lib/mail-store.js": "sha256:a95a6d3b3a73d12ab78a12031bd740c6a9e20d7eed8bae4284664071572be6dc",
|
|
1984
1990
|
"lib/mail-unsubscribe.js": "sha256:2944fd1103f00a202d704b0f3479f96c6aa3345be8cbafa2e0711ded111a3109",
|
|
1985
|
-
"lib/mail.js": "sha256:
|
|
1991
|
+
"lib/mail.js": "sha256:63301e9a8416ac7b93f4703b8d30f2a8cd913d89165559a031916ce9ae7b160d",
|
|
1986
1992
|
"lib/mcp-tool-registry.js": "sha256:e768f0070bbfce30cdbc95a012104eb4528d9596f1ba5b1acbf28d805ae8a876",
|
|
1987
|
-
"lib/mcp.js": "sha256:
|
|
1993
|
+
"lib/mcp.js": "sha256:d9be6805dc1dd13bf5871465aaa603ab43148d61fc9a4951ac83454264b66c25",
|
|
1988
1994
|
"lib/mdoc.js": "sha256:c40087fe58cffb09c5a3b78cfd1c6063c1352c695b37c663ad95e855bb16742c",
|
|
1989
1995
|
"lib/metrics.js": "sha256:b04adea462bb176bf52556c13c19d627d4223485cf30b7a2e06cb95b7ce5e6a9",
|
|
1990
1996
|
"lib/middleware/age-gate.js": "sha256:6ad04b98d8647a5ebcef9d89de15113eef02b01c7c8a51d375da93cd899722c3",
|
|
@@ -1995,7 +2001,7 @@
|
|
|
1995
2001
|
"lib/middleware/attach-user.js": "sha256:776424918bf302378da99a85ff20c91a42f8c9f528ab435cd7a06b95ec523d6d",
|
|
1996
2002
|
"lib/middleware/bearer-auth.js": "sha256:7835656ed33f02cda2b08bedb7ee8f52e035b5319ff8cfa73a3d0fe62611a2ea",
|
|
1997
2003
|
"lib/middleware/body-parser.js": "sha256:2016447bd64afe411ca6b4fc322408de032663da646577fba635c70d362c7bdb",
|
|
1998
|
-
"lib/middleware/bot-disclose.js": "sha256:
|
|
2004
|
+
"lib/middleware/bot-disclose.js": "sha256:0e02b7886c0f8a613d2896f9e20c303831ad75515e94130b8a2917d874c8a9c9",
|
|
1999
2005
|
"lib/middleware/bot-guard.js": "sha256:804c5925d87583ccb7660dfe597d37234f1ae823e6751f4121de5626629f6102",
|
|
2000
2006
|
"lib/middleware/clear-site-data.js": "sha256:6bd806673e0a12ac284bad04ab3dbce7ece25ab523e81ed057665acb593b5023",
|
|
2001
2007
|
"lib/middleware/compose-pipeline.js": "sha256:160719627523db40f35bfada8c9df670c93ffec042890698936497c2c0f20bdb",
|
|
@@ -2037,7 +2043,7 @@
|
|
|
2037
2043
|
"lib/middleware/security-headers.js": "sha256:9695677c991a2989ff87275d0d1baa3ba47e4d40a30ee5be7daa21f7c5db2e13",
|
|
2038
2044
|
"lib/middleware/security-txt.js": "sha256:453cbcdca396847ed8aa46757bb8977fda950f4d6fbd50172412c3970344e37b",
|
|
2039
2045
|
"lib/middleware/span-http-server.js": "sha256:9fb94fa14c41b2969cce5bc9877ce49de3576d3991cfc7cc64ef2129fdec2cb6",
|
|
2040
|
-
"lib/middleware/speculation-rules.js": "sha256:
|
|
2046
|
+
"lib/middleware/speculation-rules.js": "sha256:2cd5d20bbe28662017c7da94aef14dcb8b7fdc17190c4dbe0c5ee4fe289cbac6",
|
|
2041
2047
|
"lib/middleware/sse.js": "sha256:d0094cb33fced9bc748edd1f6d55fba6029ff3bff6da735d72ad5d10806f02f7",
|
|
2042
2048
|
"lib/middleware/trace-log-correlation.js": "sha256:f6a36bfcb666cee5434867b1841092793491491bb9da7bc92626dd93cfa7b0d0",
|
|
2043
2049
|
"lib/middleware/trace-propagate.js": "sha256:876b91a195ae17d6c8916884c10b3fcc54d12ae97d13927e501b58f77e0c306d",
|
|
@@ -2066,18 +2072,18 @@
|
|
|
2066
2072
|
"lib/nonce-store.js": "sha256:f707fc106a893962e1762ed413efafdaf83835002b42fabfc5f5493f42432773",
|
|
2067
2073
|
"lib/notify.js": "sha256:055f5c3bba131e5dffbfc31c941a1f490d80d18c3e7b61fb91724e7f089acead",
|
|
2068
2074
|
"lib/ntp-check.js": "sha256:f775d143173dc6c926e5ffdd7cbe0d8de113f3926fbc06ee83520288a1067a0b",
|
|
2069
|
-
"lib/numeric-bounds.js": "sha256:
|
|
2075
|
+
"lib/numeric-bounds.js": "sha256:c9116b608da34572e1f34009ddaaf3f5631fe6732d3ad0c7b2c9cc96024db3a1",
|
|
2070
2076
|
"lib/numeric-checks.js": "sha256:acc5af6141e942415476b43dfb92dcb8ae243d24d022b619f5e092d15fd6894e",
|
|
2071
2077
|
"lib/object-store/azure-blob-bucket-ops.js": "sha256:eaeceb5366dc49b169af35a6afce7f64048e60651673e7b754cce6ae5b99c50a",
|
|
2072
|
-
"lib/object-store/azure-blob.js": "sha256:
|
|
2078
|
+
"lib/object-store/azure-blob.js": "sha256:b192f2d35b70ce7019a6d669061b87e0a4c12b786136463445be91439c5d087b",
|
|
2073
2079
|
"lib/object-store/gcs-bucket-ops.js": "sha256:da9aed4cd422a3c38557e47e1064b04af37e4d38a9fa9aa46413c6b7e0804a14",
|
|
2074
|
-
"lib/object-store/gcs.js": "sha256:
|
|
2075
