@blamejs/blamejs-shop 0.4.73 → 0.4.75
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/customers.js +5 -2
- package/lib/storefront.js +41 -8
- package/lib/vendor/MANIFEST.json +48 -44
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +23 -2
- package/lib/vendor/blamejs/examples/wiki/lib/build-app.js +5 -1
- package/lib/vendor/blamejs/examples/wiki/lib/harvest-vendored-deps.js +6 -1
- package/lib/vendor/blamejs/examples/wiki/test/codebase-patterns.test.js +8 -4
- package/lib/vendor/blamejs/index.js +2 -0
- package/lib/vendor/blamejs/lib/auth/ciba.js +32 -8
- package/lib/vendor/blamejs/lib/auth/dpop.js +9 -0
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +25 -12
- package/lib/vendor/blamejs/lib/auth/jwt.js +19 -3
- package/lib/vendor/blamejs/lib/auth/oauth.js +8 -2
- package/lib/vendor/blamejs/lib/auth/saml.js +19 -9
- package/lib/vendor/blamejs/lib/crypto-field.js +19 -1
- package/lib/vendor/blamejs/lib/csp.js +9 -0
- package/lib/vendor/blamejs/lib/db-query.js +33 -2
- package/lib/vendor/blamejs/lib/mail-auth.js +24 -1
- package/lib/vendor/blamejs/lib/mail-dkim.js +20 -7
- package/lib/vendor/blamejs/lib/middleware/compose-pipeline.js +39 -5
- package/lib/vendor/blamejs/lib/pipl-cn.js +11 -8
- package/lib/vendor/blamejs/lib/request-helpers.js +146 -13
- package/lib/vendor/blamejs/lib/safe-json.js +26 -0
- package/lib/vendor/blamejs/lib/session.js +35 -117
- package/lib/vendor/blamejs/lib/sql.js +22 -0
- package/lib/vendor/blamejs/lib/ws-client.js +26 -0
- package/lib/vendor/blamejs/lib/x509-chain.js +71 -24
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.15.json +73 -0
- package/lib/vendor/blamejs/test/00-primitives.js +54 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/auth-jwt-defenses.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ciba-authreqid-binding.test.js +130 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +37 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/csp-builder.test.js +21 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/db-raw-residency-gate.test.js +22 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js +40 -1
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js +29 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js +46 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/middleware-compose-pipeline.test.js +74 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/pipl-cn.test.js +12 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/request-helpers.test.js +46 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js +77 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js +74 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/sql.test.js +19 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/ws-client.test.js +32 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/x509-chain-ca-enforcement.test.js +11 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.4.x
|
|
10
10
|
|
|
11
|
+
- v0.4.75 (2026-06-21) — **Bundled framework refreshed to blamejs 0.15.15 — more authentication checks fail closed and a blocked-traffic memory leak is fixed.** Refreshes the vendored framework the store is built on from blamejs 0.15.14 to 0.15.15, a correctness-and-hardening release. The protections the store already composes now refuse more malformed or unbound credentials, and a request-pipeline leak under sustained blocked traffic is fixed. The most directly felt change for an operator: when the bot guard, rate limiter, or CSRF check halts a request by writing its response without continuing the chain, the pipeline now settles instead of holding the request closure open forever — under a flood of blocked requests that previously grew memory without bound. On the sign-in surface, the passkey, OAuth, and any token verifiers the store routes through inherit stricter checks: an OAuth ID-token nonce is no longer skipped when empty, an authenticator's current certification status is honored rather than the highest it ever held, a JWT issuer presented as an array no longer satisfies a single-issuer expectation, and a malformed JOSE header raises a typed error instead of crashing the verifier. The content-security-policy builder now refuses a source value containing whitespace or a semicolon (so a malformed provider host can't smuggle a second directive), the SQL builder refuses an always-false equality against NULL and validates every element of an IN-list, and the WebSocket client bounds a fragmented message as it arrives rather than only at the final frame. No store configuration changes; upgrade to pick up the refreshed framework. **Changed:** *Bundled framework updated to blamejs 0.15.15* — The vendored framework is refreshed from 0.15.14 to 0.15.15. The store carries zero runtime npm dependencies and builds entirely on this bundled framework, so its correctness and hardening improvements apply to the store on upgrade with no configuration change. **Security:** *A blocked request no longer leaks its closure for the life of the process* — When the bot guard, rate limiter, CSRF check, or any middleware halts a request by writing the response without advancing the chain — the intended way to block — the request pipeline now settles its promise instead of leaving it pending forever. Previously each blocked request retained its request/response closure, so sustained blocked traffic grew memory without bound. The store's request lifecycle composes this pipeline directly, so the fix applies to every blocked request. · *Sign-in credential verifiers fail closed on more malformed inputs* — The authentication primitives the store routes sign-in through now refuse more unbound or malformed credentials: an OAuth ID-token nonce check is no longer skipped when the supplied nonce is empty, an authenticator's current certification status is honored over the highest level it ever held, a JWT issuer presented as an array no longer satisfies a single-issuer expectation, and a JOSE header or payload that decodes to a non-object raises a typed authentication error instead of an uncaught crash. · *The content-security-policy builder refuses a directive-injecting source* — A CSP source is a single non-whitespace token; the builder now rejects a source containing whitespace or a semicolon. Because sources are space-joined and directives semicolon-joined, a malformed value could otherwise have injected a second, live directive. The store's provider hosts (payment, captcha) are already clean single tokens, so this is defense against a future misconfiguration. · *The SQL builder refuses an always-false NULL equality and validates IN-list elements* — An equality against NULL (always false in SQL; the IS NULL form is required) is now refused rather than silently matching nothing, and every element of an IN-list is validated across all database backends. This narrows the room for a query that quietly returns the wrong rows. · *WebSocket fragmented-message reassembly is bounded as it arrives* — A fragmented incoming message is now bounded by its running total on each frame instead of only when the final frame arrives, so a peer can no longer stream unbounded continuation frames to exhaust memory before the size limit is checked, and a frame arriving after close is ignored.
|
|
12
|
+
|
|
13
|
+
- v0.4.74 (2026-06-21) — **Sign-in links are built from the configured origin, and signing out invalidates every device's session.** Two account-security hardenings. The passwordless sign-in (magic) link was assembled from the request's Host header, so a request that reached the app carrying a forged Host could produce a link pointing at another domain while still carrying the customer's single-use sign-in token. The link is now built from the operator-configured trusted origin — the same source the referral links, back-in-stock links, and the OAuth redirect already use — so the link always points at the real storefront regardless of the request Host. Separately, signing out cleared the session cookie only in the responding browser; because the sealed auth cookie is stateless for its full lifetime, a copy captured before sign-out stayed valid until it naturally expired. Explicit sign-out now moves the account's server-side session-revocation boundary forward, so every live session cookie for the account is invalidated at once. **Fixed:** *Magic-link sign-in URLs are built from the configured origin, not the request Host* — The passwordless sign-in link and the post-checkout account-claim link now derive their origin from the operator's configured trusted origin first, falling back to the request origin only when none is configured (single-host dev). A forged Host header can no longer redirect a credential-bearing sign-in link to another domain. Both email-link sends share one origin resolver, matching the referral, back-in-stock, and OAuth-redirect discipline. · *Signing out invalidates every live session, not just the current browser* — POST /account/logout now moves the customer's server-side session-revocation boundary forward before clearing the cookie, so every sealed auth cookie issued for the account — including a copy captured on another device or before sign-out — fails its next request and signs out. Previously the stateless cookie was only cleared in the responding browser and remained valid elsewhere for its full lifetime.
|
|
14
|
+
|
|
11
15
|
- v0.4.73 (2026-06-21) — **Subject-access exports now carry every operator note, question, quote and rating — not the first page.** A data-subject-access (GDPR Art. 15) export read only the first 100 rows of four sections — operator CRM notes, product questions, RFQ quotes, and post-fulfilment ratings — yet the bundle's completeness manifest still reported each of those sections as fully exported. A customer with a long history (most plausibly a long-tenured account carrying many operator notes) received a bundle that silently dropped the remainder while presenting as complete. The export now drains the operator-notes and product-question sections to the last row by following each reader's own cursor, and pulls the quotes and ratings sections up to the primitive's maximum of 500 rows — beyond any realistic per-customer count — so a subject-access bundle carries the customer's complete record. Both the assembled bundle and the streamed download share the same readers, so both are now complete. **Fixed:** *Export sections drain past the first 100 rows* — The operator-notes and product-question export sections now follow their reader's cursor to exhaustion, so every row reaches the bundle; the quotes and ratings sections read up to the 500-row primitive maximum, which a single customer's RFQ or rating history never exceeds in practice. A long-tenured customer's subject-access export no longer omits rows past the first page while reporting the section complete.
|
|
12
16
|
|
|
13
17
|
- v0.4.72 (2026-06-21) — **Cycle counting no longer strands a finalized count when a shelf adjustment fails midway.** When a cycle count was finalized with shelf adjustments, it advanced the count to finalized first and then applied each per-location adjustment in an unguarded loop. If one adjustment failed partway — most plausibly a negative (shrinkage) variance that would drive a location below the units already held for paid orders — the lines before it stayed applied, the lines after it never applied, and the count was left stuck finalized: a retry was refused and the header's aggregate totals were never stamped, so a tool whose whole job is to close shelf-vs-record drift instead baked in an unrecoverable partial drift. finalizeCount now mirrors the inventory-audit finalize it diverged from: it computes every variance first, claims the finalize transition AND stamps the aggregate totals in one statement, then applies each shelf adjustment reconciling against what already landed under the count's own reason — so a retry lands only the remaining delta and never doubles — and passes the hold-aware guard so a shrinkage debit can't drop a shelf below its outstanding holds. On any failure the count re-opens to in_progress, so the operator clears the blocker and re-runs to completion. **Fixed:** *A failed shelf adjustment re-opens the count instead of stranding it finalized* — finalizeCount now computes and persists every line's variance before claiming the finalize transition, stamps the aggregate variance totals in the same statement as the status flip (so a finalized count is never left with empty totals), and applies the per-location adjustments in a guarded pass that reconciles each against the deltas already recorded under the count's reason. If an adjustment throws, the count re-opens to in_progress and the error surfaces; a re-run applies only the remaining delta, so the lines that already moved are never double-applied. · *Shrinkage adjustments respect outstanding holds* — A negative cycle-count variance now debits the shelf with the hold-aware guard, matching the inventory-audit and write-off paths, so a count that records less stock than the record believed can no longer drop a location below the units already held for paid orders and strand a later fulfilment.
|
package/lib/asset-manifest.json
CHANGED
package/lib/customers.js
CHANGED
|
@@ -635,8 +635,11 @@ function create(opts) {
|
|
|
635
635
|
// and every pre-`iat` cookie once a boundary exists — fails the
|
|
636
636
|
// revocation check on its next authenticated request and signs out.
|
|
637
637
|
// Idempotent and monotonic: a later bump only ever moves the boundary
|
|
638
|
-
// forward, so two concurrent revokes can't roll it backwards.
|
|
639
|
-
//
|
|
638
|
+
// forward, so two concurrent revokes can't roll it backwards. Called by
|
|
639
|
+
// the storefront's explicit sign-out (POST /account/logout) so a sealed
|
|
640
|
+
// cookie copied before sign-out can't outlive it. Erasure moves the same
|
|
641
|
+
// boundary forward directly via _bumpSessionRevocation
|
|
642
|
+
// (eraseAuthForCustomer), so an erased account's live cookies die too.
|
|
640
643
|
revokeSessionsForCustomer: async function (id, at) {
|
|
641
644
|
_uuid(id, "customer id");
|
|
642
645
|
var boundary = (at == null) ? _now() : at;
|
package/lib/storefront.js
CHANGED
|
@@ -12922,6 +12922,24 @@ function mount(router, deps) {
|
|
|
12922
12922
|
return origin + "/r/" + encodeURIComponent(code);
|
|
12923
12923
|
}
|
|
12924
12924
|
|
|
12925
|
+
// The absolute origin for a credential-bearing email link (the magic-link /
|
|
12926
|
+
// portal sign-in URL). A single-use sign-in token in that link authenticates
|
|
12927
|
+
// on its own, so the link must point at the REAL site, never a host an
|
|
12928
|
+
// attacker forged into the request `Host`: it prefers the operator's
|
|
12929
|
+
// configured trusted origin (deps.shop_origin / SHOP_ORIGIN) — the same
|
|
12930
|
+
// discipline _referralLink, _stockAlertOrigin, and the OAuth redirectUri
|
|
12931
|
+
// already follow. Falls back to the request's own origin only when
|
|
12932
|
+
// shop_origin isn't configured (dev / single-host deploys, where the Host is
|
|
12933
|
+
// the loopback the operator is already on). Request-shape reader — returns a
|
|
12934
|
+
// string, never throws.
