@blamejs/blamejs-shop 0.4.54 → 0.4.55

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.4.x
 
+- v0.4.55 (2026-06-14) — **Refresh the vendored blamejs framework to 0.15.12.** Refreshes the vendored blamejs framework from 0.15.11 to 0.15.12, a sweep of defense-in-depth hardening the shop picks up by composing the framework. The body parser no longer echoes a caught exception's internal detail (a filesystem errno and temp path, or a parse hook's thrown message) to the HTTP client — the client gets a generic status phrase while the full detail stays on the server-side audit chain. Filename guarding now strips every reserved character rather than only the first. The boot-time logger escapes bidirectional and control characters on every sink, closing a terminal log-forging and line-reordering vector. Structured-field string values (used by HTTP Message Signatures, Client Hints, and Cache-Control) are now decoded in a single conformant pass, the HTTP Message Signature content-digest check matches in constant time against the exact digest member, and any outbound TLS connection that runs with certificate validation disabled now emits an audit event so the degraded posture is visible. This refresh carries no shop-facing API change and applies no migration; it keeps the bundled framework current and the security posture aligned with the latest release. **Changed:** *Vendored blamejs refreshed to 0.15.12* — The bundled framework is updated to blamejs 0.15.12. It redacts internal error detail from body-parser error responses (the client gets a generic status phrase; full diagnostics stay on the audit chain), strips every reserved character in filename guarding instead of only the first, escapes bidirectional and control characters in the boot logger on every sink (Trojan-Source / log-forging defense), decodes RFC 8941 structured-field strings in a single conformant pass, verifies the HTTP Message Signature content-digest by exact constant-time member match, and emits an audit event whenever an outbound TLS connection is configured to skip certificate validation. No shop API change; the framework's PQC-first crypto, security middleware, and request lifecycle are carried forward as-is.
+
 - v0.4.54 (2026-06-14) — **The rewards page now shows what a customer's loyalty tier includes and their progress to the next tier.** A signed-in customer's rewards page now shows their current loyalty tier, how many points remain to reach the next tier (with a progress bar), and the perks their tier includes. Operators author the per-tier perks from a new console screen — free shipping over a threshold, a percent discount, early or exclusive access, priority support, or a birthday bonus. The perks are presented to customers as what their tier includes and that the shop honours them; they are not applied automatically at checkout, so the wording never promises an automatic discount the store doesn't yet apply. No migration to apply. **Added:** *Loyalty tier perks and next-tier progress on the rewards page* — The /account rewards page gains two sections: a tier-progress panel naming the customer's current tier and the points still needed to reach the next one (with a labelled progress bar, or a top-tier acknowledgement), and a list of the perks the customer's tier includes. The tier is resolved from the customer's own loyalty balance; the perks come from the operator-authored tier-benefit definitions. The perks are framed as tier inclusions the shop honours — the copy directs the customer to ask at checkout or contact support to have a perk applied — rather than implying an automatic discount. · *Tier-benefit authoring in the loyalty console* — A new admin screen under the loyalty console lets operators define the perks each tier includes: free shipping (optionally over a minimum order), a percent discount, early access (hours before general release), priority support (an SLA in minutes), exclusive access to a collection, or a birthday bonus. Benefits are created and archived from the screen, each change recorded to the audit trail under the loyalty permission. The screen states that these perks are shown to customers as tier inclusions the shop honours and are not applied automatically at checkout.
 
 - v0.4.53 (2026-06-14) — **A signed-in customer's cookie choices and newsletter unsubscribe now land in the durable consent record.** The durable, per-customer consent ledger — the GDPR Article 7(1) record a controller keeps to demonstrate consent — is now written from the real consent events for identified customers. When a signed-in customer saves their cookie preferences, each category (functional, analytics, marketing, preferences) is recorded as granted or withdrawn in the durable ledger, alongside the existing session-level cookie record. When a newsletter unsubscribe resolves to a customer account, a marketing-email withdrawal is recorded there too. Anonymous visitors and email-only subscribers with no account are unchanged — their cookie choice stays in the session-level store and their unsubscribe in the email-suppression list, neither of which can be customer-keyed. The ledger writes are best-effort and never block the banner save or the unsubscribe. No migration to apply. **Added:** *Cookie-banner choices recorded in the durable consent ledger for signed-in customers* — When an authenticated customer saves their cookie preferences, each of the four optional categories is now mirrored into the durable per-customer consent ledger as a granted or withdrawn decision (source: cookie banner), so a supervisory-authority audit shows the identified individual's choice and not only the session-keyed record. The durable record reflects the consent the storefront actually enforces: a browser-level opt-out signal (Global Privacy Control or Do Not Track) collapses the analytics and marketing categories to withdrawn even if their boxes were ticked, matching the runtime gate, so the record never claims consent the app refuses to honor. The customer is resolved from the existing signed-in session (a revoked session is treated as signed-out); anonymous visitors carry no account and are written only to the session-level cookie record as before. · *Newsletter unsubscribe records a marketing withdrawal for account holders* — A newsletter unsubscribe that resolves to a customer account now records a marketing-email withdrawal in the durable consent ledger. The unsubscribed address is matched to an account by its hashed form; an email-only subscriber with no account is handled by the existing email-suppression path only, since the durable ledger is keyed by customer. The existing unsubscribe behavior — the suppression entry and the one-click RFC 8058 flow — is unchanged.

package/lib/asset-manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.54",
+  "version": "0.4.55",
   "assets": {
     "css/admin.css": {
       "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",

