@blamejs/blamejs-shop 0.4.69 → 0.4.70
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +2 -0
- package/lib/admin.js +8 -6
- package/lib/asset-manifest.json +1 -1
- package/lib/security-middleware.js +65 -23
- package/lib/storefront.js +10 -7
- package/lib/vendor/MANIFEST.json +319 -267
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +58 -5
- package/lib/vendor/blamejs/examples/wiki/README.md +1 -1
- package/lib/vendor/blamejs/examples/wiki/docker-compose.prod.yml +9 -8
- package/lib/vendor/blamejs/examples/wiki/docker-compose.yml +10 -9
- package/lib/vendor/blamejs/examples/wiki/env-snapshot.json +4 -3
- package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +33 -17
- package/lib/vendor/blamejs/examples/wiki/routes/admin.js +7 -10
- package/lib/vendor/blamejs/examples/wiki/server.js +5 -4
- package/lib/vendor/blamejs/examples/wiki/test/e2e.js +5 -0
- package/lib/vendor/blamejs/lib/a2a-tasks.js +38 -6
- package/lib/vendor/blamejs/lib/agent-event-bus.js +13 -0
- package/lib/vendor/blamejs/lib/agent-idempotency.js +5 -1
- package/lib/vendor/blamejs/lib/agent-snapshot.js +32 -2
- package/lib/vendor/blamejs/lib/ai-aedt-bias-audit.js +2 -1
- package/lib/vendor/blamejs/lib/ai-content-detect.js +1 -3
- package/lib/vendor/blamejs/lib/ai-frontier-protocol.js +1 -1
- package/lib/vendor/blamejs/lib/ai-model-manifest.js +1 -1
- package/lib/vendor/blamejs/lib/ai-output.js +16 -7
- package/lib/vendor/blamejs/lib/api-snapshot.js +4 -1
- package/lib/vendor/blamejs/lib/app-shutdown.js +7 -1
- package/lib/vendor/blamejs/lib/archive-gz.js +9 -0
- package/lib/vendor/blamejs/lib/archive-read.js +9 -7
- package/lib/vendor/blamejs/lib/archive-tar-read.js +51 -8
- package/lib/vendor/blamejs/lib/archive.js +4 -2
- package/lib/vendor/blamejs/lib/asn1-der.js +70 -22
- package/lib/vendor/blamejs/lib/atomic-file.js +204 -2
- package/lib/vendor/blamejs/lib/audit-chain.js +54 -5
- package/lib/vendor/blamejs/lib/audit-daily-review.js +12 -2
- package/lib/vendor/blamejs/lib/audit-sign.js +2 -1
- package/lib/vendor/blamejs/lib/audit-tools.js +108 -23
- package/lib/vendor/blamejs/lib/audit.js +7 -2
- package/lib/vendor/blamejs/lib/auth/access-lock.js +2 -2
- package/lib/vendor/blamejs/lib/auth/bot-challenge.js +1 -1
- package/lib/vendor/blamejs/lib/auth/ciba.js +43 -4
- package/lib/vendor/blamejs/lib/auth/dpop.js +6 -1
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +5 -1
- package/lib/vendor/blamejs/lib/auth/jwt.js +2 -2
- package/lib/vendor/blamejs/lib/auth/lockout.js +18 -2
- package/lib/vendor/blamejs/lib/auth/passkey.js +1 -1
- package/lib/vendor/blamejs/lib/auth/password.js +1 -1
- package/lib/vendor/blamejs/lib/auth/saml.js +33 -13
- package/lib/vendor/blamejs/lib/auth/sd-jwt-vc.js +24 -4
- package/lib/vendor/blamejs/lib/auth/status-list.js +14 -2
- package/lib/vendor/blamejs/lib/auth/step-up.js +9 -1
- package/lib/vendor/blamejs/lib/auth-bot-challenge.js +21 -2
- package/lib/vendor/blamejs/lib/backup/bundle.js +7 -2
- package/lib/vendor/blamejs/lib/backup/crypto.js +23 -8
- package/lib/vendor/blamejs/lib/backup/index.js +41 -20
- package/lib/vendor/blamejs/lib/backup/manifest.js +7 -1
- package/lib/vendor/blamejs/lib/break-glass.js +41 -22
- package/lib/vendor/blamejs/lib/cbor.js +34 -11
- package/lib/vendor/blamejs/lib/cdn-cache-control.js +7 -3
- package/lib/vendor/blamejs/lib/cert.js +5 -3
- package/lib/vendor/blamejs/lib/cli.js +5 -1
- package/lib/vendor/blamejs/lib/cloud-events.js +3 -2
- package/lib/vendor/blamejs/lib/cluster-storage.js +7 -3
- package/lib/vendor/blamejs/lib/codepoint-class.js +17 -0
- package/lib/vendor/blamejs/lib/compliance-eaa.js +1 -1
- package/lib/vendor/blamejs/lib/compliance-sanctions.js +9 -7
- package/lib/vendor/blamejs/lib/compliance.js +1 -1
- package/lib/vendor/blamejs/lib/config-drift.js +22 -8
- package/lib/vendor/blamejs/lib/content-credentials.js +11 -8
- package/lib/vendor/blamejs/lib/content-digest.js +11 -4
- package/lib/vendor/blamejs/lib/cookies.js +10 -2
- package/lib/vendor/blamejs/lib/cose.js +20 -0
- package/lib/vendor/blamejs/lib/crdt.js +2 -1
- package/lib/vendor/blamejs/lib/crypto-field.js +29 -23
- package/lib/vendor/blamejs/lib/crypto.js +18 -4
- package/lib/vendor/blamejs/lib/csp.js +4 -0
- package/lib/vendor/blamejs/lib/daemon.js +4 -1
- package/lib/vendor/blamejs/lib/data-act.js +27 -4
- package/lib/vendor/blamejs/lib/db-file-lifecycle.js +14 -6
- package/lib/vendor/blamejs/lib/db-query.js +69 -9
- package/lib/vendor/blamejs/lib/db.js +32 -15
- package/lib/vendor/blamejs/lib/dora.js +43 -13
- package/lib/vendor/blamejs/lib/dr-runbook.js +1 -1
- package/lib/vendor/blamejs/lib/dsa.js +2 -1
- package/lib/vendor/blamejs/lib/dsr.js +22 -8
- package/lib/vendor/blamejs/lib/early-hints.js +19 -0
- package/lib/vendor/blamejs/lib/eat.js +5 -1
- package/lib/vendor/blamejs/lib/external-db.js +60 -4
- package/lib/vendor/blamejs/lib/fda-21cfr11.js +30 -5
- package/lib/vendor/blamejs/lib/flag-providers.js +6 -2
- package/lib/vendor/blamejs/lib/forms.js +1 -1
- package/lib/vendor/blamejs/lib/gate-contract.js +46 -5
- package/lib/vendor/blamejs/lib/gdpr-ropa.js +18 -9
- package/lib/vendor/blamejs/lib/graphql-federation.js +17 -4
- package/lib/vendor/blamejs/lib/guard-all.js +2 -2
- package/lib/vendor/blamejs/lib/guard-dsn.js +1 -1
- package/lib/vendor/blamejs/lib/guard-envelope.js +1 -1
- package/lib/vendor/blamejs/lib/guard-html.js +9 -11
- package/lib/vendor/blamejs/lib/guard-imap-command.js +1 -1
- package/lib/vendor/blamejs/lib/guard-jmap.js +1 -1
- package/lib/vendor/blamejs/lib/guard-json.js +14 -6
- package/lib/vendor/blamejs/lib/guard-mail-move.js +1 -1
- package/lib/vendor/blamejs/lib/guard-managesieve-command.js +1 -1
- package/lib/vendor/blamejs/lib/guard-pop3-command.js +1 -1
- package/lib/vendor/blamejs/lib/guard-smtp-command.js +1 -1
- package/lib/vendor/blamejs/lib/guard-svg.js +8 -9
- package/lib/vendor/blamejs/lib/html-balance.js +7 -3
- package/lib/vendor/blamejs/lib/http-client-cookie-jar.js +33 -12
- package/lib/vendor/blamejs/lib/http-client.js +225 -53
- package/lib/vendor/blamejs/lib/iab-tcf.js +3 -2
- package/lib/vendor/blamejs/lib/importmap-integrity.js +41 -1
- package/lib/vendor/blamejs/lib/incident-report.js +9 -6
- package/lib/vendor/blamejs/lib/json-patch.js +1 -1
