@blamejs/blamejs-shop 0.4.69 → 0.4.70

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (297) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/admin.js +8 -6
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/security-middleware.js +65 -23
  5. package/lib/storefront.js +10 -7
  6. package/lib/vendor/MANIFEST.json +319 -267
  7. package/lib/vendor/blamejs/CHANGELOG.md +2 -0
  8. package/lib/vendor/blamejs/api-snapshot.json +58 -5
  9. package/lib/vendor/blamejs/examples/wiki/README.md +1 -1
  10. package/lib/vendor/blamejs/examples/wiki/docker-compose.prod.yml +9 -8
  11. package/lib/vendor/blamejs/examples/wiki/docker-compose.yml +10 -9
  12. package/lib/vendor/blamejs/examples/wiki/env-snapshot.json +4 -3
  13. package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +33 -17
  14. package/lib/vendor/blamejs/examples/wiki/routes/admin.js +7 -10
  15. package/lib/vendor/blamejs/examples/wiki/server.js +5 -4
  16. package/lib/vendor/blamejs/examples/wiki/test/e2e.js +5 -0
  17. package/lib/vendor/blamejs/lib/a2a-tasks.js +38 -6
  18. package/lib/vendor/blamejs/lib/agent-event-bus.js +13 -0
  19. package/lib/vendor/blamejs/lib/agent-idempotency.js +5 -1
  20. package/lib/vendor/blamejs/lib/agent-snapshot.js +32 -2
  21. package/lib/vendor/blamejs/lib/ai-aedt-bias-audit.js +2 -1
  22. package/lib/vendor/blamejs/lib/ai-content-detect.js +1 -3
  23. package/lib/vendor/blamejs/lib/ai-frontier-protocol.js +1 -1
  24. package/lib/vendor/blamejs/lib/ai-model-manifest.js +1 -1
  25. package/lib/vendor/blamejs/lib/ai-output.js +16 -7
  26. package/lib/vendor/blamejs/lib/api-snapshot.js +4 -1
  27. package/lib/vendor/blamejs/lib/app-shutdown.js +7 -1
  28. package/lib/vendor/blamejs/lib/archive-gz.js +9 -0
  29. package/lib/vendor/blamejs/lib/archive-read.js +9 -7
  30. package/lib/vendor/blamejs/lib/archive-tar-read.js +51 -8
  31. package/lib/vendor/blamejs/lib/archive.js +4 -2
  32. package/lib/vendor/blamejs/lib/asn1-der.js +70 -22
  33. package/lib/vendor/blamejs/lib/atomic-file.js +204 -2
  34. package/lib/vendor/blamejs/lib/audit-chain.js +54 -5
  35. package/lib/vendor/blamejs/lib/audit-daily-review.js +12 -2
  36. package/lib/vendor/blamejs/lib/audit-sign.js +2 -1
  37. package/lib/vendor/blamejs/lib/audit-tools.js +108 -23
  38. package/lib/vendor/blamejs/lib/audit.js +7 -2
  39. package/lib/vendor/blamejs/lib/auth/access-lock.js +2 -2
  40. package/lib/vendor/blamejs/lib/auth/bot-challenge.js +1 -1
  41. package/lib/vendor/blamejs/lib/auth/ciba.js +43 -4
  42. package/lib/vendor/blamejs/lib/auth/dpop.js +6 -1
  43. package/lib/vendor/blamejs/lib/auth/fido-mds3.js +5 -1
  44. package/lib/vendor/blamejs/lib/auth/jwt.js +2 -2
  45. package/lib/vendor/blamejs/lib/auth/lockout.js +18 -2
  46. package/lib/vendor/blamejs/lib/auth/passkey.js +1 -1
  47. package/lib/vendor/blamejs/lib/auth/password.js +1 -1
  48. package/lib/vendor/blamejs/lib/auth/saml.js +33 -13
  49. package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +24 -4
  50. package/lib/vendor/blamejs/lib/auth/status-list.js +14 -2
  51. package/lib/vendor/blamejs/lib/auth/step-up.js +9 -1
  52. package/lib/vendor/blamejs/lib/auth-bot-challenge.js +21 -2
  53. package/lib/vendor/blamejs/lib/backup/bundle.js +7 -2
  54. package/lib/vendor/blamejs/lib/backup/crypto.js +23 -8
  55. package/lib/vendor/blamejs/lib/backup/index.js +41 -20
  56. package/lib/vendor/blamejs/lib/backup/manifest.js +7 -1
  57. package/lib/vendor/blamejs/lib/break-glass.js +41 -22
  58. package/lib/vendor/blamejs/lib/cbor.js +34 -11
  59. package/lib/vendor/blamejs/lib/cdn-cache-control.js +7 -3
  60. package/lib/vendor/blamejs/lib/cert.js +5 -3
  61. package/lib/vendor/blamejs/lib/cli.js +5 -1
  62. package/lib/vendor/blamejs/lib/cloud-events.js +3 -2
  63. package/lib/vendor/blamejs/lib/cluster-storage.js +7 -3
  64. package/lib/vendor/blamejs/lib/codepoint-class.js +17 -0
  65. package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -1
  66. package/lib/vendor/blamejs/lib/compliance-sanctions.js +9 -7
  67. package/lib/vendor/blamejs/lib/compliance.js +1 -1
  68. package/lib/vendor/blamejs/lib/config-drift.js +22 -8
  69. package/lib/vendor/blamejs/lib/content-credentials.js +11 -8
  70. package/lib/vendor/blamejs/lib/content-digest.js +11 -4
  71. package/lib/vendor/blamejs/lib/cookies.js +10 -2
  72. package/lib/vendor/blamejs/lib/cose.js +20 -0
  73. package/lib/vendor/blamejs/lib/crdt.js +2 -1
  74. package/lib/vendor/blamejs/lib/crypto-field.js +29 -23
  75. package/lib/vendor/blamejs/lib/crypto.js +18 -4
  76. package/lib/vendor/blamejs/lib/csp.js +4 -0
  77. package/lib/vendor/blamejs/lib/daemon.js +4 -1
  78. package/lib/vendor/blamejs/lib/data-act.js +27 -4
  79. package/lib/vendor/blamejs/lib/db-file-lifecycle.js +14 -6
  80. package/lib/vendor/blamejs/lib/db-query.js +69 -9
  81. package/lib/vendor/blamejs/lib/db.js +32 -15
  82. package/lib/vendor/blamejs/lib/dora.js +43 -13
  83. package/lib/vendor/blamejs/lib/dr-runbook.js +1 -1
  84. package/lib/vendor/blamejs/lib/dsa.js +2 -1
  85. package/lib/vendor/blamejs/lib/dsr.js +22 -8
  86. package/lib/vendor/blamejs/lib/early-hints.js +19 -0
  87. package/lib/vendor/blamejs/lib/eat.js +5 -1
  88. package/lib/vendor/blamejs/lib/external-db.js +60 -4
  89. package/lib/vendor/blamejs/lib/fda-21cfr11.js +30 -5
  90. package/lib/vendor/blamejs/lib/flag-providers.js +6 -2
  91. package/lib/vendor/blamejs/lib/forms.js +1 -1
  92. package/lib/vendor/blamejs/lib/gate-contract.js +46 -5
  93. package/lib/vendor/blamejs/lib/gdpr-ropa.js +18 -9
  94. package/lib/vendor/blamejs/lib/graphql-federation.js +17 -4
  95. package/lib/vendor/blamejs/lib/guard-all.js +2 -2
  96. package/lib/vendor/blamejs/lib/guard-dsn.js +1 -1
  97. package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
  98. package/lib/vendor/blamejs/lib/guard-html.js +9 -11
  99. package/lib/vendor/blamejs/lib/guard-imap-command.js +1 -1
  100. package/lib/vendor/blamejs/lib/guard-jmap.js +1 -1
  101. package/lib/vendor/blamejs/lib/guard-json.js +14 -6
  102. package/lib/vendor/blamejs/lib/guard-mail-move.js +1 -1
  103. package/lib/vendor/blamejs/lib/guard-managesieve-command.js +1 -1
  104. package/lib/vendor/blamejs/lib/guard-pop3-command.js +1 -1
  105. package/lib/vendor/blamejs/lib/guard-smtp-command.js +1 -1
  106. package/lib/vendor/blamejs/lib/guard-svg.js +8 -9
  107. package/lib/vendor/blamejs/lib/html-balance.js +7 -3
  108. package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +33 -12
  109. package/lib/vendor/blamejs/lib/http-client.js +225 -53
  110. package/lib/vendor/blamejs/lib/iab-tcf.js +3 -2
  111. package/lib/vendor/blamejs/lib/importmap-integrity.js +41 -1