|
-
"lib/object-store/http-put.js": "sha256:
|
|
2080
|
+
"lib/object-store/gcs.js": "sha256:efbbdd65cc883f9a86f444b51232b2973b1d5b57ffb8d34b19ce7f3d86b67d15",
|
|
2081
|
+
"lib/object-store/http-put.js": "sha256:f6c89707f40c8b456e2b3c5d589d9ca2fcfa683304bf64677e7210d7a6847046",
|
|
2076
2082
|
"lib/object-store/http-request.js": "sha256:fd6725426649edcf7c785a9e2ee055d0c45efd4a142bc07c3c199276a5eae9da",
|
|
2077
|
-
"lib/object-store/index.js": "sha256:
|
|
2078
|
-
"lib/object-store/local.js": "sha256:
|
|
2083
|
+
"lib/object-store/index.js": "sha256:53d91d27e19a6a75e3b96fa9a01376dbd6e19dd215cca5b4a0c65a777dd1e42b",
|
|
2084
|
+
"lib/object-store/local.js": "sha256:d220336c5c3b4c69b0821f7e5d67ee68d806e3e1300c565bb044bf07554d6757",
|
|
2079
2085
|
"lib/object-store/sigv4-bucket-ops.js": "sha256:e66942d752ee9ce16228074e252a0bacc061c5c4f0c9c96b731b3076317e29e6",
|
|
2080
|
-
"lib/object-store/sigv4.js": "sha256:
|
|
2086
|
+
"lib/object-store/sigv4.js": "sha256:ab35df71b76a2bff530f7c667e932f6643c4f25f38efe5f5b9c43f6572647a9a",
|
|
2081
2087
|
"lib/observability-otlp-exporter.js": "sha256:8a78ce733f87f8b83414b050a85ce243b13e2a268c501504f5e2f153dfcf04f6",
|
|
2082
2088
|
"lib/observability-tracer.js": "sha256:ab005ecba1ac73c776f038a3957637497fe71fe871cb6a8ec3dbd79339ec9e96",
|
|
2083
2089
|
"lib/observability.js": "sha256:fd581572fb0116f1be8a74b25a7b96d9ccb5722af2a51832d1f88819f30ed7bf",
|
|
@@ -2090,11 +2096,11 @@
|
|
|
2090
2096
|
"lib/outbox.js": "sha256:285807f3a3fe391118672dce6a1c94db104c26c0b267106532d1f8621f1a577c",
|
|
2091
2097
|
"lib/pagination.js": "sha256:2e1c8fbf554bde80fb08c418be811cf3c0af144ab172d2250eb87df4bfadef06",
|
|
2092
2098
|
"lib/parsers/index.js": "sha256:abb1ac7e2aeb2d566d78c749b389fa75c278cc4bf60af3621c650a220a64fcaf",
|
|
2093
|
-
"lib/parsers/safe-env.js": "sha256:
|
|
2099
|
+
"lib/parsers/safe-env.js": "sha256:369539a90de6b5ff997d892cd03d2a8e41fa4b1da3ace0816176ded0221580f0",
|
|
2094
2100
|
"lib/parsers/safe-ini.js": "sha256:01b18bea9194df180f122f06ec45bcf3d09de7609ce617f629a90ba7eb953b7b",
|
|
2095
2101
|
"lib/parsers/safe-toml.js": "sha256:a6c11801d3286a51f21e7f6757c2bad6784f180d8077f6b48223f6d6304bb98f",
|
|
2096
2102
|
"lib/parsers/safe-xml.js": "sha256:16d0cd3eb6b68d76d8ae1edb7b8b5bfdd7f920010782eece894949c18e517bc3",
|
|
2097
|
-
"lib/parsers/safe-yaml.js": "sha256:
|
|
2103
|
+
"lib/parsers/safe-yaml.js": "sha256:0d912c398d0fb80eed5d8ee2feba1dbacb04f2014f485243a06b32cf128478a6",
|
|
2098
2104
|
"lib/permissions.js": "sha256:86ecd3bbf80c65dacdf4a98101d421fa9d97a8632d11c34e578c9b23334b4e9d",
|
|
2099
2105
|
"lib/pick.js": "sha256:928f912af380154ff2aa380419e5a5fbd979f85d90b49bb0b538d75cfb016852",
|
|
2100
2106
|
"lib/pipl-cn.js": "sha256:3cc63a68fda3db7210c5c7fa35a5f4c38d389ce8e20acec7d314c811b25699ea",
|
|
@@ -2130,8 +2136,8 @@
|
|
|
2130
2136
|
"lib/router.js": "sha256:88c2f3883e2f174a3a0970b2c36a0a01fe6be352a5087ee02924705da054dc6e",
|
|
2131
2137
|
"lib/safe-archive.js": "sha256:48a8c985ff590220d69341fb7251e7c477ea2c43c1bdab43c62e2dcb58c0a9d4",
|
|
2132
2138
|
"lib/safe-async.js": "sha256:664d951488285c845295df097e3a6d0626f48737223f652222adc5c344dc3133",
|
|
2133
|
-
"lib/safe-buffer.js": "sha256:
|
|
2134
|
-
"lib/safe-decompress.js": "sha256:
|
|
2139
|
+
"lib/safe-buffer.js": "sha256:b99adf1f1560447f70d53b62743e57f4b6d13852d55a74891ce3473d3f95c803",
|
|
2140
|
+
"lib/safe-decompress.js": "sha256:401663c9fa69f8bdc18799398fdfc4364adf6e4aa4d5ef23b14e11d0b3eac4fc",
|
|
2135
2141
|
"lib/safe-dns.js": "sha256:b7091fa52c4026f72a1fe19f4e4ff1799a3982fca924abbcfadb8d34dda1ce1b",
|
|
2136
2142
|
"lib/safe-ical.js": "sha256:abe620872e1396cd787f7331f34bff043769c16a9d615516e9595d8839072c7a",
|
|
2137
2143
|
"lib/safe-icap.js": "sha256:e3ce5380979b119bc59eda973a7fe073bae294e402c9900cc6ca0aa872c04c38",
|
|
@@ -2154,7 +2160,7 @@
|
|
|
2154
2160
|
"lib/sd-notify.js": "sha256:2ef7395bbdab2ac4eb96083c57d401921c94278545f14427fc88cdd970bdb9eb",
|
|
2155
2161
|
"lib/sec-cyber.js": "sha256:1af157cc5024f5c0b408e8f921d7b671df56315f9e438415eafc7fb031c4a76c",