- package/lib/vendor/blamejs/lib/json-path.js +24 -3
- package/lib/vendor/blamejs/lib/jtd.js +2 -2
- package/lib/vendor/blamejs/lib/legal-hold.js +24 -8
- package/lib/vendor/blamejs/lib/log.js +2 -2
- package/lib/vendor/blamejs/lib/mail-agent.js +2 -2
- package/lib/vendor/blamejs/lib/mail-arf.js +1 -1
- package/lib/vendor/blamejs/lib/mail-auth.js +3 -3
- package/lib/vendor/blamejs/lib/mail-bimi.js +16 -16
- package/lib/vendor/blamejs/lib/mail-bounce.js +3 -3
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +71 -6
- package/lib/vendor/blamejs/lib/mail-deploy.js +9 -5
- package/lib/vendor/blamejs/lib/mail-greylist.js +2 -4
- package/lib/vendor/blamejs/lib/mail-helo.js +2 -4
- package/lib/vendor/blamejs/lib/mail-journal.js +11 -8
- package/lib/vendor/blamejs/lib/mail-mdn.js +8 -4
- package/lib/vendor/blamejs/lib/mail-rbl.js +2 -4
- package/lib/vendor/blamejs/lib/mail-scan.js +3 -5
- package/lib/vendor/blamejs/lib/mail-server-jmap.js +4 -1
- package/lib/vendor/blamejs/lib/mail-server-registry.js +1 -1
- package/lib/vendor/blamejs/lib/mail-server-tls.js +9 -2
- package/lib/vendor/blamejs/lib/mail-spam-score.js +2 -4
- package/lib/vendor/blamejs/lib/mail-store-fts.js +1 -1
- package/lib/vendor/blamejs/lib/mail.js +22 -2
- package/lib/vendor/blamejs/lib/markup-tokenizer.js +24 -0
- package/lib/vendor/blamejs/lib/mcp.js +6 -4
- package/lib/vendor/blamejs/lib/mdoc.js +26 -3
- package/lib/vendor/blamejs/lib/metrics.js +14 -3
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +2 -2
- package/lib/vendor/blamejs/lib/middleware/body-parser.js +10 -4
- package/lib/vendor/blamejs/lib/middleware/bot-guard.js +26 -18
- package/lib/vendor/blamejs/lib/middleware/clear-site-data.js +5 -1
- package/lib/vendor/blamejs/lib/middleware/compression.js +9 -0
- package/lib/vendor/blamejs/lib/middleware/cors.js +32 -23
- package/lib/vendor/blamejs/lib/middleware/csrf-protect.js +60 -21
- package/lib/vendor/blamejs/lib/middleware/daily-byte-quota.js +6 -4
- package/lib/vendor/blamejs/lib/middleware/fetch-metadata.js +28 -4
- package/lib/vendor/blamejs/lib/middleware/network-allowlist.js +61 -30
- package/lib/vendor/blamejs/lib/middleware/rate-limit.js +25 -16
- package/lib/vendor/blamejs/lib/middleware/scim-server.js +2 -1
- package/lib/vendor/blamejs/lib/middleware/security-headers.js +24 -6
- package/lib/vendor/blamejs/lib/middleware/speculation-rules.js +6 -3
- package/lib/vendor/blamejs/lib/middleware/tus-upload.js +2 -2
- package/lib/vendor/blamejs/lib/money.js +1 -1
- package/lib/vendor/blamejs/lib/mtls-ca.js +10 -6
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +1 -1
- package/lib/vendor/blamejs/lib/network-dns.js +9 -2
- package/lib/vendor/blamejs/lib/network-dnssec.js +2 -1
- package/lib/vendor/blamejs/lib/network-smtp-policy.js +23 -5
- package/lib/vendor/blamejs/lib/network-tls.js +27 -5
- package/lib/vendor/blamejs/lib/network-tsig.js +2 -2
- package/lib/vendor/blamejs/lib/nis2-report.js +1 -1
- package/lib/vendor/blamejs/lib/nist-crosswalk.js +1 -1
- package/lib/vendor/blamejs/lib/ntp-check.js +28 -0
- package/lib/vendor/blamejs/lib/numeric-bounds.js +9 -0
- package/lib/vendor/blamejs/lib/object-store/azure-blob.js +1 -2
- package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +4 -2
- package/lib/vendor/blamejs/lib/object-store/gcs.js +6 -4
- package/lib/vendor/blamejs/lib/object-store/http-put.js +1 -2
- package/lib/vendor/blamejs/lib/object-store/http-request.js +30 -1
- package/lib/vendor/blamejs/lib/object-store/local.js +37 -17
- package/lib/vendor/blamejs/lib/object-store/sigv4.js +1 -2
- package/lib/vendor/blamejs/lib/observability-otlp-exporter.js +20 -4
- package/lib/vendor/blamejs/lib/outbox.js +11 -4
- package/lib/vendor/blamejs/lib/parsers/safe-xml.js +1 -1
- package/lib/vendor/blamejs/lib/parsers/safe-yaml.js +21 -3
- package/lib/vendor/blamejs/lib/queue-local.js +10 -3
- package/lib/vendor/blamejs/lib/redact.js +7 -3
- package/lib/vendor/blamejs/lib/request-helpers.js +201 -23
- package/lib/vendor/blamejs/lib/resource-access-lock.js +3 -3
- package/lib/vendor/blamejs/lib/restore-bundle.js +46 -18
- package/lib/vendor/blamejs/lib/restore-rollback.js +10 -4
- package/lib/vendor/blamejs/lib/restore.js +19 -0
- package/lib/vendor/blamejs/lib/retention.js +20 -4
- package/lib/vendor/blamejs/lib/router.js +17 -4
- package/lib/vendor/blamejs/lib/safe-ical.js +2 -2
- package/lib/vendor/blamejs/lib/safe-icap.js +1 -1
- package/lib/vendor/blamejs/lib/safe-json.js +44 -0
- package/lib/vendor/blamejs/lib/safe-sieve.js +1 -1
- package/lib/vendor/blamejs/lib/safe-vcard.js +1 -1
- package/lib/vendor/blamejs/lib/sandbox-worker.js +6 -0
- package/lib/vendor/blamejs/lib/sandbox.js +1 -1
- package/lib/vendor/blamejs/lib/scheduler.js +17 -1
- package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +16 -0
- package/lib/vendor/blamejs/lib/session.js +27 -3
- package/lib/vendor/blamejs/lib/sql.js +3 -3
- package/lib/vendor/blamejs/lib/static.js +65 -13
- package/lib/vendor/blamejs/lib/template.js +7 -5
- package/lib/vendor/blamejs/lib/tenant-quota.js +52 -19
- package/lib/vendor/blamejs/lib/tsa.js +5 -2
- package/lib/vendor/blamejs/lib/vault/index.js +5 -0
- package/lib/vendor/blamejs/lib/vault/passphrase-ops.js +22 -26
- package/lib/vendor/blamejs/lib/vault/passphrase-source.js +8 -3
- package/lib/vendor/blamejs/lib/vault/rotate.js +13 -18
- package/lib/vendor/blamejs/lib/vault/seal-pem-file.js +4 -1
- package/lib/vendor/blamejs/lib/vc.js +1 -1
- package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +10 -10
- package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +23 -10
- package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +5498 -5494
- package/lib/vendor/blamejs/lib/webhook.js +16 -1
- package/lib/vendor/blamejs/lib/websocket.js +1 -1
- package/lib/vendor/blamejs/lib/worm.js +1 -1
- package/lib/vendor/blamejs/lib/ws-client.js +57 -46
- package/lib/vendor/blamejs/lib/x509-chain.js +44 -0
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.14.json +122 -0
- package/lib/vendor/blamejs/scripts/check-vendor-currency.js +119 -4
- package/lib/vendor/blamejs/test/00-primitives.js +5 -1
- package/lib/vendor/blamejs/test/integration/mail-crypto-smime.test.js +18 -4
