@blamejs/blamejs-shop 0.4.53 → 0.4.55

package/lib/vendor/blamejs/lib/cluster.js

@@ -1089,8 +1089,10 @@ function discoveryHandler() {
         body = { leader: null, self: selfInfo };
         status = 503;
       }
-    } catch (e) {
-      body = { leader: null, self: selfInfo, error: e.message };
+    } catch (_e) {
+      // Generic client-facing reason — the caught error's message (a DB error
+      // detail / DSN / host:port) is not echoed to the client (CWE-209).
+      body = { leader: null, self: selfInfo, error: "leader lookup unavailable" };
       status = 503;
     }
     var json = JSON.stringify(body);

package/lib/vendor/blamejs/lib/guard-filename.js

@@ -80,7 +80,10 @@ var _err = GuardFilenameError.factory;
 //   Windows: < > : " / \ | ? *
 //   Unix:    /
 //   Both:    null and C0 controls (handled separately via codepoint-class)
-var RESERVED_CHARS_RE = /[<>:"/\\|?*]/;
+// Global so reservedCharPolicy:"strip" replaces EVERY reserved char, not just
+// the first (CodeQL js/incomplete-multi-character-sanitization). Only consumer
+// is the .replace() in _sanitize — no stateful .test()/.exec() lastIndex hazard.
+var RESERVED_CHARS_RE = /[<>:"/\\|?*]/g;
 
 // Windows reserved device names (case-insensitive). Match either the
 // bare name or `<name>.<anything>`.
@@ -586,8 +589,9 @@ function _sanitize(input, opts) {
 
   // Strip reserved chars when policy says strip.
   if (opts.reservedCharPolicy === "strip") {
+    // Single global strip — RESERVED_CHARS_RE (now /g) covers the whole
+    // reserved class INCLUDING path separators, so no second pass is needed.
     name = name.replace(RESERVED_CHARS_RE, "_");                            // allow:dynamic-regex — RESERVED_CHARS_RE is a compile-time literal
-    name = name.replace(/[<>:"|?*]/g, "_");
   } else if (opts.reservedCharPolicy === "reject") {
     if (/[<>:"|?*]/.test(name)) {
       throw _err("filename.reserved-char", "filename contains reserved character");

package/lib/vendor/blamejs/lib/http-client-cache.js

@@ -107,7 +107,9 @@ function _parseCacheControl(value) {
     else { k = p.slice(0, eq).trim(); v = p.slice(eq + 1).trim(); }
     // Strip surrounding quotes from value.
     if (v.length >= 2 && v.charAt(0) === '"' && v.charAt(v.length - 1) === '"') {
-      v = v.slice(1, v.length - 1).replace(/\\"/g, "\"").replace(/\\\\/g, "\\");
+      // Single-pass RFC 8941 unescape (chained .replace() mis-decodes
+      // an escaped backslash adjacent to another escape).
+      v = structuredFields.unescapeSfStringBody(v.slice(1, v.length - 1));
     }
     out[k.toLowerCase()] = v;
   }