|
|
2156
2162
|
"lib/security-assert.js": "sha256:4a98cec339c0b421534fc650c9500fe8a1b39f89181d651a58a13e2ff9a8ae0f",
|
|
2157
|
-
"lib/seeders.js": "sha256:
|
|
2163
|
+
"lib/seeders.js": "sha256:49e91d35b92a90df07c5b01ae0dd66e8617be653779ca37dc587fdb65c3ae700",
|
|
2158
2164
|
"lib/self-update-standalone-verifier.js": "sha256:66a946cf9a1567a0ad6f288a4a919085e46e388c634fd6de341033df6ac56b94",
|
|
2159
2165
|
"lib/self-update.js": "sha256:1b44a062249705a7c4b8cc7fb5b5de81da6d08d0833aadc690d16e48d67d982b",
|
|
2160
2166
|
"lib/server-timing.js": "sha256:74f2556480363c860a7c80a3f2bc1adb68fee53aa4335059069fae66a1eb627c",
|
|
@@ -2167,7 +2173,7 @@
|
|
|
2167
2173
|
"lib/ssrf-guard.js": "sha256:65d3d1bf6841064cdf9b9e7ffb5a0a3ac9358e462943f5de09087640353dfac4",
|
|
2168
2174
|
"lib/standard-webhooks.js": "sha256:e604534d48202a41f2c9f6954a990731db80d0693794d3a80f371f843490ff57",
|
|
2169
2175
|
"lib/static.js": "sha256:e9a3d3b3b6d1f67eac9d76b37dfcd14c996f1199453164994e9767dadb066867",
|
|
2170
|
-
"lib/storage.js": "sha256:
|
|
2176
|
+
"lib/storage.js": "sha256:d0eeceac260fa6684f3526a774e58f383178600def9a4fcb7ae9b6cffe00c4e7",
|
|
2171
2177
|
"lib/stream-throttle.js": "sha256:abb1743b4b28c93a5c930a170b4fcc11ba45c5902193913512eab58675a09b2a",
|
|
2172
2178
|
"lib/structured-fields.js": "sha256:c700ed470a4166624c9683107080ce38f1df64c7c3e2c37d1a7258bf71737603",
|
|
2173
2179
|
"lib/subject.js": "sha256:6441706d7c78b722acf322387e19ca7ccf96ce717175af3ab0c34236fc8860fb",
|
|
@@ -2188,7 +2194,7 @@
|
|
|
2188
2194
|
"lib/vault/index.js": "sha256:47dc94fac353d6457f0456ce3ef1dfb225f10fcd2d1b479337b42f46a8bdbaa6",
|
|
2189
2195
|
"lib/vault/passphrase-ops.js": "sha256:094883b5c33a436b467d5e27a4ff6f6349256d9e1fe58d3d22ba02dd743c8925",
|
|
2190
2196
|
"lib/vault/passphrase-source.js": "sha256:33d869d7d3aa55dd96dda7b82be50253b844c2f5b2a546a3f67e5e2c483d9306",
|
|
2191
|
-
"lib/vault/rotate.js": "sha256:
|
|
2197
|
+
"lib/vault/rotate.js": "sha256:1a21e3370f994155876c3d43c01cc9febfa22ed22a7c57b7d13ca5abf0f89239",
|
|
2192
2198
|
"lib/vault/seal-pem-file.js": "sha256:b3df47212003e23d8283a2d9d18389893af10018dc7c3f9c8afb02aa9ba31ee8",
|
|
2193
2199
|
"lib/vault/wrap.js": "sha256:5d8d748c6eb603c018a9f5f5581f4d3270da34ea69dee6d6ef0e5199c727b800",
|
|
2194
2200
|
"lib/vc.js": "sha256:056f1cf35c78fb83e98cfe4acadfaa56987e727ac15787ce5677b0a5ead1470e",
|
|
@@ -2222,7 +2228,7 @@
|
|
|
2222
2228
|
"oss-fuzz/projects/blamejs/README.md": "sha256:ae13b7bb79ed8d69b1b3276e5562807a0349fb6e6b7d11cf1f683aad1eafdb4b",
|
|
2223
2229
|
"oss-fuzz/projects/blamejs/build.sh": "sha256:0ced1cf21782c97be7f8d74faf5e27a308b60b2f858836fb5ca3b8c4e939a8f7",
|
|
2224
2230
|
"oss-fuzz/projects/blamejs/project.yaml": "sha256:59f2cb83aa622325a175b77416fe155be15b70a9c798bd1a78bba05763b1b03d",
|
|
2225
|
-
"package.json": "sha256:
|
|
2231
|
+
"package.json": "sha256:e075e4b1b169186cf0f30c36120cc23ebc114f9068317b0b010350554b9431e1",
|
|
2226
2232
|
"release-notes/v0.0.x.json": "sha256:7a49819f30068ee119000cad7010194882bb8bfaa12acbdab4dfc066efb7982f",
|
|
2227
2233
|
"release-notes/v0.1.x.json": "sha256:6742a8c17f947c5cb76f69dead7eea86b942d80621d914b774ba5488e09937e5",
|
|
2228
2234
|
"release-notes/v0.10.x.json": "sha256:fe498045daf88337bd3d987e5964aa42c99a50e1685b6f09e51f698b8687726f",
|
|
@@ -2232,6 +2238,8 @@
|
|
|
2232
2238
|
"release-notes/v0.14.x.json": "sha256:743ab7b81e3c92fa0f374ac7a9f305d727347ddaed108fd5942ed83061b9d829",
|
|
2233
2239
|
"release-notes/v0.15.0.json": "sha256:32742b028dd57fa3f8e7ee2b39cf0237a61d9426706af5a2f9b8d942be977f06",
|
|
2234
2240
|
"release-notes/v0.15.1.json": "sha256:8f9951830f05cd69209ee8ea3bb6fb160ac18ca07e254e4d21a9491b1b4bd174",
|
|
2241
|
+
"release-notes/v0.15.10.json": "sha256:dfeda04aed22b18a35a6f8ed5200c7bce63bc58bb6af3fc9dcf7ed8fdd44a7a6",
|
|
2242
|
+
"release-notes/v0.15.11.json": "sha256:757e31bd0d646dcdde65bf44ca0bd8e42c95238b0c70dff1314559208b4f7ac9",
|
|
2235
2243
|
"release-notes/v0.15.2.json": "sha256:36e1423dda94ed4e55c660e0fae882019005d8de3ee5e3b6ac4f38ccf8e744a2",