  112. package/lib/vendor/blamejs/lib/incident-report.js +9 -6
  113. package/lib/vendor/blamejs/lib/json-patch.js +1 -1
  114. package/lib/vendor/blamejs/lib/json-path.js +24 -3
  115. package/lib/vendor/blamejs/lib/jtd.js +2 -2
  116. package/lib/vendor/blamejs/lib/legal-hold.js +24 -8
  117. package/lib/vendor/blamejs/lib/log.js +2 -2
  118. package/lib/vendor/blamejs/lib/mail-agent.js +2 -2
  119. package/lib/vendor/blamejs/lib/mail-arf.js +1 -1
  120. package/lib/vendor/blamejs/lib/mail-auth.js +3 -3
  121. package/lib/vendor/blamejs/lib/mail-bimi.js +16 -16
  122. package/lib/vendor/blamejs/lib/mail-bounce.js +3 -3
  123. package/lib/vendor/blamejs/lib/mail-crypto-smime.js +71 -6
  124. package/lib/vendor/blamejs/lib/mail-deploy.js +9 -5
  125. package/lib/vendor/blamejs/lib/mail-greylist.js +2 -4
  126. package/lib/vendor/blamejs/lib/mail-helo.js +2 -4
  127. package/lib/vendor/blamejs/lib/mail-journal.js +11 -8
  128. package/lib/vendor/blamejs/lib/mail-mdn.js +8 -4
  129. package/lib/vendor/blamejs/lib/mail-rbl.js +2 -4
  130. package/lib/vendor/blamejs/lib/mail-scan.js +3 -5
  131. package/lib/vendor/blamejs/lib/mail-server-jmap.js +4 -1
  132. package/lib/vendor/blamejs/lib/mail-server-registry.js +1 -1
  133. package/lib/vendor/blamejs/lib/mail-server-tls.js +9 -2
  134. package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -4
  135. package/lib/vendor/blamejs/lib/mail-store-fts.js +1 -1
  136. package/lib/vendor/blamejs/lib/mail.js +22 -2
  137. package/lib/vendor/blamejs/lib/markup-tokenizer.js +24 -0
  138. package/lib/vendor/blamejs/lib/mcp.js +6 -4
  139. package/lib/vendor/blamejs/lib/mdoc.js +26 -3
  140. package/lib/vendor/blamejs/lib/metrics.js +14 -3
  141. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +2 -2
  142. package/lib/vendor/blamejs/lib/middleware/body-parser.js +10 -4
  143. package/lib/vendor/blamejs/lib/middleware/bot-guard.js +26 -18
  144. package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +5 -1
  145. package/lib/vendor/blamejs/lib/middleware/compression.js +9 -0
  146. package/lib/vendor/blamejs/lib/middleware/cors.js +32 -23
  147. package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +60 -21
  148. package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -4
  149. package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +28 -4
  150. package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +61 -30
  151. package/lib/vendor/blamejs/lib/middleware/rate-limit.js +25 -16
  152. package/lib/vendor/blamejs/lib/middleware/scim-server.js +2 -1
  153. package/lib/vendor/blamejs/lib/middleware/security-headers.js +24 -6
  154. package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +6 -3
  155. package/lib/vendor/blamejs/lib/middleware/tus-upload.js +2 -2
  156. package/lib/vendor/blamejs/lib/money.js +1 -1
  157. package/lib/vendor/blamejs/lib/mtls-ca.js +10 -6
  158. package/lib/vendor/blamejs/lib/network-dns-resolver.js +1 -1
  159. package/lib/vendor/blamejs/lib/network-dns.js +9 -2
  160. package/lib/vendor/blamejs/lib/network-dnssec.js +2 -1
  161. package/lib/vendor/blamejs/lib/network-smtp-policy.js +23 -5
  162. package/lib/vendor/blamejs/lib/network-tls.js +27 -5
  163. package/lib/vendor/blamejs/lib/network-tsig.js +2 -2
  164. package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
  165. package/lib/vendor/blamejs/lib/nist-crosswalk.js +1 -1
  166. package/lib/vendor/blamejs/lib/ntp-check.js +28 -0
  167. package/lib/vendor/blamejs/lib/numeric-bounds.js +9 -0
  168. package/lib/vendor/blamejs/lib/object-store/azure-blob.js +1 -2
  169. package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +4 -2
  170. package/lib/vendor/blamejs/lib/object-store/gcs.js +6 -4
  171. package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -2
  172. package/lib/vendor/blamejs/lib/object-store/http-request.js +30 -1
  173. package/lib/vendor/blamejs/lib/object-store/local.js +37 -17
  174. package/lib/vendor/blamejs/lib/object-store/sigv4.js +1 -2
  175. package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +20 -4
  176. package/lib/vendor/blamejs/lib/outbox.js +11 -4
  177. package/lib/vendor/blamejs/lib/parsers/safe-xml.js +1 -1
  178. package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +21 -3
  179. package/lib/vendor/blamejs/lib/queue-local.js +10 -3
  180. package/lib/vendor/blamejs/lib/redact.js +7 -3
  181. package/lib/vendor/blamejs/lib/request-helpers.js +201 -23
  182. package/lib/vendor/blamejs/lib/resource-access-lock.js +3 -3
  183. package/lib/vendor/blamejs/lib/restore-bundle.js +46 -18
  184. package/lib/vendor/blamejs/lib/restore-rollback.js +10 -4
  185. package/lib/vendor/blamejs/lib/restore.js +19 -0
  186. package/lib/vendor/blamejs/lib/retention.js +20 -4
  187. package/lib/vendor/blamejs/lib/router.js +17 -4
  188. package/lib/vendor/blamejs/lib/safe-ical.js +2 -2
  189. package/lib/vendor/blamejs/lib/safe-icap.js +1 -1
  190. package/lib/vendor/blamejs/lib/safe-json.js +44 -0
  191. package/lib/vendor/blamejs/lib/safe-sieve.js +1 -1
  192. package/lib/vendor/blamejs/lib/safe-vcard.js +1 -1
  193. package/lib/vendor/blamejs/lib/sandbox-worker.js +6 -0
  194. package/lib/vendor/blamejs/lib/sandbox.js +1 -1
  195. package/lib/vendor/blamejs/lib/scheduler.js +17 -1
  196. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +16 -0
  197. package/lib/vendor/blamejs/lib/session.js +27 -3
  198. package/lib/vendor/blamejs/lib/sql.js +3 -3
  199. package/lib/vendor/blamejs/lib/static.js +65 -13
  200. package/lib/vendor/blamejs/lib/template.js +7 -5
  201. package/lib/vendor/blamejs/lib/tenant-quota.js +52 -19
  202. package/lib/vendor/blamejs/lib/tsa.js +5 -2
  203. package/lib/vendor/blamejs/lib/vault/index.js +5 -0
  204. package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +22 -26
  205. package/lib/vendor/blamejs/lib/vault/passphrase-source.js +8 -3
  206. package/lib/vendor/blamejs/lib/vault/rotate.js +13 -18
  207. package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -1
  208. package/lib/vendor/blamejs/lib/vc.js +1 -1
  209. package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +10 -10
  210. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +23 -10
  211. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +5498 -5494
  212. package/lib/vendor/blamejs/lib/webhook.js +16 -1
  213. package/lib/vendor/blamejs/lib/websocket.js +1 -1
  214. package/lib/vendor/blamejs/lib/worm.js +1 -1
  215. package/lib/vendor/blamejs/lib/ws-client.js +57 -46
  216. package/lib/vendor/blamejs/lib/x509-chain.js +44 -0
  217. package/lib/vendor/blamejs/package.json +1 -1
  218. package/lib/vendor/blamejs/release-notes/v0.15.14.json +122 -0