- package/lib/vendor/blamejs/test/layer-0-primitives/a2a-tasks.test.js +42 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-event-bus.test.js +36 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-idempotency.test.js +0 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/agent-snapshot.test.js +47 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js +24 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/archive-tar-hardening.test.js +160 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/asn1-der.test.js +45 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js +30 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js +79 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js +132 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-stream.test.js +181 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-corrupted-anchor.test.js +65 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-chain-incremental-verify.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-daily-review.test.js +48 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-signing-key-rotation.test.js +13 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/audit-verifybundle-tamper.test.js +122 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-bot-challenge.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +5 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-lockout.test.js +21 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-status-list.test.js +73 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/bot-guard.test.js +17 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/break-glass.test.js +62 -3
- package/lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/cluster-storage.test.js +40 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +146 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/compliance-sanctions.test.js +14 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/compression-range.test.js +115 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/content-credentials.test.js +17 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/cors.test.js +27 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/crypto-field-per-row-key.test.js +83 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csrf-protect.test.js +58 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/data-act.test.js +30 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +74 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dora.test.js +20 -6
- package/lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js +64 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/dsr.test.js +32 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fda-21cfr11.test.js +43 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js +30 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +33 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-html.test.js +34 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/guard-json.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-stream.test.js +72 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/http-client-throttle-transform.test.js +88 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/importmap-integrity.test.js +25 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/legal-hold.test.js +28 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js +20 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-header-injection.test.js +58 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js +63 -9
- package/lib/vendor/blamejs/test/layer-0-primitives/mdoc.test.js +41 -14
- package/lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js +61 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/object-store-range-header.test.js +51 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/otlp-attr-redaction.test.js +35 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/output-header-hardening.test.js +102 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/parser-verify-hardening.test.js +191 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/proto-shadow-allowlist.test.js +120 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/rate-limit-xff-spoofing.test.js +75 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +128 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/restore-blob-remap.test.js +128 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/retention-sweep-termination.test.js +104 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/router-body-validation.test.js +98 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/safe-json-stringify-for-script.test.js +43 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +48 -5
- package/lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js +23 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sd-jwt-vc.test.js +54 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +24 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/static.test.js +42 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/step-up.test.js +7 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/template-escape-html.test.js +43 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/tenant-quota.test.js +15 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vault-default-store.test.js +48 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js +50 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +149 -0
- package/lib/vendor/blamejs/test/layer-5-integration/external-db-residency.test.js +34 -0
- package/package.json +1 -1
|
@@ -38,6 +38,7 @@
|
|
|
38
38
|
var nodeFs = require("node:fs");
|
|
39
39
|
var nodePath = require("node:path");
|
|
40
40
|
var atomicFile = require("../atomic-file");
|
|
41
|
+
var C = require("../constants");
|
|
41
42
|
var frameworkFiles = require("../framework-files");
|
|
42
43
|
var vaultWrap = require("./wrap");
|
|
43
44
|
var { defineClass } = require("../framework-error");
|
|
@@ -75,17 +76,6 @@ function _requirePassphrase(opts, fieldName) {
|
|
|
75
76
|
}
|
|
76
77
|
}
|
|
77
78
|
|
|
78
|
-
// fsync-by-path semantic: open then sync then close. atomicFile.fsync
|
|
79
|
-
// expects an already-open fd; this wrapper opens the file we just
|
|
80
|
-
// wrote, flushes its contents, and closes — the right shape when we
|
|
81
|
-
// don't have the original write fd around.