package/lib/vendor/MANIFEST.json

@@ -3,8 +3,8 @@
   "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
   "packages": {
     "blamejs": {
-      "version": "0.15.11",
-      "tag": "v0.15.11",
+      "version": "0.15.12",
+      "tag": "v0.15.12",
       "license": "Apache-2.0",
       "author": "blamejs contributors",
       "source": "https://github.com/blamejs/blamejs",
@@ -98,6 +98,7 @@
         "examples/wiki/lib/harvest-env-vars.js": "lib/vendor/blamejs/examples/wiki/lib/harvest-env-vars.js",
         "examples/wiki/lib/harvest-errors.js": "lib/vendor/blamejs/examples/wiki/lib/harvest-errors.js",
         "examples/wiki/lib/harvest-vendored-deps.js": "lib/vendor/blamejs/examples/wiki/lib/harvest-vendored-deps.js",
+        "examples/wiki/lib/html-entities.js": "lib/vendor/blamejs/examples/wiki/lib/html-entities.js",
         "examples/wiki/lib/nav.js": "lib/vendor/blamejs/examples/wiki/lib/nav.js",
         "examples/wiki/lib/opts-resolver.js": "lib/vendor/blamejs/examples/wiki/lib/opts-resolver.js",
         "examples/wiki/lib/page-generator.js": "lib/vendor/blamejs/examples/wiki/lib/page-generator.js",
@@ -820,6 +821,7 @@
         "release-notes/v0.15.1.json": "lib/vendor/blamejs/release-notes/v0.15.1.json",
         "release-notes/v0.15.10.json": "lib/vendor/blamejs/release-notes/v0.15.10.json",
         "release-notes/v0.15.11.json": "lib/vendor/blamejs/release-notes/v0.15.11.json",
+        "release-notes/v0.15.12.json": "lib/vendor/blamejs/release-notes/v0.15.12.json",
         "release-notes/v0.15.2.json": "lib/vendor/blamejs/release-notes/v0.15.2.json",
         "release-notes/v0.15.3.json": "lib/vendor/blamejs/release-notes/v0.15.3.json",
         "release-notes/v0.15.4.json": "lib/vendor/blamejs/release-notes/v0.15.4.json",
@@ -1013,6 +1015,7 @@
         "test/layer-0-primitives/base32.test.js": "lib/vendor/blamejs/test/layer-0-primitives/base32.test.js",
         "test/layer-0-primitives/bearer-auth.test.js": "lib/vendor/blamejs/test/layer-0-primitives/bearer-auth.test.js",
         "test/layer-0-primitives/body-parser-chunked-malformed.test.js": "lib/vendor/blamejs/test/layer-0-primitives/body-parser-chunked-malformed.test.js",
+        "test/layer-0-primitives/body-parser-error-redaction.test.js": "lib/vendor/blamejs/test/layer-0-primitives/body-parser-error-redaction.test.js",
         "test/layer-0-primitives/body-parser-smuggling.test.js": "lib/vendor/blamejs/test/layer-0-primitives/body-parser-smuggling.test.js",
         "test/layer-0-primitives/boot-gates.test.js": "lib/vendor/blamejs/test/layer-0-primitives/boot-gates.test.js",
         "test/layer-0-primitives/bot-guard.test.js": "lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js",
@@ -1458,7 +1461,7 @@
         ".npmrc": "sha256:66f104e7d07c496d2d0409988225e8c0e4ceb8d247dbcac3be75b2128d20ce66",
         ".pinact.yaml": "sha256:0213ffda55961dc49b64c0a5dfa3c0567419633b1499d57eaf7c8d842d7da6c7",
         "ARCHITECTURE.md": "sha256:9b1c8d2b1b7a41838eb348b0a008e4b4369718fd72bfe2974b37155f7536d35b",
-        "CHANGELOG.md": "sha256:f61811342af353ab58363ccf7475f725a9a6c2e7275115e920277e3bbae6d0c4",
+        "CHANGELOG.md": "sha256:2a614573a723479a0f45a2858219f0cbc23eba677dbf3ade18c80ce925ee5808",
         "CODE_OF_CONDUCT.md": "sha256:148a281960fff7c2fe6554dab66da572c72245ddeb00b0d14811558397bff386",
         "CONTRIBUTING.md": "sha256:bb4dbdbc8598da31dbce653a8ed322e08ff46560173f2eb67a4d684653948332",
         "GOVERNANCE.md": "sha256:906df6afb1f552b27b9acb50f7f96c47b917a2f1021cd4e987dbf4ee0e0a821b",
@@ -1467,8 +1470,8 @@
         "MIGRATING.md": "sha256:3dcc952a3d4a77d53ff60fb67cb5eb5c3a3db2449d7c71f9c4dc7f868097153c",
         "NOTICE": "sha256:f487fa47a11aca0f89e2615cdd3c713e9842abf7a30d8d328eeeae1c864aa774",
         "README.md": "sha256:3ddcc197b003da0b02db8bdd1aef1e943c94f7eab613c633d6a45bb11d0a80e9",
-        "SECURITY.md": "sha256:d2e91b0765807f1e39ff32b9ba55b7a8cef8c7304962efe794c3d84d0d9e315e",
-        "api-snapshot.json": "sha256:049fbce0407976427de7b75063a6599744e018ba948e0c61301e3b8de768f0d7",
+        "SECURITY.md": "sha256:23f7ee4a44f21e433ed1d3c6f414575eb3e30f66a328422973a1109a276c537b",
+        "api-snapshot.json": "sha256:3a7c3ea776de8571f10fce72389cdc14057469b20b636d4dbd1020d2de22e864",
         "assets/BlameJS_Logo.png": "sha256:3c65699753c771b48ef9ac7f45bb40815ec19a23afcdd0cd30ef4601bbbe293e",
         "assets/BlameJS_Logo.svg": "sha256:dda44f3fb1343d5de9db6b1fcdb75fc649c57e7a99a8e8239fcf852e3841e1a8",
         "bench/README.md": "sha256:74202f2507fd840bfc1ac6c681975d9273cf36cca6e0f72655f138337304033c",
@@ -1518,13 +1521,14 @@
         "examples/wiki/lib/harvest-env-vars.js": "sha256:b3113ba195b0dff7d1e42dd07259a092d96fe5aed4dad0cda601134fdf794046",
         "examples/wiki/lib/harvest-errors.js": "sha256:0c7dd6a1857ee04b584c1105f656bc964474be770f22f94a784ba2a99e702caf",
         "examples/wiki/lib/harvest-vendored-deps.js": "sha256:df43bf278050e987330f1bee64a581dd7b2aa349d698aa85da685f86d74d8585",
+        "examples/wiki/lib/html-entities.js": "sha256:1afa873a5eba49a9206530868ffdccdd2cf67d00afdb53ea88ae585526caeee8",
         "examples/wiki/lib/nav.js": "sha256:d56f262733ff72e80c24b121fe244dff4a827cb2f24698b0fe63b8edae582d28",
         "examples/wiki/lib/opts-resolver.js": "sha256:d5a7f1153e265a267b899515a42726afad6ecd8921f22fe5f3d17e9b81783c05",
         "examples/wiki/lib/page-generator.js": "sha256:056cf57ad85ff89f3708e5eec54ceda40ff7fccd7ee074d9553ed74788f4eceb",
         "examples/wiki/lib/section.js": "sha256:373d86c66fbd20ad086c3929fffca5da1fd1fb4ca43bc969c43bc5f826f67eb9",
         "examples/wiki/lib/source-comment-block-validator.js": "sha256:68159925581eda94f292c8063e494835e371f33c7cda16883bab86a8495e037f",
         "examples/wiki/lib/source-doc-parser.js": "sha256:ef3dd07420e8b8e6ac8f3eedc0764b06953acb67ebb8c53bba967fceb450abd0",
-        "examples/wiki/lib/symbol-index.js": "sha256:4f2bcffecf2106409c8d6e09db244fc5469402c0abf5d7c65a68bb63b7bec60b",
+        "examples/wiki/lib/symbol-index.js": "sha256:f3161921af896548164c6dbc73d9ad2b52d3050d983946342f84e9e837c815df",
         "examples/wiki/migrations/0001-pages-schema.js": "sha256:2760bf17df257d9e8c96ef5740ec258782c0bf316e6ae6f9409d63c3efe0d28b",
         "examples/wiki/package.json": "sha256:8efb9ee3012107f9631ce23e7846ff2b10cadf643ec449e7940de496728aaedb",
         "examples/wiki/public/img/blamejs-logo.png": "sha256:3c65699753c771b48ef9ac7f45bb40815ec19a23afcdd0cd30ef4601bbbe293e",
@@ -1549,12 +1553,12 @@
         "examples/wiki/src/wiki.js": "sha256:d27db30436ce441f13ff91cc8f7c4fa59a115b644748cd1fdfd855a8f910a797",
         "examples/wiki/test/AUDIT.md": "sha256:28868e102852aa5c0981421035066a1da6676ec5ed8d0f4b88571614dc3301ab",
         "examples/wiki/test/codebase-patterns.test.js": "sha256:5b95639ce11287e20944706d6f547d4c7da92c0ae94dce6bc12db8173ddbb2e9",
-        "examples/wiki/test/e2e.js": "sha256:b9a1681eeb3b9cad5dcc09d4b3d9b0be1923119a787f42d95a299c2ec16076a6",
+        "examples/wiki/test/e2e.js": "sha256:29941838e5f9445fb765be1ed491613e91c0383bf7cdb027d279c3884966fa78",
         "examples/wiki/test/find-missing-pages.js": "sha256:092c92b400d8f528df47ab4400f83834dd7a561269bd602e57f05eb740d9126a",
         "examples/wiki/test/integration.js": "sha256:f5d1ce3fce33036ddf98c0328608ce6b5ac57ef613d388c62724de54c209ef56",
         "examples/wiki/test/validate-cli-snapshot.js": "sha256:2986efd62acdf6bc1e98e883457aa8a59dd2ccde6910a5d3b6d3a0e4fbfcfe44",
         "examples/wiki/test/validate-env-snapshot.js": "sha256:dd00c689731446fc60fb2a7b6f04d220f92f402ed832e903f605107e1f3d7a4c",
-        "examples/wiki/test/validate-nav-coverage.js": "sha256:2050835bed24ff6d8b442175c61568cc9f9f01ee6045491d61d3ff121d518efb",