|
|
12935
|
+
function _emailLinkOrigin(req) {
|
|
12936
|
+
if (typeof deps.shop_origin === "string" && deps.shop_origin) {
|
|
12937
|
+
return deps.shop_origin.replace(/\/$/, "");
|
|
12938
|
+
}
|
|
12939
|
+
try { return new URL(_requestUrls(req).canonical_url).origin || ""; }
|
|
12940
|
+
catch (_e) { return ""; }
|
|
12941
|
+
}
|
|
12942
|
+
|
|
12925
12943
|
// The signed-in customer's sealed-cookie envelope, or null. Shared by
|
|
12926
12944
|
// the PDP view recorder (mounted outside the `if (deps.customers)`
|
|
12927
12945
|
// block) and the account routes inside it, so there's one auth-cookie
|
|
@@ -15787,9 +15805,9 @@ function mount(router, deps) {
|
|
|
15787
15805
|
customer_id: customer.id,
|
|
15788
15806
|
scope: "full",
|
|
15789
15807
|
});
|
|
15790
|
-
|
|
15791
|
-
|
|
15792
|
-
|
|
15808
|
+
// Trusted-origin-first so a forged Host can't poison the
|
|
15809
|
+
// single-use portal sign-in link (see _emailLinkOrigin).
|
|
15810
|
+
var origin = _emailLinkOrigin(req);
|
|
15793
15811
|
var linkUrl = origin + "/account/portal/" + encodeURIComponent(minted.plaintext_token);
|
|
15794
15812
|
await deps.customerPortalEmail.sendMagicLink({
|
|
15795
15813
|
customer_email: email,
|
|
@@ -16083,10 +16101,9 @@ function mount(router, deps) {
|
|
|
16083
16101
|
|
|
16084
16102
|
// Resolve the absolute origin while the request is in hand (the
|
|
16085
16103
|
// mint + send below runs after the response, but reads no further
|
|
16086
|
-
// request state).
|
|
16087
|
-
|
|
16088
|
-
|
|
16089
|
-
catch (_e2) { origin = ""; }
|
|
16104
|
+
// request state). Trusted-origin-first so a forged Host can't poison
|
|
16105
|
+
// the single-use sign-in link (see _emailLinkOrigin).
|
|
16106
|
+
var origin = _emailLinkOrigin(req);
|
|
16090
16107
|
|
|
16091
16108
|
// SECURITY (no account-existence oracle): send the generic
|
|
16092
16109
|
// confirmation 303 BEFORE any matched-only work, so a registered
|
|
@@ -16688,7 +16705,23 @@ function mount(router, deps) {
|
|
|
16688
16705
|
});
|
|
16689
16706
|
}
|
|
16690
16707
|
|
|
16691
|
-
router.post("/account/logout", function (req, res) {
|
|
16708
|
+
router.post("/account/logout", async function (req, res) {
|
|
16709
|
+
// Move this customer's server-side session-revocation boundary forward
|
|
16710
|
+
// BEFORE wiping the cookie, so an explicit sign-out invalidates EVERY
|
|
16711
|
+
// live sealed cookie for the account — not just the copy in the
|
|
16712
|
+
// responding browser. The auth cookie is stateless for its full TTL, so
|
|
16713
|
+
// clearing it here only signs out THIS browser; a cookie copied or
|
|
16714
|
+
// exfiltrated before sign-out would otherwise stay valid until it
|
|
16715
|
+
// naturally expires. Drop-silent + best-effort: a signed-out or already-
|
|
16716
|
+
// revoked caller resolves to null and we simply clear the cookie, and a
|
|
16717
|
+
// failed bump never blocks the local sign-out below.
|
|
16718
|
+
try {
|
|
16719
|
+
var auth = await _currentCustomer(req);
|
|
16720
|
+
if (auth && auth.customer_id && deps.customers &&
|
|
16721
|
+
typeof deps.customers.revokeSessionsForCustomer === "function") {
|
|
16722
|
+
await deps.customers.revokeSessionsForCustomer(auth.customer_id);
|
|
16723
|
+
}
|
|
16724
|
+
} catch (_eRev) { /* drop-silent — the cookie clear below still signs out this browser */ }
|
|
16692
16725
|
// Wipe the browser's client-side state for the origin on sign-out
|
|
16693
16726
|
// (cookies, storage, cache, execution contexts) — defense-in-depth so a
|
|
16694
16727
|
// shared or public browser can't carry a cached authenticated page or
|
package/lib/vendor/MANIFEST.json
CHANGED
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
"_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
|
|
4
4
|
"packages": {
|
|
5
5
|
"blamejs": {
|
|
6
|
-
"version": "0.15.
|
|
7
|
-
"tag": "v0.15.
|
|
6
|
+
"version": "0.15.15",
|
|
7
|
+
"tag": "v0.15.15",
|
|
8
8
|
"license": "Apache-2.0",
|
|
9
9
|
"author": "blamejs contributors",
|
|
10
10
|
"source": "https://github.com/blamejs/blamejs",
|
|
@@ -835,6 +835,7 @@
|
|
|
835
835
|
"release-notes/v0.15.12.json": "lib/vendor/blamejs/release-notes/v0.15.12.json",
|
|
836
836
|
"release-notes/v0.15.13.json": "lib/vendor/blamejs/release-notes/v0.15.13.json",
|
|
837
837
|
"release-notes/v0.15.14.json": "lib/vendor/blamejs/release-notes/v0.15.14.json",
|
|
838
|
+
"release-notes/v0.15.15.json": "lib/vendor/blamejs/release-notes/v0.15.15.json",
|
|
838
839
|
"release-notes/v0.15.2.json": "lib/vendor/blamejs/release-notes/v0.15.2.json",
|
|
839
840
|
"release-notes/v0.15.3.json": "lib/vendor/blamejs/release-notes/v0.15.3.json",
|
|
840
841
|
"release-notes/v0.15.4.json": "lib/vendor/blamejs/release-notes/v0.15.4.json",
|
|
@@ -1056,6 +1057,7 @@
|
|
|
1056
1057
|
"test/layer-0-primitives/cdn-cache-control.test.js": "lib/vendor/blamejs/test/layer-0-primitives/cdn-cache-control.test.js",
|
|
1057
1058
|
"test/layer-0-primitives/cert.test.js": "lib/vendor/blamejs/test/layer-0-primitives/cert.test.js",
|
|
1058
1059
|
"test/layer-0-primitives/chain-writer-multichain.test.js": "lib/vendor/blamejs/test/layer-0-primitives/chain-writer-multichain.test.js",
|
|
1060
|
+
"test/layer-0-primitives/ciba-authreqid-binding.test.js": "lib/vendor/blamejs/test/layer-0-primitives/ciba-authreqid-binding.test.js",
|
|
1059
1061
|
"test/layer-0-primitives/clear-site-data.test.js": "lib/vendor/blamejs/test/layer-0-primitives/clear-site-data.test.js",
|
|
1060
1062
|
"test/layer-0-primitives/cli-api-key.test.js": "lib/vendor/blamejs/test/layer-0-primitives/cli-api-key.test.js",
|
|
1061
1063
|
"test/layer-0-primitives/cli-audit-verify-chain.test.js": "lib/vendor/blamejs/test/layer-0-primitives/cli-audit-verify-chain.test.js",
|
|
@@ -1518,7 +1520,7 @@
|
|
|
1518
1520
|
".npmrc": "sha256:66f104e7d07c496d2d0409988225e8c0e4ceb8d247dbcac3be75b2128d20ce66",
|
|
1519
1521
|
".pinact.yaml": "sha256:0213ffda55961dc49b64c0a5dfa3c0567419633b1499d57eaf7c8d842d7da6c7",
|
|
1520
1522
|
"ARCHITECTURE.md": "sha256:9b1c8d2b1b7a41838eb348b0a008e4b4369718fd72bfe2974b37155f7536d35b",
|
|
1521
|
-
"CHANGELOG.md": "sha256:
|
|
1523
|
+
"CHANGELOG.md": "sha256:f88149cf913c47900c01f48f4528fedfba9796cae8888352a69dd24059255c07",
|
|
1522
1524
|
"CODE_OF_CONDUCT.md": "sha256:148a281960fff7c2fe6554dab66da572c72245ddeb00b0d14811558397bff386",
|
|
1523
1525
|
"CONTRIBUTING.md": "sha256:bb4dbdbc8598da31dbce653a8ed322e08ff46560173f2eb67a4d684653948332",
|
|
1524
1526
|
"GOVERNANCE.md": "sha256:906df6afb1f552b27b9acb50f7f96c47b917a2f1021cd4e987dbf4ee0e0a821b",
|
|
@@ -1528,7 +1530,7 @@
|
|
|
1528
1530
|
"NOTICE": "sha256:f487fa47a11aca0f89e2615cdd3c713e9842abf7a30d8d328eeeae1c864aa774",
|
|
1529
1531
|
"README.md": "sha256:3ddcc197b003da0b02db8bdd1aef1e943c94f7eab613c633d6a45bb11d0a80e9",
|
|
1530
1532
|
"SECURITY.md": "sha256:23f7ee4a44f21e433ed1d3c6f414575eb3e30f66a328422973a1109a276c537b",
|
|
1531
|
-
"api-snapshot.json": "sha256:
|
|
1533
|
+
"api-snapshot.json": "sha256:b8ec69df950d762a3ed60508021464d3c7867179152f3c63e0a767474d1b6ed4",
|
|
1532
1534
|
"assets/BlameJS_Logo.png": "sha256:3c65699753c771b48ef9ac7f45bb40815ec19a23afcdd0cd30ef4601bbbe293e",
|
|
1533
1535
|
"assets/BlameJS_Logo.svg": "sha256:dda44f3fb1343d5de9db6b1fcdb75fc649c57e7a99a8e8239fcf852e3841e1a8",
|
|
1534
1536
|
"bench/README.md": "sha256:74202f2507fd840bfc1ac6c681975d9273cf36cca6e0f72655f138337304033c",
|
|
@@ -1573,11 +1575,11 @@
|
|
|
1573
1575
|
"examples/wiki/docker-compose.yml": "sha256:c27bddfc07f3293c5e78ad11c31624dd85d225cef08b47b89147f2d5c2d37522",
|
|
1574
1576
|
"examples/wiki/env-snapshot.json": "sha256:e538ed640078ba8779972238c3f8802e2a826fa1c0b720112cf879b643a2c09f",
|
|
1575
1577
|
"examples/wiki/lib/auto-site-entries.js": "sha256:4776889b61588b0979fa9ccade88cfa687b640e84a961dc104ce1f3a938e07f9",
|
|
1576
|
-
"examples/wiki/lib/build-app.js": "sha256:
|
|
1578
|
+
"examples/wiki/lib/build-app.js": "sha256:510f209de9b745b0d88488a3c5d0f9a178c0c649ca4fcf5e017dfdb15533415c",
|
|
1577
1579
|
"examples/wiki/lib/harvest-cli.js": "sha256:ad388ce0782efb23e5a068368ebd02ad921bb645c6288b034bb0fb7a42fa823d",
|
|
1578
1580
|
"examples/wiki/lib/harvest-env-vars.js": "sha256:b3113ba195b0dff7d1e42dd07259a092d96fe5aed4dad0cda601134fdf794046",
|
|
1579
1581
|
"examples/wiki/lib/harvest-errors.js": "sha256:0c7dd6a1857ee04b584c1105f656bc964474be770f22f94a784ba2a99e702caf",
|
|
1580
|
-
"examples/wiki/lib/harvest-vendored-deps.js": "sha256:
|
|
1582
|
+
"examples/wiki/lib/harvest-vendored-deps.js": "sha256:11fc8f1b3359d9e49e92a037b9ef8051516cb8e74bf5dbda34fd2c6293d2e513",
|
|
1581
1583
|
"examples/wiki/lib/html-entities.js": "sha256:1afa873a5eba49a9206530868ffdccdd2cf67d00afdb53ea88ae585526caeee8",
|
|
1582
1584
|
"examples/wiki/lib/nav.js": "sha256:d56f262733ff72e80c24b121fe244dff4a827cb2f24698b0fe63b8edae582d28",
|
|
1583
1585
|
"examples/wiki/lib/opts-resolver.js": "sha256:d5a7f1153e265a267b899515a42726afad6ecd8921f22fe5f3d17e9b81783c05",
|
|
@@ -1609,7 +1611,7 @@
|
|
|
1609
1611
|
"examples/wiki/src/editor.js": "sha256:92ec81b8fe090dde49d348e91cec9472ffad4d122898e257b61d2d45b3b69b72",
|
|
1610
1612
|
"examples/wiki/src/wiki.js": "sha256:d27db30436ce441f13ff91cc8f7c4fa59a115b644748cd1fdfd855a8f910a797",
|
|
1611
1613
|
"examples/wiki/test/AUDIT.md": "sha256:28868e102852aa5c0981421035066a1da6676ec5ed8d0f4b88571614dc3301ab",
|
|
1612
|
-
"examples/wiki/test/codebase-patterns.test.js": "sha256:
|
|
1614
|
+
"examples/wiki/test/codebase-patterns.test.js": "sha256:2973f4c766dd038eff4054a8a5f0fd4df4ba7577f23b1cf52f885cc5d1be6a67",
|
|
1613
1615
|
"examples/wiki/test/e2e.js": "sha256:33507660f39f29d3acbdca9c0223a3568ce524065ecddc5fdd1680993c92aa5f",
|
|
1614
1616
|
"examples/wiki/test/find-missing-pages.js": "sha256:092c92b400d8f528df47ab4400f83834dd7a561269bd602e57f05eb740d9126a",
|
|
1615
1617
|
"examples/wiki/test/integration.js": "sha256:f5d1ce3fce33036ddf98c0328608ce6b5ac57ef613d388c62724de54c209ef56",
|
|
@@ -1725,7 +1727,7 @@
|
|
|
1725
1727
|
"fuzz/safe-url_seed_corpus/05-ipv6.txt": "sha256:b210575d6e9f91b70d1616c89a38bf81e66e4356dcf204a3d40f1932961d01cc",
|
|
1726
1728
|
"fuzz/safe-url_seed_corpus/06-idn.txt": "sha256:9f163641afe7046491b09f95684e30aac38b3cbf243afb115c556ae4fc0339f0",
|
|
1727
1729
|
"fuzz/safe-vcard.fuzz.js": "sha256:20ef167055ea75b6138bc6dc9d8cbdcf108d92be2792571a0162b849671354bd",
|
|
1728
|
-
"index.js": "sha256:
|
|
1730
|
+
"index.js": "sha256:c974edbb64be300691c1cc03c98672c975025158a7fba9ab67301edb53534925",
|
|
1729
1731