  219. package/lib/vendor/blamejs/scripts/check-vendor-currency.js +119 -4
  220. package/lib/vendor/blamejs/test/00-primitives.js +5 -1
  221. package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +18 -4
  222. package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +42 -0
  223. package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +36 -0
  224. package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +0 -0
  225. package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +47 -0
  226. package/lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js +24 -0
  227. package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar-hardening.test.js +160 -0
  228. package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +45 -0
  229. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +30 -0
  230. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js +79 -0
  231. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js +132 -0
  232. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-stream.test.js +181 -0
  233. package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-corrupted-anchor.test.js +65 -0
  234. package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-incremental-verify.test.js +83 -0
  235. package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +48 -1
  236. package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +13 -3
  237. package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +122 -0
  238. package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +37 -0
  239. package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +5 -3
  240. package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +21 -0
  241. package/lib/vendor/blamejs/test/layer-0-primitives/auth-status-list.test.js +73 -0
  242. package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +17 -0
  243. package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +62 -3
  244. package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +12 -0
  245. package/lib/vendor/blamejs/test/layer-0-primitives/cluster-storage.test.js +40 -0
  246. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +146 -5
  247. package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +14 -0
  248. package/lib/vendor/blamejs/test/layer-0-primitives/compression-range.test.js +115 -0
  249. package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +17 -5
  250. package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +27 -5
  251. package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +83 -0
  252. package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +58 -0
  253. package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +30 -0
  254. package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +74 -0
  255. package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +20 -6
  256. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js +64 -0
  257. package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +32 -0
  258. package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +43 -0
  259. package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +30 -0
  260. package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +33 -0
  261. package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +34 -0
  262. package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +12 -0
  263. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +72 -0
  264. package/lib/vendor/blamejs/test/layer-0-primitives/http-client-throttle-transform.test.js +88 -0
  265. package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +25 -0
  266. package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +28 -0
  267. package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +20 -0
  268. package/lib/vendor/blamejs/test/layer-0-primitives/mail-header-injection.test.js +58 -0
  269. package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +63 -9
  270. package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js +41 -14
  271. package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +61 -0
  272. package/lib/vendor/blamejs/test/layer-0-primitives/object-store-range-header.test.js +51 -0
  273. package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +35 -0
  274. package/lib/vendor/blamejs/test/layer-0-primitives/output-header-hardening.test.js +102 -0
  275. package/lib/vendor/blamejs/test/layer-0-primitives/parser-verify-hardening.test.js +191 -0
  276. package/lib/vendor/blamejs/test/layer-0-primitives/proto-shadow-allowlist.test.js +120 -0
  277. package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +75 -0
  278. package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +128 -0
  279. package/lib/vendor/blamejs/test/layer-0-primitives/restore-blob-remap.test.js +128 -0
  280. package/lib/vendor/blamejs/test/layer-0-primitives/retention-sweep-termination.test.js +104 -0
  281. package/lib/vendor/blamejs/test/layer-0-primitives/router-body-validation.test.js +98 -0
  282. package/lib/vendor/blamejs/test/layer-0-primitives/safe-json-stringify-for-script.test.js +43 -0
  283. package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +48 -5
  284. package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +23 -0
  285. package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +54 -0
  286. package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +24 -0
  287. package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +42 -1
  288. package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +7 -0
  289. package/lib/vendor/blamejs/test/layer-0-primitives/template-escape-html.test.js +43 -0
  290. package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +15 -0
  291. package/lib/vendor/blamejs/test/layer-0-primitives/vault-default-store.test.js +48 -0
  292. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +77 -0
  293. package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +50 -0
  294. package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +22 -0
  295. package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +149 -0
  296. package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +34 -0
  297. package/package.json +1 -1
@@ -38,6 +38,7 @@
38
38
  var nodeFs = require("node:fs");
39
39
  var nodePath = require("node:path");
40
40
  var atomicFile = require("../atomic-file");
41
+ var C = require("../constants");
41
42
  var frameworkFiles = require("../framework-files");
42
43
  var vaultWrap = require("./wrap");
43
44
  var { defineClass } = require("../framework-error");
@@ -75,17 +76,6 @@ function _requirePassphrase(opts, fieldName) {
75
76
  }
76
77
  }
77
78
 
