@blamejs/blamejs-shop 0.4.85 → 0.4.87
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/asset-manifest.json +1 -1
- package/lib/cart.js +75 -0
- package/lib/order.js +4 -2
- package/lib/security-middleware.js +1 -0
- package/lib/storefront.js +8 -1
- package/lib/vendor/MANIFEST.json +71 -39
- package/lib/vendor/blamejs/CHANGELOG.md +2 -0
- package/lib/vendor/blamejs/api-snapshot.json +11 -3
- package/lib/vendor/blamejs/lib/atomic-file.js +34 -0
- package/lib/vendor/blamejs/lib/auth/fido-mds3.js +10 -0
- package/lib/vendor/blamejs/lib/auth/password.js +1 -0
- package/lib/vendor/blamejs/lib/auth/saml.js +11 -3
- package/lib/vendor/blamejs/lib/daemon.js +4 -1
- package/lib/vendor/blamejs/lib/external-db.js +131 -0
- package/lib/vendor/blamejs/lib/graphql-federation.js +25 -15
- package/lib/vendor/blamejs/lib/log-stream-cloudwatch.js +1 -0
- package/lib/vendor/blamejs/lib/log-stream-local.js +14 -1
- package/lib/vendor/blamejs/lib/log-stream-otlp.js +1 -0
- package/lib/vendor/blamejs/lib/log-stream-webhook.js +1 -0
- package/lib/vendor/blamejs/lib/mail-auth.js +69 -14
- package/lib/vendor/blamejs/lib/mail-bimi.js +6 -0
- package/lib/vendor/blamejs/lib/mail-crypto-smime.js +10 -0
- package/lib/vendor/blamejs/lib/mail-dkim.js +68 -15
- package/lib/vendor/blamejs/lib/mail.js +39 -0
- package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +6 -2
- package/lib/vendor/blamejs/lib/network-dns-resolver.js +61 -11
- package/lib/vendor/blamejs/lib/network-dns.js +47 -2
- package/lib/vendor/blamejs/lib/network-nts.js +16 -0
- package/lib/vendor/blamejs/lib/network-proxy.js +55 -2
- package/lib/vendor/blamejs/lib/object-store/azure-blob-bucket-ops.js +1 -0
- package/lib/vendor/blamejs/lib/object-store/gcs-bucket-ops.js +1 -0
- package/lib/vendor/blamejs/lib/object-store/http-request.js +4 -0
- package/lib/vendor/blamejs/lib/outbox.js +29 -0
- package/lib/vendor/blamejs/lib/queue-sqs.js +1 -0
- package/lib/vendor/blamejs/lib/request-helpers.js +25 -6
- package/lib/vendor/blamejs/lib/session-device-binding.js +46 -24
- package/lib/vendor/blamejs/lib/session.js +85 -28
- package/lib/vendor/blamejs/package.json +1 -1
- package/lib/vendor/blamejs/release-notes/v0.15.16.json +94 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +51 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-append-nofollow.test.js +87 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +48 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/external-db-non-atomic-backend.test.js +200 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js +159 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/graphql-federation.test.js +49 -2
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-auth-dmarc-policy-failclosed.test.js +139 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-bimi-cert-validity-unparseable.test.js +137 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime-bad-validity.test.js +134 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-dkim-numericdate-failclosed.test.js +155 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/mail-proxy-framing-bounds.test.js +263 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-lookup-timeout-default.test.js +116 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver-timeout.test.js +126 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/network-nts-handshake-byte-cap.test.js +127 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js +238 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-destroy-all-store-backed.test.js +128 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding-ipv6-canonical-and-no-store.test.js +202 -0
- package/lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js +18 -9
- package/lib/vendor/blamejs/test/layer-0-primitives/webhook-verify-nonce-atomic.test.js +169 -0
- package/lib/webhooks.js +38 -9
- package/package.json +1 -1
package/lib/vendor/MANIFEST.json
CHANGED
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
"_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
|
|
4
4
|
"packages": {
|
|
5
5
|
"blamejs": {
|
|
6
|
-
"version": "0.15.
|
|
7
|
-
"tag": "v0.15.
|
|
6
|
+
"version": "0.15.16",
|
|
7
|
+
"tag": "v0.15.16",
|
|
8
8
|
"license": "Apache-2.0",
|
|
9
9
|
"author": "blamejs contributors",
|
|
10
10
|
"source": "https://github.com/blamejs/blamejs",
|
|
@@ -836,6 +836,7 @@
|
|
|
836
836
|
"release-notes/v0.15.13.json": "lib/vendor/blamejs/release-notes/v0.15.13.json",
|
|
837
837
|
"release-notes/v0.15.14.json": "lib/vendor/blamejs/release-notes/v0.15.14.json",
|
|
838
838
|
"release-notes/v0.15.15.json": "lib/vendor/blamejs/release-notes/v0.15.15.json",
|
|
839
|
+
"release-notes/v0.15.16.json": "lib/vendor/blamejs/release-notes/v0.15.16.json",
|
|
839
840
|
"release-notes/v0.15.2.json": "lib/vendor/blamejs/release-notes/v0.15.2.json",
|
|
840
841
|
"release-notes/v0.15.3.json": "lib/vendor/blamejs/release-notes/v0.15.3.json",
|
|
841
842
|
"release-notes/v0.15.4.json": "lib/vendor/blamejs/release-notes/v0.15.4.json",
|
|
@@ -992,6 +993,7 @@
|
|
|
992
993
|
"test/layer-0-primitives/atomic-file-conflict-path.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js",
|
|
993
994
|
"test/layer-0-primitives/atomic-file-exclusive-temp.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js",
|
|
994
995
|
"test/layer-0-primitives/atomic-file-fd-read.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js",
|
|
996
|
+
"test/layer-0-primitives/atomic-file-open-append-nofollow.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-append-nofollow.test.js",
|
|
995
997
|
"test/layer-0-primitives/atomic-file-open-nofollow.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js",
|
|
996
998
|
"test/layer-0-primitives/atomic-file-rename-retry.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-rename-retry.test.js",
|
|
997
999
|
"test/layer-0-primitives/atomic-file-write-excl.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-write-excl.test.js",
|
|
@@ -1167,6 +1169,7 @@
|
|
|
1167
1169
|
"test/layer-0-primitives/exploit-replay.test.js": "lib/vendor/blamejs/test/layer-0-primitives/exploit-replay.test.js",
|
|
1168
1170
|
"test/layer-0-primitives/external-db-hardening.test.js": "lib/vendor/blamejs/test/layer-0-primitives/external-db-hardening.test.js",
|
|
1169
1171
|
"test/layer-0-primitives/external-db-migrate.test.js": "lib/vendor/blamejs/test/layer-0-primitives/external-db-migrate.test.js",
|
|
1172
|
+
"test/layer-0-primitives/external-db-non-atomic-backend.test.js": "lib/vendor/blamejs/test/layer-0-primitives/external-db-non-atomic-backend.test.js",
|
|
1170
1173
|
"test/layer-0-primitives/external-db-routing.test.js": "lib/vendor/blamejs/test/layer-0-primitives/external-db-routing.test.js",
|
|
1171
1174
|
"test/layer-0-primitives/fal.test.js": "lib/vendor/blamejs/test/layer-0-primitives/fal.test.js",
|
|
1172
1175
|
"test/layer-0-primitives/fapi2.test.js": "lib/vendor/blamejs/test/layer-0-primitives/fapi2.test.js",
|
|
@@ -1175,6 +1178,7 @@
|
|
|
1175
1178
|
"test/layer-0-primitives/fedcm-dbsc.test.js": "lib/vendor/blamejs/test/layer-0-primitives/fedcm-dbsc.test.js",
|
|
1176
1179
|
"test/layer-0-primitives/federation-vc-suite.test.js": "lib/vendor/blamejs/test/layer-0-primitives/federation-vc-suite.test.js",
|
|
1177
1180
|
"test/layer-0-primitives/fetch-metadata.test.js": "lib/vendor/blamejs/test/layer-0-primitives/fetch-metadata.test.js",
|
|
1181
|
+
"test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js": "lib/vendor/blamejs/test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js",
|
|
1178
1182
|
"test/layer-0-primitives/fido-mds3.test.js": "lib/vendor/blamejs/test/layer-0-primitives/fido-mds3.test.js",
|
|
1179
1183
|
"test/layer-0-primitives/file-type.test.js": "lib/vendor/blamejs/test/layer-0-primitives/file-type.test.js",
|
|
1180
1184
|
"test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js": "lib/vendor/blamejs/test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js",
|
|
@@ -1262,16 +1266,20 @@
|
|
|
1262
1266
|
"test/layer-0-primitives/lro.test.js": "lib/vendor/blamejs/test/layer-0-primitives/lro.test.js",
|
|
1263
1267
|
"test/layer-0-primitives/mail-agent.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-agent.test.js",
|
|
1264
1268
|
"test/layer-0-primitives/mail-arf.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-arf.test.js",
|
|
1269
|
+
"test/layer-0-primitives/mail-auth-dmarc-policy-failclosed.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-auth-dmarc-policy-failclosed.test.js",
|
|
1265
1270
|
"test/layer-0-primitives/mail-auth.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-auth.test.js",
|
|
1271
|
+
"test/layer-0-primitives/mail-bimi-cert-validity-unparseable.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-bimi-cert-validity-unparseable.test.js",
|
|
1266
1272
|
"test/layer-0-primitives/mail-bimi.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-bimi.test.js",
|
|
1267
1273
|
"test/layer-0-primitives/mail-bounce.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-bounce.test.js",
|
|
1268
1274
|
"test/layer-0-primitives/mail-canspam.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-canspam.test.js",
|
|
1269
1275
|
"test/layer-0-primitives/mail-crypto-pgp-experimental.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp-experimental.test.js",
|
|
1270
1276
|
"test/layer-0-primitives/mail-crypto-pgp.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-pgp.test.js",
|
|
1277
|
+
"test/layer-0-primitives/mail-crypto-smime-bad-validity.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime-bad-validity.test.js",
|
|
1271
1278
|
"test/layer-0-primitives/mail-crypto-smime.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-crypto-smime.test.js",
|
|
1272
1279
|
"test/layer-0-primitives/mail-dav.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-dav.test.js",
|
|
1273
1280
|
"test/layer-0-primitives/mail-deploy-tlsrpt.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-deploy-tlsrpt.test.js",
|
|
1274
1281
|
"test/layer-0-primitives/mail-deploy.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-deploy.test.js",
|
|
1282
|
+
"test/layer-0-primitives/mail-dkim-numericdate-failclosed.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-dkim-numericdate-failclosed.test.js",
|
|
1275
1283
|
"test/layer-0-primitives/mail-dkim.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-dkim.test.js",
|
|
1276
1284
|