|
"keys/release-pqc-pub.json": "sha256:38fb7f580ccc06c5682c5c3f12b43441d4fdd3e79cf57afb8b3dab3a73af290d",
|
|
1730
1732
|
"lib/_test/crypto-fixtures.js": "sha256:91470fc813e41eeed06dee1e8fbb92d179af77eb01109c1256f7330cb2fc0980",
|
|
1731
1733
|
"lib/a2a-tasks.js": "sha256:d027609ce0688a307ba7c42e52fb6054b1b076fe4d1f62ccf89373ba73f4df3c",
|
|
@@ -1788,22 +1790,22 @@
|
|
|
1788
1790
|
"lib/auth/ato-kill-switch.js": "sha256:aac3cf32e2e5023fdff2a643c15e168c0e9f9b1bb147d31965c008fd8eb1d79b",
|
|
1789
1791
|
"lib/auth/auth-time-tracker.js": "sha256:c8d545491ef8275fd271ece280c3325f0b455ba87fc3ea9989330bbf8ae4c7eb",
|
|
1790
1792
|
"lib/auth/bot-challenge.js": "sha256:f2ce34a84dc1aa1ce082c472ad580965da4a9c2c2290e18d32a1bae1546dddcc",
|
|
1791
|
-
"lib/auth/ciba.js": "sha256:
|
|
1792
|
-
"lib/auth/dpop.js": "sha256:
|
|
1793
|
+
"lib/auth/ciba.js": "sha256:0032058ca2903b9e2f4c0e25fdbfae4cf85290fb3772ae33054258e961cc8642",
|
|
1794
|
+
"lib/auth/dpop.js": "sha256:13d2098e2042dbab61baa93ec371b45357e691576232f08f6e99ea67fa64e200",
|
|
1793
1795
|
"lib/auth/elevation-grant.js": "sha256:cf1c498359073a29d0192f390fe767731025d7cd65c5272298ae06ee10e307e7",
|
|
1794
1796
|
"lib/auth/fal.js": "sha256:aabf6d8095dd41dcda8a2efdb48e00e95bffe70c78991c93fbef827816918692",
|
|
1795
|
-
"lib/auth/fido-mds3.js": "sha256:
|
|
1797
|
+
"lib/auth/fido-mds3.js": "sha256:8c49af15326ce56b619840e8b06374f980664bac785dcfe7bf42013d4b95ba26",
|
|
1796
1798
|
"lib/auth/jar.js": "sha256:f333f25a87b8c60f5f19c51d68aefba8ae8ed304e0f54a957560475359e11f7f",
|
|
1797
1799
|
"lib/auth/jwt-external.js": "sha256:4b0073de3b72e3215534613781f16892736b4433f7c9b4fd9f5968a106bb777d",
|
|
1798
|
-
"lib/auth/jwt.js": "sha256:
|
|
1800
|
+
"lib/auth/jwt.js": "sha256:e018192d8578c4b1d549fdb14a93852d153f75ecf0443301d6227b6fd72d7d31",
|
|
1799
1801
|
"lib/auth/lockout.js": "sha256:c765cc891ef6c8ce34ba31d4d6044b7c99d529d72ce369a28f1b588bee6829cb",
|
|
1800
|
-
"lib/auth/oauth.js": "sha256:
|
|
1802
|
+
"lib/auth/oauth.js": "sha256:9a1e2f1db05a339bfe620f4d7bb20819db85c0eda647bc9a551617beea89be6b",
|
|
1801
1803
|
"lib/auth/oid4vci.js": "sha256:8f3f5ae5722ef00d7c5885eb49084820e6b8409aa564a52b0c48b1d334d3e49c",
|
|
1802
1804
|
"lib/auth/oid4vp.js": "sha256:96aee801f9e47491c8eb47f50f21d395aacabbf948cafe2477f876051ac1ef3d",
|
|
1803
1805
|
"lib/auth/openid-federation.js": "sha256:2644424c3802382c2922dd018d6674790263d77bf0e7b6c80502d8e1e6535e4f",
|
|
1804
1806
|
"lib/auth/passkey.js": "sha256:14cc2a5f15a4748a03e703d3f6db0a7aaf408d7b277a8388506907e45da4a1f3",
|
|
1805
1807
|
"lib/auth/password.js": "sha256:f5c468f9d8f90128bb25a5a0ece6d33ecb152d1e0b4263ded65862ae29bce03e",
|
|
1806
|
-
"lib/auth/saml.js": "sha256:
|
|
1808
|
+
"lib/auth/saml.js": "sha256:ef97f4e740ad9439a776a95209c9dc0d8e52e7e65406e0eb4d031f4f8d956875",
|
|
1807
1809
|
"lib/auth/sd-jwt-vc-disclosure.js": "sha256:bc1eff5def71d2eedb6f17c8bede650050af9d790145e8697871c75ddc8431ae",
|
|
1808
1810
|
"lib/auth/sd-jwt-vc-holder.js": "sha256:9d22b691e6a698aa2240c3ac611bc91e5b8d6acaa4b8fa03e28077ddb5fd56df",
|
|
1809
1811
|
"lib/auth/sd-jwt-vc-issuer.js": "sha256:8cbfd25af7df5db7e7f61d004059530c46cc18fd1afbcebbe94f8f81f503c413",
|
|
@@ -1863,13 +1865,13 @@
|
|
|
1863
1865
|
"lib/cra-report.js": "sha256:77e6c28bcb00273d652bd9578ca45fccb56d83ef47a18d4cac80929e17d59dff",
|
|
1864
1866
|
"lib/crdt.js": "sha256:be5f4675e072eda28e9bbccf49213ad4350b5f53ae78b1ec28cc1d36bf1ea129",
|
|
1865
1867
|
"lib/credential-hash.js": "sha256:9f4bf10f3ee86f03fba90e32778d99e0f9eb5966b826cbd1dc83e6c55000400e",
|
|
1866
|
-
"lib/crypto-field.js": "sha256:
|
|
1868
|
+
"lib/crypto-field.js": "sha256:c7b92fbe17d11539c0ef7ad5b7df086c95c4840a7d595acb1122fa59776ea363",
|
|
1867
1869
|
"lib/crypto-hpke-pq.js": "sha256:f086e23f4f80de9d0713826890bf8bafc0a8ddfa53fe7e87f5a0fed8ffa35caf",
|
|
1868
1870
|
"lib/crypto-hpke.js": "sha256:e9fb595fc16206237edeb738bfe4b037eeee91de9558e09ffe41e0f1e37558a7",
|
|
1869
1871
|
"lib/crypto-oprf.js": "sha256:5c98b56ba2322d3c3f40ac5c849370d927b76a535f19f76448469f349ac2b408",
|
|
1870
1872
|
"lib/crypto-xwing.js": "sha256:e724e5ea88bdb193f6c601c126230765454618eb2bf91dbf62939be510922a39",
|
|
1871
1873
|
"lib/crypto.js": "sha256:0884094cdfc52e577c10b51622b940e9acc1ce2ef8dd8996d790e51e80b2f9b5",
|
|
1872
|
-
"lib/csp.js": "sha256:
|
|
1874
|
+
"lib/csp.js": "sha256:b7a4d24f721767edecb7bc0c7a28c7824b7dda596c2edb3be387304684a8698a",
|
|
1873
1875
|
"lib/csv.js": "sha256:eca5d01409e72f5f73c5a954f3019826ed5da06f72103a5117016aeb0654f17c",
|
|
1874
1876
|
"lib/cwt.js": "sha256:1c39f6ea999ecdb2cb119933b497af9cbfd512aeaa73261076f12018f0393e80",
|
|
1875
1877
|
"lib/daemon.js": "sha256:8ac929f2529e21c94f5d865a488f99bd83d43640e9194c05217ec16578774104",
|
|
@@ -1879,7 +1881,7 @@
|
|
|
1879
1881
|
"lib/db-declare-row-policy.js": "sha256:aea911d30d8d4108f2f83fd7d91c5f5a3c5be3f1ecec18be4674d7f1f8b39666",
|
|
1880
1882
|
"lib/db-declare-view.js": "sha256:82371eb03f635877f6541850edb617905722c3bcf60f592f28b2d57d44a50bff",
|
|
1881
1883
|
"lib/db-file-lifecycle.js": "sha256:610538b8a6e7ad140b92f257c58fc0c2fdc97d3ef8c002d43987b97fbfd971c0",
|
|
1882
|
-
"lib/db-query.js": "sha256:
|
|
1884
|
+
"lib/db-query.js": "sha256:1f8ebfb7481b58cacb689fe87e92cb5574bd42f2665da5f4d27febb1010e45f2",
|
|
1883
1885
|
"lib/db-role-context.js": "sha256:fa97dd17a8de1278a76a01d7979c3c847295c5efe1f14ab90701ca0e98f9bd3b",
|
|
1884
1886
|
"lib/db-schema.js": "sha256:5aaef5f61f16dc0913225cb3f134e9ef6d05bf917d15ea35360c8cfbb81de1cd",
|
|
1885
1887
|
"lib/db.js": "sha256:0b932ee8c055aec8369f195a1bfc774e380bb019dfc338d84e759db0f687cfa9",
|
|
@@ -2021,7 +2023,7 @@
|
|
|
2021
2023
|
"lib/mail-agent.js": "sha256:4ca93408c03873796d285d002067ffa54fa70859ad5437215d6001d90c0f76ea",
|
|
2022
2024
|
"lib/mail-arc-sign.js": "sha256:872f31e16321f8629e3af3cac31d3deb460804748b25a7fbb427164a2ad88f84",
|
|
2023
2025
|
"lib/mail-arf.js": "sha256:47d02905b58c6c0733114e58594034adedd73799de39b93420459dbb04d22050",
|
|
2024
|
-
"lib/mail-auth.js": "sha256:
|
|
2026
|
+
"lib/mail-auth.js": "sha256:1f32a4458bbd377cf91eb7fa140af95e17ffb76fd9789aab1f4d235e82d6eb80",
|
|
2025
2027
|
"lib/mail-bimi.js": "sha256:f23f250d47ef6b425cf57ff2a7cdaa2ff24ed695b42201d228c0bd52063b4a6f",
|
|
2026
2028
|
"lib/mail-bounce.js": "sha256:461e885dd2ea0664e9a4af39ae5c36f3a5d9c7dc914dad4c40641b705952fd04",
|
|
2027
2029
|
"lib/mail-crypto-pgp.js": "sha256:045f1f3a2eea809e5f22fa00d7e8fe99f688b1356341cf7819ad2fe30729a4b6",
|
|
@@ -2029,7 +2031,7 @@
|
|
|
2029
2031
|
"lib/mail-crypto.js": "sha256:19d5f2a9fe6376d2ed6b0153a944dd1d05d8b893172bad173e2df9733c0dafd3",
|
|
2030
2032
|
"lib/mail-dav.js": "sha256:3bfe6d8c0fa1c0a5d56d78a07778de932828eeebd6e091d2f988ebeaabcf451a",
|
|
2031
2033
|
"lib/mail-deploy.js": "sha256:2377fe9e80af1c0fa9fb84269f1e7f8386008119b64be92b74263dda8c074d87",
|
|
2032
|
-
"lib/mail-dkim.js": "sha256:
|
|
2034
|
+
"lib/mail-dkim.js": "sha256:5e96c3f496a02cd36b0f12671e1b9031c6c299dd8e5ecc221fdbfe081d260144",
|
|
2033
2035
|
"lib/mail-greylist.js": "sha256:7e8a727e446cbad522ca4902834312c07564365e989c7344a878f4406000fc7b",
|
|
2034
2036
|
"lib/mail-helo.js": "sha256:196c3b8f3720fdd7fef2321dc5e3f29297128d1f0c4f47a062b5e28d75359aa5",
|
|
2035
2037
|
"lib/mail-journal.js": "sha256:58ddcbd652c93b626c38060c97a653dc34b993659e13f41c6da5638d80b3f9f3",
|
|
@@ -2072,7 +2074,7 @@
|
|
|
2072
2074
|
"lib/middleware/bot-disclose.js": "sha256:2b98da494ee51ba7c8efc0d5fccbf11ba335649e71726d83847116c340720bf0",
|
|
2073
2075
|
"lib/middleware/bot-guard.js": "sha256:ba724a897f646fcab7c384eb6e5c076e77e83b8e1c8d82a5aab79e8df616af8c",
|
|
2074
2076
|
"lib/middleware/clear-site-data.js": "sha256:9b489c42aa6d4ee9f4b1e6e410b211f5d28134fc1d3933502f7504d64bc68c26",
|
|
2075
|
-
"lib/middleware/compose-pipeline.js": "sha256:
|
|
2077
|
+
"lib/middleware/compose-pipeline.js": "sha256:2288ad3c091d8573f2018d37460494546b1afc30d06127166fa3927b3e67f480",
|
|
2076
2078
|
"lib/middleware/compression.js": "sha256:7de925075ece9c0c6cc4c3db444ec02bf5d4fd8a26b5b5861e798864a1e0286f",
|
|
2077
2079
|
"lib/middleware/cookies.js": "sha256:a286f947b343313c21f620c4a36eed66fe44dea4c8bc32b230559d877aaf9b4c",
|
|
2078
2080
|
"lib/middleware/cors.js": "sha256:7ef687c8c681886838858b65c59d51061f6b70730460470c7173a8210690f1bb",
|
|
@@ -2172,7 +2174,7 @@
|
|
|
2172
2174
|
"lib/parsers/safe-yaml.js": "sha256:96c45432e9cb0c1b78ccf9fa3f4537fe8ce2f9404b8220ba7e0e02e046a41d9e",
|
|
2173
2175
|
"lib/permissions.js": "sha256:86ecd3bbf80c65dacdf4a98101d421fa9d97a8632d11c34e578c9b23334b4e9d",
|
|
2174
2176
|
"lib/pick.js": "sha256:944653b8fe5e4f5d32bc24ace79e4855f11d7f6fb2e0b766c2063f743d038340",
|
|
2175
|
-
"lib/pipl-cn.js": "sha256:
|
|
2177
|
+
"lib/pipl-cn.js": "sha256:6f72e6860ae7dfa8271bc54c104c29b8188845075347aae3fd9485e1807df67c",
|
|
2176
2178
|
"lib/pqc-agent.js": "sha256:47319cf87a43d93ded8e8b4e3e52d156c8d57b0053fe6ca53ed2b8b8d8259c40",
|
|
2177
2179
|
"lib/pqc-gate.js": "sha256:18a8c7bc9f01a5ce2a87f22474e4601ae0ad99d4264f0f7c5c85e5ca0c2c68c2",
|
|
2178
2180
|
"lib/pqc-software.js": "sha256:0945fa073cbf3683b6e524a868155eb966285d7409432cef6de85f7b1a9290e7",
|
|
@@ -2194,7 +2196,7 @@
|
|
|
2194
2196
|
"lib/redact.js": "sha256:1cd102db31eb48ffbc677c39013ddc1b829db7597d808785a7b202a5e0dc691d",
|
|
2195
2197
|
"lib/redis-client.js": "sha256:9f8168b11b81ce7b649b2e0658ceeb7134a257435b611f4917d36e1ed178a3e5",
|
|
2196
2198
|
"lib/render.js": "sha256:1890c0cce371ea93c1820f70ea544dee25d8d9bd427fdfd6688d7cb17720ed8b",
|
|
2197
|
-
"lib/request-helpers.js": "sha256:
|
|
2199
|
+
"lib/request-helpers.js": "sha256:19bb581a59330313bb71507248ff294394d35fbd289004360499fedfd85a010b",
|
|
2198
2200
|
"lib/resource-access-lock.js": "sha256:868d2c0a59d2ca2757a334858779d23e0cde9c18bf63c535350d8ebd6ae20b53",
|
|
2199
2201
|
"lib/restore-bundle.js": "sha256:c2a9c3af19434a2072ea4cc721211119f71ba363bbbad9df7ac34a3ff03e43e2",
|
|
2200
2202
|
"lib/restore-rollback.js": "sha256:f00e2f40e2e6a14bc6687afe8c112e367d83314eb04592d9ba399cb699fb0e03",
|
|
@@ -2210,7 +2212,7 @@
|
|
|
2210
2212
|
"lib/safe-dns.js": "sha256:60fbf77f8dfcc0ac66a943ba94f960a4a4b724c78f07f9150779525d3d460001",
|
|
2211
2213
|
"lib/safe-ical.js": "sha256:a8f40466b21a1416d5aa3a5a09b75cd48c29be2f9aabec6632db26b9b7868e23",
|
|
2212
2214
|
"lib/safe-icap.js": "sha256:23f334de6ee463238e26bf9612fc7bfc623519630674c48bf1590f2952c0568b",
|
|
2213
|
-
"lib/safe-json.js": "sha256:
|
|
2215
|
+
"lib/safe-json.js": "sha256:be211b9ba0da82c95dd655eb764c06e4db6b76b901f4193a886761c062f57c7b",
|
|
2214
2216
|
"lib/safe-jsonpath.js": "sha256:0d5a0191de5cba7564847d6419a63c9949fb310f6a77c5637d2ad7b8ca30623c",