package/lib/vendor/blamejs/lib/http-message-signature.js

@@ -60,6 +60,7 @@
  */
 
 var nodeCrypto       = require("node:crypto");
+var bCrypto          = require("./crypto");
 var safeUrl          = require("./safe-url");
 var safeBuffer       = require("./safe-buffer");
 var C                = require("./constants");
@@ -406,7 +407,9 @@ function _parseSignatureInput(headerValue) {
       throw _err("BAD_HEADER",
         "httpSig: Signature-Input: unterminated quoted token");
     }
-    var bareName = coveredRaw.slice(qStart, qEnd).replace(/\\\\/g, "\\").replace(/\\"/g, "\"");
+    // Single-pass RFC 8941 §3.3.3 unescape — NOT two chained .replace() passes,
+    // which mis-decode an escaped backslash adjacent to another escape.
+    var bareName = structuredFields.unescapeSfStringBody(coveredRaw.slice(qStart, qEnd));
     i2 = qEnd + 1;
     // Optional ;param=value;param=... suffix immediately following.
     var suffixStart = i2;
@@ -525,13 +528,27 @@ function verify(msg, opts) {
     if (!presented) {
       return { valid: false, reason: "content-digest-header-missing" };
     }
-    var actual = contentDigest(m.body);
-    // RFC 9530 allows multiple algorithms in one header (sha-512=...,
-    // sha-256=...). For SHA3-512 specifically — exact substring match
-    // against the presented header. For peer-supplied SHA-512 / SHA-256
-    // identifiers the operator is responsible for re-validating; this
-    // primitive only auto-checks SHA3-512.
-    if (presented.indexOf(actual.replace(/^sha3-512=/, "sha3-512=")) === -1) {
+    // contentDigest() returns the canonical structured-field form
+    // `sha3-512=:<base64>:`. RFC 9530 permits a multi-member header
+    // (e.g. `sha-256=:...:, sha3-512=:...:`); split on top-level commas and
+    // match the sha3-512 member EXACTLY, in constant time, rather than by an
+    // unanchored substring scan that could spuriously match the digest text
+    // buried inside another member's value or parameters. Peer-supplied
+    // sha-512 / sha-256 identifiers stay the operator's responsibility.
+    var expectedDigest = contentDigest(m.body);           // "sha3-512=:<b64>:"
+    var matchedDigest  = false;
+    var digestMembers  = structuredFields.splitTopLevel(presented, ",");
+    for (var di = 0; di < digestMembers.length; di++) {
+      var member = digestMembers[di].trim();
+      var deq = member.indexOf("=");
+      if (deq < 1) continue;
+      if (member.slice(0, deq).trim().toLowerCase() !== "sha3-512") continue;
+      var memberCanonical = "sha3-512=" + member.slice(deq + 1).trim();
+      // crypto.timingSafeEqual is the length-tolerant constant-time wrapper
+      // (returns false for unequal lengths without leaking via a length branch).
+      if (bCrypto.timingSafeEqual(memberCanonical, expectedDigest)) { matchedDigest = true; break; }
+    }
+    if (!matchedDigest) {
       return { valid: false, reason: "content-digest-mismatch" };
     }
   }

package/lib/vendor/blamejs/lib/log-stream-otlp-grpc.js

@@ -38,6 +38,9 @@ var lazyRequire = require("./lazy-require");
 // scrub attribute values through the telemetry redactor before they cross the
 // OTLP egress boundary (CWE-532).
 var observability = lazyRequire(function () { return require("./observability"); });
+// Lazy — network-tls is widely required; audit an insecure (cert-validation-
+// disabled) outbound TLS session at honor time, same surface as connectWithEch.
+var networkTls = lazyRequire(function () { return require("./network-tls"); });
 
 var _err = LogStreamError.factory;
 var _log = boot("log-stream-otlp-grpc");
@@ -215,7 +218,14 @@ function _makeClient(cfg) {
   var sessionOpts = {};
   if (cfg.ca) sessionOpts.ca = cfg.ca;
   if (cfg.servername) sessionOpts.servername = cfg.servername;
-  if (cfg.allowInsecure) sessionOpts.rejectUnauthorized = false;
+  if (cfg.allowInsecure && url.protocol === "https:") {
+    // allowInsecure only has meaning on a TLS session. For an h2c endpoint
+    // (http://, cleartext HTTP/2) there is no certificate to validate and
+    // nothing to skip, so neither rejectUnauthorized nor the insecure-TLS
+    // audit applies — emitting it there would be a false security event.
+    sessionOpts.rejectUnauthorized = false;
+    networkTls().auditInsecureTls({ host: authority, source: "log-stream.otlp-grpc" });
+  }
   var session = http2.connect(authority, sessionOpts);
   session.on("error", function () { /* surfaced through request err */ });
   if (typeof session.unref === "function") session.unref();
@@ -409,6 +419,7 @@ module.exports = {
   create:                create,
   // Exposed for layer-0 tests that verify the wire encoding without
   // standing up an HTTP/2 server.
+  _makeClient:           _makeClient,
   _encodeAnyValue:       _encodeAnyValue,
   _encodeKeyValue:       _encodeKeyValue,
   _encodeLogRecord:      _encodeLogRecord,

package/lib/vendor/blamejs/lib/log-stream-syslog.js

@@ -37,6 +37,9 @@ var safeAsync = require("./safe-async");
 var safeBuffer = require("./safe-buffer");
 var safeUrl = require("./safe-url");
 var { LogStreamError } = require("./framework-error");
+var lazyRequire = require("./lazy-require");
+// Lazy — audit a cert-validation-disabled syslog/TLS session at honor time.
+var networkTls = lazyRequire(function () { return require("./network-tls"); });
 