"test/layer-0-primitives/mail-feedback-id.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-feedback-id.test.js",
|
|
1277
1285
|
"test/layer-0-primitives/mail-greylist.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-greylist.test.js",
|
|
@@ -1279,6 +1287,7 @@
|
|
|
1279
1287
|
"test/layer-0-primitives/mail-helo.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-helo.test.js",
|
|
1280
1288
|
"test/layer-0-primitives/mail-journal.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-journal.test.js",
|
|
1281
1289
|
"test/layer-0-primitives/mail-mdn.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-mdn.test.js",
|
|
1290
|
+
"test/layer-0-primitives/mail-proxy-framing-bounds.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-proxy-framing-bounds.test.js",
|
|
1282
1291
|
"test/layer-0-primitives/mail-rbl.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-rbl.test.js",
|
|
1283
1292
|
"test/layer-0-primitives/mail-require-tls.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-require-tls.test.js",
|
|
1284
1293
|
"test/layer-0-primitives/mail-scan.test.js": "lib/vendor/blamejs/test/layer-0-primitives/mail-scan.test.js",
|
|
@@ -1312,9 +1321,12 @@
|
|
|
1312
1321
|
"test/layer-0-primitives/nel.test.js": "lib/vendor/blamejs/test/layer-0-primitives/nel.test.js",
|
|
1313
1322
|
"test/layer-0-primitives/network-allowlist.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-allowlist.test.js",
|
|
1314
1323
|
"test/layer-0-primitives/network-byte-quota.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-byte-quota.test.js",
|
|
1324
|
+
"test/layer-0-primitives/network-dns-lookup-timeout-default.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-dns-lookup-timeout-default.test.js",
|
|
1325
|
+
"test/layer-0-primitives/network-dns-resolver-timeout.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver-timeout.test.js",
|
|
1315
1326
|
"test/layer-0-primitives/network-dns-resolver.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-dns-resolver.test.js",
|
|
1316
1327
|
"test/layer-0-primitives/network-dns.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-dns.test.js",
|
|
1317
1328
|
"test/layer-0-primitives/network-heartbeat-passive.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-heartbeat-passive.test.js",
|
|
1329
|
+
"test/layer-0-primitives/network-nts-handshake-byte-cap.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-nts-handshake-byte-cap.test.js",
|
|
1318
1330
|
"test/layer-0-primitives/network-tls-build-options.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-tls-build-options.test.js",
|
|
1319
1331
|
"test/layer-0-primitives/network-tls-ct-inclusion.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-tls-ct-inclusion.test.js",
|
|
1320
1332
|
"test/layer-0-primitives/network-tls.test.js": "lib/vendor/blamejs/test/layer-0-primitives/network-tls.test.js",
|
|
@@ -1403,6 +1415,7 @@
|
|
|
1403
1415
|
"test/layer-0-primitives/safe-vcard.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-vcard.test.js",
|
|
1404
1416
|
"test/layer-0-primitives/safe-xml.test.js": "lib/vendor/blamejs/test/layer-0-primitives/safe-xml.test.js",
|
|
1405
1417
|
"test/layer-0-primitives/saml-slo.test.js": "lib/vendor/blamejs/test/layer-0-primitives/saml-slo.test.js",
|
|
1418
|
+
"test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js": "lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js",
|
|
1406
1419
|
"test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js": "lib/vendor/blamejs/test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js",
|
|
1407
1420
|
"test/layer-0-primitives/sandbox.test.js": "lib/vendor/blamejs/test/layer-0-primitives/sandbox.test.js",
|
|
1408
1421
|
"test/layer-0-primitives/scheduler-exactly-once.test.js": "lib/vendor/blamejs/test/layer-0-primitives/scheduler-exactly-once.test.js",
|
|
@@ -1420,6 +1433,8 @@
|
|
|
1420
1433
|
"test/layer-0-primitives/self-update-standalone-verifier.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js",
|
|
1421
1434
|
"test/layer-0-primitives/self-update.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js",
|
|
1422
1435
|
"test/layer-0-primitives/server-timing.test.js": "lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js",
|
|
1436
|
+
"test/layer-0-primitives/session-destroy-all-store-backed.test.js": "lib/vendor/blamejs/test/layer-0-primitives/session-destroy-all-store-backed.test.js",
|
|
1437
|
+
"test/layer-0-primitives/session-device-binding-ipv6-canonical-and-no-store.test.js": "lib/vendor/blamejs/test/layer-0-primitives/session-device-binding-ipv6-canonical-and-no-store.test.js",
|
|
1423
1438
|
"test/layer-0-primitives/session-device-binding.test.js": "lib/vendor/blamejs/test/layer-0-primitives/session-device-binding.test.js",
|
|
1424
1439
|
"test/layer-0-primitives/session-extensions.test.js": "lib/vendor/blamejs/test/layer-0-primitives/session-extensions.test.js",
|
|
1425
1440
|
"test/layer-0-primitives/session-valid-from.test.js": "lib/vendor/blamejs/test/layer-0-primitives/session-valid-from.test.js",
|
|
@@ -1473,6 +1488,7 @@
|
|
|
1473
1488
|
"test/layer-0-primitives/watcher.test.js": "lib/vendor/blamejs/test/layer-0-primitives/watcher.test.js",
|
|
1474
1489
|
"test/layer-0-primitives/web-push-vapid.test.js": "lib/vendor/blamejs/test/layer-0-primitives/web-push-vapid.test.js",
|
|
1475
1490
|
"test/layer-0-primitives/webhook-dispatcher.test.js": "lib/vendor/blamejs/test/layer-0-primitives/webhook-dispatcher.test.js",
|
|
1491
|
+
"test/layer-0-primitives/webhook-verify-nonce-atomic.test.js": "lib/vendor/blamejs/test/layer-0-primitives/webhook-verify-nonce-atomic.test.js",
|
|
1476
1492
|
"test/layer-0-primitives/webhook.test.js": "lib/vendor/blamejs/test/layer-0-primitives/webhook.test.js",
|
|
1477
1493
|
"test/layer-0-primitives/websocket-channels.test.js": "lib/vendor/blamejs/test/layer-0-primitives/websocket-channels.test.js",
|
|
1478
1494
|
"test/layer-0-primitives/websocket-extension-header.test.js": "lib/vendor/blamejs/test/layer-0-primitives/websocket-extension-header.test.js",
|
|
@@ -1489,7 +1505,7 @@
|
|
|
1489
1505
|
"test/smoke.js": "lib/vendor/blamejs/test/smoke.js"
|
|
1490
1506
|
},
|
|
1491
1507
|
"bundler": "shallow git clone of release tag from github.com/blamejs/blamejs",
|
|
1492
|
-
"bundledAt": "2026-06-
|
|
1508
|
+
"bundledAt": "2026-06-22",
|
|
1493
1509
|
"hashes": {
|
|
1494
1510
|
".clusterfuzzlite/Dockerfile": "sha256:c0f51f4c7d592caea19fdcb658778fe3beda648bb95c3e8809622e1209a18cf1",
|
|
1495
1511
|
".clusterfuzzlite/build.sh": "sha256:b9f5a627272c65f6569fa20dcbb32c383ca3a1183ce2562d481408a2fbaf9881",
|
|
@@ -1520,7 +1536,7 @@
|
|
|
1520
1536
|
".npmrc": "sha256:66f104e7d07c496d2d0409988225e8c0e4ceb8d247dbcac3be75b2128d20ce66",
|
|
1521
1537
|
".pinact.yaml": "sha256:0213ffda55961dc49b64c0a5dfa3c0567419633b1499d57eaf7c8d842d7da6c7",
|
|
1522
1538
|
"ARCHITECTURE.md": "sha256:9b1c8d2b1b7a41838eb348b0a008e4b4369718fd72bfe2974b37155f7536d35b",
|
|
1523
|
-
"CHANGELOG.md": "sha256:
|
|
1539
|
+
"CHANGELOG.md": "sha256:388b50ed32f785a21b9ef31b0b83a83b9a4da01fe15e1dca69b3ce91c4d7b84e",
|
|
1524
1540
|
"CODE_OF_CONDUCT.md": "sha256:148a281960fff7c2fe6554dab66da572c72245ddeb00b0d14811558397bff386",
|
|
1525
1541
|
"CONTRIBUTING.md": "sha256:bb4dbdbc8598da31dbce653a8ed322e08ff46560173f2eb67a4d684653948332",
|
|
1526
1542
|
"GOVERNANCE.md": "sha256:906df6afb1f552b27b9acb50f7f96c47b917a2f1021cd4e987dbf4ee0e0a821b",
|
|
@@ -1530,7 +1546,7 @@
|
|
|
1530
1546
|
"NOTICE": "sha256:f487fa47a11aca0f89e2615cdd3c713e9842abf7a30d8d328eeeae1c864aa774",
|
|
1531
1547
|
"README.md": "sha256:3ddcc197b003da0b02db8bdd1aef1e943c94f7eab613c633d6a45bb11d0a80e9",
|
|
1532
1548
|
"SECURITY.md": "sha256:23f7ee4a44f21e433ed1d3c6f414575eb3e30f66a328422973a1109a276c537b",
|
|
1533
|
-
"api-snapshot.json": "sha256:
|
|
1549
|
+
"api-snapshot.json": "sha256:fb9df9dec00549ae9a669c304afa57a3b81e49ddb49bd2ada5f4ea37c71550a9",
|
|
1534
1550
|
"assets/BlameJS_Logo.png": "sha256:3c65699753c771b48ef9ac7f45bb40815ec19a23afcdd0cd30ef4601bbbe293e",
|
|
1535
1551
|
"assets/BlameJS_Logo.svg": "sha256:dda44f3fb1343d5de9db6b1fcdb75fc649c57e7a99a8e8239fcf852e3841e1a8",
|
|
1536
1552
|
"bench/README.md": "sha256:74202f2507fd840bfc1ac6c681975d9273cf36cca6e0f72655f138337304033c",
|
|
@@ -1775,7 +1791,7 @@
|
|
|
1775
1791
|
"lib/asyncapi-bindings.js": "sha256:2f6f3d7ea836d0483e40f08b8202d78bae54bdc3d76b5faf57d918e699ebeac8",
|
|
1776
1792
|
"lib/asyncapi-traits.js": "sha256:82ec58b77f0a65ef1b5e8b67ee9555e9cb984de769c3393fe5c6d4d0640546f0",
|
|
1777
1793
|
"lib/asyncapi.js": "sha256:c26da54ab6760da0043178abb85960e857b6e8f77f31dc3ced8db95760e25a00",
|
|
1778
|
-
"lib/atomic-file.js": "sha256:
|
|
1794
|
+
"lib/atomic-file.js": "sha256:70be6c998a1de20342c0cec0d6137e4a80d195287ff9073c43bc2c7ad28aca4c",
|
|
1779
1795
|
"lib/audit-chain.js": "sha256:1c9895a2bbf6ce3b4c546b1b3c95ac9d5ed55d82a2b58c0de4e3ecc1947c3c31",
|
|
1780
1796
|
"lib/audit-daily-review.js": "sha256:61cebe47d6e5eeeedcab45515473acfaab623217810a7ab3629b3aeca5028519",
|
|
1781
1797
|
"lib/audit-emit.js": "sha256:1171699027269e154fd247141a549e65bcdb566e52ed00b993c7dfb9a293ba0f",
|
|
@@ -1794,7 +1810,7 @@
|
|
|
1794
1810
|
"lib/auth/dpop.js": "sha256:13d2098e2042dbab61baa93ec371b45357e691576232f08f6e99ea67fa64e200",
|
|
1795
1811
|
"lib/auth/elevation-grant.js": "sha256:cf1c498359073a29d0192f390fe767731025d7cd65c5272298ae06ee10e307e7",
|
|
1796
1812
|
"lib/auth/fal.js": "sha256:aabf6d8095dd41dcda8a2efdb48e00e95bffe70c78991c93fbef827816918692",
|
|
1797
|
-
"lib/auth/fido-mds3.js": "sha256:
|
|
1813
|
+
"lib/auth/fido-mds3.js": "sha256:c511f91a19a3d30e3f48af1e9949e5d1f7a9f4cbc39b68faa15f068a54f29a91",
|
|
1798
1814
|
"lib/auth/jar.js": "sha256:f333f25a87b8c60f5f19c51d68aefba8ae8ed304e0f54a957560475359e11f7f",
|
|
1799
1815
|
"lib/auth/jwt-external.js": "sha256:4b0073de3b72e3215534613781f16892736b4433f7c9b4fd9f5968a106bb777d",
|
|
1800
1816
|
"lib/auth/jwt.js": "sha256:e018192d8578c4b1d549fdb14a93852d153f75ecf0443301d6227b6fd72d7d31",
|
|
@@ -1804,8 +1820,8 @@
|
|
|
1804
1820
|
"lib/auth/oid4vp.js": "sha256:96aee801f9e47491c8eb47f50f21d395aacabbf948cafe2477f876051ac1ef3d",
|
|
1805
1821
|
"lib/auth/openid-federation.js": "sha256:2644424c3802382c2922dd018d6674790263d77bf0e7b6c80502d8e1e6535e4f",
|
|
1806
1822
|
"lib/auth/passkey.js": "sha256:14cc2a5f15a4748a03e703d3f6db0a7aaf408d7b277a8388506907e45da4a1f3",
|
|
1807