|
|
82
|
-
function _fsyncPath(p) {
|
|
83
|
-
try {
|
|
84
|
-
var fd = nodeFs.openSync(p, "r+");
|
|
85
|
-
try { atomicFile.fsync(fd); } finally { nodeFs.closeSync(fd); }
|
|
86
|
-
} catch (_e) { /* best-effort across filesystems */ }
|
|
87
|
-
}
|
|
88
|
-
|
|
89
79
|
// ---- Pre-flight checks (no side effects) ----
|
|
90
80
|
|
|
91
81
|
function preflightSealable(opts) {
|
|
@@ -142,16 +132,18 @@ async function seal(opts) {
|
|
|
142
132
|
var p = _paths(opts.dataDir);
|
|
143
133
|
var keepPlaintext = !!opts.keepPlaintext;
|
|
144
134
|
|
|
145
|
-
var plainBytes =
|
|
135
|
+
var plainBytes = atomicFile.fdSafeReadSync(p.plaintext, { maxBytes: C.BYTES.kib(64) });
|
|
146
136
|
var sealedBytes = await vaultWrap.wrap(plainBytes, opts.passphrase);
|
|
147
137
|
|
|
148
|
-
// Step 1: write sealed.tmp +
|
|
149
|
-
|
|
150
|
-
|
|
138
|
+
// Step 1: write sealed.tmp (exclusive + no-follow create, fsynced) — a
|
|
139
|
+
// bare writeFileSync to this PREDICTABLE temp name would follow a symlink
|
|
140
|
+
// pre-planted at sealed.tmp (CWE-59); writeExclSync clears any stale entry
|
|
141
|
+
// then creates with O_EXCL | O_NOFOLLOW and fsyncs the bytes.
|
|
142
|
+
atomicFile.writeExclSync(p.sealedTmp, sealedBytes, { fileMode: 0o600 });
|
|
151
143
|
atomicFile.fsyncDir(opts.dataDir);
|
|
152
144
|
|
|
153
145
|
// Step 2: round-trip verify the .tmp before committing the rename
|
|
154
|
-
var verifyBytes =
|
|
146
|
+
var verifyBytes = atomicFile.fdSafeReadSync(p.sealedTmp, { maxBytes: C.BYTES.kib(64) });
|
|
155
147
|
var unwrapped;
|
|
156
148
|
try {
|
|
157
149
|
unwrapped = await vaultWrap.unwrap(verifyBytes, opts.passphrase);
|
|
@@ -195,7 +187,7 @@ async function unseal(opts) {
|
|
|
195
187
|
}
|
|
196
188
|
var p = _paths(opts.dataDir);
|
|
197
189
|
|
|
198
|
-
var sealedBytes =
|
|
190
|
+
var sealedBytes = atomicFile.fdSafeReadSync(p.sealed, { maxBytes: C.BYTES.kib(64) });
|
|
199
191
|
var plainBytes;
|
|
200
192
|
try {
|
|
201
193
|
plainBytes = await vaultWrap.unwrap(sealedBytes, opts.passphrase);
|
|
@@ -205,13 +197,15 @@ async function unseal(opts) {
|
|
|
205
197
|
" — " + SEALED_NAME + " is UNCHANGED");
|
|
206
198
|
}
|
|
207
199
|
|
|
208
|
-
// Step 1: write plaintext.tmp +
|
|
209
|
-
|
|
210
|
-
|
|
200
|
+
// Step 1: write plaintext.tmp (exclusive + no-follow create, fsynced) — a
|
|
201
|
+
// bare writeFileSync to this PREDICTABLE temp name would follow a symlink
|
|
202
|
+
// pre-planted at plaintext.tmp (CWE-59); writeExclSync clears any stale
|
|
203
|
+
// entry then creates with O_EXCL | O_NOFOLLOW and fsyncs the bytes.
|
|
204
|
+
atomicFile.writeExclSync(p.plaintextTmp, plainBytes, { fileMode: 0o600 });
|
|
211
205
|
atomicFile.fsyncDir(opts.dataDir);
|
|
212
206
|
|
|
213
207
|
// Step 2: round-trip sanity — re-read tmp and verify
|
|
214
|
-
var verifyBytes =
|
|
208
|
+
var verifyBytes = atomicFile.fdSafeReadSync(p.plaintextTmp, { maxBytes: C.BYTES.kib(64) });
|
|
215
209
|
if (Buffer.compare(verifyBytes, plainBytes) !== 0) {
|
|
216
210
|
try { nodeFs.unlinkSync(p.plaintextTmp); } catch (_e) { /* cleanup */ }
|
|
217
211
|
throw new VaultPassphraseError("vault-passphrase/verify-mismatch",
|
|
@@ -246,7 +240,7 @@ async function rotate(opts) {
|
|
|
246
240
|
}
|
|
247
241
|
var p = _paths(opts.dataDir);
|
|
248
242
|
|
|
249
|
-
var sealedBytes =
|
|
243
|
+
var sealedBytes = atomicFile.fdSafeReadSync(p.sealed, { maxBytes: C.BYTES.kib(64) });
|
|
250
244
|
var plainBytes;
|
|
251
245
|
try {
|
|
252
246
|
plainBytes = await vaultWrap.unwrap(sealedBytes, opts.oldPassphrase);
|
|
@@ -257,14 +251,16 @@ async function rotate(opts) {
|
|
|
257
251
|
}
|
|
258
252
|
var newSealedBytes = await vaultWrap.wrap(plainBytes, opts.newPassphrase);
|
|
259
253
|
|
|
260
|
-
// Step 1: write new sealed.tmp +
|
|
261
|
-
|
|
262
|
-
|
|
254
|
+
// Step 1: write new sealed.tmp (exclusive + no-follow create, fsynced) — a
|
|
255
|
+
// bare writeFileSync to this PREDICTABLE temp name would follow a symlink
|
|
256
|
+
// pre-planted at sealed.tmp (CWE-59); writeExclSync clears any stale entry
|
|
257
|
+
// then creates with O_EXCL | O_NOFOLLOW and fsyncs the bytes.