|
|
2215
2217
|
"lib/safe-mime.js": "sha256:885bf0b2932d5ad492ec981f21068e1f85bb6738383a140b27e33659b690931e",
|
|
2216
2218
|
"lib/safe-mount-info.js": "sha256:790d047481e0a2c04d3dd1f6f1645e2d6fada2f1dd1efde93ca647d2177ca7d4",
|
|
@@ -2235,9 +2237,9 @@
|
|
|
2235
2237
|
"lib/server-timing.js": "sha256:74f2556480363c860a7c80a3f2bc1adb68fee53aa4335059069fae66a1eb627c",
|
|
2236
2238
|
"lib/session-device-binding.js": "sha256:fa3ea628963f96fe2c233faecb6d1ec482508b121a861f9b4feb9ec0e7e4af62",
|
|
2237
2239
|
"lib/session-stores.js": "sha256:b79de919061a2bfeb090185bcc511919fb01d3e7a495fe0a7c711cf6cf65137b",
|
|
2238
|
-
"lib/session.js": "sha256:
|
|
2240
|
+
"lib/session.js": "sha256:295d6da9aeb1ff299a43670e4cc6127755146f9c6d9c08e5638e584a74d587ed",
|
|
2239
2241
|
"lib/slug.js": "sha256:bcebb078559528e6bb50a6244633d425ffdd861bb7a708c2b201eae3b3c44b35",
|
|
2240
|
-
"lib/sql.js": "sha256:
|
|
2242
|
+
"lib/sql.js": "sha256:0bd253186224b8757dc35e3933462773f40f9e08dc8930fa7985ad28fa79f27c",
|
|
2241
2243
|
"lib/sse.js": "sha256:5e4fca52ddb92ab1c13ad7434c6b13d5c4ef0f7fc3845b003f8c3603c1629dbf",
|
|
2242
2244
|
"lib/ssrf-guard.js": "sha256:65d3d1bf6841064cdf9b9e7ffb5a0a3ac9358e462943f5de09087640353dfac4",
|
|
2243
2245
|
"lib/standard-webhooks.js": "sha256:e604534d48202a41f2c9f6954a990731db80d0693794d3a80f371f843490ff57",
|
|
@@ -2292,14 +2294,14 @@
|
|
|
2292
2294
|
"lib/wiki-concepts.js": "sha256:54789790b950d926cbd0657dd51b32435c4988012b520819615df93673680de5",
|
|
2293
2295
|
"lib/worker-pool.js": "sha256:fc35b3c9f83a4c72be0981400f5294b566472bfe187df0500775e37dd71afa4c",
|
|
2294
2296
|
"lib/worm.js": "sha256:f17e24f8ca39295f396f40bd0c4ad1c946f5e41ff646ef1b33e8d50dc8b9435e",
|
|
2295
|
-
"lib/ws-client.js": "sha256:
|
|
2296
|
-
"lib/x509-chain.js": "sha256:
|
|
2297
|
+
"lib/ws-client.js": "sha256:e92abc9749576b8f93327e89bf3171dc3799e8dd427d2071b1ac362222c95faa",
|
|
2298
|
+
"lib/x509-chain.js": "sha256:fdc0ecd264d9de0e039f348e819675fdf3838d61097a97a0e3e119def338722a",
|
|
2297
2299
|
"lib/xml-c14n.js": "sha256:01a27d20df99ebd6eaefbff0aad933a2231049f65a54ae994236694d4146ce5d",
|
|
2298
2300
|
"oss-fuzz/projects/blamejs/Dockerfile": "sha256:277c9e93cf2e8746b0a6d09a0678b35cbe700e9c2373bdc1b2177ed2167b7359",
|
|
2299
2301
|
"oss-fuzz/projects/blamejs/README.md": "sha256:ae13b7bb79ed8d69b1b3276e5562807a0349fb6e6b7d11cf1f683aad1eafdb4b",
|
|
2300
2302
|
"oss-fuzz/projects/blamejs/build.sh": "sha256:0ced1cf21782c97be7f8d74faf5e27a308b60b2f858836fb5ca3b8c4e939a8f7",
|
|
2301
2303
|
"oss-fuzz/projects/blamejs/project.yaml": "sha256:59f2cb83aa622325a175b77416fe155be15b70a9c798bd1a78bba05763b1b03d",
|
|
2302
|
-
"package.json": "sha256:
|
|
2304
|
+
"package.json": "sha256:143094b666ec1ec64477ebd9b73bf214fb1abb91f9d1e3e82f340d9c25dadb42",
|
|
2303
2305
|
"release-notes/v0.0.x.json": "sha256:7a49819f30068ee119000cad7010194882bb8bfaa12acbdab4dfc066efb7982f",
|
|
2304
2306
|
"release-notes/v0.1.x.json": "sha256:6742a8c17f947c5cb76f69dead7eea86b942d80621d914b774ba5488e09937e5",
|
|
2305
2307
|
"release-notes/v0.10.x.json": "sha256:fe498045daf88337bd3d987e5964aa42c99a50e1685b6f09e51f698b8687726f",
|
|
@@ -2314,6 +2316,7 @@
|
|
|
2314
2316
|
"release-notes/v0.15.12.json": "sha256:7d3bec8c06680e4d583ecfae01e36bffb891d2fea7d1852c6016aea174d93794",
|
|
2315
2317
|
"release-notes/v0.15.13.json": "sha256:afac0388fe6f6094f2d6bcc34c167bf41c5016cef001e9d32393c57cd5f0ea0c",
|
|
2316
2318
|
"release-notes/v0.15.14.json": "sha256:13e065666436b6d852d1e9e17933d7ee2327bbe7b3d6adc5cec846c858140f34",
|
|
2319
|
+
"release-notes/v0.15.15.json": "sha256:5e8f3456e4efa180e8ba368b92616f9f3e57745cdca5fad9bba1c013f728632b",
|
|
2317
2320
|
"release-notes/v0.15.2.json": "sha256:36e1423dda94ed4e55c660e0fae882019005d8de3ee5e3b6ac4f38ccf8e744a2",
|
|
2318
2321
|
"release-notes/v0.15.3.json": "sha256:19a0074c445545468ca3cc411b21ec8bdb27be2669ae1950347cc244f6aa348c",
|
|
2319
2322
|
"release-notes/v0.15.4.json": "sha256:6ac7fa0ef1728c27e71b2050d1b07a810f9b4b1440ccddbf28ad56e2f54d8585",
|
|
@@ -2354,7 +2357,7 @@
|
|
|
2354
2357
|
"scripts/vendor-data-gen.js": "sha256:76b627bc6e19b4a122edfca6f514bcb8ca11af02902f0957e641f503337a8a0f",
|
|
2355
2358
|
"scripts/vendor-data-keygen.js": "sha256:94eaa4d8f832b4aac9ccbcb2a07e6b99cd35cf7b044e1412079cebdefc1f4c0e",
|
|
2356
2359
|
"scripts/vendor-update.sh": "sha256:c1c879ee620f064a06d776c1d330749b5128a35581352ef385fa8baf4a35f79a",
|
|
2357
|
-
"test/00-primitives.js": "sha256:
|
|
2360
|
+
"test/00-primitives.js": "sha256:64f3a0ec3678f8b3ab401ed59cdc1139f4e8720f5ed61443a718d8f480f64d5b",
|
|
2358
2361
|
"test/10-state.js": "sha256:7f286e00fda002ccf50ccc59d658b6dce9a4bccee304232984a932a2ceb31c49",
|
|
2359
2362
|
"test/20-db.js": "sha256:241ef6b7ef305d077aeafb22ee3bcc75b6b549a8fa9b1a6b5d6d5fba43b48d7d",
|
|
2360
2363
|
"test/30-chain.js": "sha256:5aec1fb27d1a87ac74fb3613192b0d6b9cb8bb1dbf5cefdd0fc04eceb9fc3d35",
|
|
@@ -2495,7 +2498,7 @@
|
|
|
2495
2498
|
"test/layer-0-primitives/auth-bot-challenge-verifier.test.js": "sha256:082c610cce567f6fb76f030741ace572f770f600d7aa20a35d19b45f8b908ac2",
|
|
2496
2499
|
"test/layer-0-primitives/auth-bot-challenge.test.js": "sha256:710e899f9fdcf0e6c5fc314b39540cd5a5cb0d04d06fc1407eafb297b4ad40e5",
|
|
2497
2500
|
"test/layer-0-primitives/auth-jar.test.js": "sha256:f539217f22205918d22b3a8d651c92a9d837df8279b10a89afae3a7863a10d0e",
|
|
2498
|
-
"test/layer-0-primitives/auth-jwt-defenses.test.js": "sha256:
|
|
2501
|
+
"test/layer-0-primitives/auth-jwt-defenses.test.js": "sha256:8ffb8b666be8887bd1994ed267e1675c936c2ac321e527ebe07e0ebca848bfbd",
|
|
2499
2502
|
"test/layer-0-primitives/auth-lockout.test.js": "sha256:cf409719531f9a4ae43cdf1cb6cd697702d5b729d05fbcc48aa15e28692402fb",
|
|
2500
2503
|
"test/layer-0-primitives/auth-password-audit.test.js": "sha256:9f7152a245d1ba88418402aa6a7e54f4c217f7707e2962998edb1e26d34e067d",
|
|
2501
2504
|
"test/layer-0-primitives/auth-status-list.test.js": "sha256:3a8e24e3d32028e3690c940459f113271980882672f5615e2cfc05e91ef31c83",
|
|
@@ -2535,6 +2538,7 @@
|
|
|
2535
2538
|
"test/layer-0-primitives/cdn-cache-control.test.js": "sha256:25cbc2647ea4df15d24814b33141fe3f13aaa1a019b049eb3e3737228eb9d493",
|
|
2536
2539
|
"test/layer-0-primitives/cert.test.js": "sha256:a96976ab27310bb061fef43d091300541b33d90a070d6e8861a29ab3369965f4",
|
|
2537
2540
|
"test/layer-0-primitives/chain-writer-multichain.test.js": "sha256:0b5b0b46dd93a6c4e562ed2e54248b34ab3d8a2dbe773874817d5fa7d93841f7",
|
|
2541
|
+
"test/layer-0-primitives/ciba-authreqid-binding.test.js": "sha256:9192cb6a45a753b3b3d93e8c6e0ab096d50abc68d6bf98c453a87ca11921b755",
|
|
2538
2542
|
"test/layer-0-primitives/clear-site-data.test.js": "sha256:e4d12d03239d4162bdb755648a353e4af2f5c97df79661c90ffeb7b8734f1587",
|
|
2539
2543
|
"test/layer-0-primitives/cli-api-key.test.js": "sha256:42cdf225829fb90018bbe34cd96d5527d45c05093503ed243e59aafeea09677f",
|
|
2540
2544
|
"test/layer-0-primitives/cli-audit-verify-chain.test.js": "sha256:52d18ab08f5a65458ca72c66ef2c4067f84d329153b21bbb1417e2bfe600f071",
|
|
@@ -2554,7 +2558,7 @@
|
|
|
2554
2558
|
"test/layer-0-primitives/cluster-storage.test.js": "sha256:238b3b3db0eba3e6312a863710533178f566347b90e161e564481aa826707647",
|
|
2555
2559
|
"test/layer-0-primitives/cluster-vault-rotation.test.js": "sha256:3514e9e71d6c39e805248f58ad2f41528d091e196c0f3766a032675677161b2d",
|
|
2556
2560
|
"test/layer-0-primitives/cms-codec.test.js": "sha256:7e46078ed82be5b69d22c48f22dba37ea5015371c2a8cf5f94fb1a792fb7bb78",
|
|
2557
|
-
"test/layer-0-primitives/codebase-patterns.test.js": "sha256:
|
|
2561
|
+
"test/layer-0-primitives/codebase-patterns.test.js": "sha256:be13f11407b7367a7588023cb39fc02acfd1dbf6c9a13ce1c1d7223b8b649523",
|
|
2558
2562
|
"test/layer-0-primitives/codepoint-class.test.js": "sha256:19764d50264a98cb8fb28575dd82ff7a97e857922c42d9efe886e13d5063e0c5",
|
|
2559
2563
|
"test/layer-0-primitives/compliance-ai-act.test.js": "sha256:5ee4ad05d12233cb3c5457ef10a727833710bbc1ce1318838f9f9ef5d2cb8d4b",
|
|
2560
2564
|
"test/layer-0-primitives/compliance-cascade.test.js": "sha256:ee02cf14541a837a9d7977c6ea6bf7f9210bed293925d93c976e31f270aebec4",
|
|
@@ -2592,7 +2596,7 @@
|
|
|
2592
2596
|
"test/layer-0-primitives/crypto-random-int.test.js": "sha256:1fc301c60a2cc2ae273ddcfe576437d469254172be1d4a7665d1500e645a5c2d",
|
|
2593
2597
|
"test/layer-0-primitives/crypto-self-test.test.js": "sha256:4af3bd72841079b6f60d85161491cb85f42878b90cf6680a9382312a3fbf6018",
|
|
2594
2598
|
"test/layer-0-primitives/crypto-xwing.test.js": "sha256:d6b3e7627c33390c9764a344f2896a687a7bf7051116eb920471e67b4f63c512",
|
|
2595
|
-
"test/layer-0-primitives/csp-builder.test.js": "sha256:
|
|
2599
|
+
"test/layer-0-primitives/csp-builder.test.js": "sha256:65c6e6a773863e1f59f36c941912f9907d6bdb9da003ba8afe13243d214b1386",
|
|
2596
2600
|
"test/layer-0-primitives/csp-nonce.test.js": "sha256:5243603cd6d837867386ea073556d4b4b235e0dd56ae8ce12965df91c4fb540b",
|
|
2597
2601
|
"test/layer-0-primitives/csp-report.test.js": "sha256:8bb2e54a31fd4317a6a39a4dc3358147a0102dbfa58b71d85a5743008289a2ff",
|
|
2598
2602
|
"test/layer-0-primitives/csrf-protect.test.js": "sha256:802a8de2fee57c01a03b523cd6701780c181838006356c30a01452b30381225b",
|
|
@@ -2611,7 +2615,7 @@
|
|
|
2611
2615
|
"test/layer-0-primitives/db-query-cross-schema.test.js": "sha256:9a21cab75881299f160032f388e9494232d4d4cade53c9550c734124dde5a785",
|
|
2612
2616
|
"test/layer-0-primitives/db-query-extensions.test.js": "sha256:312e5bf181274bea8017861d9c02b848c8058dde402c9e28cd3b043fb6e5ac78",
|
|
2613
2617
|
"test/layer-0-primitives/db-query-sealed-field-in.test.js": "sha256:7f4eff25fb359564eb5c12cc16b5a3d4b499f54955380599a22aa4fbd46463e3",
|
|
2614
|
-
"test/layer-0-primitives/db-raw-residency-gate.test.js": "sha256:
|
|
2618
|
+
"test/layer-0-primitives/db-raw-residency-gate.test.js": "sha256:1841e4a9b822e51bfe1d2a2565476686299c87e0d8060c319bbf01d5facdbf30",
|
|
2615
2619
|
"test/layer-0-primitives/db-role-for.test.js": "sha256:db17949e409e62b5b5085b5ffc72ceb7d96d590ac65c547580a0ad1adb81b87b",
|
|
2616
2620
|
"test/layer-0-primitives/db-schema-drift.test.js": "sha256:a94e511540f40f78e6cebeb48d91f09c9808cf8cbdf4cdd6b225bcfd9815b1f2",
|
|
2617
2621
|
"test/layer-0-primitives/db-schema-reconcile-emittable.test.js": "sha256:8c8dc6d433341320c4742f6ffc2f27c89172d4daf8c463692373b43b6bcd773e",
|
|
@@ -2652,7 +2656,7 @@
|
|
|
2652
2656
|
"test/layer-0-primitives/fedcm-dbsc.test.js": "sha256:4e918c5234e8db4cd84882d577d3be70b6704fb1d3edd836351a45d037e9b44d",