|
-
"lib/auth/password.js": "sha256:
|
|
1808
|
-
"lib/auth/saml.js": "sha256:
|
|
1823
|
+
"lib/auth/password.js": "sha256:a3cdbe292d2c803cd42a0e693314bda3b2c3ed4695b2b1f002d7fd440a8254e9",
|
|
1824
|
+
"lib/auth/saml.js": "sha256:1b903b30c52bc16bcb7017fbc46b329bc696470c9681a968656a0717da8add3c",
|
|
1809
1825
|
"lib/auth/sd-jwt-vc-disclosure.js": "sha256:bc1eff5def71d2eedb6f17c8bede650050af9d790145e8697871c75ddc8431ae",
|
|
1810
1826
|
"lib/auth/sd-jwt-vc-holder.js": "sha256:9d22b691e6a698aa2240c3ac611bc91e5b8d6acaa4b8fa03e28077ddb5fd56df",
|
|
1811
1827
|
"lib/auth/sd-jwt-vc-issuer.js": "sha256:8cbfd25af7df5db7e7f61d004059530c46cc18fd1afbcebbe94f8f81f503c413",
|
|
@@ -1874,7 +1890,7 @@
|
|
|
1874
1890
|
"lib/csp.js": "sha256:b7a4d24f721767edecb7bc0c7a28c7824b7dda596c2edb3be387304684a8698a",
|
|
1875
1891
|
"lib/csv.js": "sha256:eca5d01409e72f5f73c5a954f3019826ed5da06f72103a5117016aeb0654f17c",
|
|
1876
1892
|
"lib/cwt.js": "sha256:1c39f6ea999ecdb2cb119933b497af9cbfd512aeaa73261076f12018f0393e80",
|
|
1877
|
-
"lib/daemon.js": "sha256:
|
|
1893
|
+
"lib/daemon.js": "sha256:9441d845c9a2d4b2808cdd6bf18915d89338a3dd75fa304c4b38c047b9f47a54",
|
|
1878
1894
|
"lib/dark-patterns.js": "sha256:e54cc6fb591748b937627560ccdfd84da0e84974da5189e15b911e00b3c7e51b",
|
|
1879
1895
|
"lib/data-act.js": "sha256:9d8f276393bef93e90ddf471f6c424cf95728a9c67fc8416fc5e3ccc99f690ee",
|
|
1880
1896
|
"lib/db-collection.js": "sha256:cb7aa1f7cf6b7f6bd86829cc54fc27999e97422370283b258e54e4c05c6f0388",
|
|
@@ -1900,7 +1916,7 @@
|
|
|
1900
1916
|
"lib/error-page.js": "sha256:4ed2e8a118b35d3dc76a072b233713ae1fdaedb54334df68ad081e19f765cb88",
|
|
1901
1917
|
"lib/events.js": "sha256:b5f0034fda33285f571b9b247db50bff08f632762d9bf69b83784b435eeea75c",
|
|
1902
1918
|
"lib/external-db-migrate.js": "sha256:990014016e71a818672b3f2c32eaa2ff6815553feb52efafb88ec765df9a570a",
|
|
1903
|
-
"lib/external-db.js": "sha256:
|
|
1919
|
+
"lib/external-db.js": "sha256:92b0e0df9da2ad17c5a6b29a1cacbc15412b11003773e6c662fe92737b4d7cb9",
|
|
1904
1920
|
"lib/fapi2.js": "sha256:6ae4679931675a629fa3f9e9efba71172fe69251dec2dd5d8c995cfb9dcad8f7",
|
|
1905
1921
|
"lib/fda-21cfr11.js": "sha256:9256bcea7d526a7280d5d3b1beed5be1daf2402ded2d5a18d602466d01a7884c",
|
|
1906
1922
|
"lib/fdx.js": "sha256:67a29b140b6d07a767da31d6b55d1db0c2219cdaa780531fdec0fec63a5c551c",
|
|
@@ -1920,7 +1936,7 @@
|
|
|
1920
1936
|
"lib/fsm.js": "sha256:6b5df56768a9ecf432f1bb44083a0ec7d4bec9a29bc156dbaa020263d172eaa6",
|
|
1921
1937
|
"lib/gate-contract.js": "sha256:ae5551c721867d51656559181c4bbcc91051b5cfad09d51f76d772d531c1cf74",
|
|
1922
1938
|
"lib/gdpr-ropa.js": "sha256:d0fb72fc7a68186f233832965afa1ffc7c4ce3c514894656c04c327a88f54925",
|
|
1923
|
-
"lib/graphql-federation.js": "sha256:
|
|
1939
|
+
"lib/graphql-federation.js": "sha256:ce625ea629850a8e2bb2e6139e078c3b0f20c281c2fac00a631672b252504898",
|
|
1924
1940
|
"lib/guard-agent-registry.js": "sha256:ea4330c2b2af5975ec01b5e704827e5ba1abbcf23b39425c9e15e241ee20d713",
|
|
1925
1941
|
"lib/guard-all.js": "sha256:a4fefe738be68211c03bad95625fdc83f58742a70e03fa96ae65b31c444f9967",
|
|
1926
1942
|
"lib/guard-archive.js": "sha256:f63eafbbb4a6e823b084ea2c5f866c4cc1e01b0ae4cce024b131c7c246179028",
|
|
@@ -2011,27 +2027,27 @@
|
|
|
2011
2027
|
"lib/legal-hold.js": "sha256:58ed5d0295c5b99ed2d9014ed232301f1b969af21def8b6f9090a9e1aeccfd8d",
|
|
2012
2028
|
"lib/link-header.js": "sha256:145387aeccc1eb6cfa63d42a7690c166673df5b0fc2dd77b69654d293f36a153",
|
|
2013
2029
|
"lib/local-db-thin.js": "sha256:387adb8396afbabe41d1b1fd8fc943162916b607c970843d0a0e79e7841403fc",
|
|
2014
|
-
"lib/log-stream-cloudwatch.js": "sha256:
|
|
2015
|
-
"lib/log-stream-local.js": "sha256:
|
|
2030
|
+
"lib/log-stream-cloudwatch.js": "sha256:a52797a50778832eff42d921929dc66c78e174a575428726fc059a25c460dab3",
|
|
2031
|
+
"lib/log-stream-local.js": "sha256:191f6b63626def1baf1d1dfc2e8ffdfbeab7a4190e8d9c3a1ef093e11820421a",
|
|
2016
2032
|
"lib/log-stream-otlp-grpc.js": "sha256:f330886b81cfa3299e12bae771e35bf3ee47c48e477853920d61805645c91da1",
|
|
2017
|
-
"lib/log-stream-otlp.js": "sha256:
|
|
2033
|
+
"lib/log-stream-otlp.js": "sha256:ae9b1ebc6539007acb55b4ed46778f1791695c6452ca1c5082e79d740b0a2840",
|
|
2018
2034
|
"lib/log-stream-syslog.js": "sha256:da9648a760c35a609a673419ead08b3f21daf72749ef6365f0c40256304e9bfc",
|
|
2019
|
-
"lib/log-stream-webhook.js": "sha256:
|
|
2035
|
+
"lib/log-stream-webhook.js": "sha256:aaec51da99ec52b62c217ff589558bdb73f7f1439a2d1f750e4ee1826be99a19",
|
|
2020
2036
|
"lib/log-stream.js": "sha256:9ffda79044835670fba447876b617b1d5cef0592abf08b52167e2ae7b6bcdba7",
|
|
2021
2037
|
"lib/log.js": "sha256:8902694b381a2c17b100af8c1b9b707248d2879c95ce92e14ff1869a5cd23a5a",
|
|
2022
2038
|
"lib/lro.js": "sha256:da9baf47f27c422c32d51495b2896c887ec3ac283875712efcd7528fd396868b",
|
|
2023
2039
|
"lib/mail-agent.js": "sha256:4ca93408c03873796d285d002067ffa54fa70859ad5437215d6001d90c0f76ea",
|
|
2024
2040
|
"lib/mail-arc-sign.js": "sha256:872f31e16321f8629e3af3cac31d3deb460804748b25a7fbb427164a2ad88f84",
|
|
2025
2041
|
"lib/mail-arf.js": "sha256:47d02905b58c6c0733114e58594034adedd73799de39b93420459dbb04d22050",
|
|
2026
|
-
"lib/mail-auth.js": "sha256:
|
|
2027
|
-
"lib/mail-bimi.js": "sha256:
|
|
2042
|
+
"lib/mail-auth.js": "sha256:da409e8f2b3bae1308f1d008b6df27f468075a83ceaeae8ee7cda0ab9c4a1027",
|
|
2043
|
+
"lib/mail-bimi.js": "sha256:b22afc5e8ad04503fee7e41f3b34c05c9f0759579436bfbe5f7706180c466155",
|
|
2028
2044
|
"lib/mail-bounce.js": "sha256:461e885dd2ea0664e9a4af39ae5c36f3a5d9c7dc914dad4c40641b705952fd04",
|
|
2029
2045
|
"lib/mail-crypto-pgp.js": "sha256:045f1f3a2eea809e5f22fa00d7e8fe99f688b1356341cf7819ad2fe30729a4b6",
|
|
2030
|
-
"lib/mail-crypto-smime.js": "sha256:
|
|
2046
|
+
"lib/mail-crypto-smime.js": "sha256:066d0456f385c470000dd05dcf978592c369298675dd8a25263592c8f15c7934",
|
|
2031
2047
|
"lib/mail-crypto.js": "sha256:19d5f2a9fe6376d2ed6b0153a944dd1d05d8b893172bad173e2df9733c0dafd3",
|
|
2032
2048
|
"lib/mail-dav.js": "sha256:3bfe6d8c0fa1c0a5d56d78a07778de932828eeebd6e091d2f988ebeaabcf451a",
|
|
2033
2049
|
"lib/mail-deploy.js": "sha256:2377fe9e80af1c0fa9fb84269f1e7f8386008119b64be92b74263dda8c074d87",
|
|
2034
|
-
"lib/mail-dkim.js": "sha256:
|
|
2050
|
+
"lib/mail-dkim.js": "sha256:a4bacee3eb62373decb28f09a0a8c0ec7bd2a6c4d5ff3c8e9d2da35c818d2406",
|
|
2035
2051
|
"lib/mail-greylist.js": "sha256:7e8a727e446cbad522ca4902834312c07564365e989c7344a878f4406000fc7b",
|
|
2036
2052
|
"lib/mail-helo.js": "sha256:196c3b8f3720fdd7fef2321dc5e3f29297128d1f0c4f47a062b5e28d75359aa5",
|
|
2037
2053
|
"lib/mail-journal.js": "sha256:58ddcbd652c93b626c38060c97a653dc34b993659e13f41c6da5638d80b3f9f3",
|
|
@@ -2056,7 +2072,7 @@
|
|
|
2056
2072
|
"lib/mail-store-fts.js": "sha256:d7cb4c571fa9709328fa484a4da61e2ba948dd739f09944f8fc1fc5e02ee4b51",
|
|
2057
2073
|
"lib/mail-store.js": "sha256:e7a5e591ae2d98f5a6b6ab6f04e0c4a0822f100b0d03a676d5e804a184be5a26",
|
|
2058
2074
|
"lib/mail-unsubscribe.js": "sha256:2944fd1103f00a202d704b0f3479f96c6aa3345be8cbafa2e0711ded111a3109",
|
|
2059
|
-
"lib/mail.js": "sha256:
|
|
2075
|
+
"lib/mail.js": "sha256:e43a6cb34813920f5001d3a2f335e57195c7befa9f177103eb971c6546e1041a",
|
|
2060
2076
|
"lib/markup-escape.js": "sha256:a76e8c77f30ae456caa53c33afeb2dd0b27f7b8799ac857beac86ea038f17d9a",
|
|
2061
2077
|
"lib/markup-tokenizer.js": "sha256:8aa91d3e173c8d3d4df4dac00e892a359863be7295c5b1846cf322bc7bfc9510",
|
|
2062
2078
|
"lib/mcp-tool-registry.js": "sha256:df3480e6a0d29a9734bdb19d322f83bff5ebfdd756620f947cf593878dea8776",
|
|
@@ -2065,7 +2081,7 @@
|
|
|
2065
2081
|
"lib/metrics.js": "sha256:edc2a3f08a48ab67c9e805cb75839cc9d326ac334478b0f30db0423102ee5713",
|
|
2066
2082
|
"lib/middleware/age-gate.js": "sha256:dc8c61a4d41f4a781220c9c97eb475fb2867f5ee444eb2756badcbc5b8411795",
|
|
2067
2083
|
"lib/middleware/ai-act-disclosure.js": "sha256:6fc62940d85813019b31c586fc86853570329a939565a6947f81052d50977c42",
|
|
2068
|
-
"lib/middleware/api-encrypt.js": "sha256:
|
|
2084
|
+
"lib/middleware/api-encrypt.js": "sha256:8807759081c1427ee9daa40edd5ecfe588bc43cf7c989c0b7c5f27df8a523d12",
|
|
2069
2085
|
"lib/middleware/assetlinks.js": "sha256:bb36f8d53991668b4ae1557d0cab3ec8b479a16f9133c43f9adc07963c8b4750",
|
|
2070
2086
|
"lib/middleware/asyncapi-serve.js": "sha256:a0f0b62b264a5cd8a24e3cfddae722a84b5e2206729f77403906a1d1cfcd7c7b",
|
|
2071
2087
|
"lib/middleware/attach-user.js": "sha256:776424918bf302378da99a85ff20c91a42f8c9f528ab435cd7a06b95ec523d6d",
|
|
@@ -2128,12 +2144,12 @@
|
|
|
2128
2144
|
"lib/mtls-engine-default.js": "sha256:bb2e47de5b8a6fa03f433c4c8ecc02fc7e7841f9eff97a36e7a4379880c81cd7",
|
|
2129
2145
|
"lib/network-byte-quota.js": "sha256:79eafbf602a10ced990d89cfd26bea3992e42b177407b8e512bd4790999d17e3",
|
|
2130
2146
|
"lib/network-dane.js": "sha256:1f60a47618bd99a487d6c2faad423546896f753e33b516bdbc354138438d06f8",
|
|
2131
|
-
"lib/network-dns-resolver.js": "sha256:
|
|
2132
|
-
"lib/network-dns.js": "sha256:
|
|
2147
|
+
"lib/network-dns-resolver.js": "sha256:3fd08605a077a8de1c15b3f436d2c2910af77e0078d27ce9d62fdce2e5949b7e",
|
|
2148
|
+
"lib/network-dns.js": "sha256:b9d92448d25c220ad784a4540da04747797bfc5e4edc2c8ff20de827574af136",
|
|
2133
2149
|
"lib/network-dnssec.js": "sha256:2b0758d09d5af89b49c69892fabaebabba125c3f9f162996c12b9abbbbae4bca",
|
|
2134
2150
|
"lib/network-heartbeat.js": "sha256:f14ec7fa4667cbb04477d91ae59d6253b6c9ccc43071bc558e737cc672f43975",
|
|
2135
|
-
"lib/network-nts.js": "sha256:
|
|
2136
|
-
"lib/network-proxy.js": "sha256:
|
|
2151
|
+
"lib/network-nts.js": "sha256:90ce47584ad58c171e8029eb1d5df8ba4ba130c4038d1fe260109685c34c8f75",
|
|
2152
|
+
"lib/network-proxy.js": "sha256:9342c534863f905000d2432b67c26dd7a5ea02be25aaf9ebe05976079e61d4c9",
|
|
2137
2153
|
"lib/network-smtp-policy.js": "sha256:a7b6c91983b312a16c436d3e15259f8f6a84579e2e55f64106285b22795e1510",
|
|
2138
2154
|
"lib/network-tls.js": "sha256:d39d7e56d3fe987dbb1bd5b4caed2425adc9105a4491b7305a27e1dbe4a6ea31",
|
|
2139
2155
|
"lib/network-tsig.js": "sha256:41dc85a6e816cce1c58c36891dfc6bafc612b68978936107a09a5a553563e0d7",
|
|
@@ -2145,12 +2161,12 @@
|
|
|
2145
2161
|
"lib/ntp-check.js": "sha256:4cd90b033e0df88992fdb251c323957e37ec5bee23c14e0d6dc9a8f41891f134",
|
|
2146
2162
|
"lib/numeric-bounds.js": "sha256:09bd70ab5f971ca7db28a0caf053145dd6b1562276591fe601758c61c41b16a6",
|
|
2147
2163
|