+        "examples/wiki/test/validate-nav-coverage.js": "sha256:71816ec8b1f46f74bbfadd3e8bb03c2aacd8ec690993b4627b9cdaad8d5aeb17",
         "examples/wiki/test/validate-site-coverage.js": "sha256:b1a2daf48c557f04fcae7f68c9e96a45fbac6d8797dda24969e419398ffe3ef1",
         "examples/wiki/test/validate-source-comment-blocks.js": "sha256:f6bc42a33f50a8988b04f8e4277b24863a2089b06dfa6726cc6140d140f51868",
         "examples/wiki/views/_layout.html": "sha256:38e3a814ca5108c97b6f5da5062525abb86361b9fab0022e4c8c9f866d503414",
@@ -1668,7 +1672,7 @@
         "lib/_test/crypto-fixtures.js": "sha256:91470fc813e41eeed06dee1e8fbb92d179af77eb01109c1256f7330cb2fc0980",
         "lib/a2a-tasks.js": "sha256:8308a8a00790035090ae2912030c288e0cf4eaa29134f4c73bb38ddef02a4e59",
         "lib/a2a.js": "sha256:2d11b818fb32fac0bfb25e92720d22a46840b9b209ecc5d76c2254496b037cca",
-        "lib/acme.js": "sha256:22ca4306c9edf87a38ded8594b680baf8292bed3cc3566eb0886481a9659a019",
+        "lib/acme.js": "sha256:3bf5e3458f4f701a4974c1388904fa5287932d9dc32effd6307f9dfc10737471",
         "lib/agent-audit.js": "sha256:e75baecca3146dfda7070704b0a2c25ffb0aca4f58119c9b50975f1c2f141b22",
         "lib/agent-envelope-mac.js": "sha256:2909c3d7a090c444478f122c657a66046f021afd75caf218e7ff7de09871be61",
         "lib/agent-event-bus.js": "sha256:b2134762dc81f021fef13bf76c880cc5a1476f8bc0fefda693d14fe1225f2262",
@@ -1770,11 +1774,11 @@
         "lib/circuit-breaker.js": "sha256:54244401ef17e588341176cece113b39f42c55ac3cfefe8f46b5172835b26f8c",
         "lib/cli-helpers.js": "sha256:ab292718a0076b66c32fc4a19a8150c25030cb7cff4bef9363612c29cb66f119",
         "lib/cli.js": "sha256:b1adbb76040121723b26d80a34a18bc5ccf1790e9ccccdaa9c6634d70c33b992",
-        "lib/client-hints.js": "sha256:946a874a97eec85beec55281cb577becc5cbac3a732ae7ac2ba9e948f61ed880",
+        "lib/client-hints.js": "sha256:a88dcdf05b8f477019bf848120e04de236182eb7cbd4b53ef5b33ff86c81417c",
         "lib/cloud-events.js": "sha256:001043964b61e36f62dc7f97874df3e12bbf81f75b491514b8ef18b696800ccb",
         "lib/cluster-provider-db.js": "sha256:d480a0afe22b5a083b4bfbdcf337d08a3a4a79307f35fb819c4e9a75f03bd02e",
         "lib/cluster-storage.js": "sha256:e6bc66e4a15cd13caa7516109185ab210c4638c8e73dbceff8a14ed8bd09489b",
-        "lib/cluster.js": "sha256:1291c5caaed34e32314c4bbef3ea3f587ac4bf2730e16fb022c4a0914600ac72",
+        "lib/cluster.js": "sha256:7a9263639fcccf72dd528e9ab5fd4b2ae893bf16ea0ab2b57b4b4dd45c336fbe",
         "lib/cms-codec.js": "sha256:2c03e170445a27e65b8ff0143eaf3f42e3baa435602436370ee7b20218e90dde",
         "lib/codepoint-class.js": "sha256:27217fd254d26a68b48365914c595f2a99f38aaa3bddee20f3a3ae0b0150a3ae",
         "lib/compliance-ai-act-logging.js": "sha256:4773a1fd4f11534fb3664f2f9634d6717c0a2d0c1cfd7d91f3d3d438f05fb7aa",
@@ -1867,7 +1871,7 @@
         "lib/guard-envelope.js": "sha256:829d50a86773c38070307322c6caa30b6f48ecc0d6862ca349bf96e256a006ad",
         "lib/guard-event-bus-payload.js": "sha256:f86fa1a384ce9358a337d5c75adfa43ca4c625b5b4f67a42cf37539db3c112a5",
         "lib/guard-event-bus-topic.js": "sha256:f68340ddcdc712ea59b346f2430e88f0168a3963e760dcbf21421d295371257b",
-        "lib/guard-filename.js": "sha256:5d734cd1711b0291326d7821009e9bab1a9f41e9aa9739c2b0f4c01c9ffd5a06",
+        "lib/guard-filename.js": "sha256:27e2209bad5b49e566340995f1f5602af3882b457ff59b614d11c284e0b04814",
         "lib/guard-graphql.js": "sha256:5f37ec1ee6099a1bbc98e97227b88735b3c20b3172b0e6f8a7dc9f1a90011538",
         "lib/guard-html-wcag-aria.js": "sha256:140bb16091a7c96793c35c470a41cad6449a1a5db5bb5608a8fcf5e7a32d0d1b",
         "lib/guard-html-wcag-forms.js": "sha256:ea44ac236c533bb1a713a4930ba2434bd8da3e64578582035c4974283dc215fb",
@@ -1916,10 +1920,10 @@
         "lib/handlers.js": "sha256:860d07682bc6199c5d06f2d91f4ba9ab26ff5e2d9a97c72af6a700505d0e44e2",
         "lib/honeytoken.js": "sha256:288a69a6c22107d41185c88ec86ca1bf424b3c10d349d90d5fc5037749db0568",
         "lib/html-balance.js": "sha256:325db4349ac4c968704e295f2c8cbec330c2d64908c89e9192ab443572c14910",
-        "lib/http-client-cache.js": "sha256:5bc95d801cffbde654d5216963dec888ff12ff150c2e82129f0f6d1dbb88b6cf",
+        "lib/http-client-cache.js": "sha256:ffdbe0d191904e6d7745e122feb134090578b7df4409920997618163d554d95d",
         "lib/http-client-cookie-jar.js": "sha256:d0e859a9b548a3dc97e3418a1698b27336021f8f7d6c5327b2004dd710fa06dc",
         "lib/http-client.js": "sha256:812c9261a86a2133d158ce80883263f755656619998aedb140beb02df03e5101",
-        "lib/http-message-signature.js": "sha256:9aae3f9231c607d4fdc7693aa8b473744af807bff07b7c50c3cf1bd0b07a3283",
+        "lib/http-message-signature.js": "sha256:85478e7bee460b33f3e31acb76bbfa5588781581f11f7fa9f124d2dde5960044",
         "lib/http2-teardown.js": "sha256:61d291c34e321e18b64d60a4c0253e638550fff7dc32568b980d3aa13bb178e2",
         "lib/i18n-messageformat.js": "sha256:9f7cc5761f9343e87a210b58706eed01fbfb66c563ad479e75a492b1365a25a1",
         "lib/i18n.js": "sha256:35f4c95e73d01dde200b6ad73dee03c19c894a032b28b794cd857048bf453adb",
@@ -1946,12 +1950,12 @@
         "lib/local-db-thin.js": "sha256:387adb8396afbabe41d1b1fd8fc943162916b607c970843d0a0e79e7841403fc",
         "lib/log-stream-cloudwatch.js": "sha256:0482086871bfb0de4a0039a8d90556a2730fa61c59da9749e09380f754967b73",
         "lib/log-stream-local.js": "sha256:1b0926149cf08fb61f2dd55914c5442b1659d322fe6235e473f941e19483d37e",
-        "lib/log-stream-otlp-grpc.js": "sha256:cc1dea9411030d0c468e86331143fad25a0f79757b25dd0866646be55abae298",
+        "lib/log-stream-otlp-grpc.js": "sha256:26e456002c9ac2cbd6045e26a4af441bab1b37d1947f1abe1d772dc5203ef066",
         "lib/log-stream-otlp.js": "sha256:715c666c29e822fe48881edde0520009dc4c0506f6ae39a75560d99e8e74e319",
-        "lib/log-stream-syslog.js": "sha256:21ded5786bb01d1791e5687d77c2dd710f8a0330750d32a740afb9c4700ffb77",
+        "lib/log-stream-syslog.js": "sha256:da9648a760c35a609a673419ead08b3f21daf72749ef6365f0c40256304e9bfc",
         "lib/log-stream-webhook.js": "sha256:390d771da48b3b084d1438f05a348ca34390084d5972074f75742110718e4622",
         "lib/log-stream.js": "sha256:9ffda79044835670fba447876b617b1d5cef0592abf08b52167e2ae7b6bcdba7",
-        "lib/log.js": "sha256:2c6215248d5db3d7b3b75495d00ffe1f5c72f3fccc1365aa7f5a550ff153d9a6",
+        "lib/log.js": "sha256:9350c55d2a4e2934d163d777150b833772d185fbb620ecd11d6908119255b360",
         "lib/lro.js": "sha256:da9baf47f27c422c32d51495b2896c887ec3ac283875712efcd7528fd396868b",
         "lib/mail-agent.js": "sha256:8d2c17ac5b1039689eed9ee236a806d89ca48ccc546d7f3ad330a4bb4e475e7c",
         "lib/mail-arc-sign.js": "sha256:ab7a36916d78e60664d4509133cb834bf20c5dacb298404b209d4da991b4cfd5",
@@ -1988,7 +1992,7 @@
         "lib/mail-store-fts.js": "sha256:786668ce0c8611a5278ef07cabc8188372f778981191f7e6174e0a6d5f7a8c35",
         "lib/mail-store.js": "sha256:a95a6d3b3a73d12ab78a12031bd740c6a9e20d7eed8bae4284664071572be6dc",
         "lib/mail-unsubscribe.js": "sha256:2944fd1103f00a202d704b0f3479f96c6aa3345be8cbafa2e0711ded111a3109",
-        "lib/mail.js": "sha256:63301e9a8416ac7b93f4703b8d30f2a8cd913d89165559a031916ce9ae7b160d",
+        "lib/mail.js": "sha256:e34e20864ca3399b1da9754ed58aad550574a70666b6e983a8fccf8569e60e28",
         "lib/mcp-tool-registry.js": "sha256:e768f0070bbfce30cdbc95a012104eb4528d9596f1ba5b1acbf28d805ae8a876",
         "lib/mcp.js": "sha256:d9be6805dc1dd13bf5871465aaa603ab43148d61fc9a4951ac83454264b66c25",
         "lib/mdoc.js": "sha256:c40087fe58cffb09c5a3b78cfd1c6063c1352c695b37c663ad95e855bb16742c",
@@ -2000,7 +2004,7 @@
         "lib/middleware/asyncapi-serve.js": "sha256:a0f0b62b264a5cd8a24e3cfddae722a84b5e2206729f77403906a1d1cfcd7c7b",