|
|
2653
2657
|
"test/layer-0-primitives/federation-vc-suite.test.js": "sha256:8d76e5800e5625db3eef4a37e3fafa3cb258c3d830f2ee90a4a051f87f050341",
|
|
2654
2658
|
"test/layer-0-primitives/fetch-metadata.test.js": "sha256:9b99953d3f1556b05597e30f65ba32d77f65a5a336e4de32fbbd2dfcec054b16",
|
|
2655
|
-
"test/layer-0-primitives/fido-mds3.test.js": "sha256:
|
|
2659
|
+
"test/layer-0-primitives/fido-mds3.test.js": "sha256:b363a3f2e6036d6356ffd506f2de7a099bdb4ded77b6c183134d2c1acbeefb25",
|
|
2656
2660
|
"test/layer-0-primitives/file-type.test.js": "sha256:ba6bb725857cbf7b165f4391e3aa126c9fc4286c5afb92d1964ff1d0dfd2b57c",
|
|
2657
2661
|
"test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js": "sha256:ad13f7f84a33899b4f4e66b74c896f606e070bfe5df769b0acd109cfb7ab38c7",
|
|
2658
2662
|
"test/layer-0-primitives/flag.test.js": "sha256:8b58826342b8c28d90e11e4cfe1a7e266c2296615a90558221cad12e9f6ecb4e",
|
|
@@ -2739,7 +2743,7 @@
|
|
|
2739
2743
|
"test/layer-0-primitives/lro.test.js": "sha256:134407dc88a84450d69e15c23ff9d47617466f23a436b3d61339e6836e0c42ce",
|
|
2740
2744
|
"test/layer-0-primitives/mail-agent.test.js": "sha256:51725784bab6849cb02f1e94e0ba97c2b8e7e101780a26ae7ec19f9d894640ef",
|
|
2741
2745
|
"test/layer-0-primitives/mail-arf.test.js": "sha256:2279aebee547903a8c1415c9fc1c9c194757b3917e869bfddb43dd0375e68a93",
|
|
2742
|
-
"test/layer-0-primitives/mail-auth.test.js": "sha256:
|
|
2746
|
+
"test/layer-0-primitives/mail-auth.test.js": "sha256:4b967c9921ad3e9e84f87eca1a6077d7d089750c4e919ec3ea09e4a11cd06884",
|
|
2743
2747
|
"test/layer-0-primitives/mail-bimi.test.js": "sha256:3e12e211e1f75f07d1ba43ada69c9adcd205902194f983d8ae24293b1acd1cd5",
|
|
2744
2748
|
"test/layer-0-primitives/mail-bounce.test.js": "sha256:d4ef09adc71e1c9e336a9fc5b059e6b264d9abcd0c032023bfa7b15a9173a4b7",
|
|
2745
2749
|
"test/layer-0-primitives/mail-canspam.test.js": "sha256:c21dec043c9984d191af0b1f3425e85953b559ec6dfdf281a5f746f7121eb281",
|
|
@@ -2749,7 +2753,7 @@
|
|
|
2749
2753
|
"test/layer-0-primitives/mail-dav.test.js": "sha256:5b4dcb1b9d8942f0cc2235a99487b076cf4f984933c609d737bb40471ae7333c",
|
|
2750
2754
|
"test/layer-0-primitives/mail-deploy-tlsrpt.test.js": "sha256:3063225653b0cc3a6c8653b6e6ebd1e4ffbb3939b51d21f710d718426a3eeaa4",
|
|
2751
2755
|
"test/layer-0-primitives/mail-deploy.test.js": "sha256:b3e85993397ada25ee86b43403a9307f4e8c0b87e9252967e944bd9c733baaf7",
|
|
2752
|
-
"test/layer-0-primitives/mail-dkim.test.js": "sha256:
|
|
2756
|
+
"test/layer-0-primitives/mail-dkim.test.js": "sha256:84b0aeb3b9e7c3852e06998ff6af5427bd4445d247b73ec8e2511a8c1cd21e9d",
|
|
2753
2757
|
"test/layer-0-primitives/mail-feedback-id.test.js": "sha256:f4890df9aa9650680abe99dacb5072b0e4b207be178d1be0e6e139c697185329",
|
|
2754
2758
|
"test/layer-0-primitives/mail-greylist.test.js": "sha256:ef3e1618a2bea628a09405ad8751e63a1de47e92aeb2d1b421702fd4eae5e768",
|
|
2755
2759
|
"test/layer-0-primitives/mail-header-injection.test.js": "sha256:50f1a6060f458dc414896d10d614ac177df610a1c3e4f0aa4c1fbfdc0a869136",
|
|
@@ -2781,7 +2785,7 @@
|
|
|
2781
2785
|
"test/layer-0-primitives/mdoc.test.js": "sha256:2fe1086192385e71f858554d676b299b86594d34226e1d774ffefc97b5fa03a4",
|
|
2782
2786
|
"test/layer-0-primitives/metrics-shadow-registry.test.js": "sha256:8ea834fd6b549c18976b535660a53aafccb1c6f0b7762086e8dbbc7ab8d832b6",
|
|
2783
2787
|
"test/layer-0-primitives/metrics-snapshot.test.js": "sha256:aa405be22acb6680b062d1de1aa7ce00029e414218a0e4e521e10a14b2254851",
|
|
2784
|
-
"test/layer-0-primitives/middleware-compose-pipeline.test.js": "sha256:
|
|
2788
|
+
"test/layer-0-primitives/middleware-compose-pipeline.test.js": "sha256:a779468bde043b6de4add5d4405a33973163890ee667b833e3330373ee64f77d",
|
|
2785
2789
|
"test/layer-0-primitives/mime-parse.test.js": "sha256:73ccfea7d08b0c3b5fb899215806d4f430c02bf63e21835024a4cdcfc4254b31",
|
|
2786
2790
|
"test/layer-0-primitives/money.test.js": "sha256:c357f8b1cd0c51cf5dc1450449338f41a1bddebbd59f27b3c26b882d13309e8d",
|
|
2787
2791
|
"test/layer-0-primitives/mtls-ca-paths.test.js": "sha256:71518f55b516c202021f62e720af710aa98c86be8aca33bda1decac6afa1218b",
|
|
@@ -2819,7 +2823,7 @@
|
|
|
2819
2823
|
"test/layer-0-primitives/passkey-real-vectors.test.js": "sha256:c8d986440e9c6d7ca78f8b03054d077f7b11af8326b6319aaaa569fb9cebf0bd",
|
|
2820
2824
|
"test/layer-0-primitives/passkey.test.js": "sha256:ae7b213deb42dc8412d496eab91071b4f65518ca0d37e24f17ecb31c095dc7fe",
|
|
2821
2825
|
"test/layer-0-primitives/permissions.test.js": "sha256:b8cc87f2e5b2bc39c784d3cf372620eaa37037e33c43c16addc4ad000c802ba2",
|
|
2822
|
-
"test/layer-0-primitives/pipl-cn.test.js": "sha256:
|
|
2826
|
+
"test/layer-0-primitives/pipl-cn.test.js": "sha256:3e4ea66ea16271f7ec0b24822e6f4a3ce6770283ca66cca26a4efe09d9dd0bf4",
|
|
2823
2827
|
"test/layer-0-primitives/pqc-agent-curve.test.js": "sha256:c0eac9ba5e8eb254661cd8b42b49fa006de626db2d18574550b79b9542b02998",
|
|
2824
2828
|
"test/layer-0-primitives/pqc-software.test.js": "sha256:d744e9640e9ae1acafb7218be446a58c5739707b86b8c64a8c4c1304cca8ff5b",
|
|
2825
2829
|
"test/layer-0-primitives/privacy-pass.test.js": "sha256:54f6002ac9c22df44710c9d1db130cfec292bea98185cc9f819dd3c7d2aeacfa",
|
|
@@ -2844,7 +2848,7 @@
|
|
|
2844
2848
|
"test/layer-0-primitives/rate-limit-xff-spoofing.test.js": "sha256:c0e1fde20c09596e860ff55f3ef148f34d9449c7f104347bb207a4742c28c65e",
|
|
2845
2849
|
"test/layer-0-primitives/redact-dlp.test.js": "sha256:42b80cd22185ce81e8caf71243e6f6bc2f3185a091ebe5fbb776bfab7bab37c3",
|
|
2846
2850
|
"test/layer-0-primitives/redis-client.test.js": "sha256:bb1f192c78311b7f3fededcf90a3e5bc3492fc31c001f64c642dd3eb9b631dd4",
|
|
2847
|
-
"test/layer-0-primitives/request-helpers.test.js": "sha256:
|
|
2851
|
+
"test/layer-0-primitives/request-helpers.test.js": "sha256:3ffecf0e5a23c581fe475b3589f2b6855a43296e3858da0eee71a921a34f2708",
|
|
2848
2852
|
"test/layer-0-primitives/request-log.test.js": "sha256:31479f63311b31a74aa7f636b7f9ef04c2f6bcb152b8b8c465a40d08461cc03f",
|
|
2849
2853
|
"test/layer-0-primitives/require-auth-cache-control.test.js": "sha256:36b9d77791285e2b2606a5d2f8f8c8536a46e7ec1f4f2c5e54ee1b17a3dece3d",
|
|
2850
2854
|
"test/layer-0-primitives/require-mtls.test.js": "sha256:ba041e00d098090b4ffa578bb8b3f01927043842a5057069502dc69ade2dc23d",
|
|
@@ -2880,7 +2884,7 @@
|
|
|
2880
2884
|
"test/layer-0-primitives/safe-vcard.test.js": "sha256:10a0695050afee64599411352b34382e15b8f9bd9045ed3951cc6bc561918c89",
|
|
2881
2885
|
"test/layer-0-primitives/safe-xml.test.js": "sha256:dc94bdc968449a87843a2403e4f9d402cd22fb7479cae30ae42e297ffec5a449",
|
|
2882
2886
|
"test/layer-0-primitives/saml-slo.test.js": "sha256:b8b3a5e71ad28a0a3e9b69bca9f570410bc8b8eab6a7fdfd186fdf12cd90854f",
|
|
2883
|
-
"test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js": "sha256:
|
|
2887
|
+
"test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js": "sha256:1396afcc34135ab025880ac74738f3eb1984f5725dcf2e676e6a2f1bd7f852c2",
|
|
2884
2888
|
"test/layer-0-primitives/sandbox.test.js": "sha256:9e4173ff52b2de662c9ca489c723df899f7dfa82526f0c67154de516b2e4f0e7",
|
|
2885
2889
|
"test/layer-0-primitives/scheduler-exactly-once.test.js": "sha256:f269740eba98d12f05f6fa50c7aa4f6ac49a5a69e1dff23898257405a51089fa",
|
|
2886
2890
|
"test/layer-0-primitives/scheduler-watchdog-stale-settle.test.js": "sha256:7ee8fc92151f36fcfefb7506e5c274599b6f6df8b83639bbe73738b1f263bb43",
|
|
@@ -2898,7 +2902,7 @@
|
|
|
2898
2902
|
"test/layer-0-primitives/self-update.test.js": "sha256:8f0b956a24a609913d14a25a39c03ac4e148f9ae88dcbaa28fbc8fa72517b249",
|
|
2899
2903
|
"test/layer-0-primitives/server-timing.test.js": "sha256:03fbad2878a8d629c0abf59c175d6de7b113e49b3eaffbdcd950b03920e54693",
|
|
2900
2904
|
"test/layer-0-primitives/session-device-binding.test.js": "sha256:92103c0bc7d6e03c01db3289a360ddea4d1eca58f5afffce19463e472ffc7fd3",
|
|
2901
|
-
"test/layer-0-primitives/session-extensions.test.js": "sha256:
|
|
2905
|
+
"test/layer-0-primitives/session-extensions.test.js": "sha256:42a43a2e82ee4fb1c576cc6dc2ebfcf531e3cbd05bbb5486a402de0bf1b8d141",
|
|
2902
2906
|
"test/layer-0-primitives/session-valid-from.test.js": "sha256:587bb6aa587d1fbaf84387bd17d0a46fbf0b97ceafc9d2a1416a0e7751e98ab0",
|
|
2903
2907
|
"test/layer-0-primitives/shape-match.test.js": "sha256:ce63e3be16ff7055fe0a24ffd314e6878a8d2145043a2e2bbc3821f3d9d48b7d",
|
|
2904
2908
|
"test/layer-0-primitives/sigv4-bucket-ops.test.js": "sha256:72891b4f6d053dbbc40d58c6fa413191d71e7d37dea068f46ec0d96299cf7696",
|
|
@@ -2907,7 +2911,7 @@
|
|
|
2907
2911
|
"test/layer-0-primitives/smtp-policy.test.js": "sha256:184fee03f15e5b607ded9ae034143c00561030830cdf7b96a70b3fcc2cb8d419",
|
|
2908
2912
|
"test/layer-0-primitives/source-comment-blocks.test.js": "sha256:83f8fdfc46fd384515932d120e00f76cd5fa041cb6f52e706c43cd5c56592309",
|
|
2909
2913
|
"test/layer-0-primitives/speculation-rules.test.js": "sha256:aa6a5b52d01832fd90db008220c861a412c61a1a5e90bb179f393359e6579598",
|
|
2910
|
-
"test/layer-0-primitives/sql.test.js": "sha256:
|
|
2914
|
+
"test/layer-0-primitives/sql.test.js": "sha256:6e37d279606eaf02645ac1395e8814fde985ce638815b27c15cdc9d027a1700c",
|
|
2911
2915
|
"test/layer-0-primitives/sse-backpressure.test.js": "sha256:a435f5ca7e4b37f80c41da40d20d152cc2ad78d9e57fa020a054474b1feb8050",
|
|
2912
2916
|
"test/layer-0-primitives/sse.test.js": "sha256:ca58bd0149a2b62b7b08aa5003d81edcb9cc14e38cbc5fade1e6a2639a84cfe0",
|
|
2913
2917
|
"test/layer-0-primitives/ssrf-guard.test.js": "sha256:323f48e6ad057ea9977f6b798619ee8f7c74fa2d404a496086a9f61eb2cbd75b",
|
|
@@ -2956,8 +2960,8 @@
|
|
|
2956
2960
|
"test/layer-0-primitives/worker-pool-recycle-race.test.js": "sha256:84f02fb349ac9b10470271a16214b8fc08d4a89757c2958f296e6bd11307e394",
|
|
2957
2961
|
"test/layer-0-primitives/worker-pool.test.js": "sha256:0a3698d862346f64f98eb1c954694ad6a6b4cedbfc569a1f4d93233b7bfa733a",
|
|
2958
2962
|
"test/layer-0-primitives/worm.test.js": "sha256:0908cfbf7228de39ab68796505c29071d3117571b8a6c07cef7d1fa27d0380b8",
|
|
2959
|
-
"test/layer-0-primitives/ws-client.test.js": "sha256:
|
|
2960
|
-
"test/layer-0-primitives/x509-chain-ca-enforcement.test.js": "sha256:
|
|
2963
|
+
"test/layer-0-primitives/ws-client.test.js": "sha256:8cdea56969503e692b2bc2315495301ea51df6c718f98d722893a53715c04598",
|
|
2964
|
+
"test/layer-0-primitives/x509-chain-ca-enforcement.test.js": "sha256:8d68ffe4f8655af99682927524ae5a6c5336f32a57eb7c5c78fef5f2d1b2e6e3",
|
|
2961
2965
|
"test/layer-1-state/api-key.test.js": "sha256:48d641b673a181746adf80dfa995f0ca29187af17aa4735590557fda4350dcb8",