"lib/numeric-checks.js": "sha256:acc5af6141e942415476b43dfb92dcb8ae243d24d022b619f5e092d15fd6894e",
|
|
2148
|
-
"lib/object-store/azure-blob-bucket-ops.js": "sha256:
|
|
2164
|
+
"lib/object-store/azure-blob-bucket-ops.js": "sha256:5af8f5e1eb4f815dfa075e67be92121f2b29cfc1ea1cccb9c37328281f5f10d3",
|
|
2149
2165
|
"lib/object-store/azure-blob.js": "sha256:c28f0c5d07958c4dc3bde2475fc511162ef1501b67b72aab217d18b0786683b5",
|
|
2150
|
-
"lib/object-store/gcs-bucket-ops.js": "sha256:
|
|
2166
|
+
"lib/object-store/gcs-bucket-ops.js": "sha256:e2e2f61380b7e9c750f0ee4428a7e35034e177bb8aaaf0c97dcd35fb1ffd96f5",
|
|
2151
2167
|
"lib/object-store/gcs.js": "sha256:d66736fd0519d8fc67e7a9a3e08ec6a06ac703103a71419edaf9e5518e323b2b",
|
|
2152
2168
|
"lib/object-store/http-put.js": "sha256:545c9339d0972052b9ab1868d0cae6bc4ba3f0eb156423766873224ea6aa27e6",
|
|
2153
|
-
"lib/object-store/http-request.js": "sha256:
|
|
2169
|
+
"lib/object-store/http-request.js": "sha256:1ca977bff2ef4b2d05a7c88f3461d4d189caac9cc5ca9b032fa00c0e648faa10",
|
|
2154
2170
|
"lib/object-store/index.js": "sha256:53d91d27e19a6a75e3b96fa9a01376dbd6e19dd215cca5b4a0c65a777dd1e42b",
|
|
2155
2171
|
"lib/object-store/local.js": "sha256:32cdf105ec0d32428ecea7c3d7da2fe82c910ec57093e562483a9c512a6a66bc",
|
|
2156
2172
|
"lib/object-store/sigv4-bucket-ops.js": "sha256:d54ae720586b595f16d7dd856d0d599d1fa122137a5bdb2d398a7757efcd55cc",
|
|
@@ -2164,7 +2180,7 @@
|
|
|
2164
2180
|
"lib/openapi-yaml.js": "sha256:25b03bcd1c3d0c336aa597eaf79879c840a6b87b729195c573620a47cadaa0b4",
|
|
2165
2181
|
"lib/openapi.js": "sha256:94280b4945d8ddbe7f7484e8b425789f6380264f0a7f3ed8c0d9dc1c179140b8",
|
|
2166
2182
|
"lib/otel-export.js": "sha256:c2f33ee7584638b5b27e2c52223eef111e1486da056d4cc5ef19e2e8a0322d9d",
|
|
2167
|
-
"lib/outbox.js": "sha256:
|
|
2183
|
+
"lib/outbox.js": "sha256:7ce4a9540fc6a6f0b78897647e7b3cc1f4df900341b0966142228f45c6504486",
|
|
2168
2184
|
"lib/pagination.js": "sha256:0b5141bc978dd727707cf4006fc928282c1c88508c8a4dec5bc7c42585d2e303",
|
|
2169
2185
|
"lib/parsers/index.js": "sha256:abb1ac7e2aeb2d566d78c749b389fa75c278cc4bf60af3621c650a220a64fcaf",
|
|
2170
2186
|
"lib/parsers/safe-env.js": "sha256:c02273d9f0299e9409b234c1a7e550a4eb61001588292d71c0a7cce33dc562a4",
|
|
@@ -2191,12 +2207,12 @@
|
|
|
2191
2207
|
"lib/pubsub.js": "sha256:c2b5394a64081c92ed61cdaa5c98a9a403c403fca64b0ff409e0ca29df7c9525",
|
|
2192
2208
|
"lib/queue-local.js": "sha256:6fa51df760cab698cad2c442d8e2ef0256b31ba7cf5f4c8fcdbe412e099d4516",
|
|
2193
2209
|
"lib/queue-redis.js": "sha256:c30d2c7201a7cc0519d39c675730c0b857f5dfa83c5fdd7235a6d3d51ee86996",
|
|
2194
|
-
"lib/queue-sqs.js": "sha256:
|
|
2210
|
+
"lib/queue-sqs.js": "sha256:0868647c6ff66619b828ca0f5aa9ab0e72fbc1450853efa2f63c971c8f456fed",
|
|
2195
2211
|
"lib/queue.js": "sha256:e9bc41e04f2fd1bec7c11dcb2d0e1259c59d62cf39c789103d6ed7345891c604",
|
|
2196
2212
|
"lib/redact.js": "sha256:1cd102db31eb48ffbc677c39013ddc1b829db7597d808785a7b202a5e0dc691d",
|
|
2197
2213
|
"lib/redis-client.js": "sha256:9f8168b11b81ce7b649b2e0658ceeb7134a257435b611f4917d36e1ed178a3e5",
|
|
2198
2214
|
"lib/render.js": "sha256:1890c0cce371ea93c1820f70ea544dee25d8d9bd427fdfd6688d7cb17720ed8b",
|
|
2199
|
-
"lib/request-helpers.js": "sha256:
|
|
2215
|
+
"lib/request-helpers.js": "sha256:def9efbbcb6a3f66ef605eb46887decabcd82ea59d0c4c3a495f9d4536189317",
|
|
2200
2216
|
"lib/resource-access-lock.js": "sha256:868d2c0a59d2ca2757a334858779d23e0cde9c18bf63c535350d8ebd6ae20b53",
|
|
2201
2217
|
"lib/restore-bundle.js": "sha256:c2a9c3af19434a2072ea4cc721211119f71ba363bbbad9df7ac34a3ff03e43e2",
|
|
2202
2218
|
"lib/restore-rollback.js": "sha256:f00e2f40e2e6a14bc6687afe8c112e367d83314eb04592d9ba399cb699fb0e03",
|
|
@@ -2235,9 +2251,9 @@
|
|
|
2235
2251
|
"lib/self-update-standalone-verifier.js": "sha256:8309b2dcafe705f1e545b4b0c640cd1ecac5930959f116e2c30d5ceb41777eee",
|
|
2236
2252
|
"lib/self-update.js": "sha256:4b2403f36d949ce632ef003e0eac29c245d6c5fc8c83ca3cd47069753b2c7af2",
|
|
2237
2253
|
"lib/server-timing.js": "sha256:74f2556480363c860a7c80a3f2bc1adb68fee53aa4335059069fae66a1eb627c",
|
|
2238
|
-
"lib/session-device-binding.js": "sha256:
|
|
2254
|
+
"lib/session-device-binding.js": "sha256:4365c1449498fdcc0f0619200ea9522febe071ec445ab9f4e165614953340d53",
|
|
2239
2255
|
"lib/session-stores.js": "sha256:b79de919061a2bfeb090185bcc511919fb01d3e7a495fe0a7c711cf6cf65137b",
|
|
2240
|
-
"lib/session.js": "sha256:
|
|
2256
|
+
"lib/session.js": "sha256:dc3fcfd31edb04f25ce128ca8eb7106978f6b985c6558c6e1179613b8771930f",
|
|
2241
2257
|
"lib/slug.js": "sha256:bcebb078559528e6bb50a6244633d425ffdd861bb7a708c2b201eae3b3c44b35",
|
|
2242
2258
|
"lib/sql.js": "sha256:0bd253186224b8757dc35e3933462773f40f9e08dc8930fa7985ad28fa79f27c",
|
|
2243
2259
|
"lib/sse.js": "sha256:5e4fca52ddb92ab1c13ad7434c6b13d5c4ef0f7fc3845b003f8c3603c1629dbf",
|
|
@@ -2301,7 +2317,7 @@
|
|
|
2301
2317
|
"oss-fuzz/projects/blamejs/README.md": "sha256:ae13b7bb79ed8d69b1b3276e5562807a0349fb6e6b7d11cf1f683aad1eafdb4b",
|
|
2302
2318
|
"oss-fuzz/projects/blamejs/build.sh": "sha256:0ced1cf21782c97be7f8d74faf5e27a308b60b2f858836fb5ca3b8c4e939a8f7",
|
|
2303
2319
|
"oss-fuzz/projects/blamejs/project.yaml": "sha256:59f2cb83aa622325a175b77416fe155be15b70a9c798bd1a78bba05763b1b03d",
|
|
2304
|
-
"package.json": "sha256:
|
|
2320
|
+
"package.json": "sha256:ff50471bd603fb8a5194e5283800f7d8616e848b49b2b8907bd3b2560d923d86",
|
|
2305
2321
|
"release-notes/v0.0.x.json": "sha256:7a49819f30068ee119000cad7010194882bb8bfaa12acbdab4dfc066efb7982f",
|
|
2306
2322
|
"release-notes/v0.1.x.json": "sha256:6742a8c17f947c5cb76f69dead7eea86b942d80621d914b774ba5488e09937e5",
|
|
2307
2323
|
"release-notes/v0.10.x.json": "sha256:fe498045daf88337bd3d987e5964aa42c99a50e1685b6f09e51f698b8687726f",
|
|
@@ -2317,6 +2333,7 @@
|
|
|
2317
2333
|
"release-notes/v0.15.13.json": "sha256:afac0388fe6f6094f2d6bcc34c167bf41c5016cef001e9d32393c57cd5f0ea0c",
|
|
2318
2334
|
"release-notes/v0.15.14.json": "sha256:13e065666436b6d852d1e9e17933d7ee2327bbe7b3d6adc5cec846c858140f34",
|
|
2319
2335
|
"release-notes/v0.15.15.json": "sha256:5e8f3456e4efa180e8ba368b92616f9f3e57745cdca5fad9bba1c013f728632b",
|
|
2336
|
+
"release-notes/v0.15.16.json": "sha256:6b3b7872fbdfd527dbcc74f2015776808d2af55a9452054f6086c8c8bc2e4a42",
|
|
2320
2337
|
"release-notes/v0.15.2.json": "sha256:36e1423dda94ed4e55c660e0fae882019005d8de3ee5e3b6ac4f38ccf8e744a2",
|
|
2321
2338
|
"release-notes/v0.15.3.json": "sha256:19a0074c445545468ca3cc411b21ec8bdb27be2669ae1950347cc244f6aa348c",
|
|
2322
2339
|
"release-notes/v0.15.4.json": "sha256:6ac7fa0ef1728c27e71b2050d1b07a810f9b4b1440ccddbf28ad56e2f54d8585",
|
|
@@ -2456,7 +2473,7 @@
|
|
|
2456
2473
|
"test/layer-0-primitives/ai-pref.test.js": "sha256:c80d19bc1bbaf36925614e38a65b0fe8cabad7f27ee525638924d07812bae27d",
|
|
2457
2474
|
"test/layer-0-primitives/ai-prompt.test.js": "sha256:102a2f1d52a86f9d5bb86eea0b701ff919aa531833fb93b024be56868439cdd4",
|
|
2458
2475
|
"test/layer-0-primitives/ai-quota.test.js": "sha256:53f96ce0e68c4f09956eb2ee22cca53d1a48ec5da7c026de58e116b78091fb78",
|
|
2459
|
-
"test/layer-0-primitives/api-encrypt.test.js": "sha256:
|
|
2476
|
+
"test/layer-0-primitives/api-encrypt.test.js": "sha256:ea7dd8e5fc4c0923e11993da405eb09d83741bf621c96425dd89e43dedd791ec",
|
|
2460
2477
|
"test/layer-0-primitives/app-shutdown.test.js": "sha256:e4036095036971bb830217f1cc9efd43d697f7d85958eab5fa7fa5d0c176be57",
|
|
2461
2478
|
"test/layer-0-primitives/archive-gz.test.js": "sha256:69ec18221fbc89094dec16dc92d9eb1af359a2a9f0df5c2d1f9ff60506e1b8af",
|
|
2462
2479
|
"test/layer-0-primitives/archive-read.test.js": "sha256:ecc0f7100b94a239023cbc857d1fe025768a5d123c73133c714cda3550a2a451",
|
|
@@ -2473,6 +2490,7 @@
|
|
|
2473
2490
|
"test/layer-0-primitives/atomic-file-conflict-path.test.js": "sha256:b1e95ff12e5f6871762cc23ed6b862b4cf18097b743e5d4f90abaa4e53601794",
|
|
2474
2491
|
"test/layer-0-primitives/atomic-file-exclusive-temp.test.js": "sha256:9a0a6193b8051caf1a5e34a7f0be6b12ec92abcadb26468384b0484c55984144",
|
|
2475
2492
|
"test/layer-0-primitives/atomic-file-fd-read.test.js": "sha256:f94032960507df635acb5676022b13bfe284ba383f2c301f773a74e9876ecb08",
|
|
2493
|
+
"test/layer-0-primitives/atomic-file-open-append-nofollow.test.js": "sha256:39dc85cd84fba390d13ccb2f9cbe8f0e17bb9f24048550706e1bd456711abb82",
|
|
2476
2494
|
"test/layer-0-primitives/atomic-file-open-nofollow.test.js": "sha256:25bccec5c4ac37f6b273c3a23d2c202b45b028a42f00eacd1999e8057a24d1b4",
|
|
2477
2495
|
"test/layer-0-primitives/atomic-file-rename-retry.test.js": "sha256:4669ec79347c38427d4d2229a884d705c1deddb3a88e2b55376a3420ae0c7f4c",
|
|
2478
2496
|
"test/layer-0-primitives/atomic-file-write-excl.test.js": "sha256:80890106b36b988f77df2f124ae6762e9fba94220a2daf4ace92f8dd6f891190",
|
|
@@ -2558,7 +2576,7 @@
|
|
|
2558
2576
|
"test/layer-0-primitives/cluster-storage.test.js": "sha256:238b3b3db0eba3e6312a863710533178f566347b90e161e564481aa826707647",
|
|
2559
2577
|
"test/layer-0-primitives/cluster-vault-rotation.test.js": "sha256:3514e9e71d6c39e805248f58ad2f41528d091e196c0f3766a032675677161b2d",
|
|
2560
2578
|
"test/layer-0-primitives/cms-codec.test.js": "sha256:7e46078ed82be5b69d22c48f22dba37ea5015371c2a8cf5f94fb1a792fb7bb78",
|
|
2561
|
-
"test/layer-0-primitives/codebase-patterns.test.js": "sha256:
|
|
2579
|
+
"test/layer-0-primitives/codebase-patterns.test.js": "sha256:3c1e23573b17d69c0edaa6d963ee00cfafc251803d3bd4007c932c31a72e3a70",
|
|
2562
2580
|
"test/layer-0-primitives/codepoint-class.test.js": "sha256:19764d50264a98cb8fb28575dd82ff7a97e857922c42d9efe886e13d5063e0c5",
|
|
2563
2581
|
"test/layer-0-primitives/compliance-ai-act.test.js": "sha256:5ee4ad05d12233cb3c5457ef10a727833710bbc1ce1318838f9f9ef5d2cb8d4b",
|
|
2564
2582
|
"test/layer-0-primitives/compliance-cascade.test.js": "sha256:ee02cf14541a837a9d7977c6ea6bf7f9210bed293925d93c976e31f270aebec4",
|
|
@@ -2648,6 +2666,7 @@
|
|
|
2648
2666
|
"test/layer-0-primitives/exploit-replay.test.js": "sha256:b0ce85798ae23e9de9ba1d5ac4e3da8b67b26e1dccbd130ff0759c927aec764b",
|
|
2649
2667
|
"test/layer-0-primitives/external-db-hardening.test.js": "sha256:2b593fd96a13ffec1c8400afda2ca5fd8e9577523fb085ffb6250d07b380c43a",
|
|
2650
2668
|
"test/layer-0-primitives/external-db-migrate.test.js": "sha256:7c469502efdbe71788ccb4eb9e1a554003b834c1aada657acb2002b3809df6d4",
|
|
2669
|
+