|
|
2236
2244
|
"release-notes/v0.15.3.json": "sha256:19a0074c445545468ca3cc411b21ec8bdb27be2669ae1950347cc244f6aa348c",
|
|
2237
2245
|
"release-notes/v0.15.4.json": "sha256:6ac7fa0ef1728c27e71b2050d1b07a810f9b4b1440ccddbf28ad56e2f54d8585",
|
|
@@ -2330,7 +2338,7 @@
|
|
|
2330
2338
|
"test/integration/object-store-azure.test.js": "sha256:0bb869848c06cfd2fa791839cd4a58282ff3941cda98e59e47728ab04a0fddee",
|
|
2331
2339
|
"test/integration/object-store-gcs.test.js": "sha256:b929cfd3038158c10c5e68612dabffd2c70cff39ad5fe4141f953c68c6f28361",
|
|
2332
2340
|
"test/integration/object-store-sigv4.test.js": "sha256:64cd535e9e38e099364126efab0f49eb4f737247386535250da9159608e71677",
|
|
2333
|
-
"test/integration/object-store-worm-lock.test.js": "sha256:
|
|
2341
|
+
"test/integration/object-store-worm-lock.test.js": "sha256:106f4187ee31db531166c6eccc91a63881bc602afc2fef64dee1be187a7f27c2",
|
|
2334
2342
|
"test/integration/pqc-pkcs8-forward-compat.test.js": "sha256:e638c657bdb91e85a1fa2f81e0c0b266ffe5454e57b08069b615a292dec56230",
|
|
2335
2343
|
"test/integration/pubsub.test.js": "sha256:0a4233eb01466e3f162e136ee716f90ab6db19943e3597a1edbe7aa3c2755962",
|
|
2336
2344
|
"test/integration/queue-redis.test.js": "sha256:bc8d2f9974ca787cfc2f53869638ea2f985da49f3fe7f2322410e99e3758129a",
|
|
@@ -2460,14 +2468,14 @@
|
|
|
2460
2468
|
"test/layer-0-primitives/cluster-storage.test.js": "sha256:5627e621dff001e236b668e04336eb39c9fe08a4a7d45a640e6e7fccce37a022",
|
|
2461
2469
|
"test/layer-0-primitives/cluster-vault-rotation.test.js": "sha256:3514e9e71d6c39e805248f58ad2f41528d091e196c0f3766a032675677161b2d",
|
|
2462
2470
|
"test/layer-0-primitives/cms-codec.test.js": "sha256:7e46078ed82be5b69d22c48f22dba37ea5015371c2a8cf5f94fb1a792fb7bb78",
|
|
2463
|
-
"test/layer-0-primitives/codebase-patterns.test.js": "sha256:
|
|
2471
|
+
"test/layer-0-primitives/codebase-patterns.test.js": "sha256:b58229ff849a773ade72349a6f66ccc2ddcb26947214ff997c0f2b9078151932",
|
|
2464
2472
|
"test/layer-0-primitives/compliance-ai-act.test.js": "sha256:5ee4ad05d12233cb3c5457ef10a727833710bbc1ce1318838f9f9ef5d2cb8d4b",
|
|
2465
2473
|
"test/layer-0-primitives/compliance-cascade.test.js": "sha256:ee02cf14541a837a9d7977c6ea6bf7f9210bed293925d93c976e31f270aebec4",
|
|
2466
2474
|
"test/layer-0-primitives/compliance-eaa.test.js": "sha256:8afb3fa66f3f9452592995e77f5e0644d8c82de2321c551c6f5be6002b2c27a4",
|
|
2467
2475
|
"test/layer-0-primitives/compliance-eu-ai-act-posture.test.js": "sha256:3f45bb76ef390b7cc4396a37153d48f0f9465c5abc59851f0971fcc40c28dcea",
|
|
2468
2476
|
"test/layer-0-primitives/compliance-sanctions.test.js": "sha256:237f7ac9b8d39a2c3daedbede3588cca2c86cc518d28e756cb3faf07d9cb9348",
|
|
2469
2477
|
"test/layer-0-primitives/compliance.test.js": "sha256:d743b6e2df985daed1df4a7808e7e5bf91207d5909f5bd7d8f882e0c27dcfe1b",
|
|
2470
|
-
"test/layer-0-primitives/config-drift.test.js": "sha256:
|
|
2478
|
+
"test/layer-0-primitives/config-drift.test.js": "sha256:c6386ba904744c7a46c10c44ee5c098d94a0c962ff7f77b19df503bccee47093",
|
|
2471
2479
|
"test/layer-0-primitives/config.test.js": "sha256:af0e7dbd7cf2f2c109bf2d3e0eeb5b6e270b9576e27c4719247d2a1ce96cf6b6",
|
|
2472
2480
|
"test/layer-0-primitives/consent-purposes.test.js": "sha256:41e3ab30eac0536eb3228578a6de4b7bbf517d995bb6b23b0db14819c37374e0",
|
|
2473
2481
|
"test/layer-0-primitives/content-credentials.test.js": "sha256:923001403a4ec8744805a2790acffaa6aced38edd0fc5d9fc0114f610eb41185",
|
|
@@ -2479,6 +2487,7 @@
|
|
|
2479
2487
|
"test/layer-0-primitives/credential-hash.test.js": "sha256:cab340489726da55b986f7d92f1e0784da45917387179524e6ce914b125669f8",
|
|
2480
2488
|
"test/layer-0-primitives/crypto-base64url.test.js": "sha256:7bb8b221b2cbb421c855f0fb3f220a641430cbd6f08ae8e039f0f997d5287cc0",
|
|
2481
2489
|
"test/layer-0-primitives/crypto-envelope.test.js": "sha256:e9ea0ed1b3d8e9bf0a026901d64ce999541fa53215d405a501b267b841c588fe",
|
|
2490
|
+