         "lib/middleware/attach-user.js": "sha256:776424918bf302378da99a85ff20c91a42f8c9f528ab435cd7a06b95ec523d6d",
         "lib/middleware/bearer-auth.js": "sha256:7835656ed33f02cda2b08bedb7ee8f52e035b5319ff8cfa73a3d0fe62611a2ea",
-        "lib/middleware/body-parser.js": "sha256:2016447bd64afe411ca6b4fc322408de032663da646577fba635c70d362c7bdb",
+        "lib/middleware/body-parser.js": "sha256:6edf0c77327ba1a57910deec741d577a68695999dc38cd1d55da6e5f0d82b738",
         "lib/middleware/bot-disclose.js": "sha256:0e02b7886c0f8a613d2896f9e20c303831ad75515e94130b8a2917d874c8a9c9",
         "lib/middleware/bot-guard.js": "sha256:804c5925d87583ccb7660dfe597d37234f1ae823e6751f4121de5626629f6102",
         "lib/middleware/clear-site-data.js": "sha256:6bd806673e0a12ac284bad04ab3dbce7ece25ab523e81ed057665acb593b5023",
@@ -2058,19 +2062,19 @@
         "lib/network-byte-quota.js": "sha256:f07b3eb80e7091101b8eeae069f41aaaba91f93ebe703513e1195e9f41464a2a",
         "lib/network-dane.js": "sha256:1ef443337d0b954735932271e3f60452fb60d83fd1e8d24b5d363d9b93458bf4",
         "lib/network-dns-resolver.js": "sha256:cf7f7fcb16b7590a8afd2105d08b9ff13c38ff87dcedcda63c0d7bb1b84c04ed",
-        "lib/network-dns.js": "sha256:8bbc4dc9875ac97bff4ae13f3ec7b4ffe0c9ec512c2ac228923c48818d4729bc",
+        "lib/network-dns.js": "sha256:1b4f2b8993fedf0cd99d11e0a52bf7f476a5958447a8a9a46323c657589bc4b2",
         "lib/network-dnssec.js": "sha256:9da79850ae79cb173321c6eb24ff310315fc0034e4fdcdabd08c630f355f3066",
-        "lib/network-heartbeat.js": "sha256:48bd4fa8772e6095c3816065615bfeb46ed1fd56195ec708a074b8afaf7b2915",
+        "lib/network-heartbeat.js": "sha256:c0e9829d43b7e720d3f5817654f17002aaaed07122eccb0ad27c642194f234e3",
         "lib/network-nts.js": "sha256:31ec97cc8a47ba11201c20d7ec8fa411df28489ea52db6098f1727380c08506e",
-        "lib/network-proxy.js": "sha256:64d02680242767371e1a9f90fd4c5f1d4bc3cd342186c0115994b5dffd9a2b13",
+        "lib/network-proxy.js": "sha256:64da517043d13897d994e0e9341e05f190bc8a14b973f5be6a1c051ddf14641b",
         "lib/network-smtp-policy.js": "sha256:10cbe63c174e3ef7b3859f3f47330aa9905d6fb52fed425893a6590e632362f3",
-        "lib/network-tls.js": "sha256:d413cde6d5f01aca90aaf629b74687ffcb8aadcb84809d91dcff284e7f3e9518",
+        "lib/network-tls.js": "sha256:aa3186fd6b0e7c5865dbf40be97823c547253f11475e318229afbd57b7780242",
         "lib/network-tsig.js": "sha256:42afd1d2f24eda02d3e259b8a80426f13cffaa15ca9108ebc7395ee4d55c227d",
-        "lib/network.js": "sha256:bd2ea636300123ef955fd2e55caff2ac13981a4bd2d9bce3a13114b91823f2cc",
+        "lib/network.js": "sha256:40cb01627bf45741cac22ef79f5985f69323e47732d54cf3ce28c06882830c25",
         "lib/nis2-report.js": "sha256:e473623e640869f4f43bacd1dec7e6b069426d62eb9fa67c3f7a829e22fe591e",
         "lib/nist-crosswalk.js": "sha256:cfa71b67eb0506ac27bc211e36dd688d7ae3c2045fc0ab1f7af4940f219ffcab",
         "lib/nonce-store.js": "sha256:f707fc106a893962e1762ed413efafdaf83835002b42fabfc5f5493f42432773",
-        "lib/notify.js": "sha256:055f5c3bba131e5dffbfc31c941a1f490d80d18c3e7b61fb91724e7f089acead",
+        "lib/notify.js": "sha256:8403472f90b244b2189345ed0cf5e953d8e7fb66d3da636391c4adb0df246d8b",
         "lib/ntp-check.js": "sha256:f775d143173dc6c926e5ffdd7cbe0d8de113f3926fbc06ee83520288a1067a0b",
         "lib/numeric-bounds.js": "sha256:c9116b608da34572e1f34009ddaaf3f5631fe6732d3ad0c7b2c9cc96024db3a1",
         "lib/numeric-checks.js": "sha256:acc5af6141e942415476b43dfb92dcb8ae243d24d022b619f5e092d15fd6894e",
@@ -2160,7 +2164,7 @@
         "lib/sd-notify.js": "sha256:2ef7395bbdab2ac4eb96083c57d401921c94278545f14427fc88cdd970bdb9eb",
         "lib/sec-cyber.js": "sha256:1af157cc5024f5c0b408e8f921d7b671df56315f9e438415eafc7fb031c4a76c",
         "lib/security-assert.js": "sha256:4a98cec339c0b421534fc650c9500fe8a1b39f89181d651a58a13e2ff9a8ae0f",
-        "lib/seeders.js": "sha256:49e91d35b92a90df07c5b01ae0dd66e8617be653779ca37dc587fdb65c3ae700",
+        "lib/seeders.js": "sha256:e3a4477646d0f52c5f2d37c2449827679a7d12200cb32cd8bcff95758e784ee5",
         "lib/self-update-standalone-verifier.js": "sha256:66a946cf9a1567a0ad6f288a4a919085e46e388c634fd6de341033df6ac56b94",
         "lib/self-update.js": "sha256:1b44a062249705a7c4b8cc7fb5b5de81da6d08d0833aadc690d16e48d67d982b",
         "lib/server-timing.js": "sha256:74f2556480363c860a7c80a3f2bc1adb68fee53aa4335059069fae66a1eb627c",
@@ -2175,7 +2179,7 @@
         "lib/static.js": "sha256:e9a3d3b3b6d1f67eac9d76b37dfcd14c996f1199453164994e9767dadb066867",
         "lib/storage.js": "sha256:d0eeceac260fa6684f3526a774e58f383178600def9a4fcb7ae9b6cffe00c4e7",
         "lib/stream-throttle.js": "sha256:abb1743b4b28c93a5c930a170b4fcc11ba45c5902193913512eab58675a09b2a",
-        "lib/structured-fields.js": "sha256:c700ed470a4166624c9683107080ce38f1df64c7c3e2c37d1a7258bf71737603",
+        "lib/structured-fields.js": "sha256:eae4a34ad64c73631cddbc1fb7ba8ad84905eedc02d76d246845439ebd6d778d",
         "lib/subject.js": "sha256:6441706d7c78b722acf322387e19ca7ccf96ce717175af3ab0c34236fc8860fb",
         "lib/tcpa-10dlc.js": "sha256:9bc84fb89e2673f21eacb57820287fc87d1607638a924f5d0961b93928abedb9",
         "lib/template.js": "sha256:0f087134199bca5ed5d0bbc09811d49d9bda6e8277b1a921b597f8eb8d1a0f45",
@@ -2228,7 +2232,7 @@
         "oss-fuzz/projects/blamejs/README.md": "sha256:ae13b7bb79ed8d69b1b3276e5562807a0349fb6e6b7d11cf1f683aad1eafdb4b",
         "oss-fuzz/projects/blamejs/build.sh": "sha256:0ced1cf21782c97be7f8d74faf5e27a308b60b2f858836fb5ca3b8c4e939a8f7",
         "oss-fuzz/projects/blamejs/project.yaml": "sha256:59f2cb83aa622325a175b77416fe155be15b70a9c798bd1a78bba05763b1b03d",
-        "package.json": "sha256:e075e4b1b169186cf0f30c36120cc23ebc114f9068317b0b010350554b9431e1",
+        "package.json": "sha256:a72a8c6989667cb571dbeb7ff3fe6c5081d59d874e6068a3ae41860a2183bb63",
         "release-notes/v0.0.x.json": "sha256:7a49819f30068ee119000cad7010194882bb8bfaa12acbdab4dfc066efb7982f",
         "release-notes/v0.1.x.json": "sha256:6742a8c17f947c5cb76f69dead7eea86b942d80621d914b774ba5488e09937e5",
         "release-notes/v0.10.x.json": "sha256:fe498045daf88337bd3d987e5964aa42c99a50e1685b6f09e51f698b8687726f",
@@ -2240,6 +2244,7 @@
         "release-notes/v0.15.1.json": "sha256:8f9951830f05cd69209ee8ea3bb6fb160ac18ca07e254e4d21a9491b1b4bd174",
         "release-notes/v0.15.10.json": "sha256:dfeda04aed22b18a35a6f8ed5200c7bce63bc58bb6af3fc9dcf7ed8fdd44a7a6",
         "release-notes/v0.15.11.json": "sha256:757e31bd0d646dcdde65bf44ca0bd8e42c95238b0c70dff1314559208b4f7ac9",
+        "release-notes/v0.15.12.json": "sha256:7d3bec8c06680e4d583ecfae01e36bffb891d2fea7d1852c6016aea174d93794",
         "release-notes/v0.15.2.json": "sha256:36e1423dda94ed4e55c660e0fae882019005d8de3ee5e3b6ac4f38ccf8e744a2",
         "release-notes/v0.15.3.json": "sha256:19a0074c445545468ca3cc411b21ec8bdb27be2669ae1950347cc244f6aa348c",
         "release-notes/v0.15.4.json": "sha256:6ac7fa0ef1728c27e71b2050d1b07a810f9b4b1440ccddbf28ad56e2f54d8585",
@@ -2280,7 +2285,7 @@
         "scripts/vendor-data-gen.js": "sha256:76b627bc6e19b4a122edfca6f514bcb8ca11af02902f0957e641f503337a8a0f",
         "scripts/vendor-data-keygen.js": "sha256:94eaa4d8f832b4aac9ccbcb2a07e6b99cd35cf7b044e1412079cebdefc1f4c0e",
         "scripts/vendor-update.sh": "sha256:c1c879ee620f064a06d776c1d330749b5128a35581352ef385fa8baf4a35f79a",
-        "test/00-primitives.js": "sha256:0a6c6b44c22c692372b072fc109cb734ac9e7812df1d122bbd94a12116c36d35",
+        "test/00-primitives.js": "sha256:b844eb57f0d25014179cb82271aa126b13d7390a4d546d13b2e7618a00e16dc8",
         "test/10-state.js": "sha256:0f0cb26460e61b17c747a6a6cb65bd20325e0a4f1af854713e599b2cc9277367",
         "test/20-db.js": "sha256:241ef6b7ef305d077aeafb22ee3bcc75b6b549a8fa9b1a6b5d6d5fba43b48d7d",