|
|
2962
2966
|
"test/layer-5-integration/bundler-output.test.js": "sha256:d54ea7e86cdeb0241d49df70e5c5962ad8a35e3a0a57ff0026361597c4785b0b",
|
|
2963
2967
|
"test/layer-5-integration/external-db-residency.test.js": "sha256:3ff1de115d465f1f35decf207d9263bb1bb5327892662bd992adddb8af9e0f49",
|
|
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.15.x
|
|
10
10
|
|
|
11
|
+
- v0.15.15 (2026-06-21) — **A focused correctness and hardening release: more authentication and signature verifiers fail closed (JWT issuer, SAML recipient binding, OAuth nonce, CIBA token binding, FIDO certification level), the WebSocket client bounds a fragmented message before it completes, DMARC resolves the From domain before the policy lookup, and the CSP builder refuses a directive-injecting source; fixes a middleware pipeline promise that never settled on a write-and-halt, and exposes the X.509 CA-bit issuer test, an IP-prefix helper, and a reverse-proxy-aware session fingerprint option.** This release continues to tighten existing protections without adding opt-ins on the request path. A further set of authentication and signature verifiers now refuse malformed or unbound credentials: JWT verify rejects an array-valued issuer claim (an any-match bypass, CVE-2025-30144 class), SAML requires the mandatory Recipient on a Bearer or holder-of-key confirmation and enforces every AudienceRestriction, OAuth no longer skips the ID-token nonce check on an empty nonce, CIBA binds the returned ID token to its auth_req_id, the FIDO MDS3 certification level reflects the authenticator's current status rather than its historical maximum, and a JOSE header that decodes to a non-object is a typed error rather than an uncaught throw. The WebSocket client now bounds a fragmented incoming message by its running total instead of only at the final frame, DMARC validates the From-header domain before the policy lookup, the data-residency write gate compares the residency column case-insensitively, and the SQL builder refuses an equality against NULL and validates every IN-list element. The CSP builder refuses a source token containing whitespace or a semicolon (directive injection). A middleware pipeline that a request handler halted by writing the response without calling next() left its promise pending forever, retaining the request closure — it now settles. New surface is additive and backward compatible: the basicConstraints-enforcing X.509 issuer test is exposed publicly, the session device fingerprint can resolve the client IP through a trusted-proxy allowlist, and the /24+/64 IP-prefix masking it uses is exposed for reuse. **Added:** *b.x509Chain — the CA-bit-enforcing X.509 issuer test* — isCaCert(cert) and issuerValidlyIssued(issuer, subject) are now public. Node's X509Certificate.checkIssued() does not enforce the basicConstraints cA bit (CVE-2002-0862 class), so a non-CA leaf can be accepted as an issuer; these helpers require cA:TRUE and verify the signature, fail closed on any malformed input, and are the same test the framework's own chain walkers use. A consumer validating a chain outside a TLS handshake (an operator-uploaded CA bundle, a non-handshake PQ-signed certificate) can now use the hardened path instead of raw checkIssued(). · *Reverse-proxy-aware session device fingerprint* — b.session.create / verify / rotate accept { trustedProxies } (CIDRs) or { clientIpResolver } so the built-in clientIp / clientIpPrefix fingerprint fields resolve the real client IP behind a trusted proxy, consistent with b.requestHelpers.trustedClientIp. Without the option the fingerprint still binds to the bare socket peer (unchanged default), so existing fingerprints keep matching; pass the same option to create, verify, and rotate. The /24 (IPv4) + /64 (IPv6) subnet masking is exposed as b.requestHelpers.ipPrefix for an operator using a function-form fingerprint field. **Changed:** *DKIM l= is counted over the canonicalized body* — On verify, the l= body-length tag was applied to the raw body before canonicalization, so a legitimate relaxed/relaxed signature whose l= matched the canonicalized length was rejected with a body-hash mismatch whenever relaxed canonicalization changed the byte count within the first l= octets. The body is now canonicalized first and the canonicalized octet stream truncated to l= (RFC 6376 §3.4.5). · *PIPL cross-border security-assessment threshold documentation corrected* — The b.pipl.sccFilingAssessment contract stated the CAC security assessment becomes mandatory above 100,000 cumulative PI subjects (the superseded 2022 figure). The builder enforces the current CAC Provisions on Promoting and Regulating Cross-Border Data Flows — a security assessment above 1,000,000 non-sensitive PI subjects or 10,000 sensitive, with the 100,000–1,000,000 band in the standard-contract / certification tier. The documentation now matches the enforced thresholds. **Fixed:** *composePipeline settles its promise when a middleware halts* — A regular middleware that wrote the response and returned without calling next() — the intended way to halt the chain from an auth / rate-limit / bot block — left the promise returned by b.middleware.composePipeline pending forever, retaining its request/response closure (an unbounded leak under sustained blocked traffic). The halt path now settles the promise without advancing to the route handler; the same applies to an error handler that consumes the error without calling next(). · *Quality-list header parsing is quote-aware* — parseQualityList mis-read a q= substring that appeared inside a quoted media-range or Accept-* parameter, mis-weighting content negotiation. It now parses the q parameter with quote-aware splitting. **Security:** *More authentication and signature verifiers fail closed* — JWT verify rejects an array-valued iss claim (it had passed through a generic any-match built for the legitimately-array aud claim, so a multi-issuer array satisfied a single-issuer expectation — CVE-2025-30144 class), matching the external JWT and OIDC verifiers. SAML verifyResponse requires the Recipient attribute on a Bearer or holder-of-key SubjectConfirmation and confirms it equals the ACS URL (an absent Recipient was silently skipped), and enforces every AudienceRestriction (AND-combined per SAML core). OAuth no longer fails open and skips the ID-token nonce replay check when the supplied nonce is empty. CIBA binds the polled / notified ID token to its auth_req_id so a token minted for another request can't be accepted. The FIDO MDS3 certification level reflects the authenticator's current status, not the highest level it ever held, so a later decertification or downgrade is honored by a step-up policy. A JOSE header or payload that decodes to JSON null or a non-object now raises a typed authentication error instead of an uncaught TypeError. · *WebSocket fragmented-message reassembly is bounded before completion* — The client enforced maxMessageBytes only when a fragmented message's final frame arrived, so a peer could stream unbounded continuation frames and exhaust memory before the limit was ever checked. The running reassembly total is now enforced per frame, and a frame arriving after close is ignored. · *DMARC resolves the From domain before the policy lookup* — The From-header bare addr-spec domain extraction did not reject RFC 5322 group syntax or a trailing semicolon, so a crafted From header could yield a corrupted domain that defeated the DMARC alignment / policy lookup. The domain is now validated (length-bounded, rejecting the group and punctuation forms) before it is used. · *Data-residency and SQL builder correctness* — The per-row data-residency write gate compares the residency column name case-insensitively, so a raw UPDATE that spells the column in a different letter case can no longer slip the cross-border transfer check. The SQL builder refuses an equality against NULL (col = NULL is always false; use IS NULL) and validates every element of an IN-list on the Postgres = ANY(?) path, matching the sqlite / MySQL path. · *CSP builder refuses a directive-injecting source* — A CSP source is a single non-whitespace token. build() and mergeDirectives() now reject a source containing whitespace or a semicolon — because the emitter space-joins sources and semicolon-joins directives, a value like "https://x; script-src https://evil" injected a live directive.
|
|
12
|
+
|
|
11
13
|
- v0.15.14 (2026-06-20) — **A broad security-hardening release: every request-IP trust decision is peer-gated against the immediate connection (closing an X-Forwarded-For spoofing class — one behavior change, see Migration), a wide set of authentication and signature verifiers now fail closed, pre-auth parsers are hardened against algorithmic-complexity and frame-desync attacks, and untrusted-key allowlist lookups, at-rest encryption binding, and on-disk writes are tightened framework-wide; adds streaming and exclusive atomic-write primitives, a script-context JSON serializer, and HTTP-client bandwidth throttling.** This release tightens existing protections across the framework rather than adding opt-ins. The headline behavior change is how the client IP is trusted: the IP gates that make security decisions (network allowlist, rate limiter, break-glass grant pin) no longer trust a bare leftmost X-Forwarded-For value when trustProxy is set without an explicit proxy allowlist — they resolve the client IP by a peer-gated right-to-left walk anchored at the connecting socket, so a direct caller can no longer forge an allowed address. Operators who terminate behind a proxy now declare its address range in trustedProxies (see Migration). Alongside that, a large set of verifiers that could accept a malformed or unsigned credential now fail closed (SAML audience restriction, FDA electronic-signature, SD-JWT key-binding replay, DPoP, CIBA, mdoc trust anchor, COSE algorithm/curve binding, agent-snapshot plaintext under a regulated posture); pre-authentication parsers that an attacker reaches before any credential check are hardened against quadratic-time and frame-desync denial of service (CBOR, JSONPath, tar/PAX, gzip, YAML, ASN.1 DER, the scheduler's timer math); allowlist and posture lookups keyed by untrusted input can no longer reach Object.prototype; the framework's own file writes are now symlink-refusing and atomic; at-rest and egress paths bind ciphertext to its location and redact nested secrets; and several lost-update races are serialized. New surface is additive: streaming and exclusive atomic-write primitives, a serializer safe to embed in an inline <script>, and download/upload bandwidth throttling on the HTTP client. **Added:** *b.atomicFile.writeStream(filepath, source, opts?) and b.atomicFile.writeExclSync(filepath, data, opts?)