78
- // fsync-by-path semantic: open then sync then close. atomicFile.fsync
79
- // expects an already-open fd; this wrapper opens the file we just
80
- // wrote, flushes its contents, and closes — the right shape when we
81
- // don't have the original write fd around.
82
- function _fsyncPath(p) {
83
- try {
84
- var fd = nodeFs.openSync(p, "r+");
85
- try { atomicFile.fsync(fd); } finally { nodeFs.closeSync(fd); }
86
- } catch (_e) { /* best-effort across filesystems */ }
87
- }
88
-
89
79
  // ---- Pre-flight checks (no side effects) ----
90
80
 
91
81
  function preflightSealable(opts) {
@@ -142,16 +132,18 @@ async function seal(opts) {
142
132
  var p = _paths(opts.dataDir);
143
133
  var keepPlaintext = !!opts.keepPlaintext;
144
134
 
145
- var plainBytes = nodeFs.readFileSync(p.plaintext);
135
+ var plainBytes = atomicFile.fdSafeReadSync(p.plaintext, { maxBytes: C.BYTES.kib(64) });
146
136
  var sealedBytes = await vaultWrap.wrap(plainBytes, opts.passphrase);
147
137
 
148
- // Step 1: write sealed.tmp + fsync
149
- nodeFs.writeFileSync(p.sealedTmp, sealedBytes, { mode: 0o600 });
150
- _fsyncPath(p.sealedTmp);
138
+ // Step 1: write sealed.tmp (exclusive + no-follow create, fsynced) — a
139
+ // bare writeFileSync to this PREDICTABLE temp name would follow a symlink
140
+ // pre-planted at sealed.tmp (CWE-59); writeExclSync clears any stale entry
141
+ // then creates with O_EXCL | O_NOFOLLOW and fsyncs the bytes.
142
+ atomicFile.writeExclSync(p.sealedTmp, sealedBytes, { fileMode: 0o600 });
151
143
  atomicFile.fsyncDir(opts.dataDir);
152
144
 
153
145
  // Step 2: round-trip verify the .tmp before committing the rename
154
- var verifyBytes = nodeFs.readFileSync(p.sealedTmp);
146
+ var verifyBytes = atomicFile.fdSafeReadSync(p.sealedTmp, { maxBytes: C.BYTES.kib(64) });
155
147
  var unwrapped;
156
148
  try {
157
149
  unwrapped = await vaultWrap.unwrap(verifyBytes, opts.passphrase);
@@ -195,7 +187,7 @@ async function unseal(opts) {
195
187
  }
196
188
  var p = _paths(opts.dataDir);
197
189
 
198
- var sealedBytes = nodeFs.readFileSync(p.sealed);
190
+ var sealedBytes = atomicFile.fdSafeReadSync(p.sealed, { maxBytes: C.BYTES.kib(64) });
199
191
  var plainBytes;
200
192
  try {
201
193
  plainBytes = await vaultWrap.unwrap(sealedBytes, opts.passphrase);
@@ -205,13 +197,15 @@ async function unseal(opts) {
205
197
  " — " + SEALED_NAME + " is UNCHANGED");
206
198
  }
207
199
 