         "test/30-chain.js": "sha256:6025201505a4c86ab385180147342d60edc1c5dd5728e2b78fb32b8b04ce7242",
@@ -2433,6 +2438,7 @@
         "test/layer-0-primitives/base32.test.js": "sha256:1eeb10fedeb4fc06fbd187a9979c3e9911eabf8ad30102ff31dc4331acaaa9e4",
         "test/layer-0-primitives/bearer-auth.test.js": "sha256:9a689903c100b3af9f39f573d735034c28a4e713db1ac222645d059abcaf2e7e",
         "test/layer-0-primitives/body-parser-chunked-malformed.test.js": "sha256:84897b0309ea7bfa369004f9a52fd027afd3fa61e0517ca8d9ab97c59d419d93",
+        "test/layer-0-primitives/body-parser-error-redaction.test.js": "sha256:ea6fa8c2df77cf47d2616bdfd69eb4de27d6e40e7dade99ba663567b4788dccc",
         "test/layer-0-primitives/body-parser-smuggling.test.js": "sha256:6b4e076b5d63fe073a01719c45f7ccf2507c5f550c45c0c654526bab3c11b646",
         "test/layer-0-primitives/boot-gates.test.js": "sha256:5374aa402ce494f0f14a2bd6cb485acdd04403834cdc16435cad959f5236e09c",
         "test/layer-0-primitives/bot-guard.test.js": "sha256:8f7e91d570d34bbebe2a60f1c1f540b5b45fb720b2bf674d638ec147bdc11a98",
@@ -2468,7 +2474,7 @@
         "test/layer-0-primitives/cluster-storage.test.js": "sha256:5627e621dff001e236b668e04336eb39c9fe08a4a7d45a640e6e7fccce37a022",
         "test/layer-0-primitives/cluster-vault-rotation.test.js": "sha256:3514e9e71d6c39e805248f58ad2f41528d091e196c0f3766a032675677161b2d",
         "test/layer-0-primitives/cms-codec.test.js": "sha256:7e46078ed82be5b69d22c48f22dba37ea5015371c2a8cf5f94fb1a792fb7bb78",
-        "test/layer-0-primitives/codebase-patterns.test.js": "sha256:b58229ff849a773ade72349a6f66ccc2ddcb26947214ff997c0f2b9078151932",
+        "test/layer-0-primitives/codebase-patterns.test.js": "sha256:d3a97a264a0f9b3c20fe7aada28a622da3cbdc6d262619d5f60cef753727c451",
         "test/layer-0-primitives/compliance-ai-act.test.js": "sha256:5ee4ad05d12233cb3c5457ef10a727833710bbc1ce1318838f9f9ef5d2cb8d4b",
         "test/layer-0-primitives/compliance-cascade.test.js": "sha256:ee02cf14541a837a9d7977c6ea6bf7f9210bed293925d93c976e31f270aebec4",
         "test/layer-0-primitives/compliance-eaa.test.js": "sha256:8afb3fa66f3f9452592995e77f5e0644d8c82de2321c551c6f5be6002b2c27a4",
@@ -2580,7 +2586,7 @@
         "test/layer-0-primitives/guard-envelope.test.js": "sha256:17e67045992d981b7eac36760b2eca1d5ac8b35a0a94f389da7cff2466e3a848",
         "test/layer-0-primitives/guard-event-bus-payload.test.js": "sha256:87830c4f9d0673ad8fcff9cb32f6b2862a166c4ba5a4b7f9d58505ea62801a7c",
         "test/layer-0-primitives/guard-event-bus-topic.test.js": "sha256:538e6d338541b724fc5bedb7f2fd33fae12777d292c771bb5d70720e30bf9156",
-        "test/layer-0-primitives/guard-filename.test.js": "sha256:fc0069fcde1edd8ef7e4152c6470b27d24045e83a9f24f4b5628a25aeea0de9c",
+        "test/layer-0-primitives/guard-filename.test.js": "sha256:cc164c406b4468d107dd3f22b3ebca5d9e4b30d19a14e6ce49e6ae78df369f67",
         "test/layer-0-primitives/guard-html-wcag.test.js": "sha256:11deaf7b28ed574731fb2d6a922dd2ca78c7f1c5e41635c0bed7ff0697c0f0f9",
         "test/layer-0-primitives/guard-html.test.js": "sha256:006c1850d9d8d07942a14eddd582d3769f707b3f0ab85c3f6c39911f6c84bb91",
         "test/layer-0-primitives/guard-idempotency-key.test.js": "sha256:18b233de627ea68cc289cb2fcd6ad5ca18db3bf911581747fd293e1bd3ee8789",
@@ -2613,7 +2619,7 @@
         "test/layer-0-primitives/html-balance.test.js": "sha256:edc4c833f7b80020244a658a955035f6c43c1ff85bc9b91f507cfc2b6c911c97",
         "test/layer-0-primitives/http-client-cache.test.js": "sha256:15e3668ff70e607686243ef71b35df7310efc31bb6084f6208e97f3f1aba13e8",
         "test/layer-0-primitives/http-client-stream.test.js": "sha256:5bbec3d1e358219909c541c4209318a3ad9f6adbe0e2e4912ebd5e8d1797139c",
-        "test/layer-0-primitives/http-message-signature.test.js": "sha256:5b4403372e537e54728cea50e08e04d8e546c9fb2b9362505b8a535f97825669",
+        "test/layer-0-primitives/http-message-signature.test.js": "sha256:7326f6266f4594813a2e07ca92d590c3b44325e77791213b2508b45826139e72",
         "test/layer-0-primitives/i18n-messageformat.test.js": "sha256:bdb8f3f47d07e3a6cbd6d8cbba97e6eda68ef56cad9d6655baca5bc0f8a64a39",
         "test/layer-0-primitives/i18n.test.js": "sha256:b6ca14a363de785618b97b101aa80a413a45acb734a3f98c025b390590f8459f",
         "test/layer-0-primitives/iab-mspa.test.js": "sha256:5a30581e101783b430eb5b912e8f82b57d3b46c5f9ca50e52173577fc7de7d8a",
@@ -2637,7 +2643,7 @@
         "test/layer-0-primitives/link-header.test.js": "sha256:c684b000921c6e79d6b9a432e5f2629f36b23fa9a2fc458b9b8d34857304d0fe",
         "test/layer-0-primitives/local-db-thin.test.js": "sha256:eaa7ede3b6f9a0f5e75561eef94bdbf8f5b145c3d440d9749a5a1ec11a349f8d",
         "test/layer-0-primitives/log-stream-cloudwatch.test.js": "sha256:0e82ddc62b373471c81480051f9d4508f6c5a1f2939f0e06ebd1c0089d3407fd",
-        "test/layer-0-primitives/log-stream-otlp-grpc.test.js": "sha256:eba3a37acca4e14ffd925b202928e23a5412d54df20b32b20ac2c5535790c8dc",
+        "test/layer-0-primitives/log-stream-otlp-grpc.test.js": "sha256:141837124af91e726f0d89270534e17b323991106f1ccca18e7b2b86c8834429",
         "test/layer-0-primitives/log-stream-otlp.test.js": "sha256:11ac86b07f2eecfd3326a17003061f2f1b89706f04626041e2c8087d99b30266",
         "test/layer-0-primitives/lro.test.js": "sha256:134407dc88a84450d69e15c23ff9d47617466f23a436b3d61339e6836e0c42ce",
         "test/layer-0-primitives/mail-agent.test.js": "sha256:51725784bab6849cb02f1e94e0ba97c2b8e7e101780a26ae7ec19f9d894640ef",
@@ -2694,7 +2700,7 @@
         "test/layer-0-primitives/network-heartbeat-passive.test.js": "sha256:4dae1d9f61c85489d1a91a6f4a242198d0bee89fdbacff9efba143e78e882ad0",
         "test/layer-0-primitives/network-tls-build-options.test.js": "sha256:0380ef886acc0a3bb0f7bc032c11991891fe9f19648e9f8d38829c7ea16b61b0",
         "test/layer-0-primitives/network-tls-ct-inclusion.test.js": "sha256:951b5eeded5762f667c534c0433e4b5f4b0a6a48c7c66a88492c0d4cebd21636",
-        "test/layer-0-primitives/network-tls.test.js": "sha256:fd15df3962d067aa284ec6db0db1e35fa03613c3be5ff560a041a5c164a4329c",
+        "test/layer-0-primitives/network-tls.test.js": "sha256:75605314bf5093ab040c46cdc17327cd609145c4b0b7a17fbbaa9679b94a3b46",
         "test/layer-0-primitives/network-tsig.test.js": "sha256:8845cb8f23876e6c68436491a412bbbd2c5415af23438c5ab2613358b3a4168f",
         "test/layer-0-primitives/network.test.js": "sha256:5424adaab9c3fe6e1b96e21eef90e51c5cf4c7fa8e96132306399d95cdfacdf1",
         "test/layer-0-primitives/nis2-report.test.js": "sha256:f7c604b7cc65e6a0f66d238524b5030d606f7df69938873ff90e94ddd46b908a",
@@ -2806,7 +2812,7 @@
         "test/layer-0-primitives/storage-presigned-url.test.js": "sha256:1429eedcee420858d5305681137b54b75c2affbab9d58b888854192a2592b0ee",
         "test/layer-0-primitives/stream-throttle.test.js": "sha256:8251900a22780ef84fbe31a69b3c784dca733746d82bb97f4415f69c1393f6f8",
         "test/layer-0-primitives/structured-fields-codec.test.js": "sha256:84834568ad750644eae96241d82248be60ec79cddc55452ae9223ae252d62ec7",
-        "test/layer-0-primitives/structured-fields.test.js": "sha256:67363639371517266e72966c15bf315bfef129bd57fa45ec700fff39d22081f6",
+        "test/layer-0-primitives/structured-fields.test.js": "sha256:043ca9de1bd7e35f22136e5e11ce8a71aacff02e6d200c29501acc96e0ca91e3",
         "test/layer-0-primitives/tcpa-10dlc.test.js": "sha256:ef60049e39f2c5fd136cbc03fbb53fde46851e0c6f1ad8ddee12424c836017bc",
         "test/layer-0-primitives/tenant-quota.test.js": "sha256:378adcf34d0aac5292d0bda80e2943f07d1f3d61e261964110c8a8774920aa3d",
         "test/layer-0-primitives/test-coverage.test.js": "sha256:175757e902e5867fa2d5d536606bff24e93689b44e769e41359aafbc98690528",