* — Two atomic-write primitives that complete the read-side fdSafeReadSync family. writeStream writes a stream to a fresh O_EXCL|O_NOFOLLOW temporary file with an output-byte cap, then renames into place; writeExclSync stages a synchronous write through a verify-then-rename (clearing any stale temp under O_EXCL|O_NOFOLLOW first) for the small sealed-state round-trips (vault seal / unseal / rotate). Both refuse to follow a symlink at the destination or temp path, so an attacker who pre-creates a link can't redirect the write. The framework's own predictable-temp and symlink-following write sites now route through them; fdSafeReadSync also gains a withStat option that returns the bound fd's stat alongside the bytes. · *b.safeJson.stringifyForScript(value, opts?)* — A JSON serializer safe to embed directly in an inline <script> block: it escapes <, >, and & and the U+2028 / U+2029 line separators so a value containing </script> or a JS line terminator cannot break out of the script context (DOM-XSS). The import-map helper gains scriptTag(importMap, { nonce }) built on it, and the speculation-rules inline emitter uses it. · *HTTP-client bandwidth throttling* — b.httpClient requests accept a bandwidth limit that interposes a throttling transform on both the download and upload paths, so a large transfer can be rate-shaped without buffering the whole body. Useful for bounding the egress a single outbound call can consume. · *Incremental audit-chain verification* — The audit verifiers accept a from/to range so a long chain can be verified in increments rather than head-to-tail every time, report an accurate rowsVerified count, and keep the newest review when reconciling. b.vault also exposes getDefaultStore() for callers that need the process's default seal/unseal store handle. **Changed:** *DORA major-incident reporting clock is four hours* — The Digital Operational Resilience Act initial-notification deadline is corrected to four hours from classification (it had used the generic 24-hour default), incident classification weighs the affected-client-base percentage, and the deadline anchors to the prior filing where one exists. · *Range and conditional-request correctness* — Compression skips a 206 Partial Content or any Content-Range response (RFC 7233 §4.1), so it can't drop Content-Length over a now-compressed byte interval; static-file conditional handling gives If-None-Match precedence over If-Modified-Since and If-Match over If-Unmodified-Since (RFC 7232); and the object store honors the [start, end] array range contract that previously fell through to a full read. · *Declared request bodies are always validated* — A route that declares a body schema now validates it even when no body was parsed, so an omitted required body is rejected at the router instead of reaching the handler — mirroring the always-run params and query checks. **Fixed:** *Object store getStream works on remote backends* — getStream() returned a stream wrapping an unresolved promise on every remote backend, so it never delivered bytes; it now resolves the object before streaming. · *Queue and body-parser correctness* — The local queue's fail()/complete() paths guard on the current row status so a stale lease can't resurrect or double-process a job, and the body parser's raw() mode no longer matches every content type by default (it had answered 415 to nothing or everything depending on the wildcard). · *Sanctions screening and GraphQL SDL probing no longer under-match* — Sanctions screening no longer skips a candidate whose type doesn't match the query's type filter (a sanctioned entity of an unspecified type was missed) and reports a typeMatch flag; the GraphQL federation guard probes for the _service / _entities introspection fields by word boundary (an aliased field bypassed the prefix check) and over batched-array request bodies. The per-tenant query budget is a true sliding window, so a burst straddling the window boundary can't briefly double the rate. **Security:** *Request-IP trust is peer-gated end to end* — The client-IP resolution that every IP gate depends on is extracted into one trust model (a trustedProxies-aware, peer-gated right-to-left walk) so the network allowlist, rate limiter, break-glass pin, and bot-guard audit attribution all decide identity the same way. X-Forwarded-Proto is peer-gated across the security middleware on the same model, and a WebSocket reconnect to a swapped target is re-validated against the SSRF / blocked-host guard before the connection is reused. See Migration for the one behavior change. · *Authentication and signature verifiers fail closed* — A set of verifiers that could accept a malformed or unsigned credential now refuse it: SAML verifyResponse fails closed on a missing AudienceRestriction or unparseable Conditions; the FDA 21 CFR 11 electronic-signature verify refuses a record with no signature (recordHash alone is self-consistency, not authentication); the SD-JWT key-binding JWT requires an audience and nonce (replay binding) and an expiry when configured; DPoP cross-checks the proof's alg against its embedded JWK key type before importing it; CIBA verifies the ID token on poll and notification; the mdoc trust anchor is enforced (no fail-open); COSE binds the signature algorithm to the key curve; and agent-snapshot refuses allowPlaintext under a regulated compliance posture and gates sealing on vault initialization. · *Pre-auth parsers hardened against complexity and frame-desync denial of service* — Parsers an attacker reaches before any credential check are bounded. CBOR rejects the quadratic-time duplicate-map-key construction (it ran O(n^2) on every COSE / CWT / EAT / mdoc verify) and rejects non-minimal integer/key encodings in canonical mode; JSONPath caps the node-list cross-product that could exhaust memory and rejects the filter expression that could overflow the parser stack; the tar reader caps a random-access entry read and resynchronizes a PAX header whose size field is non-numeric; the gzip reader caps a random-access output size; the YAML scanner replaces a backtracking pattern with a linear scan; the ASN.1 DER reader caps high-tag-number and OID sub-identifier decoding and rejects non-minimal forms; and the scheduler clamps far-future timers so a 32-bit overflow can't make a timer fire immediately or an interval tight-loop. · *Allowlist and posture lookups keyed by untrusted input can't reach the prototype* — Lookups of the form map[untrustedKey] across the framework's allowlist and compliance-posture tables are now own-property checks, so a key like __proto__ or constructor resolves as absent instead of returning an inherited value and walking the gate (CWE-1321). The shared posture-accessor that several guards built by hand is centralized, and an inverse detector flags any re-introduced unguarded indexed lookup. · *Framework file writes are symlink-refusing and atomic* — The predictable-temp and symlink-following write sites (cookie jar, config-drift snapshot, archive extraction, local object store, backup bundle, and the vault passphrase seal/unseal/rotate) now write through the atomic-write primitives above, so a pre-planted symlink at the destination or temp path can no longer redirect a privileged write, and a partial write can't leave a torn file. A re-introduced raw write without the exclusive/no-follow flags is flagged by a detector. · *X.509 issuer chains enforce the CA basic constraint* — Node's checkIssued() does not verify that the issuer certificate is actually a CA (CVE-2002-0862 class), so a leaf signed by a non-CA certificate could be accepted as an issuer. Certificate-chain walking is centralized in one helper that requires the issuer's basicConstraints cA bit and verifies the signature, and every chain consumer (TSA, BIMI, S/MIME, mdoc, content-credentials, the FIDO MDS3 anchor match) routes through it. · *Header, value, and markup injection closed* — Mail rejects CRLF in Reply-To and in custom header keys/values (SMTP header injection); the GDPR data-export CSV writer neutralizes formula-injection prefixes; the content guards decode no-semicolon numeric HTML entities when revealing a dangerous URL scheme (so javascript: is caught); the early-hints emitter rejects CRLF in pushed link values; the HTML/SVG/BIMI comment scanners honor the WHATWG abrupt-comment-close forms (--!>, <!-->) so a mutation-XSS comment can't smuggle markup; and the CSP builder no longer emits a host source alongside 'none'. · *At-rest and egress data is bound to its context* — Backup restore binds each encrypted file blob to its manifest path as additional authenticated data, so a blob remapped to another entry fails the AEAD tag on restore (signed and unsigned bundles alike), and threads the signature-verification options through extraction; the data-subject-request lookup dual-reads the keyed and legacy subject hashes so a subject is still found across the hashing change (GDPR Art. 17); the log redactor collapses a secret nested as an array or object value, not only as a scalar; and the OTLP exporter redacts the span name and status message, not just attributes, before they leave the process. · *Network-protocol verification hardened* — OCSP responses are bound to the requested certificate serial; the WebSocket reader rejects reserved opcodes and reserved bits; the DNS parser refuses a record that reads past the message buffer; the NTP client rejects a reply whose origin timestamp does not echo the request (and the SNTP cookie path was reworked to bind the exchange); DANE TLSA matching is constant-time; and MTA-STS policy fetch fails closed rather than degrading to no-policy on an ambiguous response. · *Byte caps are measured in bytes, and middleware enforcement is per-instance* — Size limits that compared a byte budget against a string's character length (so multibyte input slipped a ~2-4x looser bound) now measure actual bytes — guard-json per-string cap, the per-tenant quota header budget, the JMAP request cap. The CSRF and fetch-metadata middleware track their gate per instance, so mounting a second, stricter instance still enforces (a shared request flag previously let the first, lenient mount disable