"test/layer-0-primitives/external-db-non-atomic-backend.test.js": "sha256:aaff044af7bff81675a668821fb949a23ddfd1073a402d3fc7e0e39a0fdfa992",
|
|
2651
2670
|
"test/layer-0-primitives/external-db-routing.test.js": "sha256:bce6254542cf13ba0648452a37768b5e7346013238a7cafd1a09d212a56defde",
|
|
2652
2671
|
"test/layer-0-primitives/fal.test.js": "sha256:613ebf51d4bde737d277c6db8a40487c25c89fcfc4ce68e784699768f967398b",
|
|
2653
2672
|
"test/layer-0-primitives/fapi2.test.js": "sha256:bd077f0ec6de953b4deaeef1c8e1dd76f1c756d6242635137ed65b50e5bd4492",
|
|
@@ -2656,6 +2675,7 @@
|
|
|
2656
2675
|
"test/layer-0-primitives/fedcm-dbsc.test.js": "sha256:4e918c5234e8db4cd84882d577d3be70b6704fb1d3edd836351a45d037e9b44d",
|
|
2657
2676
|
"test/layer-0-primitives/federation-vc-suite.test.js": "sha256:8d76e5800e5625db3eef4a37e3fafa3cb258c3d830f2ee90a4a051f87f050341",
|
|
2658
2677
|
"test/layer-0-primitives/fetch-metadata.test.js": "sha256:9b99953d3f1556b05597e30f65ba32d77f65a5a336e4de32fbbd2dfcec054b16",
|
|
2678
|
+
"test/layer-0-primitives/fido-mds3-cert-bad-validity.test.js": "sha256:8c553ff60d8c8f6bea27bd54552401ff097c57c44a7eb2f498ec9519dc4c593c",
|
|
2659
2679
|
"test/layer-0-primitives/fido-mds3.test.js": "sha256:b363a3f2e6036d6356ffd506f2de7a099bdb4ded77b6c183134d2c1acbeefb25",
|
|
2660
2680
|
"test/layer-0-primitives/file-type.test.js": "sha256:ba6bb725857cbf7b165f4391e3aa126c9fc4286c5afb92d1964ff1d0dfd2b57c",
|
|
2661
2681
|
"test/layer-0-primitives/file-upload-content-safety-skip-audit.test.js": "sha256:ad13f7f84a33899b4f4e66b74c896f606e070bfe5df769b0acd109cfb7ab38c7",
|
|
@@ -2665,7 +2685,7 @@
|
|
|
2665
2685
|
"test/layer-0-primitives/gate-contract-content-gate.test.js": "sha256:d9f8b94231efb0e02a94b7934bf58a3f8e343829ce11346b7302e69e13efd551",
|
|
2666
2686
|
"test/layer-0-primitives/gcs-bucket-ops.test.js": "sha256:2261e3ac2d66d48e4e436d2f43f9f48f45822930824fa48888f0fc9cfabcf908",
|
|
2667
2687
|
"test/layer-0-primitives/gdpr-ropa.test.js": "sha256:ebed2f001ddc79e42a9cd0ee5319536662dcb4c601b3eb65077161ab81e243a4",
|
|
2668
|
-
"test/layer-0-primitives/graphql-federation.test.js": "sha256:
|
|
2688
|
+
"test/layer-0-primitives/graphql-federation.test.js": "sha256:c920cdc6f8740733b712d139d11da08c4fa5c8add3b0749fa74c6fbce04965cf",
|
|
2669
2689
|
"test/layer-0-primitives/guard-agent-registry.test.js": "sha256:d432339273cde552cde8101ac1b32df44c36e7dd9381a328669f63884ac9016b",
|
|
2670
2690
|
"test/layer-0-primitives/guard-all.test.js": "sha256:fdd9a746ecfa6e29f0e5f727fbd66c5ab2e29a263ef0d8c2c1d62fc430cdd59f",
|
|
2671
2691
|
"test/layer-0-primitives/guard-archive.test.js": "sha256:f8c6be677cc69e5b782bb27e4891bcb18fc91d6890ce694ca06cc63c4d374b16",
|
|
@@ -2743,16 +2763,20 @@
|
|
|
2743
2763
|
"test/layer-0-primitives/lro.test.js": "sha256:134407dc88a84450d69e15c23ff9d47617466f23a436b3d61339e6836e0c42ce",
|
|
2744
2764
|
"test/layer-0-primitives/mail-agent.test.js": "sha256:51725784bab6849cb02f1e94e0ba97c2b8e7e101780a26ae7ec19f9d894640ef",
|
|
2745
2765
|
"test/layer-0-primitives/mail-arf.test.js": "sha256:2279aebee547903a8c1415c9fc1c9c194757b3917e869bfddb43dd0375e68a93",
|
|
2766
|
+
"test/layer-0-primitives/mail-auth-dmarc-policy-failclosed.test.js": "sha256:22066c238cdb9c4f84377f56f2d69e387bcb4a601ef384cc874fc55249fbfaa6",
|
|
2746
2767
|
"test/layer-0-primitives/mail-auth.test.js": "sha256:4b967c9921ad3e9e84f87eca1a6077d7d089750c4e919ec3ea09e4a11cd06884",
|
|
2768
|
+
"test/layer-0-primitives/mail-bimi-cert-validity-unparseable.test.js": "sha256:d14d66d801b5767372ce7014617841f8710f7ad95107984da058ade794fd4d8f",
|
|
2747
2769
|
"test/layer-0-primitives/mail-bimi.test.js": "sha256:3e12e211e1f75f07d1ba43ada69c9adcd205902194f983d8ae24293b1acd1cd5",
|
|
2748
2770
|
"test/layer-0-primitives/mail-bounce.test.js": "sha256:d4ef09adc71e1c9e336a9fc5b059e6b264d9abcd0c032023bfa7b15a9173a4b7",
|
|
2749
2771
|
"test/layer-0-primitives/mail-canspam.test.js": "sha256:c21dec043c9984d191af0b1f3425e85953b559ec6dfdf281a5f746f7121eb281",
|
|
2750
2772
|
"test/layer-0-primitives/mail-crypto-pgp-experimental.test.js": "sha256:5b00a55d58cc48eb2864c6f7c6386ce44423e478b1033e5b11bb5130b4bb60c5",
|
|
2751
2773
|
"test/layer-0-primitives/mail-crypto-pgp.test.js": "sha256:e7b399a99e2ea3d443a409a2a7ddba9d0871c8383a821414a1b1b1122757e3cb",
|
|
2774
|
+
"test/layer-0-primitives/mail-crypto-smime-bad-validity.test.js": "sha256:e7bdef1d3d3aafacfd328a7fb7e0dacb45bf66103e18ad19d97d6e308e4aee31",
|
|
2752
2775
|
"test/layer-0-primitives/mail-crypto-smime.test.js": "sha256:2b840ad3706840a8d206c9fa09337e0c13ecb83a7ea4d97fceb49d4fb4454dfa",
|
|
2753
2776
|
"test/layer-0-primitives/mail-dav.test.js": "sha256:5b4dcb1b9d8942f0cc2235a99487b076cf4f984933c609d737bb40471ae7333c",
|
|
2754
2777
|
"test/layer-0-primitives/mail-deploy-tlsrpt.test.js": "sha256:3063225653b0cc3a6c8653b6e6ebd1e4ffbb3939b51d21f710d718426a3eeaa4",
|
|
2755
2778
|
"test/layer-0-primitives/mail-deploy.test.js": "sha256:b3e85993397ada25ee86b43403a9307f4e8c0b87e9252967e944bd9c733baaf7",
|
|
2779
|
+
"test/layer-0-primitives/mail-dkim-numericdate-failclosed.test.js": "sha256:a0fee8759d974b7f72bb7b191c307ff737e90c6123b662c3ead73cbfecbccb27",
|
|
2756
2780
|
"test/layer-0-primitives/mail-dkim.test.js": "sha256:84b0aeb3b9e7c3852e06998ff6af5427bd4445d247b73ec8e2511a8c1cd21e9d",
|
|
2757
2781
|
"test/layer-0-primitives/mail-feedback-id.test.js": "sha256:f4890df9aa9650680abe99dacb5072b0e4b207be178d1be0e6e139c697185329",
|
|
2758
2782
|
"test/layer-0-primitives/mail-greylist.test.js": "sha256:ef3e1618a2bea628a09405ad8751e63a1de47e92aeb2d1b421702fd4eae5e768",
|
|
@@ -2760,6 +2784,7 @@
|
|
|
2760
2784
|
"test/layer-0-primitives/mail-helo.test.js": "sha256:5b06bd53db5aff44ee97d0108cd67d10b931562df33ef289f616957e7184eac1",
|
|
2761
2785
|
"test/layer-0-primitives/mail-journal.test.js": "sha256:e18b0b46ccedcd5599ae88b341a67f5dc6cefe38514aa4a5305bb48084d5b562",
|
|
2762
2786
|
"test/layer-0-primitives/mail-mdn.test.js": "sha256:4e24d8ba7ee777593024b2bb564995f4dd19f863ef1effdd05a4c593f2ac405f",
|
|
2787
|
+
"test/layer-0-primitives/mail-proxy-framing-bounds.test.js": "sha256:de9d958b360a7e23cf6c4dd5577f3bd2a89c16bce45770c7d5e20b6bd996d334",
|
|
2763
2788
|
"test/layer-0-primitives/mail-rbl.test.js": "sha256:43a1f12c03f949cf4d9f2474d0853fefa6f963f0f15360cd330ff38cb4ba7af4",
|
|
2764
2789
|
"test/layer-0-primitives/mail-require-tls.test.js": "sha256:ffb888e81770c02e69f99ba54808802d53e5880a6fbe82349a914aaae20b016c",
|
|
2765
2790
|
"test/layer-0-primitives/mail-scan.test.js": "sha256:060758532a2b75e53b28b3b99542c5ea9b0a149986501a0e32cd1f660a7a569f",
|
|
@@ -2793,9 +2818,12 @@
|
|
|
2793
2818
|
"test/layer-0-primitives/nel.test.js": "sha256:1b074316a1172d23da880ee6c9fa99b5548ae28322ea43a7f91adbdb260375ca",
|
|
2794
2819
|
"test/layer-0-primitives/network-allowlist.test.js": "sha256:bfd447e56b6f19ee2cf1ed4ca7b34e03ecd6de89df46093e9dc89d93beeaf976",
|
|
2795
2820
|
"test/layer-0-primitives/network-byte-quota.test.js": "sha256:c53f6a7435472bd02debbd3c2679254bef2dc6bec8a0c0bf5f9c53c956a313e6",
|
|
2821
|
+
"test/layer-0-primitives/network-dns-lookup-timeout-default.test.js": "sha256:6251b8d093f6402a13d08afea2d7164fccdb8d2edbbbe63915b88b4e2bcba47b",
|
|
2822
|
+
"test/layer-0-primitives/network-dns-resolver-timeout.test.js": "sha256:9ba8ca49b8095ec4780959134520ac869c80ca9b9664b5beadce2d135037777d",
|
|
2796
2823
|
"test/layer-0-primitives/network-dns-resolver.test.js": "sha256:8966ba1b24c9ceb5754a3ef21a6d6e61a6cade983367bece1034110b7928fc1c",
|
|
2797
2824
|
"test/layer-0-primitives/network-dns.test.js": "sha256:062716b26d49b29b5002787597ad61622b4bfd05c346076ba90ab18e2efc5074",
|
|
2798
2825
|
"test/layer-0-primitives/network-heartbeat-passive.test.js": "sha256:4dae1d9f61c85489d1a91a6f4a242198d0bee89fdbacff9efba143e78e882ad0",
|
|
2826
|
+
"test/layer-0-primitives/network-nts-handshake-byte-cap.test.js": "sha256:97e95dc14c494b846270abe545dd3995c0f0905aed209f600ac670fad10956fb",
|
|
2799
2827
|
"test/layer-0-primitives/network-tls-build-options.test.js": "sha256:0380ef886acc0a3bb0f7bc032c11991891fe9f19648e9f8d38829c7ea16b61b0",
|
|
2800
2828
|
"test/layer-0-primitives/network-tls-ct-inclusion.test.js": "sha256:951b5eeded5762f667c534c0433e4b5f4b0a6a48c7c66a88492c0d4cebd21636",
|
|
2801
2829
|
"test/layer-0-primitives/network-tls.test.js": "sha256:75605314bf5093ab040c46cdc17327cd609145c4b0b7a17fbbaa9679b94a3b46",
|
|
@@ -2884,6 +2912,7 @@
|
|
|
2884
2912
|
"test/layer-0-primitives/safe-vcard.test.js": "sha256:10a0695050afee64599411352b34382e15b8f9bd9045ed3951cc6bc561918c89",
|
|
2885
2913
|
"test/layer-0-primitives/safe-xml.test.js": "sha256:dc94bdc968449a87843a2403e4f9d402cd22fb7479cae30ae42e297ffec5a449",
|
|
2886
2914
|
"test/layer-0-primitives/saml-slo.test.js": "sha256:b8b3a5e71ad28a0a3e9b69bca9f570410bc8b8eab6a7fdfd186fdf12cd90854f",
|
|
2915
|
+
"test/layer-0-primitives/saml-subjectconfirmation-notbefore.test.js": "sha256:2deac25891a4eb2c5d1073d99c352a01322e6fab6497616209ec6a15cc1fbf71",
|
|
2887
2916
|
"test/layer-0-primitives/saml-subjectconfirmation-notonorafter.test.js": "sha256:1396afcc34135ab025880ac74738f3eb1984f5725dcf2e676e6a2f1bd7f852c2",
|
|
2888
2917
|
"test/layer-0-primitives/sandbox.test.js": "sha256:9e4173ff52b2de662c9ca489c723df899f7dfa82526f0c67154de516b2e4f0e7",
|
|
2889
2918
|
"test/layer-0-primitives/scheduler-exactly-once.test.js": "sha256:f269740eba98d12f05f6fa50c7aa4f6ac49a5a69e1dff23898257405a51089fa",
|
|
@@ -2901,7 +2930,9 @@
|
|
|
2901
2930
|
"test/layer-0-primitives/self-update-standalone-verifier.test.js": "sha256:01a603efc2ad576fd2a958bc6fb0bf9738c628b9f73ca706089fb2ddfb4b8796",
|
|
2902
2931
|
"test/layer-0-primitives/self-update.test.js": "sha256:8f0b956a24a609913d14a25a39c03ac4e148f9ae88dcbaa28fbc8fa72517b249",
|
|
2903
2932
|
"test/layer-0-primitives/server-timing.test.js": "sha256:03fbad2878a8d629c0abf59c175d6de7b113e49b3eaffbdcd950b03920e54693",
|
|
2904
|
-
"test/layer-0-primitives/session-
|
|
2933
|
+
"test/layer-0-primitives/session-destroy-all-store-backed.test.js": "sha256:a00e2a0a0508e59cef00813884ecdb3cf124b385d8bab9222040441c23112416",
|
|
2934
|
+
"test/layer-0-primitives/session-device-binding-ipv6-canonical-and-no-store.test.js": "sha256:00444e12ce114b9e6103f06279387ba453fdab32b0216e0f437f6c93dda7a606",
|
|
2935
|
+
"test/layer-0-primitives/session-device-binding.test.js": "sha256:c1d5ab76e6bcc971dcbfa9bb435902b87b3d99143e2f09b04158fdf5237025d1",
|
|
2905
2936
|