package/lib/vendor/blamejs/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.15.x
 
+- v0.15.12 (2026-06-14) — **Hardens a set of defense-in-depth seams: a single-pass structured-field unescape, a constant-time content-digest member match, complete reserved-character stripping, a Trojan-Source escape on the boot logger, generic body-parse error responses, and an audit trail whenever outbound TLS certificate validation is disabled.** A sweep of low-severity but real hardening items. RFC 8941 structured-field string values (HTTP Message Signatures, Client Hints, Cache-Control) were un-escaped with two chained replaces that mis-decoded an escaped backslash adjacent to another escape; they now use one left-to-right pass that decodes each escape exactly once. The HTTP Message Signature content-digest check dropped a dead identity-replace and now matches the sha3-512 member by an exact, top-level, constant-time comparison instead of an unanchored substring scan. b.guardFilename's reserved-character strip used a non-global regex that left every separator after the first; it now strips all of them. The boot logger's TTY branch wrote raw text, bypassing the Trojan-Source / control-character escape the main logger applies — it now escapes the bidi and C0/newline control classes on every sink. The body parser no longer echoes a caught exception's detail (an fs errno + temp path, or a parse hook's thrown message) to the HTTP client — the client gets a generic status phrase while the full detail stays on the audit chain. And any outbound TLS connection that runs with peer-certificate validation disabled (an explicit operator opt-in, never a default) now emits a tls.insecure_skip_verify audit + observability event so the degraded posture is visible for compliance and incident response. **Added:** *b.structuredFields.unescapeSfStringBody(body)* — A single-pass decode of the RFC 8941 §3.3.3 quoted-string backslash escapes (the bytes between the surrounding quotes). It replaces the chained two-`.replace()` form, which is not equivalent to one decode — whichever pass runs first can rewrite a backslash the other escape sequence owns, so a lone escaped backslash decoded to two. The HTTP Message Signature, Client Hints, and Cache-Control sf-string readers now route through it. · *tls.insecure_skip_verify audit event* — b.network.tls.auditInsecureTls(meta) emits an audit + observability event at the point an outbound TLS connection honors rejectUnauthorized:false / allowInsecure. The connectWithEch, OTLP-gRPC log stream, syslog-TLS log stream, and SMTP transports all emit it when an operator disables certificate validation — parallel to the existing tls.classical_downgrade audit. No default changes; the framework never disables validation itself. **Security:** *Single-pass structured-field string unescape* — The RFC 8941 sf-string readers in HTTP Message Signatures (Signature-Input covered-component names), Client Hints, and Cache-Control directive values un-escaped with `.replace(/\\\\/g,"\\").replace(/\\"/g,'"')` — two sequential passes that mis-decode adjacent escapes (a lone escaped backslash became two). All four sites now use the single-pass b.structuredFields.unescapeSfStringBody. It is fail-closed (a mis-decoded covered-component name just fails the signature check, never bypasses it); the fix restores RFC-conformant interop with peers that legitimately escape these values. · *Constant-time, member-anchored content-digest verification* — b.crypto.httpSig.verify's covered content-digest check dropped a dead no-op replace and now parses the Content-Digest header into its top-level members and matches the sha3-512 member EXACTLY, in constant time (b.crypto.timingSafeEqual), rather than scanning for the digest text as a substring anywhere in the header. The Content-Digest header is already bound by the signature, so the substring form was not reachably exploitable; the change removes the latent ambiguity and the timing channel. · *Reserved-character filename strip removes every occurrence* — b.guardFilename's reservedCharPolicy:"strip" (the permissive profile) used a non-global regex, so only the FIRST reserved character — including path separators — was replaced and the rest leaked through. The strip is now global: every reserved character is removed. Not a traversal bypass (the unconditional security floor still throws on `..`, null bytes, NTFS ADS, UNC, overlong UTF-8), but the strip is now complete and consistent. · *Boot logger escapes control + bidi characters on every sink* — The boot-time logger's TTY branch wrote the raw message, bypassing the Trojan-Source (bidi) and control-character escapes the main logger applies — a hostile message could forge extra log lines on a terminal (CWE-117) or re-order the visible line (CVE-2021-42574). Both boot branches now escape the bidi and C0/newline control classes, matching the create() path and the logger's advertised guarantee. · *Body-parser error responses never echo internal detail* — The body-parser's terminal error path surfaced a caught exception's message verbatim to the HTTP client — a multipart filesystem error leaked the errno + temp path, and a parse hook's thrown error (which can carry secrets) was echoed back. The client now gets a curated message only for a framework-classified 4xx error and a generic status phrase otherwise; the parse-hook wrapper carries a fixed message, and full diagnostics stay on the audit chain server-side (CWE-209). The cluster leader-discovery endpoint's error body is generalized the same way.
+
 - v0.15.11 (2026-06-14) — **Replaces a family of quadratic-time regexes that hostile input could use to stall a worker with linear scans, refuses a relocatable sealed-cell downgrade on the read side, fails closed when enabling row-level security behind a non-native driver, and scans the vendored crypto for known CVEs on every build.** Several text-handling primitives stripped trailing whitespace or extracted a mail address with a regex whose backtracking is quadratic in the input length on adversarial strings — a request body, a YAML document, a CSV cell, or a From header crafted as a long run of spaces could pin a worker's CPU. Each is now a linear character scan with identical output. The HTML-content check the MCP tool surface applies gained the vbscript: and data:text/html vectors it was missing. On the data-at-rest side, an AAD-bound (or per-row-key) column now refuses a plain, unbound vault cell on read — a relocatable envelope an attacker with write access could copy in from another row defeats the cross-row binding, so the field is nulled rather than surfaced; operators mid-migration opt back in with registerTable({ allowPlainMigration: true }). declareRowPolicy now treats row-level-security as enabled only on a value that unambiguously means true, so a non-native Postgres driver that returns the string "f" can no longer be read as "already on" and silently skip the ENABLE that protects the table's rows. Finally, because the framework's crypto is vendored rather than installed, npm audit and Dependabot never see it: every build now matches the vendored versions against the OSV vulnerability database, with a complementary Semgrep pass and workflow-file static analysis alongside. **Added:** *b.safeBuffer.indexAfterOpenTag(html, tagName)* — A linear helper that returns the offset just past a `<tag ...>` opening tag (case-insensitive), or -1 when absent or unterminated — the insertion point a response rewriter uses to splice content after <body> or <head> without a regex. It replaces the O(n^2) html.match(/<body[^>]*>/i) shape and is stricter than it: a real tag boundary is required after the name, so <bodyfoo> is not mistaken for <body>. **Security:** *Linear-time replacements across a family of quadratic regexes (ReDoS class)* — Several primitives located or stripped text with a regex whose backtracking is quadratic in V8 on adversarial input (CWE-1333): b.safeBuffer and the safe-env / safe-yaml / guard-csv parsers stripped trailing horizontal whitespace with /[ \t]+$/; b.mail extracted the address from a `Name <addr>` header with /<([^>]+)>/; the bot-disclosure and speculation-rules response middleware found the <body> insertion point with /<body[^>]*>/i; and the BIMI certificate-chain splitter walked PEM blocks with a lazy /BEGIN[\s\S]*?END/ scan. A crafted field — a long run of spaces, an unterminated bracket, a body carrying many <body starts with no closing >, a chain of BEGIN markers — could drive a worker's CPU to seconds of work. Each is now a linear scan: a shared b.safeBuffer.stripTrailingHspace (backward char walk), b.safeBuffer.indexAfterOpenTag (forward indexOf walk for the tag insertion point), a forward indexOf for address extraction, and an indexOf walk for the PEM split. Output is byte-identical (the tag-find is stricter — it no longer mistakes <bodyfoo> for <body>), and 400K-character adversarial inputs that took 8–85 seconds now complete in under 2 ms. · *MCP HTML-content check covers vbscript: and data:text/html* — The dangerous-markup check applied to text/html tool content matched <script>/<iframe>/<object>/<embed> and javascript: URLs but not the vbscript: scheme or data:text/html payloads. Both are now refused; data: URLs carrying non-HTML media (data:image/png and similar) are unaffected. · *AAD-bound columns refuse a plain sealed cell on read* — b.cryptoField.unsealRow now refuses a plain, unbound vault: envelope found on an AAD-bound (or per-row-key) column and nulls the field instead of returning it. A plain envelope carries no per-cell binding, so a writer who could place one — copied from anywhere under the same vault root — would otherwise relocate a value across rows or columns and defeat the copy-protection the AAD binding advertises. Operators migrating pre-AAD rows up to bound ciphertext opt into a bounded acceptance window with registerTable({ allowPlainMigration: true }) and clear it when migration completes. · *Row-level-security enablement fails closed on non-native drivers* — b.db.declareRowPolicy read pg_class.relrowsecurity to skip a redundant ENABLE ROW LEVEL SECURITY, but tested it with a bare truthiness check. A native pg driver returns a JS boolean; a proxy or ORM may return the string "f" for a disabled table — and "f" is truthy, so the check read it as already-enabled and silently skipped the ENABLE, leaving every row in the table unprotected while the migration reported success. RLS now counts as enabled only on a value that unambiguously means true (true, 1, or "t"/"true"/"1"/"on"/"yes"); every other shape re-issues ENABLE, a harmless no-op on an already-enabled table. · *Vendored-crypto CVE scanning, complementary SAST, and workflow static analysis in CI* — The framework ships zero npm runtime dependencies — its crypto (the noble suite, the WebAuthn server, the PKI layer) is vendored under lib/vendor/, where npm audit, Dependabot, and Socket cannot see it. Every build now generates a CycloneDX SBOM of the vendored tree (each library carrying an npm purl) and runs it through OSV-Scanner, matching the exact pinned version against the OSV vulnerability database; a published CVE or GHSA affecting a vendored version fails the build so the copy is refreshed before merge. A Semgrep pass (registry security-audit + javascript packs at ERROR severity) runs alongside CodeQL as complementary SAST, and actionlint statically checks the workflow files. All three install the OSS tool from its upstream release, matching the existing secret-scan gate's posture. **Detectors:** *Quadratic trailing-whitespace and tag-find regex detectors* — Two codebase-pattern detectors refuse reintroduction of the quadratic shapes: the /[ \t]+$/ trailing-whitespace strip (as .replace, .test, or via the named TRAILING_HSPACE_RE export) outside the linear helper that owns it, and the str.match(/<tag[^>]*>/) document-tag find that the response middleware must route through b.safeBuffer.indexAfterOpenTag. Each is proven to fire on the removed shape and stay silent on the linear replacement, so the ReDoS class cannot creep back into a new parser, guard, or response rewriter.
 