208
- // Step 1: write plaintext.tmp + fsync
209
- nodeFs.writeFileSync(p.plaintextTmp, plainBytes, { mode: 0o600 });
210
- _fsyncPath(p.plaintextTmp);
200
+ // Step 1: write plaintext.tmp (exclusive + no-follow create, fsynced) — a
201
+ // bare writeFileSync to this PREDICTABLE temp name would follow a symlink
202
+ // pre-planted at plaintext.tmp (CWE-59); writeExclSync clears any stale
203
+ // entry then creates with O_EXCL | O_NOFOLLOW and fsyncs the bytes.
204
+ atomicFile.writeExclSync(p.plaintextTmp, plainBytes, { fileMode: 0o600 });
211
205
  atomicFile.fsyncDir(opts.dataDir);
212
206
 
213
207
  // Step 2: round-trip sanity — re-read tmp and verify
214
- var verifyBytes = nodeFs.readFileSync(p.plaintextTmp);
208
+ var verifyBytes = atomicFile.fdSafeReadSync(p.plaintextTmp, { maxBytes: C.BYTES.kib(64) });
215
209
  if (Buffer.compare(verifyBytes, plainBytes) !== 0) {
216
210
  try { nodeFs.unlinkSync(p.plaintextTmp); } catch (_e) { /* cleanup */ }
217
211
  throw new VaultPassphraseError("vault-passphrase/verify-mismatch",
@@ -246,7 +240,7 @@ async function rotate(opts) {
246
240
  }
247
241
  var p = _paths(opts.dataDir);
248
242
 
249
- var sealedBytes = nodeFs.readFileSync(p.sealed);
243
+ var sealedBytes = atomicFile.fdSafeReadSync(p.sealed, { maxBytes: C.BYTES.kib(64) });
250
244
  var plainBytes;
251
245
  try {
252
246
  plainBytes = await vaultWrap.unwrap(sealedBytes, opts.oldPassphrase);
@@ -257,14 +251,16 @@ async function rotate(opts) {
257
251
  }
258
252
  var newSealedBytes = await vaultWrap.wrap(plainBytes, opts.newPassphrase);
259
253
 
260
- // Step 1: write new sealed.tmp + fsync
261
- nodeFs.writeFileSync(p.sealedTmp, newSealedBytes, { mode: 0o600 });
262
- _fsyncPath(p.sealedTmp);
254
+ // Step 1: write new sealed.tmp (exclusive + no-follow create, fsynced) — a
255
+ // bare writeFileSync to this PREDICTABLE temp name would follow a symlink
256
+ // pre-planted at sealed.tmp (CWE-59); writeExclSync clears any stale entry
257
+ // then creates with O_EXCL | O_NOFOLLOW and fsyncs the bytes.
258
+ atomicFile.writeExclSync(p.sealedTmp, newSealedBytes, { fileMode: 0o600 });
263
259
  atomicFile.fsyncDir(opts.dataDir);
264
260
 
265
261
  // Step 2: round-trip verify with NEW passphrase, AND assert unwrap
266
262
  // with the OLD passphrase fails — otherwise the rotation didn't take.
267
- var verifyBytes = nodeFs.readFileSync(p.sealedTmp);
263
+ var verifyBytes = atomicFile.fdSafeReadSync(p.sealedTmp, { maxBytes: C.BYTES.kib(64) });
268
264
  var verifyPlain;
269
265
  try { verifyPlain = await vaultWrap.unwrap(verifyBytes, opts.newPassphrase); }
270
266
  catch (e) {
@@ -23,10 +23,10 @@
23
23
  * exposure to later env-dump surfaces. This doesn't zero the memory
24
24
  * (JavaScript can't) but does remove the env-object reference.
25
25
  */
26
- var nodeFs = require("node:fs");
27
26
  var readline = require("node:readline");
28
27
  var safeEnv = require("../parsers/safe-env");
29
28
  var safeBuffer = require("../safe-buffer");
29
+ var atomicFile = require("../atomic-file");
30
30
 
31
31
  var MAX_PASSPHRASE_BYTES = 4096;
32
32
 
@@ -83,9 +83,14 @@ async function fromFile(filePath, opts) {
83
83
  }
84
84
  var raw;
85
85
  try {
86
- raw = nodeFs.readFileSync(filePath);
86
+ // Cap the passphrase-file read at MAX_PASSPHRASE_BYTES at READ time (was only
87
+ // checked AFTER the whole file was in memory), so a swapped multi-GiB target
88
+ // can't OOM boot before validatePassphraseBuffer. NO refuseSymlink: the
89
+ // BLAMEJS_VAULT_PASSPHRASE_FILE is frequently a k8s projected-secret mount,
90
+ // which is a symlink chain — following it is correct.
91
+ raw = atomicFile.fdSafeReadSync(filePath, { maxBytes: MAX_PASSPHRASE_BYTES });
87
92
  } catch (e) {
88
- throw new Error("failed to read " + envVars.file + " (" + filePath + "): " + e.code);
93
+ throw new Error("failed to read " + envVars.file + " (" + filePath + "): " + (e.code || e.message));
89
94
  }
90
95
  var buf = trimTrailingNewlines(raw);
91
96
  validatePassphraseBuffer(buf, "file source (" + filePath + ")");
@@ -493,16 +493,11 @@ function _emit(cb, ev) {
493
493
  // staging dir is already 0o700 owner-only, so this is defense in depth
494
494
  // against a same-user pre-plant / symlink swap (CWE-377 / CWE-379 / CWE-59).
495
495
  function _writeStagedFileExclusive(p, data) {
496
- try { nodeFs.unlinkSync(p); } catch (_e) { /* no stale entry to clear */ }
497
- var fd = nodeFs.openSync(p,
498
- nodeFs.constants.O_WRONLY | nodeFs.constants.O_CREAT |
499
- nodeFs.constants.O_EXCL | (nodeFs.constants.O_NOFOLLOW || 0), 0o600);
500
- try {
501
- nodeFs.writeFileSync(fd, data);
502
- nodeFs.fsyncSync(fd);
503
- } finally {
504
- nodeFs.closeSync(fd);
505
- }
496
+ // The clear-stale + O_EXCL|O_NOFOLLOW create + write + fsync sequence now
497
+ // lives in the atomic-file primitive (also used by the vault passphrase
498
+ // seal/unseal staging writes) so every staged exclusive write shares one
499
+ // implementation.
500
+ atomicFile.writeExclSync(p, data, { fileMode: 0o600 });
506
501
  }
507
502
 