"test/layer-0-primitives/crypto-field-aad-downgrade.test.js": "sha256:176ec0bcd8d21a0cca1554733509be83b699866eec3931dcdb61db399fc96cdf",
|
|
2482
2491
|
"test/layer-0-primitives/crypto-field-derived-hash.test.js": "sha256:3d8e29b5fa44fe20f27c1b3678253dac0a16b3af7ec5c1c97a88b38c7a5c7839",
|
|
2483
2492
|
"test/layer-0-primitives/crypto-field-dual-read-migrate.test.js": "sha256:7fde6e08993b39cea9e5787c7e7b1830ba48c9e810805ac5b7046060740b8cae",
|
|
2484
2493
|
"test/layer-0-primitives/crypto-field-per-row-key.test.js": "sha256:5f8193ca3c6179482c5f2ba7537a407e6ae3452f8a1f505e61c66d7575c29ba8",
|
|
@@ -2518,11 +2527,12 @@
|
|
|
2518
2527
|
"test/layer-0-primitives/db-role-for.test.js": "sha256:db17949e409e62b5b5085b5ffc72ceb7d96d590ac65c547580a0ad1adb81b87b",
|
|
2519
2528
|
"test/layer-0-primitives/db-schema-drift.test.js": "sha256:a94e511540f40f78e6cebeb48d91f09c9808cf8cbdf4cdd6b225bcfd9815b1f2",
|
|
2520
2529
|
"test/layer-0-primitives/db-schema-reconcile-emittable.test.js": "sha256:8c8dc6d433341320c4742f6ffc2f27c89172d4daf8c463692373b43b6bcd773e",
|
|
2530
|
+
"test/layer-0-primitives/db-schema-transaction.test.js": "sha256:3048818a4c77db7fd9f65ee689f91a81fd9987e21393c978d74b064f895b8d30",
|
|
2521
2531
|
"test/layer-0-primitives/db-stream-and-payload-shape.test.js": "sha256:960769d0d86478aa7212d5a2ec6cabf389b84cf0a731d43ac41f1229b8d17f3a",
|
|
2522
2532
|
"test/layer-0-primitives/db-vacuum.test.js": "sha256:087ff26348ce8e2ad9888be350f41691368370853cd82e1453575c43eafbbc3f",
|
|
2523
2533
|
"test/layer-0-primitives/db-worm.test.js": "sha256:bcf66d41d27a374b9e259009b1908bd0f4069ff0bc752783ab00851789b862e8",
|
|
2524
2534
|
"test/layer-0-primitives/ddl-change-control.test.js": "sha256:f9e7c97f75c8aa98a4723d43d15690dc54a562ca7e91fb181fb633926d346ac8",
|
|
2525
|
-
"test/layer-0-primitives/declare-row-policy.test.js": "sha256:
|
|
2535
|
+
"test/layer-0-primitives/declare-row-policy.test.js": "sha256:e263a6a3b3ba9ba6c551dad41200f3559d4ef8c9093618d91f4569e35393fcd8",
|
|
2526
2536
|
"test/layer-0-primitives/declare-view.test.js": "sha256:43bf4ec78c6ad4dd003ad2c29fb2607f6b63a26dc1207641ae13bf43c35b52f7",
|
|
2527
2537
|
"test/layer-0-primitives/defineguard-default-gate-posture-caps.test.js": "sha256:60714e90af6bbdc2a18084406a56da0476b1f474984296108eb864a70b905aca",
|
|
2528
2538
|
"test/layer-0-primitives/deny-response.test.js": "sha256:603a8694cbc557e9023d824c54976fef535f2028c39c4155ac180f7ffb35686c",
|
|
@@ -2625,7 +2635,7 @@
|
|
|
2625
2635
|
"test/layer-0-primitives/keychain.test.js": "sha256:8d6fa2888cd9e6757101c4d211891c5a6bf3f1a88842871ff188edf2d07d80c1",
|
|
2626
2636
|
"test/layer-0-primitives/legal-hold.test.js": "sha256:1444e62543d1046fee3974376729cc9db79313fe4f0fa883204a88cba7809c71",
|
|
2627
2637
|
"test/layer-0-primitives/link-header.test.js": "sha256:c684b000921c6e79d6b9a432e5f2629f36b23fa9a2fc458b9b8d34857304d0fe",
|
|
2628
|
-
"test/layer-0-primitives/local-db-thin.test.js": "sha256:
|
|
2638
|
+
"test/layer-0-primitives/local-db-thin.test.js": "sha256:eaa7ede3b6f9a0f5e75561eef94bdbf8f5b145c3d440d9749a5a1ec11a349f8d",
|
|
2629
2639
|
"test/layer-0-primitives/log-stream-cloudwatch.test.js": "sha256:0e82ddc62b373471c81480051f9d4508f6c5a1f2939f0e06ebd1c0089d3407fd",
|
|
2630
2640
|
"test/layer-0-primitives/log-stream-otlp-grpc.test.js": "sha256:eba3a37acca4e14ffd925b202928e23a5412d54df20b32b20ac2c5535790c8dc",
|
|
2631
2641
|
"test/layer-0-primitives/log-stream-otlp.test.js": "sha256:11ac86b07f2eecfd3326a17003061f2f1b89706f04626041e2c8087d99b30266",
|
|
@@ -2669,7 +2679,7 @@
|
|
|
2669
2679
|
"test/layer-0-primitives/mail-unsubscribe.test.js": "sha256:ffe070b31ae59b1f3cb1582b56f494501dc97a493e89111573a8383fabf1a269",
|
|
2670
2680
|
"test/layer-0-primitives/mail.test.js": "sha256:ef0dafe19c60852542f7cc523dfb0c92347261c43d706eeed58db9934d9f5c50",
|
|
2671
2681
|
"test/layer-0-primitives/mcp-tool-registry.test.js": "sha256:4d9a9a367489d93afcc8e0bca3442e0aefc683e40ddd29e6e2cddbe3a3b8732f",
|
|
2672
|
-
"test/layer-0-primitives/mcp.test.js": "sha256:
|
|
2682
|
+