 var _err = LogStreamError.factory;
 var log  = boot("log-stream-syslog");
@@ -223,6 +226,9 @@ function create(config) {
       });
       if (cfg.ca) tlsOpts.ca = cfg.ca;
       if (cfg.servername) tlsOpts.servername = cfg.servername;
+      if (cfg.rejectUnauthorized === false) {
+        networkTls().auditInsecureTls({ host: cfg.host, port: cfg.port, source: "log-stream.syslog" });
+      }
       sock = nodeTls.connect(tlsOpts, onConnect);
     } else {
       sock = net.connect(connectOpts, onConnect);

package/lib/vendor/blamejs/lib/log.js

@@ -464,7 +464,11 @@ function boot(name) {
     var stream = (LEVELS[levelName] >= LEVELS.warn) ? process.stderr : process.stdout;
     var isTty = !!(stream && stream.isTTY);
     if (isTty) {
-      sink(prefix + String(msg));
+      // Raw human-readable line — escape BOTH the C0/newline (line-forging)
+      // and bidi (re-ordering) control classes the create() path neutralizes,
+      // so a hostile boot message can't inject lines or re-order the visible
+      // line on a TTY / syslog reader (CWE-117 / Trojan-Source CVE-2021-42574).
+      sink(_escapeBidiControls(_escapeC0Controls(prefix + String(msg))));
       return;
     }
     var entry = {
@@ -474,7 +478,9 @@ function boot(name) {
       component: name,
       boot:      true,
     };
-    sink(JSON.stringify(entry));
+    // JSON.stringify already escapes C0/newlines; bidi/format controls survive
+    // raw into a piped aggregator, so apply the same bidi escape create() uses.
+    sink(_escapeBidiControls(JSON.stringify(entry)));
   }
 
   function debug(msg, fields) {
@@ -560,6 +566,22 @@ function _escapeBidiControls(s) {
   });
 }
 
+// C0 control chars (incl. CR / LF / TAB) + DEL — escaped to `\uXXXX` so a
+// hostile message can't forge extra log lines on a raw (non-JSON) TTY sink
+// (log-injection, CWE-117). The create() path gets this for free from
+// JSON.stringify; the boot() TTY branch writes raw text and needs it
+// explicitly. Pairs with _escapeBidiControls (which only covers the bidi set).
+var _C0_CONTROL_RE = /[\u0000-\u001f\u007f]/g;   // eslint-disable-line no-control-regex -- the C0/DEL set is what we escape
+
+function _escapeC0Controls(s) {
+  if (typeof s !== "string" || s.length === 0) return s;
+  return s.replace(_C0_CONTROL_RE, function (ch) {
+    var code = ch.charCodeAt(0).toString(16);
+    while (code.length < 4) code = "0" + code;
+    return "\\u" + code;
+  });
+}
+
 // runs before safeEnv on the boot path; safeEnv requires log, so log
 // can't go through safeEnv to read its own level.
 function _bootMinLevel() {

package/lib/vendor/blamejs/lib/mail.js

@@ -76,6 +76,8 @@ var networkDns = lazyRequire(function () { return require("./network-dns"); });
 var nodeUrl = require("node:url");
 var numericBounds = require("./numeric-bounds");
 var nodeTls = lazyRequire(function () { return require("node:tls"); });
+// Lazy — audit a cert-validation-disabled SMTP/TLS session at honor time.
+var networkTls = lazyRequire(function () { return require("./network-tls"); });
 var safeJson = require("./safe-json");
 var safeSchema = require("./safe-schema");
 var validateOpts = require("./validate-opts");
@@ -778,6 +780,9 @@ function smtpTransport(opts) {
   var port = opts.port || 587;
   var useImplicitTLS = port === 465 || opts.implicitTls === true;
   var rejectUnauthorized = opts.rejectUnauthorized !== false;
+  if (rejectUnauthorized === false) {
+    networkTls().auditInsecureTls({ host: opts.host, port: port, source: "mail.smtp" });
+  }
   var ehloName = opts.ehloName || "blamejs";
   // GHSA-c7w3-x93f-qmm8 / GHSA-vvjj-xcjg-gr5g (nodemailer CRLF-injection
   // class) — any string concatenated into an outbound SMTP wire command