"test/layer-0-primitives/session-extensions.test.js": "sha256:42a43a2e82ee4fb1c576cc6dc2ebfcf531e3cbd05bbb5486a402de0bf1b8d141",
|
|
2906
2937
|
"test/layer-0-primitives/session-valid-from.test.js": "sha256:587bb6aa587d1fbaf84387bd17d0a46fbf0b97ceafc9d2a1416a0e7751e98ab0",
|
|
2907
2938
|
"test/layer-0-primitives/shape-match.test.js": "sha256:ce63e3be16ff7055fe0a24ffd314e6878a8d2145043a2e2bbc3821f3d9d48b7d",
|
|
@@ -2954,6 +2985,7 @@
|
|
|
2954
2985
|
"test/layer-0-primitives/watcher.test.js": "sha256:346ef70ff89e9d4b6ba27f6a1859be0cd782b8224930c7c3d2ead5d495c08dd7",
|
|
2955
2986
|
"test/layer-0-primitives/web-push-vapid.test.js": "sha256:4634dcf1c3fdae300b291d20473285a9d9fe2f49f9c54e4e3a2e149768d3fe32",
|
|
2956
2987
|
"test/layer-0-primitives/webhook-dispatcher.test.js": "sha256:080b999087102eccaa73e070b3f08ec2ab1fecd3a38d25cdcd2937241c9d9689",
|
|
2988
|
+
"test/layer-0-primitives/webhook-verify-nonce-atomic.test.js": "sha256:42441d6d923d2ba9f83da932e1e4715f2e519735c816e6396f1390e87ff378f6",
|
|
2957
2989
|
"test/layer-0-primitives/webhook.test.js": "sha256:8eb792cd1b24f7e4e7380286bb08e0e37489ce6a0fc5c1f0d0aa6caa0e170e48",
|
|
2958
2990
|
"test/layer-0-primitives/websocket-channels.test.js": "sha256:8e1249fd11c4ae1253c8b76cc8638c9cdce2081046d6b80a9a6db0cd71d2716c",
|
|
2959
2991
|
"test/layer-0-primitives/websocket-extension-header.test.js": "sha256:8f3a29eeb269c7393342e4e7966c330413964cd251b76d5cdefd6455aa8883be",
|
|
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.15.x
|
|
10
10
|
|
|
11
|
+
- v0.15.16 (2026-06-22) — **A correctness and hardening release: a broad set of credential and certificate verifiers now fail closed on a present-but-unparseable timestamp instead of silently skipping the check, outbound network clients gain an overall wall-clock timeout and a bounded framing buffer, DMARC refuses a record with no usable policy, append-only log sinks refuse a symlinked path, and the interactive-transaction and replay-store contracts refuse a backend that cannot honor them.** This release closes a family of fail-open and resource-exhaustion gaps without adding opt-ins to the request path. A recurring pattern across the verifiers — a timestamp parsed with a lenient parser, then gated by isFinite() so an unparseable value disables the check — is converted to fail-closed everywhere it appears: DKIM x=/t=/l=, ARC AMS/AS t=/x=, SAML Bearer and holder-of-key NotBefore, and the FIDO MDS3 / BIMI / S/MIME certificate validity windows now refuse a malformed value rather than accepting the credential. DMARC now validates and requires a usable p= policy and never recommends delivery for a failing message with an absent or unrecognized policy. Outbound clients that exposed a single timeout but applied it only as an idle (zero-progress) timer now also enforce it as an overall wall-clock cap, so a peer that trickles bytes within the idle window can no longer hold a request open indefinitely: the encrypted HTTP client, the object-store and SQS request paths, the CloudWatch / OTLP / webhook log sinks, and the password breach check. The DNS resolver and the lower-level DNS client gain a per-query wall-clock deadline that also tears the socket down, the SMTP client and the proxy CONNECT tunnel bound their framing buffers and add an overall deadline, and the NTS key-establishment handshake bounds its accumulator. The append-only local log sink and the daemon log open with O_NOFOLLOW so a symlink planted at the path is refused rather than followed. b.externalDb.transaction and b.outbox now refuse a backend that declares it cannot provide an interactive transaction instead of silently running a non-atomic block, and the GraphQL-federation replay store adopts the framework's atomic check-and-insert contract. **Added:** *b.atomicFile.openAppendNoFollowSync — symlink-refusing append open* — Opens a long-lived append target (an active log file kept open across appends and reopened on rotation) with O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW: the file is created or appended normally, but a symlink at the final path component fails the open closed (ELOOP) rather than redirecting writes. The append-sink counterpart to openNoFollowSync (read) and the exclusive-create temp open. · *b.externalDb.supportsTransactions() and stateless-adapter declaration* — A backend adapter may declare supportsTransactions: false (a stateless / autocommit-per-statement adapter) and/or provide a batch(client, statements) hook for an atomic multi-statement path. b.externalDb.supportsTransactions() reports whether the picked backend can provide an interactive transaction, so a consumer built on the dual-write guarantee can refuse a non-atomic backend up front. · *Store-free device fingerprint* — b.sessionDeviceBinding.fingerprint(req, opts) is now a static entry point returning the request-shape digest with no store, and b.sessionDeviceBinding.create() with neither a bindingStore nor storeInSession returns an instance whose stateless fingerprint() works while bind()/verify() throw a clear "no store configured". Soft device binding for self-validating tokens (a sealed cookie or JWT carrying the fingerprint) no longer needs a fabricated no-op store. **Changed:** *Device fingerprint IP masking is canonical* — b.sessionDeviceBinding masked the client IP into its prefix bucket by textual group slicing with no IPv6 normalization, so equivalent forms of one address (a ::-compressed form vs its fully-expanded form) hashed to different fingerprints and a roaming client could be logged out on a false drift. It now masks through the same canonical prefix helper b.session uses, preserving the configured prefix width (the IPv6 default stays /48, and ipPrefixBits is honored). b.requestHelpers.ipPrefix accepts { v4Bits, v6Bits } to override the /24 + /64 default for a function-form fingerprint or other reuse. **Fixed:** *b.session.destroyAllForUser works for pluggable-store consumers* — A consumer configuring sessions through b.session.useStore without calling b.db.init() got a db/not-initialized error from destroyAllForUser — every "log out everywhere" / suspend / delete path rejected with a 500 after the store rows had already been deleted, because the stateless valid-from boundary write was routed only to the framework database. The boundary now prefers the framework database when one is initialized and otherwise falls back to the configured session store (provisioning its table on demand), so store-backed deployments raise the stateless boundary successfully; it still fails closed when neither a framework database nor a store is available. **Security:** *Certificate and credential verifiers fail closed on an unparseable timestamp* — A present-but-unparseable date no longer silently disables a validity check. DKIM x= / t= (signature expiry, future-date, ordering) and l= (body-length cap), ARC AMS/AS t= / x=, SAML Bearer and holder-of-key SubjectConfirmationData NotBefore, and the FIDO MDS3, BIMI, and S/MIME certificate validity windows previously parsed the value, then guarded the comparison with isFinite() — so a value that did not parse (NaN) skipped the check and the credential was accepted. Each now refuses a present-but-unparseable value (a permerror / not-valid result) and only an absent optional field is ignored, matching the existing fail-closed handling of the SAML Conditions block. · *DMARC refuses a record with no usable policy* — The DMARC policy tag p= (and the subdomain sp=) were taken verbatim with no validation and p= was never required, so the disposition mapped a null or typo'd policy to the catch-all "deliver". A failing, unaligned message against a domain whose record omitted p= or carried an unrecognized value was therefore delivered. p= and sp= are now validated against none|quarantine|reject, p= is required for a record to carry a policy at all, an invalid record is a permerror (not a transient temperror), and the disposition is an explicit fail-closed mapping that never delivers a failing message on an absent or unrecognized policy. · *Outbound clients enforce an overall wall-clock timeout, not only an idle timeout* — Several clients exposed a single timeout but forwarded it to the underlying request only as idleTimeoutMs (a zero-progress cap that resets on every received byte), leaving no overall bound — a peer that trickles one byte inside each idle window holds the call open indefinitely. b.httpClient.encrypted (which dropped timeoutMs entirely, and now also forwards the caller's AbortSignal), the object-store request path and Azure/GCS bucket operations, the SQS queue client, the CloudWatch / OTLP / webhook log sinks, and the password HIBP breach check now set the overall wall-clock timeout alongside the idle timeout. · *DNS lookups gain a default wall-clock deadline and tear the socket down* — The DNS resolver's DoH transport had no time bound of any kind and the lower-level DNS client defaulted its lookup timeout to zero (no deadline). A non-responsive or slow-trickle upstream — reachable while resolving DKIM/SPF/BIMI records for inbound mail — held the lookup pending forever. The resolver now takes a per-query timeout (default 10s) wrapping every query and CNAME hop, the DNS client defaults its lookup timeout to 10s (operators opt out with a zero timeout), and the raw DoH/DoT request paths arm a socket timeout that destroys the connection on a stall rather than leaking the descriptor. · *SMTP, proxy-CONNECT, and NTS clients bound their read buffers and add deadlines* — The SMTP client accumulated the server's reply without a byte cap and relied on an idle timer alone; a hostile or broken MX that never sent a line terminator could exhaust memory, and a slow trickle held the transaction open. It now caps the accumulated reply (refusing once it exceeds the response ceiling) and enforces an overall transaction deadline. The proxy CONNECT-tunnel client, which accumulated the proxy's reply unbounded with no socket timeout, now caps the header buffer and times out the connect. The NTS key-establishment handshake reader caps its record accumulator so a server streaming non-terminating records cannot exhaust memory before the handshake timer fires. · *Append-only log sinks refuse a symlinked path* — The local log sink and the daemon log opened the active file in append mode without O_NOFOLLOW, so a