|
|
258
|
+
atomicFile.writeExclSync(p.sealedTmp, newSealedBytes, { fileMode: 0o600 });
|
|
263
259
|
atomicFile.fsyncDir(opts.dataDir);
|
|
264
260
|
|
|
265
261
|
// Step 2: round-trip verify with NEW passphrase, AND assert unwrap
|
|
266
262
|
// with the OLD passphrase fails — otherwise the rotation didn't take.
|
|
267
|
-
var verifyBytes =
|
|
263
|
+
var verifyBytes = atomicFile.fdSafeReadSync(p.sealedTmp, { maxBytes: C.BYTES.kib(64) });
|
|
268
264
|
var verifyPlain;
|
|
269
265
|
try { verifyPlain = await vaultWrap.unwrap(verifyBytes, opts.newPassphrase); }
|
|
270
266
|
catch (e) {
|
|
@@ -23,10 +23,10 @@
|
|
|
23
23
|
* exposure to later env-dump surfaces. This doesn't zero the memory
|
|
24
24
|
* (JavaScript can't) but does remove the env-object reference.
|
|
25
25
|
*/
|
|
26
|
-
var nodeFs = require("node:fs");
|
|
27
26
|
var readline = require("node:readline");
|
|
28
27
|
var safeEnv = require("../parsers/safe-env");
|
|
29
28
|
var safeBuffer = require("../safe-buffer");
|
|
29
|
+
var atomicFile = require("../atomic-file");
|
|
30
30
|
|
|
31
31
|
var MAX_PASSPHRASE_BYTES = 4096;
|
|
32
32
|
|
|
@@ -83,9 +83,14 @@ async function fromFile(filePath, opts) {
|
|
|
83
83
|
}
|
|
84
84
|
var raw;
|
|
85
85
|
try {
|
|
86
|
-
|
|
86
|
+
// Cap the passphrase-file read at MAX_PASSPHRASE_BYTES at READ time (was only
|
|
87
|
+
// checked AFTER the whole file was in memory), so a swapped multi-GiB target
|
|
88
|
+
// can't OOM boot before validatePassphraseBuffer. NO refuseSymlink: the
|
|
89
|
+
// BLAMEJS_VAULT_PASSPHRASE_FILE is frequently a k8s projected-secret mount,
|
|
90
|
+
// which is a symlink chain — following it is correct.
|
|
91
|
+
raw = atomicFile.fdSafeReadSync(filePath, { maxBytes: MAX_PASSPHRASE_BYTES });
|
|
87
92
|
} catch (e) {
|
|
88
|
-
throw new Error("failed to read " + envVars.file + " (" + filePath + "): " + e.code);
|
|
93
|
+
throw new Error("failed to read " + envVars.file + " (" + filePath + "): " + (e.code || e.message));
|
|
89
94
|
}
|
|
90
95
|
var buf = trimTrailingNewlines(raw);
|
|
91
96
|
validatePassphraseBuffer(buf, "file source (" + filePath + ")");
|
|
@@ -493,16 +493,11 @@ function _emit(cb, ev) {
|
|
|
493
493
|
// staging dir is already 0o700 owner-only, so this is defense in depth
|
|
494
494
|
// against a same-user pre-plant / symlink swap (CWE-377 / CWE-379 / CWE-59).
|
|
495
495
|
function _writeStagedFileExclusive(p, data) {
|
|
496
|
-
|
|
497
|
-
|
|
498
|
-
|
|
499
|
-
|
|
500
|
-
|
|
501
|
-
nodeFs.writeFileSync(fd, data);
|
|
502
|
-
nodeFs.fsyncSync(fd);
|
|
503
|
-
} finally {
|
|
504
|
-
nodeFs.closeSync(fd);
|
|
505
|
-
}
|
|
496
|
+
// The clear-stale + O_EXCL|O_NOFOLLOW create + write + fsync sequence now
|
|
497
|
+
// lives in the atomic-file primitive (also used by the vault passphrase
|
|
498
|
+
// seal/unseal staging writes) so every staged exclusive write shares one
|
|
499
|
+
// implementation.
|
|
500
|
+
atomicFile.writeExclSync(p, data, { fileMode: 0o600 });
|
|
506
501
|
}
|
|
507
502
|
|
|
508
503
|
function _reSealValue(sealedValue, oldKeys, newKeys) {
|
|
@@ -759,7 +754,7 @@ async function rotate(opts) {
|
|
|
759
754
|
// Stage via the exclusive-create + fsync helper rather than a plain copy,
|
|
760
755
|
// so the verbatim file is durable at write time (no later by-path fsync)
|
|
761
756
|
// and a pre-planted file/symlink at the staging path hard-fails.