 - v0.15.10 (2026-06-13) — **Makes S3 Object-Lock version erasure reachable through the object store, and pins the build toolchain's native binary to a reviewed hash.** The object store gains the versioned-delete surface its S3 Object Lock support always needed for real erasure. An unversioned delete on a versioning-enabled (Object-Lock) bucket only writes a delete-marker — the data version survives — so the framework's own delete could report success while a record protected for compliance, or one a data subject asked to erase, stayed on disk. b.objectStore / b.storage now carry a versionId: put and saveRaw return the version they created, deleteFile(key, { versionId, bypassGovernanceRetention }) targets a specific version (refused — not silently delete-markered — when it is under an active retention), and listVersions enumerates versions and delete-markers so an erasure workflow can find them. Backends with no version surface (the filesystem backend, and the current Azure and GCS adapters) refuse a versioned delete loudly rather than silently dropping the current object. Separately, the build toolchain's native bundler binary is now verified against a reviewed SHA-256 pin so a tampered or drifted binary is caught before it bundles the framework. **Added:** *Versioned object delete + listVersions for S3 Object-Lock erasure* — b.storage.deleteFile and the b.objectStore sigv4 backend now accept opts.versionId to erase a specific object version, and opts.bypassGovernanceRetention to lift a GOVERNANCE-mode retention for callers with the permission (COMPLIANCE stays immutable to everyone). b.storage.saveRaw and the backend put now return the versionId they created on a versioning-enabled bucket, and a new b.storage.listVersions(prefix) / backend listVersions enumerates every version and delete-marker (key, versionId, isLatest, deleteMarker, size, lastModified, etag) so a right-to-erasure or crypto-shred workflow can target prior versions. On a backend with no version surface, listVersions throws VERSIONS_UNSUPPORTED and a versioned delete throws VERSIONID_UNSUPPORTED rather than silently acting on the current object. · *b.localDb.thin reaches SQLite resource-limit parity (limits option)* — b.localDb.thin now opens its node:sqlite handle with the same parse-time statement-size cap as b.db and the CLI — a SQL statement over 1 MiB is rejected at parse time, the SQLITE_LIMIT_LENGTH floor that guards prepare()/exec() of raw SQL against an attacker-influenced megaquery (SQLite's default is 1 GB). The cap is on by default; a new limits option (e.g. { sqlLength: 2 * 1024 * 1024 } or other SQLITE_LIMIT_* keys) lets an operator raise or extend it. Previously the thin opener had no limits plumbing, so a consumer on that path could not reach parity with the rest of the framework's SQLite surface. **Fixed:** *S3 Object-Lock version erasure is reachable through the framework delete path* — On a versioning-enabled (Object-Lock) bucket, an unversioned DELETE only writes a delete-marker — the protected data version survives untouched — yet the framework's delete had no versionId surface, so it issued the unversioned form and reported success while the bytes the lock protects remained. A retention or legal hold could therefore look enforced to the framework caller while the operation WORM actually blocks was unreachable. The delete path now targets the exact version: deleting a version under a COMPLIANCE retention is refused (it throws, even with bypassGovernanceRetention), a no-retention version erases cleanly, and the enforcement is proven end-to-end against MinIO through the framework's own API. · *b.configDrift.verifyVendorIntegrity is now working-directory-independent* — The vendored-dependency integrity check resolved each manifest file path against process.cwd(), so it only worked when run from the application root. Run from anywhere else it read-failed every entry (reporting ok:false), and under a crafted working directory that happened to contain a clean vendor tree it could hash a different tree than the one actually loaded. It now resolves each file under the framework's own vendor directory by default — the tree loaded at runtime — and honors an explicit libVendorDir for verifying a deployed tree elsewhere, so the result no longer depends on where the process was started. **Security:** *Build toolchain native binary pinned to a reviewed hash* — The native bundler binary the build toolchain runs (esbuild's per-platform compiler, a development dependency that never ships in the runtime) is now verified against a SHA-256 pin captured by diffing the published package tarballs and hashing the binary. The build gate fails if the on-disk binary does not match the reviewed hash for its (version, platform); for a version that has not been reviewed it notes the gap and skips rather than trusting an unverified binary. A cross-artifact check keeps the version in agreement across package.json, the CI install step, and the hash map, so the gate can never quietly test a version that was never diffed — closing a real drift where CI had been installing an older patch than package.json declared. The reviewed diff is benign: version strings plus an installer size-bound and error-message hardening, no new install hooks, files, or network paths, and no runtime-dependency impact. **Detectors:** *Object-store erasure guard, esbuild-pin agreement, + structural re-anchoring of the lint detectors* — A new guard locks the object-store delete path to the versioned-erasure contract: b.storage.deleteFile must thread versionId to the backend, so it can never silently revert to the WORM-blind unversioned delete. A second guard enforces that the esbuild build-tool version agrees across package.json, the CI install step, and the binary-hash map, so a future bump can't update one and leave the gate testing an unreviewed version. Separately, the framework's internal codebase-pattern lint detectors were re-anchored from fixed character spans to structural code boundaries, so they keep matching the code they guard as those functions grow rather than aging out of range; reviving them surfaced a few internal validation and transaction sites that now route through shared helpers (a required positive-integer-with-range validator and an async transaction wrapper) instead of hand-rolling the check. No public API change.