508
503
  function _reSealValue(sealedValue, oldKeys, newKeys) {
@@ -759,7 +754,7 @@ async function rotate(opts) {
759
754
  // Stage via the exclusive-create + fsync helper rather than a plain copy,
760
755
  // so the verbatim file is durable at write time (no later by-path fsync)
761
756
  // and a pre-planted file/symlink at the staging path hard-fails.
762
- _writeStagedFileExclusive(dest, nodeFs.readFileSync(src));
757
+ _writeStagedFileExclusive(dest, atomicFile.fdSafeReadSync(src, { maxBytes: C.BYTES.mib(64) }));
763
758
  }
764
759
  for (var vd = 0; vd < paths.verbatimDirs.length; vd++) {
765
760
  var dent = paths.verbatimDirs[vd];
@@ -797,7 +792,7 @@ async function rotate(opts) {
797
792
  var dbKeySealedPath = nodePath.join(dataDir, paths.dbKeySealed);
798
793
  var dbKey = null;
799
794
  if (nodeFs.existsSync(dbKeySealedPath)) {
800
- var sealedKey = nodeFs.readFileSync(dbKeySealedPath, "utf8").trim();
795
+ var sealedKey = atomicFile.fdSafeReadSync(dbKeySealedPath, { maxBytes: C.BYTES.kib(64), encoding: "utf8" }).trim();
801
796
  if (vaultAad.isAadSealed(sealedKey)) {
802
797
  // AAD-bound db.key.enc (db.js since v0.14.7): unseal under the OLD
803
798
  // root with the deployment-context AAD, then re-emit under the NEW
@@ -832,7 +827,7 @@ async function rotate(opts) {
832
827
  }
833
828
  continue;
834
829
  }
835
- var current = nodeFs.readFileSync(asSrc, "utf8").trim();
830
+ var current = atomicFile.fdSafeReadSync(asSrc, { maxBytes: C.BYTES.mib(1), encoding: "utf8" }).trim();
836
831
  if (current.indexOf(C.VAULT_PREFIX) !== 0) {
837
832
  throw new VaultRotateError("vault-rotate/bad-sealed",
838
833
  "rotate: sealed file does not start with the vault prefix: " + ase.relativePath);
@@ -854,11 +849,11 @@ async function rotate(opts) {
854
849
  // Stage via the exclusive-create + fsync helper (not a plain copy) so the
855
850
  // salt is durable at write time and no later by-path fsync is needed.
856
851
  _writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-salt"),
857
- nodeFs.readFileSync(saltSrc));
852
+ atomicFile.fdSafeReadSync(saltSrc, { maxBytes: C.BYTES.kib(4) }));
858
853
  }
859
854
  var macSrc = nodePath.join(dataDir, "vault.derived-hash-mac.sealed");
860
855
  if (nodeFs.existsSync(macSrc)) {
861
- var macCurrent = nodeFs.readFileSync(macSrc, "utf8").trim();
856
+ var macCurrent = atomicFile.fdSafeReadSync(macSrc, { maxBytes: C.BYTES.kib(64), encoding: "utf8" }).trim();
862
857
  if (macCurrent.indexOf(C.VAULT_PREFIX) === 0) {
863
858
  _writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
864
859
  _reSealValue(macCurrent, oldKeys, newKeys));
@@ -873,7 +868,7 @@ async function rotate(opts) {
873
868
  var verifyResult = null;
874
869
 