|
|
762
|
-
_writeStagedFileExclusive(dest,
|
|
757
|
+
_writeStagedFileExclusive(dest, atomicFile.fdSafeReadSync(src, { maxBytes: C.BYTES.mib(64) }));
|
|
763
758
|
}
|
|
764
759
|
for (var vd = 0; vd < paths.verbatimDirs.length; vd++) {
|
|
765
760
|
var dent = paths.verbatimDirs[vd];
|
|
@@ -797,7 +792,7 @@ async function rotate(opts) {
|
|
|
797
792
|
var dbKeySealedPath = nodePath.join(dataDir, paths.dbKeySealed);
|
|
798
793
|
var dbKey = null;
|
|
799
794
|
if (nodeFs.existsSync(dbKeySealedPath)) {
|
|
800
|
-
var sealedKey =
|
|
795
|
+
var sealedKey = atomicFile.fdSafeReadSync(dbKeySealedPath, { maxBytes: C.BYTES.kib(64), encoding: "utf8" }).trim();
|
|
801
796
|
if (vaultAad.isAadSealed(sealedKey)) {
|
|
802
797
|
// AAD-bound db.key.enc (db.js since v0.14.7): unseal under the OLD
|
|
803
798
|
// root with the deployment-context AAD, then re-emit under the NEW
|
|
@@ -832,7 +827,7 @@ async function rotate(opts) {
|
|
|
832
827
|
}
|
|
833
828
|
continue;
|
|
834
829
|
}
|
|
835
|
-
var current =
|
|
830
|
+
var current = atomicFile.fdSafeReadSync(asSrc, { maxBytes: C.BYTES.mib(1), encoding: "utf8" }).trim();
|
|
836
831
|
if (current.indexOf(C.VAULT_PREFIX) !== 0) {
|
|
837
832
|
throw new VaultRotateError("vault-rotate/bad-sealed",
|
|
838
833
|
"rotate: sealed file does not start with the vault prefix: " + ase.relativePath);
|
|
@@ -854,11 +849,11 @@ async function rotate(opts) {
|
|
|
854
849
|
// Stage via the exclusive-create + fsync helper (not a plain copy) so the
|
|
855
850
|
// salt is durable at write time and no later by-path fsync is needed.
|
|
856
851
|
_writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-salt"),
|
|
857
|
-
|
|
852
|
+
atomicFile.fdSafeReadSync(saltSrc, { maxBytes: C.BYTES.kib(4) }));
|
|
858
853
|
}
|
|
859
854
|
var macSrc = nodePath.join(dataDir, "vault.derived-hash-mac.sealed");
|
|
860
855
|
if (nodeFs.existsSync(macSrc)) {
|
|
861
|
-
var macCurrent =
|
|
856
|
+
var macCurrent = atomicFile.fdSafeReadSync(macSrc, { maxBytes: C.BYTES.kib(64), encoding: "utf8" }).trim();
|
|
862
857
|
if (macCurrent.indexOf(C.VAULT_PREFIX) === 0) {
|
|
863
858
|
_writeStagedFileExclusive(nodePath.join(stagingDir, "vault.derived-hash-mac.sealed"),
|
|
864
859
|
_reSealValue(macCurrent, oldKeys, newKeys));
|
|
@@ -873,7 +868,7 @@ async function rotate(opts) {
|
|
|
873
868
|
var verifyResult = null;
|
|
874
869
|
|
|
875
870
|
if (nodeFs.existsSync(encDbPath) && dbKey) {
|
|
876
|
-
var packed =
|
|
871
|
+
var packed = atomicFile.fdSafeReadSync(encDbPath, { maxBytes: C.BYTES.gib(2) });
|
|
877
872
|
// db.enc is XChaCha20-Poly1305-sealed AAD-bound to its dataDir
|
|
878
873
|
// (db.js _dbEncAad). Read with the dataDir AAD; retry without AAD for
|
|
879
874
|
// pre-AAD envelopes (mirrors db.js:765-768). The in-place swap keeps
|
|
@@ -945,7 +940,7 @@ async function rotate(opts) {
|
|
|
945
940
|
// _writeStagedFileExclusive — exclusive + no-follow create, owner-only
|
|
946
941
|
// 0o600 — so a same-user pre-plant or symlink swap is a hard failure
|
|
947
942
|
// rather than a followed write, and the bytes never inherit a wider mode.
|
|
948
|
-
var rotatedBytes =
|
|
943
|
+
var rotatedBytes = atomicFile.fdSafeReadSync(tmpDbPath, { maxBytes: C.BYTES.gib(2) });
|
|
949
944
|
// Re-encrypt under the SAME dataDir AAD so db.init's AAD-first open
|
|
950
945
|
// succeeds after the staged dir is swapped over dataDir in place.
|
|
951
946
|
_writeStagedFileExclusive(nodePath.join(stagingDir, paths.encryptedDb),
|
|
@@ -956,7 +951,7 @@ async function rotate(opts) {
|
|
|
956
951
|
_emit(progress, { phase: "verify" });
|
|
957
952
|
var verifyTmp = nodePath.join(stagingDir, "_blamejs_verify.tmp.db");
|
|
958
953
|
_writeStagedFileExclusive(verifyTmp,
|
|
959
|
-
bCrypto.decryptPacked(
|
|
954
|
+
bCrypto.decryptPacked(atomicFile.fdSafeReadSync(nodePath.join(stagingDir, paths.encryptedDb), { maxBytes: C.BYTES.gib(2) }), dbKey, dbEncAad));
|
|
960
955
|
var vdb = new DatabaseSync(verifyTmp);
|
|
961
956
|
try {
|
|
962
957
|
verifyResult = verify({ keys: newKeys, db: vdb, oldKeys: oldKeys });
|
|
@@ -232,7 +232,10 @@ function sealPemFile(opts) {
|
|
|
232
232
|
}
|
|
233
233
|
}
|
|
234
234
|
var sealed = vault().seal(plaintextBytes);
|
|
235
|
-
|
|
235
|
+
// Atomic, symlink-refusing marker write (matches the destination write
|
|
236
|
+
// just below) — a bare writeFileSync would follow a symlink planted at
|
|
237
|
+
// markerPath (CWE-59).