"test/layer-0-primitives/mcp.test.js": "sha256:896a9b55fd9d21a1ec2b0d0753b5796eb045911ad28992ba17338285406ac2f9",
|
|
2673
2683
|
"test/layer-0-primitives/mdoc.test.js": "sha256:26b7436563fc592f684e2c40e678666654166c4d66a2239e774bc493f1ea65cf",
|
|
2674
2684
|
"test/layer-0-primitives/metrics-shadow-registry.test.js": "sha256:8ea834fd6b549c18976b535660a53aafccb1c6f0b7762086e8dbbc7ab8d832b6",
|
|
2675
2685
|
"test/layer-0-primitives/metrics-snapshot.test.js": "sha256:aa405be22acb6680b062d1de1aa7ce00029e414218a0e4e521e10a14b2254851",
|
|
@@ -2691,8 +2701,9 @@
|
|
|
2691
2701
|
"test/layer-0-primitives/nist-crosswalk.test.js": "sha256:ea8741fec9831d57a907d33ad08822ccdb71942c20482affbef8a68f3d82b1a7",
|
|
2692
2702
|
"test/layer-0-primitives/no-cache.test.js": "sha256:b80e5ae1ad53cbf552423c3b16653c6d011d773f2056fa156e4436fc4f014e9b",
|
|
2693
2703
|
"test/layer-0-primitives/notify.test.js": "sha256:8a7cf548e567cdcf0e6cc6d731c5e2e6fcc364e8838ef411999c324234da3917",
|
|
2694
|
-
"test/layer-0-primitives/numeric-bounds.test.js": "sha256:
|
|
2704
|
+
"test/layer-0-primitives/numeric-bounds.test.js": "sha256:4935cb433e72b15dff77cebef4c580128695c38ae619de6f7b9dd10868cdbbb7",
|
|
2695
2705
|
"test/layer-0-primitives/oauth-callback.test.js": "sha256:757b15b235c9ce2608571c8ff8a79e547858aeaccf3e515d66dae315cb582d5b",
|
|
2706
|
+
"test/layer-0-primitives/object-store-versioned-delete.test.js": "sha256:755a6b0914dc2f51f3d2d3a57ae3c5e013ee071e2edcfc717b7ee153c2ddc061",
|
|
2696
2707
|
"test/layer-0-primitives/observability-tracing.test.js": "sha256:0912c59a2b52ca139a61a06a5f0f57bcd952b0da503656efe6c0e0a3135765f4",
|
|
2697
2708
|
"test/layer-0-primitives/observability.test.js": "sha256:969600b4e53437d0efdb326cd7e4df06f807afd5c5d4f21100091f1c1e764258",
|
|
2698
2709
|
"test/layer-0-primitives/openapi.test.js": "sha256:2e552cbb27b70ac28688632364defc9d063b3b26ff45788012e656bce8ba31e3",
|
|
@@ -2741,6 +2752,7 @@
|
|
|
2741
2752
|
"test/layer-0-primitives/safe-archive-inspect-unwrap.test.js": "sha256:a640456c8cead20769ff3d6dc9c2197cc45444a4c94be42026052a9fcb6b62af",
|
|
2742
2753
|
"test/layer-0-primitives/safe-async-loops.test.js": "sha256:b57502cbcb0c110f1ff0be40e0bc1906d5fdc0fe1b8b09df4467344dc1c5d3ce",
|
|
2743
2754
|
"test/layer-0-primitives/safe-async-parallel.test.js": "sha256:7216af484682b9a30ae6e1c01c09bfeb1d1d439df62c7ef2e618e4ba445b3201",
|
|
2755
|
+
"test/layer-0-primitives/safe-buffer-linear-scans.test.js": "sha256:c6c2ea2b0abbeb45e922fad79870cb4dcff972a521ec1e57cc2cf5759465f3fc",
|
|
2744
2756
|
"test/layer-0-primitives/safe-decompress.test.js": "sha256:ea6556c5e4ea203f43ddf567d982e89b6adda41763be3517799c78d4d466a883",
|
|
2745
2757
|
"test/layer-0-primitives/safe-dns.test.js": "sha256:9eecde000ecf6bd09a5b7e392d956d7f00897687771ce12a24cb502bf8220d55",
|
|
2746
2758
|
"test/layer-0-primitives/safe-ical.test.js": "sha256:4611104506f91ce3d9b1cc38527f09ab3489929714f0a9d81faf383fc83c6244",
|
|
@@ -2829,7 +2841,7 @@
|
|
|
2829
2841
|
"test/layer-0-primitives/worm.test.js": "sha256:0908cfbf7228de39ab68796505c29071d3117571b8a6c07cef7d1fa27d0380b8",
|
|
2830
2842
|
"test/layer-0-primitives/ws-client.test.js": "sha256:b895297726ea0baca1c7cc4c51f8fbf464bd591c5ba4e2ad74bd70b3158b51a7",
|
|
2831
2843
|
"test/layer-1-state/api-key.test.js": "sha256:48d641b673a181746adf80dfa995f0ca29187af17aa4735590557fda4350dcb8",
|
|
2832
|
-
"test/layer-5-integration/bundler-output.test.js": "sha256:
|
|
2844
|
+
"test/layer-5-integration/bundler-output.test.js": "sha256:d54ea7e86cdeb0241d49df70e5c5962ad8a35e3a0a57ff0026361597c4785b0b",
|
|
2833
2845
|
"test/layer-5-integration/external-db-residency.test.js": "sha256:602f23b416800bc6ab5afd5c58fbfb5b63aeef352695b9984326415d6941ef75",
|
|
2834
2846
|
"test/layer-5-integration/guard-host-integration.test.js": "sha256:1f51bc2f94c7f96880f1bd65c8c92730488055219005f0b51ab33d16c8aba680",
|
|
2835
2847
|
"test/layer-5-integration/security-chaos.test.js": "sha256:7459c282a2169b54afb1f6fe36649116553f3f62b6acb454fb4f90cb3b02aa87",
|
|
@@ -82,7 +82,7 @@ jobs:
