npm - @blamejs/blamejs-shop - Versions diffs - 0.4.53 → 0.4.55 - Mend

@blamejs/blamejs-shop 0.4.53 → 0.4.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/lib/vendor/blamejs/test/layer-0-primitives/log-stream-otlp-grpc.test.js CHANGED Viewed

@@ -185,6 +185,32 @@ async function testValidationRejectsBadUrl() {
   check("missing url throws",  threw && threw.code === "BAD_OPT");
 }
+// The insecure-TLS audit must only fire on an actual TLS session. An h2c
+// endpoint (http://, cleartext HTTP/2) creates no TLS session, so allowInsecure
+// there skips no certificate and must NOT emit tls.insecure_skip_verify — a
+// false security/compliance event. https:// + allowInsecure still emits it.
+async function testInsecureTlsAuditGatedToHttps() {
+  var observability = require("../../lib/observability");
+  function capture(cfg) {
+    var events = [];
+    observability.setTap(function (name) { if (name === "tls.insecure_skip_verify") events.push(name); });
+    var session;
+    try { session = grpc._makeClient(cfg); }
+    finally { observability.setTap(null); }
+    if (session) {
+      session.on("error", function () { /* dead address — expected */ });
+      try { session.destroy(); } catch (_e) { /* best-effort */ }
+    }
+    return events.length;
+  }
+  var h2c = capture({ url: "http://127.0.0.1:1", allowInsecure: true, allowedProtocols: ["http:", "https:"] });
+  check("h2c (cleartext) endpoint with allowInsecure emits NO insecure-TLS audit", h2c === 0);
+  var tls = capture({ url: "https://127.0.0.1:1", allowInsecure: true, allowedProtocols: ["http:", "https:"] });
+  check("https endpoint with allowInsecure DOES emit the insecure-TLS audit", tls === 1);
+}
 async function run() {
   await testFramingShape();
   await testEncodeLogRecord();
@@ -192,6 +218,7 @@ async function run() {
   await testGrpcRoundTrip();
   await testGrpcServerErrorTrailer();
   await testValidationRejectsBadUrl();
+  await testInsecureTlsAuditGatedToHttps();
 }
 module.exports = { run: run };

package/lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js CHANGED Viewed

@@ -422,7 +422,38 @@ function testPkixHostShape() {
         err2 && err2.code === "tls/pkix-hostname-mismatch");
 }
+// v0.15.12 (#143) — an outbound TLS connection that honors rejectUnauthorized:
+// false (operator opt-in to disable peer-cert validation) must emit an audit +
+// observability event so the degraded posture is observable. Capture the event
+// through the real operator tap (observability.setTap) — observability has no
+// `emit`, so the emit must land on the safeEvent → tap path that an operator
+// actually wires (the live connect path is covered in the integration suite
+// alongside tls.classical_downgrade).
+function testInsecureTlsAudit() {
+  var nt = b.network.tls;
+  check("auditInsecureTls is exported", typeof nt.auditInsecureTls === "function");
+  var observability = require("../../lib/observability");
+  var captured = [];
+  observability.setTap(function (name, value, labels) { captured.push({ name: name, labels: labels }); });
+  try {
+    nt.auditInsecureTls({ host: "peer.example", port: 8443, source: "network.tls.connectWithEch" });
+  } finally {
+    observability.setTap(null);
+  }
+  var ev = captured.filter(function (c) { return c.name === "tls.insecure_skip_verify"; });
+  check("auditInsecureTls emits tls.insecure_skip_verify", ev.length >= 1);
+  check("audit event carries host/port/source",
+        ev.length >= 1 && ev[0].labels.host === "peer.example" &&
+        ev[0].labels.port === 8443 && ev[0].labels.source === "network.tls.connectWithEch");
+  var threw = false;
+  try { nt.auditInsecureTls(null); } catch (_e) { threw = true; }
+  check("auditInsecureTls is drop-silent on bad input (never throws into a connect)", threw === false);
+}
 async function run() {
+  testInsecureTlsAudit();
   testEchSurface();
   testEchParseDraft22();
   testEchParseAcceptsBase64();

package/lib/vendor/blamejs/test/layer-0-primitives/structured-fields.test.js CHANGED Viewed

@@ -156,6 +156,20 @@ function testUnquoteSfString() {
         b.structuredFields.unquoteSfString("bare-token") === "bare-token");
   check("unquoteSfString: unterminated quote returns null",
         b.structuredFields.unquoteSfString('"oops') === null);
+  // v0.15.12 (#77) — adjacent / repeated escapes the old two-pass .replace()
+  // decode mangled. unquoteSfString routes through the single-pass
+  // unescapeSfStringBody; the two-pass form returned a DOUBLED backslash for a
+  // lone escaped backslash.
+  check("unquoteSfString: lone escaped backslash decodes to a single backslash",
+        b.structuredFields.unquoteSfString('"\\\\"') === "\\");
+  check("unquoteSfString: escaped backslash adjacent to escaped quote",
+        b.structuredFields.unquoteSfString('"\\\\\\""') === "\\\"");
+  check("unescapeSfStringBody: lone escaped backslash -> single",
+        b.structuredFields.unescapeSfStringBody("\\\\") === "\\");
+  check("unescapeSfStringBody: two escaped backslashes -> two",
+        b.structuredFields.unescapeSfStringBody("\\\\\\\\") === "\\\\");
+  check("unescapeSfStringBody: non-string passthrough",
+        b.structuredFields.unescapeSfStringBody(42) === 42);
   check("unquoteSfString: empty returns empty",
         b.structuredFields.unquoteSfString("") === "");
   check("unquoteSfString: whitespace-only returns empty",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/blamejs-shop",
-  "version": "0.4.53",
+  "version": "0.4.55",
   "description": "Open-source framework built on blamejs. Vendored stack, zero npm runtime deps, PQC-first crypto, security-on by default.",
   "main": "lib/index.js",
   "scripts": {