symlink planted at the log path (including one re-planted in the race window after a caller's pre-check) was followed, redirecting log writes to an attacker-chosen file. Both now open with O_NOFOLLOW via the new b.atomicFile.openAppendNoFollowSync, refusing a symlinked final path component. · *Transaction and replay-store contracts refuse a backend that cannot honor them* — b.externalDb.transaction and b.outbox.create now refuse a backend that declares it cannot provide an interactive transaction (a stateless / autocommit-per-statement adapter) instead of silently running BEGIN, the body, and COMMIT on different sessions — no isolation, no rollback — while reporting success. b.graphqlFederation.guardSdl now consults its replay nonce store through the framework's atomic checkAndInsert(nonce, expireAt) contract (the same one b.webhook and b.nonceStore use) rather than a non-atomic has()-then-remember() check that raced concurrent redeliveries; a store lacking checkAndInsert is refused at construction. **Migration:** *DNS lookups now time out by default* — The lower-level DNS client's lookup timeout previously defaulted to zero (no deadline); it now defaults to 10 seconds. A deployment that intentionally ran DNS lookups with no wall-clock bound must set the lookup timeout to zero explicitly to restore the old behavior. The b.network.dns.resolver default timeout is also 10 seconds and is configurable via its timeoutMs option. · *b.graphqlFederation.guardSdl nonceStore contract* — guardSdl's optional replay nonceStore now requires the atomic checkAndInsert(nonce, expireAt) contract (b.nonceStore.create is the reference store) and refuses the previous { has, remember } shape at construction. Operators using the old shape should pass b.nonceStore.create(...) or an adapter exposing checkAndInsert. · *Interactive transactions on a stateless backend are refused* — If an externalDb backend adapter declares supportsTransactions: false, b.externalDb.transaction and b.outbox.create now throw rather than running a silently non-atomic block. Existing stateful adapters (Postgres / MySQL / SQLite, and any adapter that supplies beginTx/commit/rollback or omits the flag) are unaffected. A stateless / autocommit-per-statement adapter should supply interactive transaction hooks or a batch adapter.
|
|
12
|
+
|
|
11
13
|
- v0.15.15 (2026-06-21) — **A focused correctness and hardening release: more authentication and signature verifiers fail closed (JWT issuer, SAML recipient binding, OAuth nonce, CIBA token binding, FIDO certification level), the WebSocket client bounds a fragmented message before it completes, DMARC resolves the From domain before the policy lookup, and the CSP builder refuses a directive-injecting source; fixes a middleware pipeline promise that never settled on a write-and-halt, and exposes the X.509 CA-bit issuer test, an IP-prefix helper, and a reverse-proxy-aware session fingerprint option.** This release continues to tighten existing protections without adding opt-ins on the request path. A further set of authentication and signature verifiers now refuse malformed or unbound credentials: JWT verify rejects an array-valued issuer claim (an any-match bypass, CVE-2025-30144 class), SAML requires the mandatory Recipient on a Bearer or holder-of-key confirmation and enforces every AudienceRestriction, OAuth no longer skips the ID-token nonce check on an empty nonce, CIBA binds the returned ID token to its auth_req_id, the FIDO MDS3 certification level reflects the authenticator's current status rather than its historical maximum, and a JOSE header that decodes to a non-object is a typed error rather than an uncaught throw. The WebSocket client now bounds a fragmented incoming message by its running total instead of only at the final frame, DMARC validates the From-header domain before the policy lookup, the data-residency write gate compares the residency column case-insensitively, and the SQL builder refuses an equality against NULL and validates every IN-list element. The CSP builder refuses a source token containing whitespace or a semicolon (directive injection). A middleware pipeline that a request handler halted by writing the response without calling next() left its promise pending forever, retaining the request closure — it now settles. New surface is additive and backward compatible: the basicConstraints-enforcing X.509 issuer test is exposed publicly, the session device fingerprint can resolve the client IP through a trusted-proxy allowlist, and the /24+/64 IP-prefix masking it uses is exposed for reuse. **Added:** *b.x509Chain — the CA-bit-enforcing X.509 issuer test* — isCaCert(cert) and issuerValidlyIssued(issuer, subject) are now public. Node's X509Certificate.checkIssued() does not enforce the basicConstraints cA bit (CVE-2002-0862 class), so a non-CA leaf can be accepted as an issuer; these helpers require cA:TRUE and verify the signature, fail closed on any malformed input, and are the same test the framework's own chain walkers use. A consumer validating a chain outside a TLS handshake (an operator-uploaded CA bundle, a non-handshake PQ-signed certificate) can now use the hardened path instead of raw checkIssued(). · *Reverse-proxy-aware session device fingerprint* — b.session.create / verify / rotate accept { trustedProxies } (CIDRs) or { clientIpResolver } so the built-in clientIp / clientIpPrefix fingerprint fields resolve the real client IP behind a trusted proxy, consistent with b.requestHelpers.trustedClientIp. Without the option the fingerprint still binds to the bare socket peer (unchanged default), so existing fingerprints keep matching; pass the same option to create, verify, and rotate. The /24 (IPv4) + /64 (IPv6) subnet masking is exposed as b.requestHelpers.ipPrefix for an operator using a function-form fingerprint field. **Changed:** *DKIM l= is counted over the canonicalized body* — On verify, the l= body-length tag was applied to the raw body before canonicalization, so a legitimate relaxed/relaxed signature whose l= matched the canonicalized length was rejected with a body-hash mismatch whenever relaxed canonicalization changed the byte count within the first l= octets. The body is now canonicalized first and the canonicalized octet stream truncated to l= (RFC 6376 §3.4.5). · *PIPL cross-border security-assessment threshold documentation corrected* — The b.pipl.sccFilingAssessment contract stated the CAC security assessment becomes mandatory above 100,000 cumulative PI subjects (the superseded 2022 figure). The builder enforces the current CAC Provisions on Promoting and Regulating Cross-Border Data Flows — a security assessment above 1,000,000 non-sensitive PI subjects or 10,000 sensitive, with the 100,000–1,000,000 band in the standard-contract / certification tier. The documentation now matches the enforced thresholds. **Fixed:** *composePipeline settles its promise when a middleware halts* — A regular middleware that wrote the response and returned without calling next() — the intended way to halt the chain from an auth / rate-limit / bot block — left the promise returned by b.middleware.composePipeline pending forever, retaining its request/response closure (an unbounded leak under sustained blocked traffic). The halt path now settles the promise without advancing to the route handler; the same applies to an error handler that consumes the error without calling next(). · *Quality-list header parsing is quote-aware* — parseQualityList mis-read a q= substring that appeared inside a quoted media-range or Accept-* parameter, mis-weighting content negotiation. It now parses the q parameter with quote-aware splitting. **Security:** *More authentication and signature verifiers fail closed* — JWT verify rejects an array-valued iss claim (it had passed through a generic any-match built for the legitimately-array aud claim, so a multi-issuer array satisfied a single-issuer expectation — CVE-2025-30144 class), matching the external JWT and OIDC verifiers. SAML verifyResponse requires the Recipient attribute on a Bearer or holder-of-key SubjectConfirmation and confirms it equals the ACS URL (an absent Recipient was silently skipped), and enforces every AudienceRestriction (AND-combined per SAML core). OAuth no longer fails open and skips the ID-token nonce replay check when the supplied nonce is empty. CIBA binds the polled / notified ID token to its auth_req_id so a token minted for another request can't be accepted. The FIDO MDS3 certification level reflects the authenticator's current status, not the highest level it ever held, so a later decertification or downgrade is honored by a step-up policy. A JOSE header or payload that decodes to JSON null or a non-object now raises a typed authentication error instead of an uncaught TypeError. · *WebSocket fragmented-message reassembly is bounded before completion* — The client enforced maxMessageBytes only when a fragmented message's final frame arrived, so a peer could stream unbounded continuation frames and exhaust memory before the limit was ever checked. The running reassembly total is now enforced per frame, and a frame arriving after close is ignored. · *DMARC resolves the From domain before the policy lookup* — The From-header bare addr-spec domain extraction did not reject RFC 5322 group syntax or a trailing semicolon, so a crafted From header could yield a corrupted domain that defeated the DMARC alignment / policy lookup. The domain is now validated (length-bounded, rejecting the group and punctuation forms) before it is used. · *Data-residency and SQL builder correctness* — The per-row data-residency write gate compares the residency column name case-insensitively, so a raw UPDATE that spells the column in a different letter case can no longer slip the cross-border transfer check. The SQL builder refuses an equality against NULL (col = NULL is always false; use IS NULL) and validates every element of an IN-list on the Postgres = ANY(?) path, matching the sqlite / MySQL path. · *CSP builder refuses a directive-injecting source* — A CSP source is a single non-whitespace token. build() and mergeDirectives() now reject a source containing whitespace or a semicolon — because the emitter space-joins sources and semicolon-joins directives, a value like "https://x; script-src https://evil" injected a live directive.