|
|
238
|
+
atomicFile.writeSync(markerPath, String(Date.now()), { fileMode: 0o600 }); // POSIX file mode
|
|
236
239
|
try {
|
|
237
240
|
atomicFile.writeSync(destination, sealed, { fileMode: 0o600 }); // POSIX file mode
|
|
238
241
|
} catch (e) {
|
|
@@ -226,7 +226,7 @@ function _verifyJose(token, opts, expectedTyp) {
|
|
|
226
226
|
throw new VcError("vc/crit-unsupported",
|
|
227
227
|
"vc.verify: JWS 'crit' header lists extensions this verifier does not support (RFC 7515 §4.1.11)");
|
|
228
228
|
}
|
|
229
|
-
if (header.alg === "none" || !JOSE_ALGS
|
|
229
|
+
if (header.alg === "none" || !Object.prototype.hasOwnProperty.call(JOSE_ALGS, header.alg)) {
|
|
230
230
|
throw new VcError("vc/bad-alg", "vc.verify: unsupported or unsecured JWS alg '" + header.alg + "'");
|
|
231
231
|
}
|
|
232
232
|
if (opts.algorithms.indexOf(header.alg) === -1) {
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
"hashes": {
|
|
19
19
|
"server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
|
|
20
20
|
},
|
|
21
|
-
"refreshedAt": "2026-
|
|
21
|
+
"refreshedAt": "2026-06-20T04:17:15.833Z"
|
|
22
22
|
},
|
|
23
23
|
"@noble/curves": {
|
|
24
24
|
"version": "2.2.0",
|
|
@@ -40,7 +40,7 @@
|
|
|
40
40
|
"hashes": {
|
|
41
41
|
"server": "sha256:ebf254d5eb56aef8705a1c4af9603f47987b4870a9bb5e657e06907b701e2731"
|
|
42
42
|
},
|
|
43
|
-
"refreshedAt": "2026-
|
|
43
|
+
"refreshedAt": "2026-06-20T04:17:15.833Z"
|
|
44
44
|
},
|
|
45
45
|
"@noble/post-quantum": {
|
|
46
46
|
"version": "0.6.1",
|
|
@@ -71,7 +71,7 @@
|
|
|
71
71
|
"hashes": {
|
|
72
72
|
"server": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68"
|
|
73
73
|
},
|
|
74
|
-
"refreshedAt": "2026-
|
|
74
|
+
"refreshedAt": "2026-06-20T04:17:15.833Z"
|
|
75
75
|
},
|
|
76
76
|
"@simplewebauthn/server": {
|
|
77
77
|
"version": "13.3.1",
|
|
@@ -94,7 +94,7 @@
|
|
|
94
94
|
"hashes": {
|
|
95
95
|
"server": "sha256:f359a782ac57e3ff56ac71083d17f5c082f88ab49d645fc2bede398b47adebdb"
|
|
96
96
|
},
|
|
97
|
-
"refreshedAt": "2026-
|
|
97
|
+
"refreshedAt": "2026-06-20T04:17:15.833Z"
|
|
98
98
|
},
|
|
99
99
|
"SecLists-common-passwords-top-10000": {
|
|
100
100
|
"version": "10k-most-common (master)",
|
|
@@ -114,7 +114,7 @@
|
|
|
114
114
|
},
|
|
115
115
|
"runtime_artifact": "lib/vendor/common-passwords-top-10000.data.js",
|
|
116
116
|
"integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
|
|
117
|
-
"refreshedAt": "2026-
|
|
117
|
+
"refreshedAt": "2026-06-20T04:17:15.833Z"
|
|
118
118
|
},
|
|
119
119
|
"bimi-trust-anchors": {
|
|
120
120
|
"version": "operator-managed",
|
|
@@ -139,7 +139,7 @@
|
|
|
139
139
|
},
|
|
140
140
|
"runtime_artifact": "lib/vendor/bimi-trust-anchors.data.js",
|
|
141
141
|
"integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
|
|
142
|
-
"refreshedAt": "2026-
|
|
142
|
+
"refreshedAt": "2026-06-20T04:17:15.833Z"
|
|
143
143
|
},
|
|
144
144
|
"publicsuffix-list": {
|
|
145
145
|
"version": "master",
|
|
@@ -154,12 +154,12 @@
|
|
|
154
154
|
"bundler": "curl https://publicsuffix.org/list/public_suffix_list.dat",
|
|
155
155
|
"bundledAt": "2026-05-13T00:00:00Z",
|
|
156
156
|
"hashes": {
|
|
157
|
-
"server": "sha256:
|
|
158
|
-
"data_js": "sha256:
|
|
157
|
+
"server": "sha256:927884952ea8857ba3608eefe617f3c8acd63ad94be7b0bfb7586632cfc59560",
|
|
158
|
+
"data_js": "sha256:c2f67f5e7f7306eb5ec26548ea275673c652cfdd830b909fd63ed2b39e4838f6"
|
|
159
159
|
},
|
|
160
160
|
"runtime_artifact": "lib/vendor/public-suffix-list.data.js",
|
|
161
161
|
"integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
|
|
162
|
-
"refreshedAt": "2026-
|
|
162
|
+
"refreshedAt": "2026-06-20T04:17:15.833Z"
|
|
163
163
|
},
|
|
164
164
|
"peculiar-pki": {
|
|
165
165
|
"version": "2.0.0+pkijs-3.4.0",
|
|
@@ -190,7 +190,7 @@
|
|
|
190
190
|
"hashes": {
|
|
191
191
|
"server": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77"
|
|
192
192
|
},
|
|
193
|
-
"refreshedAt": "2026-
|
|
193
|
+
"refreshedAt": "2026-06-20T04:17:15.833Z"
|
|
194
194
|
}
|
|
195
195
|
}
|
|
196
196
|
}
|
|
@@ -5,8 +5,8 @@
|
|
|
5
5
|
// Please pull this list from, and only from https://publicsuffix.org/list/public_suffix_list.dat,
|
|
6
6
|
// rather than any other VCS sites. Pulling from any other URL is not guaranteed to be supported.
|
|
7
7
|
|
|
8
|
-
// VERSION: 2026-
|
|
9
|
-
// COMMIT:
|
|
8
|
+
// VERSION: 2026-06-13_21-47-18_UTC
|
|
9
|
+
// COMMIT: 9186eeeda85cef35b1551d00731464939c765cab
|
|
10
10
|
|
|
11
11
|
// Instructions on pulling and using this list can be found at https://publicsuffix.org/list/.