|
|
|
82
82
|
# runtime deps (everything vendored under lib/vendor/) and each
|
|
83
83
|
# transpilation step is a supply-chain hop. The explicit
|
|
84
84
|
# name@version specifiers are the source-of-truth pin.
|
|
85
|
-
run: npm install --no-audit --no-fund --no-save esbuild@0.28.
|
|
85
|
+
run: npm install --no-audit --no-fund --no-save esbuild@0.28.1 postject@1.0.0-alpha.6
|
|
86
86
|
|
|
87
87
|
- name: Run framework smoke
|
|
88
88
|
# NODE_OPTIONS heap bump — codebase-patterns duplicate-block
|
|
@@ -286,6 +286,139 @@ jobs:
|
|
|
286
286
|
run: |
|
|
287
287
|
gitleaks git --config=.gitleaks.toml --redact --verbose --exit-code=1
|
|
288
288
|
|
|
289
|
+
osv-scan:
|
|
290
|
+
name: OSV-Scanner (vendored-dep known CVEs)
|
|
291
|
+
runs-on: ubuntu-latest
|
|
292
|
+
steps:
|
|
293
|
+
- name: Checkout
|
|
294
|
+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
295
|
+
with:
|
|
296
|
+
persist-credentials: false
|
|
297
|
+
|
|
298
|
+
- name: Set up Node 24.16.0 LTS
|
|
299
|
+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
300
|
+
with:
|
|
301
|
+
node-version: '24.16.0'
|
|
302
|
+
|
|
303
|
+
- name: Build vendored-deps CycloneDX SBOM
|
|
304
|
+
# The framework ships ZERO npm runtime deps — its security-critical
|
|
305
|
+
# crypto (@noble/ciphers, @noble/curves, @noble/post-quantum,
|
|
306
|
+
# @simplewebauthn/server, peculiar-pki) is VENDORED under
|
|
307
|
+
# lib/vendor/, so `npm audit` / Dependabot / Socket never see it.
|
|
308
|
+
# check-vendor-currency.js tracks whether the vendored copies are
|
|
309
|
+
# up to date, but currency is not the same as "no known CVE". This
|
|
310
|
+
# SBOM emits each vendored library as an npm purl so a published
|
|
311
|
+
# advisory can be matched against the exact pinned version we ship.
|
|
312
|
+
run: node scripts/build-vendored-sbom.js > sbom.vendored.cdx.json
|
|
313
|
+
|
|
314
|
+
- name: Install osv-scanner
|
|
315
|
+
# Same posture as the gitleaks gate: pull the OSS binary straight
|
|
316
|
+
# from GitHub releases tracking the latest tag — a CVE-database
|
|
317
|
+
# front-end is a forward-looking security gate, and pinning would
|
|
318
|
+
# silently miss new advisories the scanner learns to surface.
|
|
319
|
+
# Authenticate the API call so the shared-runner-IP unauthenticated
|
|
320
|
+
# rate limit (60/hour) doesn't 403 the install mid-run.
|
|
321
|
+
env:
|
|
322
|
+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
323
|
+
run: |
|
|
324
|
+
set -euo pipefail
|
|
325
|
+
OSV_VERSION=$(curl -fsSL -H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
|
326
|
+
https://api.github.com/repos/google/osv-scanner/releases/latest \
|
|
327
|
+
| grep -oP '"tag_name":\s*"v\K[^"]+' | head -1)
|
|
328
|
+
if [ -z "$OSV_VERSION" ]; then
|
|
329
|
+
echo "::error::Could not resolve latest osv-scanner release tag from GitHub API"
|
|
330
|
+
exit 1
|
|
331
|
+
fi
|
|
332
|
+
echo "[osv-scanner] resolved latest release: v${OSV_VERSION}"
|
|
333
|
+
curl -fsSL "https://github.com/google/osv-scanner/releases/download/v${OSV_VERSION}/osv-scanner_linux_amd64" \