package/lib/vendor/blamejs/lib/middleware/body-parser.js

@@ -375,6 +375,19 @@ function _detectSmuggling(req) {
   return null;
 }
 
+// Generic, operator-safe status phrase for a client error body — used when the
+// thrown error is NOT a framework-classified BodyParserError (or is a 5xx), so
+// an internal exception's message (fs errno + tmp path, a parse hook's thrown
+// detail) is never echoed to the client (CWE-209 / CodeQL js/stack-trace-exposure).
+var _GENERIC_REASON = {};
+_GENERIC_REASON[HTTP_STATUS.BAD_REQUEST]            = "Bad Request";
+_GENERIC_REASON[HTTP_STATUS.PAYLOAD_TOO_LARGE]      = "Payload Too Large";
+_GENERIC_REASON[HTTP_STATUS.UNSUPPORTED_MEDIA_TYPE] = "Unsupported Media Type";
+_GENERIC_REASON[HTTP_STATUS.INTERNAL_SERVER_ERROR]  = "Internal Server Error";
+function _genericReason(status) {
+  return _GENERIC_REASON[status] || (status >= 500 ? "Internal Server Error" : "Bad Request");
+}
+
 function _writeError(res, status, message, code) {
   if (res.headersSent) return;
   var body = JSON.stringify({ error: message, code: code });
@@ -469,10 +482,13 @@ async function _parseJson(req, opts) {
   }
   if (typeof opts.parseHook === "function") {
     try { parsed = opts.parseHook(parsed); }
-    catch (e) {
+    catch (_e) {
       throw new BodyParserError(
         "body-parser/json-hook",
-        "JSON parseHook failed: " + ((e && e.message) || String(e)),
+        // Operator parseHook threw — surface a fixed, safe message; the hook's
+        // own thrown detail (which may carry secrets) is the operator's to log,
+        // never echoed to the client (CWE-209).
+        "request body rejected by parse hook",
         true, HTTP_STATUS.BAD_REQUEST
       );
     }
@@ -1476,8 +1492,32 @@ function create(opts) {
       }
       var status = (e && typeof e.statusCode === "number") ? e.statusCode : HTTP_STATUS.BAD_REQUEST;
       var code   = (e && typeof e.code === "string") ? e.code : "body-parser/error";
-      var message = (e && e.message) ? e.message : String(e);
-      _writeError(res, status, message, code);
+      // Only a framework-classified 4xx BodyParserError carries a curated,
+      // operator-safe message (malformed JSON, poisoned key, smuggling). Any
+      // other thrown error — and every 5xx — gets a generic status phrase, so
+      // an internal exception (fs errno + tmp path, a parse hook's thrown
+      // secret) is never echoed to the client (CWE-209). The full diagnostic
+      // stays on the audit chain, redacted by safeEmit.
+      // Object(e) tolerates a non-object throw (throw null, or a string from
+      // an operator parse hook) without a truthiness guard on the caught
+      // binding — the caught value is always defined to CodeQL, so `e && …`
+      // reads as a dead sub-condition; this keeps the null-safety explicit.
+      var eo = Object(e);
+      var clientMessage = (eo.isBodyParserError === true && status < 500 && typeof eo.message === "string")
+        ? eo.message
+        : _genericReason(status);
+      try {
+        audit().safeEmit({
+          action:  "body-parser.error",
+          outcome: status >= 500 ? "failure" : "denied",
+          metadata: {
+            status:  status,
+            code:    code,
+            message: (e && e.message) ? String(e.message).slice(0, 256) : "",
+          },
+        });
+      } catch (_e) { /* audit best-effort — never mask the response */ }
+      _writeError(res, status, clientMessage, code);
     }
   };
 }
@@ -1501,9 +1541,11 @@ async function _parseJsonFromBuf(buf, opts) {
   }
   if (typeof opts.parseHook === "function") {
     try { parsed = opts.parseHook(parsed); }
-    catch (e) {
+    catch (_e) {
+      // Operator parseHook threw — fixed safe message; the hook's thrown
+      // detail (possible secrets) is never echoed to the client (CWE-209).
       throw new BodyParserError("body-parser/json-hook",
-        "JSON parseHook failed: " + ((e && e.message) || String(e)), true, HTTP_STATUS.BAD_REQUEST);
+        "request body rejected by parse hook", true, HTTP_STATUS.BAD_REQUEST);
     }
   }
   return parsed;