|
|
12
12
|
|
|
@@ -1403,6 +1403,7 @@ video.hu
|
|
|
1403
1403
|
// id : https://www.iana.org/domains/root/db/id.html
|
|
1404
1404
|
id
|
|
1405
1405
|
ac.id
|
|
1406
|
+
ai.id
|
|
1406
1407
|
biz.id
|
|
1407
1408
|
co.id
|
|
1408
1409
|
desa.id
|
|
@@ -6157,7 +6158,6 @@ k12.mo.us
|
|
|
6157
6158
|
k12.ms.us
|
|
6158
6159
|
k12.mt.us
|
|
6159
6160
|
k12.nc.us
|
|
6160
|
-
// k12.nd.us - Bug 1028347 - Removed at request of Travis Rosso <trossow@nd.gov>
|
|
6161
6161
|
k12.ne.us
|
|
6162
6162
|
k12.nh.us
|
|
6163
6163
|
k12.nj.us
|
|
@@ -6239,8 +6239,6 @@ cc.mt.us
|
|
|
6239
6239
|
lib.mt.us
|
|
6240
6240
|
cc.nc.us
|
|
6241
6241
|
lib.nc.us
|
|
6242
|
-
cc.nd.us
|
|
6243
|
-
lib.nd.us
|
|
6244
6242
|
cc.ne.us
|
|
6245
6243
|
lib.ne.us
|
|
6246
6244
|
cc.nh.us
|
|
@@ -6824,7 +6822,7 @@ org.zw
|
|
|
6824
6822
|
|
|
6825
6823
|
// newGTLDs
|
|
6826
6824
|
|
|
6827
|
-
// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2026-
|
|
6825
|
+
// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2026-06-13T16:12:40Z
|
|
6828
6826
|
// This list is auto-generated, don't edit it manually.
|
|
6829
6827
|
// aaa : American Automobile Association, Inc.
|
|
6830
6828
|
// https://www.iana.org/domains/root/db/aaa.html
|
|
@@ -10878,7 +10876,7 @@ xin
|
|
|
10878
10876
|
// https://www.iana.org/domains/root/db/xn--5su34j936bgsg.html
|
|
10879
10877
|
香格里拉
|
|
10880
10878
|
|
|
10881
|
-
// xn--5tzm5g :
|
|
10879
|
+
// xn--5tzm5g : Jolly Host, LLC
|
|
10882
10880
|
// https://www.iana.org/domains/root/db/xn--5tzm5g.html
|
|
10883
10881
|
网站
|
|
10884
10882
|
|
|
@@ -12577,10 +12575,12 @@ cafjs.com
|
|
|
12577
12575
|
// Submitted by Joel Aquilina <publicsuffixlist@canva.com>
|
|
12578
12576
|
canva-apps.cn
|
|
12579
12577
|
my.canvasite.cn
|
|
12578
|
+
khsj.cn
|
|
12580
12579
|
canva-apps.com
|
|
12581
12580
|
canva-hosted-embed.com
|
|
12582
12581
|
canvacode.com
|
|
12583
12582
|
rice-labs.com
|
|
12583
|
+
canva.link
|
|
12584
12584
|
canva.run
|
|
12585
12585
|
my.canva.site
|
|
12586
12586
|
|
|
@@ -13894,6 +13894,10 @@ whitesnow.jp
|
|
|
13894
13894
|
zombie.jp
|
|
13895
13895
|
heteml.net
|
|
13896
13896
|
|
|
13897
|
+
// GNTC, Inc. : https://gntc.com/
|
|
13898
|
+
// Submitted by VibeHost Security <security@vibehost.com>
|
|
13899
|
+
vibehost.space
|
|
13900
|
+
|
|
13897
13901
|
// GoDaddy Registry : https://registry.godaddy
|
|
13898
13902
|
// Submitted by Rohan Durrant <tldns@registry.godaddy>
|
|
13899
13903
|
graphic.design
|
|
@@ -14061,6 +14065,10 @@ ltd.ng
|
|
|
14061
14065
|
ngo.ng
|
|
14062
14066
|
plc.ng
|
|
14063
14067
|
|
|
14068
|
+
// Hostinger : https://hostinger.com
|
|
14069
|
+
// Submitted by Valentinas Cirba <domains@hostinger.com>
|
|
14070
|
+
hstgr.cloud
|
|
14071
|
+
|
|
14064
14072
|
// HostyHosting : https://hostyhosting.com
|
|
14065
14073
|
hostyhosting.io
|
|
14066
14074
|
|
|
@@ -15048,6 +15056,7 @@ opensocial.site
|
|
|
15048
15056
|
// OpenAI : https://openai.com
|
|
15049
15057
|
// Submitted by Thomas Shadwell <security@openai.com>
|
|
15050
15058
|
*.oaiusercontent.com
|
|
15059
|
+
chatgpt.site
|
|
15051
15060
|
|
|
15052
15061
|
// OpenCraft GmbH : http://opencraft.com/
|
|
15053
15062
|
// Submitted by Sven Marnach <sven@opencraft.com>
|
|
@@ -16005,6 +16014,11 @@ reservd.testing.thingdust.io
|
|
|
16005
16014
|
// Submitted by Christian Franke <it@ticket.io>
|
|
16006
16015
|
tickets.io
|
|
16007
16016
|
|
|
16017
|
+
// Tigris Data, Inc. : https://www.tigrisdata.com
|
|
16018
|
+
// Submitted by Bo Cao <security@tigrisdata.com>
|
|
16019
|
+
t3.storage.dev
|
|
16020
|
+
t3.storageapi.dev
|
|
16021
|
+
|
|
16008
16022
|
// Tlon.io : https://tlon.io
|
|
16009
16023
|
// Submitted by Mark Staarink <mark@tlon.io>
|
|
16010
16024
|
arvo.network
|
|
@@ -16197,11 +16211,10 @@ webflowtest.io
|
|
|
16197
16211
|
*.webhare.dev
|
|
16198
16212
|
|
|
16199
16213
|
// WebHotelier Technologies Ltd : https://www.webhotelier.net/
|
|
16200
|
-
// Submitted by Apostolos Tsakpinis <
|
|
16201
|
-
bookonline.app
|
|
16214
|
+
// Submitted by Apostolos Tsakpinis <cto@webhotelier.net>
|
|
16202
16215
|
hotelwithflight.com
|
|
16203
|
-
reserve-online.com
|
|
16204
16216
|
reserve-online.net
|
|
16217
|
+
book.online
|
|
16205
16218
|
|
|
16206
16219
|
// WebPros International, LLC : https://webpros.com/
|
|
16207
16220
|
// Submitted by Nicolas Rochelemagne <public.suffix@webpros.com>
|