it); the CSRF cookie is still issued once per response. The WebAssembly global is stripped from the sandbox worker so sandboxed code cannot JIT around the isolation. · *Lost-update races serialized* — Concurrent failure recording in the login lockout and bot-challenge gates is serialized per key, so parallel failed attempts can no longer each read the same pre-write counter and stay under the lockout / challenge threshold. The inline webhook delivery is claimed before the POST so a concurrent retry pass can't double-send it, and a transient transport failure now backs off and retries instead of being dead-lettered. **Migration:** *X-Forwarded-For trust now requires an explicit proxy allowlist* — The IP gates that enforce a security decision — network allowlist, rate limiter, and the break-glass grant IP pin — previously resolved the client IP from the leftmost X-Forwarded-For value whenever trustProxy was truthy. A direct caller could set that header to any address and walk an IP allowlist or evade a rate-limit key (CWE-290 / CWE-348). These gates now fail closed: with trustProxy set but no trustedProxies, they ignore X-Forwarded-For and use the connecting socket's peer address. To keep trusting a forwarded client IP, set trustedProxies to the CIDR(s) of your front proxy/load balancer — the client IP is then resolved by a peer-gated right-to-left walk that stops at the first hop not in the allowlist. For an allowlist / rate-limit / break-glass gate the new default is stricter (it trusts less), so an operator who has not migrated sees tighter enforcement, never looser. Display-only consumers (error pages, request logs) keep the lenient resolution and carry a docstring warning. The wiki example's WIKI_TRUST_PROXY flag is replaced by WIKI_ADMIN_TRUSTED_PROXIES (a CIDR list).
|
|
12
14
|
|
|
13
15
|
- v0.15.13 (2026-06-19) — **Consolidates a large set of duplicated, security-sensitive code paths — injected-dependency validation, positive-integer option caps, TOCTOU-safe file reads, markup escaping, audit emission, structured-field parsing, and untrusted-JWK import — onto shared hardened primitives, so a fix or guard now applies everywhere at once; adds a TOCTOU-safe file reader; and makes several configuration errors throw typed framework errors instead of a bare Error.** Across the framework, logic that had been hand-rolled in many places (and had quietly drifted between copies) is now single-sourced through shared primitives. The practical effect for operators is consistency: the strongest available guard is applied everywhere a given operation happens, rather than in whichever copy happened to have it. Injected dependencies (stores, backends, vaults, db handles, query objects) are validated through one contract; operator-tunable positive-integer options (pool sizes, byte caps, timeouts, stream limits) validate through one bounds primitive that forwards the caller's non-retryable / HTTP-status flags; the open-fd → fstat → read-fully pattern that several call sites used to defend file reads against a swap-after-stat race (CWE-367) is now the b.atomicFile.fdSafeReadSync primitive, with symlink refusal, inode-equality, a byte cap, and an integrity hash available as options and each caller's exact typed error preserved; and the XML/HTML markup escapers (including the b.guardHtml / b.guardSvg sanitizer output) route through one b.markupEscape so the base & < > " chain can't drift between them. A few configuration-validation paths that threw a bare Error (httpClient.configurePool, b.db stream-limit validation) now throw the module's typed framework error. No security defaults change; this release tightens and unifies existing protections rather than adding opt-ins. **Added:** *b.atomicFile.fdSafeReadSync(filepath, opts?)* — A TOCTOU-safe synchronous file read (CWE-367 / js/file-system-race): it opens the path read-only, then binds the size, content, and integrity measurement to the inode the fd holds open, so a swap between stat and read can't change which bytes are returned. Optional guards layer on top — maxBytes (refuse an over-cap file), refuseSymlink + inodeCheck (refuse a symlink source and any inode swap, the strongest posture for operator-writable paths), expectedHash (SHA3-512), encoding (return a string), allowShortRead — and an errorFor(kind, detail) callback lets each caller keep its own typed error. The framework's own file reads (atomic-file, the TLS certificate-path loader, the sealed-PEM source reader, the backup bundle reader) all route through it. · *Shared substrate primitives for previously-duplicated logic* — A set of shared primitives now back call sites that had each re-implemented the same logic: validateOpts.requireMethods (gains a `permanent` flag) for injected-dependency contract checks; numericBounds positive-finite-int validators (gain an errorOpts { permanent, statusCode }) for tunable integer options; b.markupEscape for the & < > " markup chain; structured-field parsing helpers (parseTagList, forEachKeyValue, splitUnquoted, stripDoubleQuotes, unfoldHeaderContinuations); crypto.importPublicJwk and crypto.makeBase64UrlDecoder; safeSql.toPositional; safeBuffer.makeByteCoercer; nonceStore.enforceReplay; and the audit/observability namespaced emitters. These are mostly invisible substrate — the operator-visible benefit is that a guard or fix added to one of them now covers every caller. **Changed:** *Configuration errors throw typed framework errors* — Two configuration-validation paths that threw a bare `Error` now throw the module's typed framework error: httpClient.configurePool (bad maxSockets / maxFreeSockets / keepAliveMsecs → HttpClientError, code httpclient/bad-opts) and the b.db stream-limit validation (Query.stream → DbQueryError). The thrown error remains an Error subclass, so existing `instanceof Error` / try-catch handling is unaffected; code that matched the old free-text message should match the typed error's `code` instead. Several routed validators also report a slightly more precise message ("positive finite integer" instead of "positive integer"). **Fixed:** *Webhook deliveries retry transient transport failures instead of dead-lettering them* — A delivery that failed with a transient transport error (connection reset, timeout, 5xx) was recorded as permanently failed and dead-lettered rather than retried. The destination-safety check (SSRF / blocked-host guard) now runs in its own step and is the only permanent failure; a transport failure backs off and retries up to the configured limit. · *Webhook deliveries table creates on MySQL* — The pending-delivery index used a partial-index (WHERE) clause that MySQL does not support, so the deliveries table failed to create on a MySQL backend. The index is now dialect-aware — partial on PostgreSQL / SQLite, plain on MySQL. · *Inline webhook delivery can't be double-sent by concurrent retry processing* — An inline delivery is now claimed (status set to in-flight with a claim timestamp) before the POST, so a concurrent retry pass can't pick up and re-send the same delivery; a row left in-flight by a crash is reclaimed after the stale-claim window. · *Audit checkpoint can never be anchored against a replaced database* — close() fires a best-effort final checkpoint as the database shuts down. In a narrow close-then-reopen window that checkpoint's write could resume after a fresh database had opened and anchor the prior database's chain tip into it. checkpoint() now binds to the database it read the tip from and refuses to write (returns null, fail-closed) if that handle has since been closed or replaced — so a checkpoint is only ever written against the database it measured. **Security:** *TOCTOU-safe file reads applied uniformly* — The open-fd → fstat → read pattern that anchors a file read to one inode against a swap-after-stat race is now centralized in b.atomicFile.fdSafeReadSync, and every framework file read routes through it. The sealed-PEM source reader keeps the strongest posture (symlink refusal + inode-equality + byte cap), and those guards are now available as options to any caller — a re-introduced hand-rolled read-loop is flagged by a codebase-pattern detector. · *Injected-dependency and integer-option validation can't silently drift* — Injected stores / backends / vaults / db handles / query objects are validated through one contract (validateOpts.requireMethods), and operator-tunable positive-integer options through one bounds primitive (numericBounds), both forwarding the caller's non-retryable / HTTP-status error flags so a config error stays permanent / carries its 4xx. Inverse detectors flag any re-introduced inline check, so the validation can no longer be partially copied or weakened in one place. · *Single markup-escape chain for the HTML/SVG sanitizers* — The b.guardHtml and b.guardSvg sanitizer output escapers, the AI-Act transparency and mail HTML escapers, and the XML report escapers now share one b.markupEscape for the base & < > " chain (apostrophe form as a parameter; each caller keeps its own input coercion and any extra escapes such as guardHtml.escapeAttr's backtick / = IE-attribute-injection hardening). Byte-for-byte parity with the prior escapers was verified across an XSS-vector corpus, so the consolidation cannot have introduced an escaping gap; a re-inlined & < > " chain anywhere else is flagged by a detector. · *One hardening point for untrusted public-JWK import* — The createPublicKey-from-JWK call that imports attacker-controlled key material (DID publicKeyJwk, DNSKEY, COSE_Key, DPoP / OAuth / OIDC / DBSC proof JWKs) is centralized in b.crypto.importPublicJwk, so the untrusted-key import has a single audited home; each caller keeps its own kty/crv pre-validation and typed error. · *Linear-time Content-Security-Policy header parsing* — The CSP response-header parser split directives on a `/\s*,\s*/` regex that ran in O(n^2) on a long comma-less run of whitespace, letting a crafted header stall a worker (js/polynomial-redos). It now splits on the literal comma and trims each item, which is linear and byte-for-byte equivalent. · *Parsed INI and OpenAPI path maps can't reach Object.prototype* — The INI parser already refuses a `__proto__` / `constructor` / `prototype` section or key (it throws before any write); as defense-in-depth, every parsed node — and the OpenAPI paths map keyed by URL pattern — is now a null-prototype object, so even a future gap could only ever set an own property, never mutate Object.prototype (CWE-1321).
|