|
|
334
|
+
-o /tmp/osv-scanner
|
|
335
|
+
chmod +x /tmp/osv-scanner
|
|
336
|
+
sudo mv /tmp/osv-scanner /usr/local/bin/osv-scanner
|
|
337
|
+
osv-scanner --version
|
|
338
|
+
|
|
339
|
+
- name: Scan vendored deps for known CVEs
|
|
340
|
+
# Exit 1 on any advisory match. A hit means a published CVE/GHSA
|
|
341
|
+
# affects a version we vendor — refresh the vendored copy (the
|
|
342
|
+
# vendor-currency job points at the upstream release) and re-run.
|
|
343
|
+
run: osv-scanner scan -L sbom.vendored.cdx.json
|
|
344
|
+
|
|
345
|
+
semgrep:
|
|
346
|
+
name: Semgrep (complementary SAST)
|
|
347
|
+
runs-on: ubuntu-latest
|
|
348
|
+
steps:
|
|
349
|
+
- name: Checkout
|
|
350
|
+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
351
|
+
with:
|
|
352
|
+
persist-credentials: false
|
|
353
|
+
|
|
354
|
+
- name: Install Semgrep
|
|
355
|
+
# OSS CLI from PyPI tracking latest — same forward-looking posture
|
|
356
|
+
# as the gitleaks / osv-scanner gates (a SAST ruleset is a moving
|
|
357
|
+
# security target). pipx ships on the ubuntu-latest runner image
|
|
358
|
+
# and installs into an isolated venv, sidestepping PEP-668.
|
|
359
|
+
run: |
|
|
360
|
+
set -euo pipefail
|
|
361
|
+
pipx install semgrep
|
|
362
|
+
semgrep --version
|
|
363
|
+
|
|
364
|
+
- name: Run Semgrep (curated security packs, ERROR severity)
|
|
365
|
+
# Complementary to CodeQL: the Registry security-audit + javascript
|
|
366
|
+
# packs are a different rule set. Scoped to the shipped framework
|
|
367
|
+
# surface (lib/) at ERROR severity — the high-confidence subset —
|
|
368
|
+
# and fails the job on any match (--error). Structural-drift
|
|
369
|
+
# classes a generic SAST rule can't express are covered by the
|
|
370
|
+
# in-repo detector system (codebase-patterns.test.js). A confirmed
|
|
371
|
+
# false positive is silenced with an inline `// nosemgrep: <rule>`
|
|
372
|
+
# carrying the reason, mirroring the detector-allowlist discipline.
|
|
373
|
+
run: |
|
|
374
|
+
semgrep scan \
|
|
375
|
+
--config=p/security-audit \
|
|
376
|
+
--config=p/javascript \
|
|
377
|
+
--severity=ERROR \
|
|
378
|
+
--error \
|
|
379
|
+
--metrics=off \
|
|
380
|
+
--disable-version-check \
|
|
381
|
+
lib/
|
|
382
|
+
|
|
383
|
+
lint-actions:
|
|
384
|
+
name: actionlint (workflow lint)
|
|
385
|
+
runs-on: ubuntu-latest
|
|
386
|
+
steps:
|
|
387
|
+
- name: Checkout
|
|
388
|
+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
389
|
+
with:
|
|
390
|
+
persist-credentials: false
|
|
391
|
+
|
|
392
|
+
- name: Install actionlint
|
|
393
|
+
# OSS binary from GitHub releases (latest), same posture as the
|
|
394
|
+
# gitleaks / osv-scanner gates. actionlint statically checks the
|
|
395
|
+
# workflow YAML for the bug class this project has tripped on — a
|
|
396
|
+
# step referencing a value drifted out of agreement with a pinned
|
|
397
|
+
# tool version, a mistyped expression, an unsafe ${{ }}
|
|
398
|
+
# interpolation of untrusted input into a run block.
|
|
399
|
+
env:
|
|
400
|
+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
401
|
+
run: |
|
|
402
|
+
set -euo pipefail
|
|
403
|
+
AL_VERSION=$(curl -fsSL -H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
|
404
|
+
https://api.github.com/repos/rhysd/actionlint/releases/latest \
|
|
405
|
+
| grep -oP '"tag_name":\s*"v\K[^"]+' | head -1)
|
|
406
|
+
if [ -z "$AL_VERSION" ]; then
|
|
407
|
+
echo "::error::Could not resolve latest actionlint release tag from GitHub API"
|
|
408
|
+
exit 1
|
|
409
|
+
fi
|
|
410
|
+
echo "[actionlint] resolved latest release: v${AL_VERSION}"
|
|
411
|
+
curl -fsSL "https://github.com/rhysd/actionlint/releases/download/v${AL_VERSION}/actionlint_${AL_VERSION}_linux_amd64.tar.gz" \
|
|
412
|
+
| tar -xz -C /tmp actionlint
|
|
413
|
+
sudo mv /tmp/actionlint /usr/local/bin/actionlint
|
|
414
|
+
actionlint --version
|
|
415
|
+
|
|
416
|
+
- name: Run actionlint
|
|
417
|
+
# -color for a readable run log. actionlint shells out to the
|
|
418
|
+
# shellcheck already on the runner for `run:` blocks, so a shell
|
|
419
|
+
# bug inside a workflow step is caught here too.
|
|
420
|
+
run: actionlint -color
|
|
421
|
+
|
|
289
422
|
wiki-source-comment-blocks:
|
|
290
423
|
name: Wiki @module / @primitive comment-block convention
|
|
291
424
|
runs-on: ubuntu-latest
|
|
@@ -98,8 +98,12 @@ scripts/gen-changelog.js
|
|
|
98
98
|
|
|
99
99
|
# CycloneDX SBOM — generated by the npm-publish workflow at publish
|
|
100
100
|
# time and bundled into the tarball; never committed. Local `npm sbom`
|
|
101
|
-
# runs would otherwise leave the file lying around.
|
|
101
|
+
# runs would otherwise leave the file lying around. The vendored-deps
|
|
102
|
+
# variant is generated the same way (release time) and additionally by
|
|
103
|
+
# the OSV-Scanner CI job, which feeds it to the known-CVE scan and then
|
|
104
|
+
# discards it — never committed.
|
|
102
105
|
sbom.cdx.json
|
|
106
|
+
sbom.vendored.cdx.json
|
|
103
107
|
|
|
104
108
|
# OTel collector readback (integration-test fixture) — the collector writes
|
|
105
109
|
# received OTLP batches here for the egress-redaction test to read back; the
|