875
870
  if (nodeFs.existsSync(encDbPath) && dbKey) {
876
- var packed = nodeFs.readFileSync(encDbPath);
871
+ var packed = atomicFile.fdSafeReadSync(encDbPath, { maxBytes: C.BYTES.gib(2) });
877
872
  // db.enc is XChaCha20-Poly1305-sealed AAD-bound to its dataDir
878
873
  // (db.js _dbEncAad). Read with the dataDir AAD; retry without AAD for
879
874
  // pre-AAD envelopes (mirrors db.js:765-768). The in-place swap keeps
@@ -945,7 +940,7 @@ async function rotate(opts) {
945
940
  // _writeStagedFileExclusive — exclusive + no-follow create, owner-only
946
941
  // 0o600 — so a same-user pre-plant or symlink swap is a hard failure
947
942
  // rather than a followed write, and the bytes never inherit a wider mode.
948
- var rotatedBytes = nodeFs.readFileSync(tmpDbPath);
943
+ var rotatedBytes = atomicFile.fdSafeReadSync(tmpDbPath, { maxBytes: C.BYTES.gib(2) });
949
944
  // Re-encrypt under the SAME dataDir AAD so db.init's AAD-first open
950
945
  // succeeds after the staged dir is swapped over dataDir in place.
951
946
  _writeStagedFileExclusive(nodePath.join(stagingDir, paths.encryptedDb),
@@ -956,7 +951,7 @@ async function rotate(opts) {
956
951
  _emit(progress, { phase: "verify" });
957
952
  var verifyTmp = nodePath.join(stagingDir, "_blamejs_verify.tmp.db");
958
953
  _writeStagedFileExclusive(verifyTmp,
959
- bCrypto.decryptPacked(nodeFs.readFileSync(nodePath.join(stagingDir, paths.encryptedDb)), dbKey, dbEncAad));
954
+ bCrypto.decryptPacked(atomicFile.fdSafeReadSync(nodePath.join(stagingDir, paths.encryptedDb), { maxBytes: C.BYTES.gib(2) }), dbKey, dbEncAad));
960
955
  var vdb = new DatabaseSync(verifyTmp);
961
956
  try {
962
957
  verifyResult = verify({ keys: newKeys, db: vdb, oldKeys: oldKeys });
@@ -232,7 +232,10 @@ function sealPemFile(opts) {
232
232
  }
233
233
  }
234
234
  var sealed = vault().seal(plaintextBytes);
235
- nodeFs.writeFileSync(markerPath, String(Date.now()), { mode: 0o600 }); // POSIX file mode
235
+ // Atomic, symlink-refusing marker write (matches the destination write
236
+ // just below) — a bare writeFileSync would follow a symlink planted at
237
+ // markerPath (CWE-59).
238
+ atomicFile.writeSync(markerPath, String(Date.now()), { fileMode: 0o600 }); // POSIX file mode
236
239
  try {
237
240
  atomicFile.writeSync(destination, sealed, { fileMode: 0o600 }); // POSIX file mode
238
241
  } catch (e) {
@@ -226,7 +226,7 @@ function _verifyJose(token, opts, expectedTyp) {
226
226
  throw new VcError("vc/crit-unsupported",
227
227
  "vc.verify: JWS 'crit' header lists extensions this verifier does not support (RFC 7515 §4.1.11)");
228
228
  }
229
- if (header.alg === "none" || !JOSE_ALGS[header.alg]) {
229
+ if (header.alg === "none" || !Object.prototype.hasOwnProperty.call(JOSE_ALGS, header.alg)) {
230
230
  throw new VcError("vc/bad-alg", "vc.verify: unsupported or unsecured JWS alg '" + header.alg + "'");
231
231
  }
232
232
  if (opts.algorithms.indexOf(header.alg) === -1) {
@@ -18,7 +18,7 @@
18
18
  "hashes": {
19
19
  "server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
20
20
  },
21
- "refreshedAt": "2026-05-27T17:51:05.993Z"
21
+ "refreshedAt": "2026-06-20T04:17:15.833Z"
22
22
  },
23
23
  "@noble/curves": {
24
24
  "version": "2.2.0",
@@ -40,7 +40,7 @@
40
40
  "hashes": {
41
41
  "server": "sha256:ebf254d5eb56aef8705a1c4af9603f47987b4870a9bb5e657e06907b701e2731"
42
42
  },
43
- "refreshedAt": "2026-05-27T17:51:05.993Z"
43
+ "refreshedAt": "2026-06-20T04:17:15.833Z"
44
44
  },
45
45
  "@noble/post-quantum": {
46
46
  "version": "0.6.1",
@@ -71,7 +71,7 @@
71
71
  "hashes": {
72
72
  "server": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68"
73
73
  },
74
- "refreshedAt": "2026-05-27T17:51:05.993Z"
74
+ "refreshedAt": "2026-06-20T04:17:15.833Z"
75
75
  },
76
76
  "@simplewebauthn/server": {
77
77
  "version": "13.3.1",
@@ -94,7 +94,7 @@
94
94
  "hashes": {
95
95
  "server": "sha256:f359a782ac57e3ff56ac71083d17f5c082f88ab49d645fc2bede398b47adebdb"
96
96
  },
97
- "refreshedAt": "2026-05-27T17:51:05.993Z"
97
+ "refreshedAt": "2026-06-20T04:17:15.833Z"
98
98
  },
99
99
  "SecLists-common-passwords-top-10000": {
100
100
  "version": "10k-most-common (master)",
@@ -114,7 +114,7 @@
114
114
  },
115
115
  "runtime_artifact": "lib/vendor/common-passwords-top-10000.data.js",
116
116
  "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
117
- "refreshedAt": "2026-05-27T17:51:05.993Z"
117
+ "refreshedAt": "2026-06-20T04:17:15.833Z"
118
118
  },
119
119
  "bimi-trust-anchors": {
120
120
  "version": "operator-managed",
@@ -139,7 +139,7 @@
139
139
  },
140
140
  "runtime_artifact": "lib/vendor/bimi-trust-anchors.data.js",
141
141
  "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
142
- "refreshedAt": "2026-05-27T17:51:05.993Z"
142
+ "refreshedAt": "2026-06-20T04:17:15.833Z"
143
143
  },
144
144
  "publicsuffix-list": {
145
145
  "version": "master",
@@ -154,12 +154,12 @@
154
154
  "bundler": "curl https://publicsuffix.org/list/public_suffix_list.dat",
155
155
  "bundledAt": "2026-05-13T00:00:00Z",
156
156
  "hashes": {
157
- "server": "sha256:f15642cea028662c39d380caa9ddfbe36c81466e3a82f8f4b10703d83760295c",
158
- "data_js": "sha256:b4b6ae76fdacbfe07683c4ea62761326f42894c2ccf4359f253bbcab9826ed04"
157
+ "server": "sha256:927884952ea8857ba3608eefe617f3c8acd63ad94be7b0bfb7586632cfc59560",
158
+ "data_js": "sha256:c2f67f5e7f7306eb5ec26548ea275673c652cfdd830b909fd63ed2b39e4838f6"
159
159
  },
160
160
  "runtime_artifact": "lib/vendor/public-suffix-list.data.js",
161
161
  "integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
162
- "refreshedAt": "2026-05-27T17:51:05.993Z"
162
+ "refreshedAt": "2026-06-20T04:17:15.833Z"
163
163
  },
164
164
  "peculiar-pki": {
165
165
  "version": "2.0.0+pkijs-3.4.0",
@@ -190,7 +190,7 @@
190
190
  "hashes": {
191
191
  "server": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77"
192
192
  },
193
- "refreshedAt": "2026-05-27T17:51:05.993Z"
193
+ "refreshedAt": "2026-06-20T04:17:15.833Z"
194
194
  }
195
195
  }
196
196
  }
@@ -5,8 +5,8 @@
5
5
  // Please pull this list from, and only from https://publicsuffix.org/list/public_suffix_list.dat,
6
6
  // rather than any other VCS sites. Pulling from any other URL is not guaranteed to be supported.
7
7
 