package/lib/vendor/blamejs/lib/network-dns.js

@@ -149,7 +149,7 @@ function setServers(serverList) {
     throw new DnsError("dns/setservers-failed", "dns.setServers failed: " + e.message);
   }
   _clearCache();
-  _emitObs("network.dns.servers.set", { count: serverList.length });
+  observability().safeEvent("network.dns.servers.set", 1, { count: serverList.length });
 }
 
 function getServers() {
@@ -169,7 +169,7 @@ function setResultOrder(order) {
     try { dns.setDefaultResultOrder(order); } catch (_e) { /* node may not support setter on this version — best-effort */ }
   }
   _clearCache();
-  _emitObs("network.dns.result_order.set", { order: order });
+  observability().safeEvent("network.dns.result_order.set", 1, { order: order });
 }
 
 function setFamily(fam) {
@@ -215,7 +215,7 @@ function useSystemResolver() {
   STATE.systemResolver = true;
   _resetDotPool();
   _clearCache();
-  _emitObs("network.dns.system_resolver.set", {});
+  observability().safeEvent("network.dns.system_resolver.set", 1, {});
 }
 
 function useDnsOverHttps(opts) {
@@ -246,7 +246,7 @@ function useDnsOverHttps(opts) {
   }
   STATE.doh = { url: url, method: method, ca: opts.ca || null };
   _clearCache();
-  _emitObs("network.dns.doh.set", { url: url, method: method || "auto" });
+  observability().safeEvent("network.dns.doh.set", 1, { url: url, method: method || "auto" });
 }
 
 function useDnsOverTls(opts) {
@@ -267,7 +267,7 @@ function useDnsOverTls(opts) {
   };
   _resetDotPool();
   _clearCache();
-  _emitObs("network.dns.dot.set", { host: STATE.dot.host, port: STATE.dot.port });
+  observability().safeEvent("network.dns.dot.set", 1, { host: STATE.dot.host, port: STATE.dot.port });
 }
 