|
|
12
14
|
|
|
13
15
|
- v0.15.14 (2026-06-20) — **A broad security-hardening release: every request-IP trust decision is peer-gated against the immediate connection (closing an X-Forwarded-For spoofing class — one behavior change, see Migration), a wide set of authentication and signature verifiers now fail closed, pre-auth parsers are hardened against algorithmic-complexity and frame-desync attacks, and untrusted-key allowlist lookups, at-rest encryption binding, and on-disk writes are tightened framework-wide; adds streaming and exclusive atomic-write primitives, a script-context JSON serializer, and HTTP-client bandwidth throttling.** This release tightens existing protections across the framework rather than adding opt-ins. The headline behavior change is how the client IP is trusted: the IP gates that make security decisions (network allowlist, rate limiter, break-glass grant pin) no longer trust a bare leftmost X-Forwarded-For value when trustProxy is set without an explicit proxy allowlist — they resolve the client IP by a peer-gated right-to-left walk anchored at the connecting socket, so a direct caller can no longer forge an allowed address. Operators who terminate behind a proxy now declare its address range in trustedProxies (see Migration). Alongside that, a large set of verifiers that could accept a malformed or unsigned credential now fail closed (SAML audience restriction, FDA electronic-signature, SD-JWT key-binding replay, DPoP, CIBA, mdoc trust anchor, COSE algorithm/curve binding, agent-snapshot plaintext under a regulated posture); pre-authentication parsers that an attacker reaches before any credential check are hardened against quadratic-time and frame-desync denial of service (CBOR, JSONPath, tar/PAX, gzip, YAML, ASN.1 DER, the scheduler's timer math); allowlist and posture lookups keyed by untrusted input can no longer reach Object.prototype; the framework's own file writes are now symlink-refusing and atomic; at-rest and egress paths bind ciphertext to its location and redact nested secrets; and several lost-update races are serialized. New surface is additive: streaming and exclusive atomic-write primitives, a serializer safe to embed in an inline <script>, and download/upload bandwidth throttling on the HTTP client. **Added:** *b.atomicFile.writeStream(filepath, source, opts?) and b.atomicFile.writeExclSync(filepath, data, opts?)* — Two atomic-write primitives that complete the read-side fdSafeReadSync family. writeStream writes a stream to a fresh O_EXCL|O_NOFOLLOW temporary file with an output-byte cap, then renames into place; writeExclSync stages a synchronous write through a verify-then-rename (clearing any stale temp under O_EXCL|O_NOFOLLOW first) for the small sealed-state round-trips (vault seal / unseal / rotate). Both refuse to follow a symlink at the destination or temp path, so an attacker who pre-creates a link can't redirect the write. The framework's own predictable-temp and symlink-following write sites now route through them; fdSafeReadSync also gains a withStat option that returns the bound fd's stat alongside the bytes. · *b.safeJson.stringifyForScript(value, opts?)* — A JSON serializer safe to embed directly in an inline <script> block: it escapes <, >, and & and the U+2028 / U+2029 line separators so a value containing </script> or a JS line terminator cannot break out of the script context (DOM-XSS). The import-map helper gains scriptTag(importMap, { nonce }) built on it, and the speculation-rules inline emitter uses it. · *HTTP-client bandwidth throttling* — b.httpClient requests accept a bandwidth limit that interposes a throttling transform on both the download and upload paths, so a large transfer can be rate-shaped without buffering the whole body. Useful for bounding the egress a single outbound call can consume. · *Incremental audit-chain verification* — The audit verifiers accept a from/to range so a long chain can be verified in increments rather than head-to-tail every time, report an accurate rowsVerified count, and keep the newest review when reconciling. b.vault also exposes getDefaultStore() for callers that need the process's default seal/unseal store handle. **Changed:** *DORA major-incident reporting clock is four hours* — The Digital Operational Resilience Act initial-notification deadline is corrected to four hours from classification (it had used the generic 24-hour default), incident classification weighs the affected-client-base percentage, and the deadline anchors to the prior filing where one exists. · *Range and conditional-request correctness* — Compression skips a 206 Partial Content or any Content-Range response (RFC 7233 §4.1), so it can't drop Content-Length over a now-compressed byte interval; static-file conditional handling gives If-None-Match precedence over If-Modified-Since and If-Match over If-Unmodified-Since (RFC 7232); and the object store honors the [start, end] array range contract that previously fell through to a full read. · *Declared request bodies are always validated* — A route that declares a body schema now validates it even when no body was parsed, so an omitted required body is rejected at the router instead of reaching the handler — mirroring the always-run params and query checks. **Fixed:** *Object store getStream works on remote backends* — getStream() returned a stream wrapping an unresolved promise on every remote backend, so it never delivered bytes; it now resolves the object before streaming. · *Queue and body-parser correctness* — The local queue's fail()/complete() paths guard on the current row status so a stale lease can't resurrect or double-process a job, and the body parser's raw() mode no longer matches every content type by default (it had answered 415 to nothing or everything depending on the wildcard). · *Sanctions screening and GraphQL SDL probing no longer under-match* — Sanctions screening no longer skips a candidate whose type doesn't match the query's type filter (a sanctioned entity of an unspecified type was missed) and reports a typeMatch flag; the GraphQL federation guard probes for the _service / _entities introspection fields by word boundary (an aliased field bypassed the prefix check) and over batched-array request bodies. The per-tenant query budget is a true sliding window, so a burst straddling the window boundary can't briefly double the rate. **Security:** *Request-IP trust is peer-gated end to end* — The client-IP resolution that every IP gate depends on is extracted into one trust model (a trustedProxies-aware, peer-gated right-to-left walk) so the network allowlist, rate limiter, break-glass pin, and bot-guard audit attribution all decide identity the same way. X-Forwarded-Proto is peer-gated across the security middleware on the same model, and a WebSocket reconnect to a swapped target is re-validated against the SSRF / blocked-host guard before the connection is reused. See Migration for the one behavior change. · *Authentication and signature verifiers fail closed* — A set of verifiers that could accept a malformed or unsigned credential now refuse it: SAML verifyResponse fails closed on a missing AudienceRestriction or unparseable Conditions; the FDA 21 CFR 11 electronic-signature verify refuses a record with no signature (recordHash alone is self-consistency, not authentication); the SD-JWT key-binding JWT requires an audience and nonce (replay binding) and an expiry when configured; DPoP cross-checks the proof's alg against its embedded JWK key type before importing it; CIBA verifies the ID token on poll and notification; the mdoc trust anchor is enforced (no fail-open); COSE binds the signature algorithm to the key curve; and agent-snapshot refuses allowPlaintext under a regulated compliance posture and gates sealing on vault initialization. · *Pre-auth parsers hardened against complexity and frame-desync denial of service* — Parsers an attacker reaches before any credential check are bounded. CBOR rejects the quadratic-time duplicate-map-key construction (it ran O(n^2) on every COSE / CWT / EAT / mdoc verify) and rejects non-minimal integer/key encodings in canonical mode; JSONPath caps the node-list cross-product that could exhaust memory and rejects the filter expression that could overflow the parser stack; the tar reader caps a random-access entry read and resynchronizes a PAX header whose size field is non-numeric; the gzip reader caps a random-access output size; the YAML scanner replaces a backtracking pattern with a linear scan; the ASN.1 DER reader caps high-tag-number and OID sub-identifier decoding and rejects non-minimal forms; and the scheduler clamps far-future timers so a 32-bit overflow can't make a timer fire immediately or an interval tight-loop. · *Allowlist and posture lookups keyed by untrusted input can't reach the prototype* — Lookups of the form map[untrustedKey] across the framework's allowlist and compliance-posture tables are now own-property checks, so a key like __proto__ or constructor resolves as absent instead of returning an inherited value and walking the gate (CWE-1321). The shared posture-accessor that several guards built by hand is centralized, and an inverse detector flags any re-introduced unguarded indexed lookup. · *Framework file writes are symlink-refusing and atomic* — The predictable-temp and symlink-following write sites (cookie jar, config-drift snapshot, archive extraction, local object store, backup bundle, and the vault passphrase seal/unseal/rotate) now write through the atomic-write primitives above, so a pre-planted symlink at the destination or temp path can no longer redirect a privileged write, and a partial write can't leave a torn file. A re-introduced raw write without the exclusive/no-follow flags is flagged by a detector. · *X.509 issuer chains enforce the CA basic constraint* — Node's checkIssued() does not verify that the issuer certificate is actually a CA (CVE-2002-0862 class), so a leaf signed by a non-CA certificate could be accepted as an issuer. Certificate-chain walking is centralized in one helper that requires the issuer's basicConstraints cA bit and verifies the signature, and every chain consumer (TSA, BIMI, S/MIME, mdoc, content-credentials, the FIDO MDS3 anchor match) routes through it. · *Header, value, and markup injection closed* — Mail rejects CRLF in Reply-To and in custom header keys/values (SMTP header injection); the GDPR data-export CSV writer neutralizes formula-injection prefixes; the content guards decode no-semicolon numeric HTML entities when revealing a dangerous URL scheme (so javascript: is caught); the early-hints emitter rejects CRLF in pushed link values; the HTML/SVG/BIMI comment scanners honor the WHATWG abrupt-comment-close forms (--!>, <!-->) so a mutation-XSS comment can't smuggle markup; and the CSP builder no longer emits a host source alongside 'none'. · *At-rest and egress data is bound to its context* — Backup restore binds each encrypted file blob to its manifest path as additional authenticated data, so a blob remapped to another entry fails the AEAD tag on restore (signed and unsigned bundles alike), and threads the signature-verification options through extraction; the data-subject-request lookup dual-reads the keyed and legacy subject hashes so a subject is still found across the hashing change (GDPR Art. 17); the log redactor collapses a secret nested as an array or object value, not only as a scalar; and the OTLP exporter redacts the span name and status message, not just attributes, before they leave the process. · *Network-protocol verification hardened* — OCSP responses are bound to the requested certificate serial; the WebSocket reader rejects reserved opcodes and reserved bits; the DNS parser refuses a record that reads past the message buffer; the NTP client rejects a reply whose origin timestamp does not echo the request (and the SNTP cookie path was reworked to bind the exchange); DANE TLSA matching is constant-time; and MTA-STS policy fetch fails closed rather than degrading to no-policy on an ambiguous response. · *Byte caps are measured in bytes, and middleware enforcement is per-instance* — Size limits that compared a byte budget against a string's character length (so multibyte input slipped a ~2-4x looser bound) now measure actual bytes — guard-json per-string cap, the per-tenant quota header budget, the JMAP request cap. The CSRF and fetch-metadata middleware track their gate per instance, so mounting a second, stricter instance still enforces (a shared request flag previously let the first, lenient mount disable it); the CSRF cookie is still issued once per response. The WebAssembly global is stripped from the sandbox worker so sandboxed code cannot JIT around the isolation. · *Lost-update races serialized* — Concurrent failure recording in the login lockout and bot-challenge gates is serialized per key, so parallel failed attempts can no longer each read the same pre-write counter and stay under the lockout / challenge threshold. The inline webhook delivery is claimed before the POST so a concurrent retry pass can't double-send it, and a transient transport failure now backs off and retries instead of being dead-lettered. **Migration:** *X-Forwarded-For trust now requires an explicit proxy allowlist* — The IP gates that enforce a security decision — network allowlist, rate limiter, and the break-glass grant IP pin — previously resolved the client IP from the leftmost X-Forwarded-For value whenever trustProxy was truthy. A direct caller could set that header to any address and walk an IP allowlist or evade a rate-limit key (CWE-290 / CWE-348). These gates now fail closed: with trustProxy set but no trustedProxies, they ignore X-Forwarded-For and use the connecting socket's peer address. To keep trusting a forwarded client IP, set trustedProxies to the CIDR(s) of your front proxy/load balancer — the client IP is then resolved by a peer-gated right-to-left walk that stops at the first hop not in the allowlist. For an allowlist / rate-limit / break-glass gate the new default is stricter (it trusts less), so an operator who has not migrated sees tighter enforcement, never looser. Display-only consumers (error pages, request logs) keep the lenient resolution and carry a docstring warning. The wiki example's WIKI_TRUST_PROXY flag is replaced by WIKI_ADMIN_TRUSTED_PROXIES (a CIDR list).
|