8
- // VERSION: 2026-05-07_00-57-25_UTC
9
- // COMMIT: ee780bcf233174cb23ba8575d54c4154d47508e1
8
+ // VERSION: 2026-06-13_21-47-18_UTC
9
+ // COMMIT: 9186eeeda85cef35b1551d00731464939c765cab
10
10
 
11
11
  // Instructions on pulling and using this list can be found at https://publicsuffix.org/list/.
12
12
 
@@ -1403,6 +1403,7 @@ video.hu
1403
1403
  // id : https://www.iana.org/domains/root/db/id.html
1404
1404
  id
1405
1405
  ac.id
1406
+ ai.id
1406
1407
  biz.id
1407
1408
  co.id
1408
1409
  desa.id
@@ -6157,7 +6158,6 @@ k12.mo.us
6157
6158
  k12.ms.us
6158
6159
  k12.mt.us
6159
6160
  k12.nc.us
6160
- // k12.nd.us - Bug 1028347 - Removed at request of Travis Rosso <trossow@nd.gov>
6161
6161
  k12.ne.us
6162
6162
  k12.nh.us
6163
6163
  k12.nj.us
@@ -6239,8 +6239,6 @@ cc.mt.us
6239
6239
  lib.mt.us
6240
6240
  cc.nc.us
6241
6241
  lib.nc.us
6242
- cc.nd.us
6243
- lib.nd.us
6244
6242
  cc.ne.us
6245
6243
  lib.ne.us
6246
6244
  cc.nh.us
@@ -6824,7 +6822,7 @@ org.zw
6824
6822
 
6825
6823
  // newGTLDs
6826
6824
 
6827
- // List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2026-04-30T16:18:08Z
6825
+ // List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2026-06-13T16:12:40Z
6828
6826
  // This list is auto-generated, don't edit it manually.
6829
6827
  // aaa : American Automobile Association, Inc.
6830
6828
  // https://www.iana.org/domains/root/db/aaa.html
@@ -10878,7 +10876,7 @@ xin
10878
10876
  // https://www.iana.org/domains/root/db/xn--5su34j936bgsg.html
10879
10877
  香格里拉
10880
10878
 
10881
- // xn--5tzm5g : Global Website TLD Asia Limited
10879
+ // xn--5tzm5g : Jolly Host, LLC
10882
10880
  // https://www.iana.org/domains/root/db/xn--5tzm5g.html
10883
10881
  网站
10884
10882
 
@@ -12577,10 +12575,12 @@ cafjs.com
12577
12575
  // Submitted by Joel Aquilina <publicsuffixlist@canva.com>
12578
12576
  canva-apps.cn
12579
12577
  my.canvasite.cn
12578
+ khsj.cn
12580
12579
  canva-apps.com
12581
12580
  canva-hosted-embed.com
12582
12581
  canvacode.com
12583
12582
  rice-labs.com
12583
+ canva.link
12584
12584
  canva.run
12585
12585
  my.canva.site
12586
12586
 
@@ -13894,6 +13894,10 @@ whitesnow.jp
13894
13894
  zombie.jp
13895
13895
  heteml.net
13896
13896
 
13897
+ // GNTC, Inc. : https://gntc.com/
13898
+ // Submitted by VibeHost Security <security@vibehost.com>
13899
+ vibehost.space
13900
+
13897
13901
  // GoDaddy Registry : https://registry.godaddy
13898
13902
  // Submitted by Rohan Durrant <tldns@registry.godaddy>
13899
13903
  graphic.design
@@ -14061,6 +14065,10 @@ ltd.ng
14061
14065
  ngo.ng
14062
14066
  plc.ng
14063
14067
 
14068
+ // Hostinger : https://hostinger.com
14069
+ // Submitted by Valentinas Cirba <domains@hostinger.com>
14070
+ hstgr.cloud
14071
+
14064
14072
  // HostyHosting : https://hostyhosting.com
14065
14073
  hostyhosting.io
14066
14074
 
@@ -15048,6 +15056,7 @@ opensocial.site
15048
15056
  // OpenAI : https://openai.com
15049
15057
  // Submitted by Thomas Shadwell <security@openai.com>
15050
15058
  *.oaiusercontent.com
15059
+ chatgpt.site
15051
15060
 
15052
15061
  // OpenCraft GmbH : http://opencraft.com/
15053
15062
  // Submitted by Sven Marnach <sven@opencraft.com>
@@ -16005,6 +16014,11 @@ reservd.testing.thingdust.io
16005
16014
  // Submitted by Christian Franke <it@ticket.io>
16006
16015
  tickets.io
16007
16016
 
16017
+ // Tigris Data, Inc. : https://www.tigrisdata.com
16018
+ // Submitted by Bo Cao <security@tigrisdata.com>
16019
+ t3.storage.dev
16020
+ t3.storageapi.dev
16021
+
16008
16022
  // Tlon.io : https://tlon.io
16009
16023
  // Submitted by Mark Staarink <mark@tlon.io>
16010
16024
  arvo.network
@@ -16197,11 +16211,10 @@ webflowtest.io
16197
16211
  *.webhare.dev
16198
16212
 
16199
16213
  // WebHotelier Technologies Ltd : https://www.webhotelier.net/
16200
- // Submitted by Apostolos Tsakpinis <apostolos.tsakpinis@gmail.com>
16201
- bookonline.app
16214
+ // Submitted by Apostolos Tsakpinis <cto@webhotelier.net>
16202
16215
  hotelwithflight.com
16203
- reserve-online.com
16204
16216
  reserve-online.net
16217
+ book.online
16205
16218
 
16206
16219
  // WebPros International, LLC : https://webpros.com/
16207
16220
  // Submitted by Nicolas Rochelemagne <public.suffix@webpros.com>