 function _withTimeout(promise, ms, host) {
@@ -1178,13 +1178,13 @@ async function _querySvcbLike(host, qtype, opts) {
     throw new DnsError("dns/bad-transport",
       "dns.querySvcb: transport must be 'doh' | 'dot' | 'system' | undefined");
   }
-  _emitObs("network.dns.svcb.requested", { qtype: qtype, transport: opts.transport || "auto" });
+  observability().safeEvent("network.dns.svcb.requested", 1, { qtype: qtype, transport: opts.transport || "auto" });
   var startMs = _now();
   var reply;
   try {
     reply = await _rawQuery(host, qtype, opts.transport);
   } catch (e) {
-    _emitObs("network.dns.svcb.failure", {
+    observability().safeEvent("network.dns.svcb.failure", 1, {
       latencyMs: _now() - startMs,
       code:      e.code || "unknown",
     });
@@ -1198,7 +1198,7 @@ async function _querySvcbLike(host, qtype, opts) {
     records.push(_parseSvcbRdata(decoded.msg, ans.rdataOff, ans.rdlen));
   }
   records.sort(function (a, b) { return a.priority - b.priority; });
-  _emitObs("network.dns.svcb.success", {
+  observability().safeEvent("network.dns.svcb.success", 1, {
     latencyMs: _now() - startMs,
     count:     records.length,
     qtype:     qtype,
@@ -1322,7 +1322,7 @@ async function discoverEncrypted(opts) {
   try {
     records = await _querySvcbLike(name, DNS_QTYPE_SVCB, { transport: transport });
   } catch (e) {
-    _emitObs("network.dns.ddr.failure", {
+    observability().safeEvent("network.dns.ddr.failure", 1, {
       latencyMs: _now() - startMs,
       code:      e.code || "unknown",
     });
@@ -1333,7 +1333,7 @@ async function discoverEncrypted(opts) {
     throw e;
   }
   if (records.length === 0) {
-    _emitObs("network.dns.ddr.empty", { latencyMs: _now() - startMs });
+    observability().safeEvent("network.dns.ddr.empty", 1, { latencyMs: _now() - startMs });
     throw new DnsError("dns/ddr-not-discovered",
       "dns.discoverEncrypted: resolver returned empty DDR record set at " + name);
   }
@@ -1364,7 +1364,7 @@ async function discoverEncrypted(opts) {
     throw new DnsError("dns/ddr-not-discovered",
       "dns.discoverEncrypted: DDR records present but none advertised a recognized transport (alpn=dot/h2/h3)");
   }
-  _emitObs("network.dns.ddr.success", {
+  observability().safeEvent("network.dns.ddr.success", 1, {
     latencyMs: _now() - startMs,
     count:     resolvers.length,
   });
@@ -1454,7 +1454,7 @@ function useDesignatedResolvers(list) {
         });
       }
       _designatedResolvers = validated.slice();
-      _emitObs("network.dns.dnr.set", {
+      observability().safeEvent("network.dns.dnr.set", 1, {
         count:     validated.length,
         active:    j,
         transport: v.transport,
@@ -1462,7 +1462,7 @@ function useDesignatedResolvers(list) {
       return { active: j, count: validated.length };
     } catch (e) {
       lastErr = e;
-      _emitObs("network.dns.dnr.entry_failed", {
+      observability().safeEvent("network.dns.dnr.entry_failed", 1, {
         index:     j,
         transport: v.transport,
         code:      e.code || "unknown",
@@ -1511,7 +1511,7 @@ async function lookup(host, opts) {
     if (cached.error) throw cached.error;
     return opts.all ? cached.value : cached.value[0];
   }
-  _emitObs("network.dns.lookup.requested", { family: cacheKey });
+  observability().safeEvent("network.dns.lookup.requested", 1, { family: cacheKey });
   var startMs = _now();
   // Resolve secure-DNS default on first use. Idempotent.
   _ensureSecureDefault();
@@ -1546,11 +1546,11 @@ async function lookup(host, opts) {
       throw new DnsError("dns/no-result", "dns lookup of '" + host + "' returned no addresses");
     }
     _cachePutPositive(host, cacheKey, normalized);
-    _emitObs("network.dns.lookup.success", { latencyMs: _now() - startMs, count: normalized.length });
+    observability().safeEvent("network.dns.lookup.success", 1, { latencyMs: _now() - startMs, count: normalized.length });
     return opts.all ? normalized : normalized[0];
   } catch (e) {
     _cachePutNegative(host, cacheKey, e);
-    _emitObs("network.dns.lookup.failure", { latencyMs: _now() - startMs, code: e.code || "unknown" });
+    observability().safeEvent("network.dns.lookup.failure", 1, { latencyMs: _now() - startMs, code: e.code || "unknown" });
     throw e;
   }
 }
@@ -1571,7 +1571,7 @@ async function _resolveProtocol(host, family, opts) {
     throw new DnsError("dns/bad-transport",
       "dns.resolve" + family + ": transport must be 'doh' | 'dot' | 'system' | undefined");
   }
-  _emitObs("network.dns.resolve.requested", { family: family, transport: opts.transport || "auto" });
+  observability().safeEvent("network.dns.resolve.requested", 1, { family: family, transport: opts.transport || "auto" });
   var startMs = _now();
   try {
     var addrs;
@@ -1597,10 +1597,10 @@ async function _resolveProtocol(host, family, opts) {
     if (normalized.length === 0) {
       throw new DnsError("dns/no-result", "dns.resolve" + family + " of '" + host + "' returned no addresses");
     }
-    _emitObs("network.dns.resolve.success", { family: family, latencyMs: _now() - startMs, count: normalized.length });
+    observability().safeEvent("network.dns.resolve.success", 1, { family: family, latencyMs: _now() - startMs, count: normalized.length });
     return normalized;
   } catch (e) {
-    _emitObs("network.dns.resolve.failure", { family: family, latencyMs: _now() - startMs, code: e.code || "unknown" });
+    observability().safeEvent("network.dns.resolve.failure", 1, { family: family, latencyMs: _now() - startMs, code: e.code || "unknown" });
     if (e instanceof DnsError) throw e;
     throw new DnsError("dns/resolve-failed",
       "dns.resolve" + family + " of '" + host + "' failed: " + (e.message || String(e)));
@@ -1643,16 +1643,16 @@ async function reverse(ip) {
     throw new DnsError("dns/bad-ip",
       "dns.reverse: '" + ip + "' is not a valid IPv4 or IPv6 address");
   }
-  _emitObs("network.dns.reverse.requested", { family: net.isIPv6(ip) ? 6 : 4 });
+  observability().safeEvent("network.dns.reverse.requested", 1, { family: net.isIPv6(ip) ? 6 : 4 });
   var startMs = _now();
   try {
     var ptrs = await _withTimeout(dnsPromises.reverse(ip), STATE.lookupTimeoutMs, ip);
-    _emitObs("network.dns.reverse.success", {
+    observability().safeEvent("network.dns.reverse.success", 1, {
       latencyMs: _now() - startMs, count: Array.isArray(ptrs) ? ptrs.length : 0,
     });
     return Array.isArray(ptrs) ? ptrs : [];
   } catch (e) {
-    _emitObs("network.dns.reverse.failure", {
+    observability().safeEvent("network.dns.reverse.failure", 1, {
       latencyMs: _now() - startMs, code: e.code || "unknown",
     });
     if (e instanceof DnsError) throw e;
@@ -1674,10 +1674,6 @@ function nodeLookup(host, options, callback) {
   );
 }
 