package/lib/vendor/blamejs/SECURITY.md

@@ -374,6 +374,7 @@ This is the minimum-viable security posture for a production deployment. The fra
 - [ ] At boot, before any outbound socket opens: call `b.network.bootFromEnv({ env: process.env, audit: b.audit })` so operator-supplied NTP / DNS / proxy / DPI-trust / TCP socket settings (`BLAMEJS_NTP_*`, `BLAMEJS_DNS_*`, `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`, `BLAMEJS_EXTRA_CA_CERTS`, `BLAMEJS_SOCKET_*`) apply uniformly
 - [ ] If you ship spans/metrics to an OTLP collector through a custom exporter (rather than the framework's `b.otelExport` / `b.logStream`, which already do this): run every span / metric / resource attribute **value** through `b.observability.redactAttrs(attrs)` before serialization. Telemetry is a first-class egress sink — an attribute value holding a bearer token, password, or PII is otherwise shipped to the collector verbatim (CWE-532). `redactAttrs` composes `b.redact.redact`, drops any attribute whose redactor throws (fail toward dropping), and honours an operator override installed via `b.observability.setRedactor`
 - [ ] If the deployment sits behind a deep-packet-inspection proxy with its own re-signing CA: install the CA via `b.network.tls.addCa("/path/to/corp-ca.pem", { label: "corp-mitm" })` and pass `allowDpiTrust: true` to `b.security.assertProduction` — every CA addition audits with subject + fingerprint so a forensic review can reconstruct the trust path
+- [ ] Never set `rejectUnauthorized: false` / `allowInsecure` on an outbound TLS path in production — the framework never disables peer-certificate validation itself, and any connection that runs with it disabled now emits a `tls.insecure_skip_verify` audit + observability event (host, port, source). Alert on that action and treat it as a finding; it is the compliance evidence (SOC 2 / PCI outbound-TLS posture) that no production connection skipped verification. For a self-signed dev cert, pin the CA via `b.network.tls.addCa(...)` instead of disabling validation
 - [ ] For authenticated time (HIPAA / PCI / FIPS shops): use `b.network.ntp.nts.query({ host: ntsKeServer })` (RFC 8915) instead of plain SNTP; set `BLAMEJS_NTS_REQUIRE=1` to fail closed on negotiation failure
 - [ ] When a DNS answer drives a trust decision (DANE / TLSA pinning, SSHFP, CAA enforcement, OPENPGPKEY lookup) and the upstream resolver isn't itself trusted: verify the answer's DNSSEC signature with `b.network.dns.dnssec.verifyRrset(...)` rather than trusting the resolver's AD bit — an on-path or compromised resolver can set AD on a forged answer, but cannot forge the RRSIG. Validate the whole delegation chain root→TLD→zone with `b.network.dns.dnssec.verifyChain(...)` (default-pinned to the IANA root KSKs, or `trustAnchors` for a private root) so trust is anchored, not borrowed from the resolver. `verifyChain` bounds KeyTrap (CVE-2023-50387) amplification with non-configurable caps (≤4 same-tag candidate keys per RRSIG, ≤64 DNSKEYs/zone, ≤16 DS/delegation, ≤128 chain links, and a signature-validation budget that scales with chain depth so deep delegations validate while bounded collisions stay bounded) and caps NSEC3 iterations at 150 (CVE-2023-50868) — a hostile zone is refused, not allowed to exhaust CPU. For a negative answer that drives a fail-closed decision (an allowlist lookup, a revocation check), verify the NSEC / NSEC3 proof with `b.network.dns.dnssec.verifyDenial(...)` so a forged NXDOMAIN cannot suppress a record; keep the default Opt-Out refusal unless the zone's opt-out spans are acceptable for that decision. For DANE / TLSA, once the TLSA RRset is DNSSEC-verified, pin the peer certificate with `b.network.dns.dane.matchCertificate(...)` — a DANE-EE(3) match authenticates the key with no public CA, while PKIX usages are flagged as still needing PKIX
 - [ ] At boot in production: call `await b.security.assertProduction({ vault: "wrapped", dbAtRest: "encrypted", auditSigning: "wrapped", ntpStrict: true, requireEnv: ["BLAMEJS_VAULT_PASSPHRASE"], dataDir: "./data" })` to refuse to start on weak posture instead of warning

package/lib/vendor/blamejs/api-snapshot.json

@@ -1,7 +1,7 @@
 {
   "version": 1,
-  "frameworkVersion": "0.15.11",
-  "createdAt": "2026-06-14T05:18:13.280Z",
+  "frameworkVersion": "0.15.12",
+  "createdAt": "2026-06-14T14:11:42.465Z",
   "exports": {
     "a2a": {
       "type": "object",
@@ -44422,6 +44422,10 @@
               "type": "function",
               "arity": 1
             },
+            "auditInsecureTls": {
+              "type": "function",
+              "arity": 1
+            },
             "buildOptions": {
               "type": "function",
               "arity": 1
@@ -51297,6 +51301,10 @@
           "type": "function",
           "arity": 2
         },
+        "unescapeSfStringBody": {
+          "type": "function",
+          "arity": 1
+        },
         "unquoteSfString": {
           "type": "function",
           "arity": 1

package/lib/vendor/blamejs/examples/wiki/lib/html-entities.js

@@ -0,0 +1,24 @@
+"use strict";
+
+// Single-pass decode of the built-in HTML entities the wiki page generator
+// emits. A CHAINED decode (`.replace(/&amp;/g,"&").replace(/&lt;/g,"<")...`)
+// double-decodes: `&amp;lt;` -> `&lt;` (step 1) -> `<` (step 2), un-escaping a
+// level that was never escaped at the source (CodeQL js/double-escaping,
+// CWE-116). One regex pass consumes each entity exactly once, so a replacement
+// output is never re-scanned. Mirrors the framework's production decoders
+// (lib/parsers/safe-xml.js etc.), which are all single-pass and not flagged.
+var _ENT = {
+  "&amp;":  "&",
+  "&lt;":   "<",
+  "&gt;":   ">",
+  "&quot;": "\"",
+  "&#39;":  "'",
+  "&#x27;": "'",
+};
+var _ENT_RE = /&(?:amp|lt|gt|quot|#39|#x27);/g;
+
+function unescapeBuiltinEntities(s) {
+  return String(s).replace(_ENT_RE, function (m) { return _ENT[m]; });
+}
+
+module.exports = { unescapeBuiltinEntities: unescapeBuiltinEntities };

package/lib/vendor/blamejs/examples/wiki/lib/symbol-index.js

@@ -15,18 +15,20 @@
 // the manifest at /api/symbols.json so the client autocomplete reads
 // it as a static JSON resource.
 
+var htmlEntities = require("./html-entities");
+
 var HEADING_RE = /<h([23])(?:\s+[^>]*)?>([\s\S]*?)<\/h\1>/g;
 var SIG_RE     = /b\.[a-zA-Z][a-zA-Z0-9_.]*(?:\s*\([^)]*\))?/g;
 var ID_ATTR_RE = /\bid\s*=\s*"([^"]+)"/;
 
 function _stripAnchorMarkup(s) {
-  return String(s)
+  // Single-pass entity decode — NOT a chained &amp;-first .replace() (which
+  // double-decodes &amp;lt; -> <).
+  var stripped = String(s)
     .replace(/<a\s+class="anchor"[^>]*>[\s\S]*?<\/a>/g, "")
     .replace(/<\/?code>/g, "")
-    .replace(/<[^>]+>/g, "")
-    .replace(/&amp;/g, "&")
-    .replace(/&lt;/g, "<")
-    .replace(/&gt;/g, ">")
+    .replace(/<[^>]+>/g, "");
+  return htmlEntities.unescapeBuiltinEntities(stripped)
     .replace(/\s+/g, " ")
     .replace(/^\s+|\s+$/g, "");
 }

package/lib/vendor/blamejs/examples/wiki/test/e2e.js

@@ -11,6 +11,7 @@ var http = require("node:http");
 var path = require("node:path");
 var fs = require("node:fs");
 var { buildApp } = require("../lib/build-app");
+var { unescapeBuiltinEntities: _unescapeBuiltinEntities } = require("../lib/html-entities");
 
 // Persistent output to .test-output/wiki-e2e.log at the framework
 // repo root so agents iterating on a failing run can grep the file
@@ -145,6 +146,13 @@ async function run() {
       headers: BROWSER_HEADERS,
     });
     assert("GET / → 200",                    home.statusCode === 200);
+    // #76 — the shared entity decoder is single-pass: a doubly-encoded
+    // `&amp;lt;` stays `&lt;` rather than double-decoding to `<` (the chained
+    // &amp;-first .replace() form the nav-coverage h1 check used to hand-roll).
+    assert("html-entities decode is single-pass (no &amp;lt; double-decode)",
+           _unescapeBuiltinEntities("&amp;lt;tag&amp;gt;") === "&lt;tag&gt;");
+    assert("html-entities decode handles normal entities",
+           _unescapeBuiltinEntities("Tom &amp; Jerry &lt; 5") === "Tom & Jerry < 5");
     assert("GET / body has 'blamejs'",       /blamejs/i.test(home.body));
     assert("GET / body has nav",             /rail-nav/i.test(home.body));
     assert("GET / loads strict CSP (no unsafe-inline)",
@@ -608,7 +616,7 @@ async function run() {
       var mainSlice = b2.slice(mainStart, mainEnd);
       var h1m = mainSlice.match(/<h1[^>]*>([\s\S]*?)<\/h1>/);
       if (!h1m) { navFailures.push("/" + ne.slug + " missing <h1>"); continue; }
-      var h1Text = h1m[1].replace(/<[^>]+>/g, "").replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").trim();
+      var h1Text = _unescapeBuiltinEntities(h1m[1].replace(/<[^>]+>/g, "")).trim();
       if (h1Text !== ne.title && h1Text.indexOf(ne.title) === -1) {
         navFailures.push("/" + ne.slug + " <h1> `" + h1Text + "` ≠ `" + ne.title + "`");
         continue;

package/lib/vendor/blamejs/examples/wiki/test/validate-nav-coverage.js

@@ -33,6 +33,7 @@ var http = require("node:http");
 
 var nav  = require("../lib/nav");
 var site = require("../site.config");
+var { unescapeBuiltinEntities: _unescapeBuiltinEntities } = require("../lib/html-entities");
 
 var REPORT_ONLY = process.argv.indexOf("--report") !== -1;
 var PORT_ARG = process.argv.find(function (a) { return a.indexOf("--port=") === 0; });
@@ -96,14 +97,7 @@ function _checkBody(html, expectedTitle) {
   if (!h1Match) {
     issues.push("missing <h1> in <main>");
   } else {
-    var h1Text = h1Match[1]
-      .replace(/<[^>]+>/g, "")
-      .replace(/&amp;/g, "&")
-      .replace(/&lt;/g, "<")
-      .replace(/&gt;/g, ">")
-      .replace(/&quot;/g, '"')
-      .replace(/&#39;/g, "'")
-      .trim();
+    var h1Text = _unescapeBuiltinEntities(h1Match[1].replace(/<[^>]+>/g, "")).trim();
     if (h1Text !== expectedTitle && h1Text.indexOf(expectedTitle) === -1) {
       issues.push("<h1> text `" + h1Text + "` does not contain expected title `" + expectedTitle + "`");
     }