-function _emitObs(name, fields) {
-  try { observability().emit(name, fields || {}); } catch (_e) { /* obs best-effort */ }
-}
-
 function _stateForTest() { return STATE; }
 function _resetForTest() {
   STATE.servers = null; STATE.resultOrder = null; STATE.family = 0;

package/lib/vendor/blamejs/lib/network-heartbeat.js

@@ -259,7 +259,7 @@ function statuses() {
 
 function _emitObsProbe(entry, result) {
   try {
-    observability().emit("network.heartbeat.probe", {
+    observability().safeEvent("network.heartbeat.probe", 1, {
       name:      entry.target.name,
       type:      entry.target.type,
       ok:        result.ok,
@@ -381,7 +381,7 @@ function passive(opts) {
 
 function _emitObsPong(state) {
   try {
-    observability().emit("network.heartbeat.passive.pong", {
+    observability().safeEvent("network.heartbeat.passive.pong", 1, {
       pongCount:  state.pongCount,
       timeoutMs:  state.timeoutMs,
     });
@@ -390,7 +390,7 @@ function _emitObsPong(state) {
 
 function _emitObsTimeout(state) {
   try {
-    observability().emit("network.heartbeat.passive.timeout", {
+    observability().safeEvent("network.heartbeat.passive.timeout", 1, {
       pongCount:  state.pongCount,
       lastPongMs: state.lastPongMs,
       timeoutMs:  state.timeoutMs,

package/lib/vendor/blamejs/lib/network-proxy.js

@@ -70,7 +70,7 @@ function set(opts) {
   if (opts.no !== undefined)    STATE.noProxy = _parseNoProxy(opts.no);
   if (opts.auth !== undefined)  STATE.auth = opts.auth ? _parseAuth(opts.auth) : null;
   STATE.agentCache.clear();
-  _emitObs("network.proxy.set", {
+  observability().safeEvent("network.proxy.set", 1, {
     httpSet:  !!STATE.http,
     httpsSet: !!STATE.https,
     noProxyCount: STATE.noProxy.length,
@@ -93,7 +93,7 @@ function fromEnv(envObj) {
   if (authEnv)    { STATE.auth = _parseAuth(authEnv);         changed = true; }
   if (changed) {
     STATE.agentCache.clear();
-    _emitObs("network.proxy.from_env", {
+    observability().safeEvent("network.proxy.from_env", 1, {
       httpSet:  !!STATE.http,
       httpsSet: !!STATE.https,
       noProxyCount: STATE.noProxy.length,
@@ -255,7 +255,7 @@ function agentFor(targetUrl) {
     };
   }
   STATE.agentCache.set(key, agent);
-  _emitObs("network.proxy.agent.created", { protocol: u.protocol });
+  observability().safeEvent("network.proxy.agent.created", 1, { protocol: u.protocol });
   return agent;
 }
 
@@ -268,10 +268,6 @@ function snapshot() {
   };
 }
 
-function _emitObs(name, fields) {
-  try { observability().emit(name, fields || {}); } catch (_e) { /* obs best-effort */ }
-}
-
 function _resetForTest() {
   STATE.http = null; STATE.https = null; STATE.noProxy = []; STATE.auth = null;
   STATE.agentCache.clear();