@blamejs/blamejs-shop 0.4.86 → 0.4.88

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/SECURITY.md +8 -0
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/cart.js +75 -0
  5. package/lib/storefront.js +8 -1
  6. package/lib/vendor/MANIFEST.json +53 -31
  7. package/lib/vendor/blamejs/.clusterfuzzlite/Dockerfile +7 -2
  8. package/lib/vendor/blamejs/.github/dependabot.yml +12 -0
  9. package/lib/vendor/blamejs/.github/workflows/ci.yml +16 -12
  10. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +3 -1
  11. package/lib/vendor/blamejs/.github/workflows/release-container.yml +23 -0
  12. package/lib/vendor/blamejs/CHANGELOG.md +6 -0
  13. package/lib/vendor/blamejs/api-snapshot.json +10 -2
  14. package/lib/vendor/blamejs/examples/wiki/Dockerfile +19 -2
  15. package/lib/vendor/blamejs/lib/atomic-file.js +32 -9
  16. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +105 -40
  17. package/lib/vendor/blamejs/lib/middleware/dpop.js +54 -31
  18. package/lib/vendor/blamejs/lib/middleware/span-http-server.js +7 -0
  19. package/lib/vendor/blamejs/lib/network-tls.js +12 -2
  20. package/lib/vendor/blamejs/lib/queue-local.js +123 -46
  21. package/lib/vendor/blamejs/lib/queue.js +13 -9
  22. package/lib/vendor/blamejs/lib/request-helpers.js +90 -0
  23. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +69 -7
  24. package/lib/vendor/blamejs/lib/self-update.js +11 -2
  25. package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +11 -11
  26. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +6 -2
  27. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +689 -688
  28. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/Dockerfile +5 -0
  29. package/lib/vendor/blamejs/package.json +1 -1
  30. package/lib/vendor/blamejs/release-notes/v0.15.17.json +52 -0
  31. package/lib/vendor/blamejs/release-notes/v0.15.18.json +49 -0
  32. package/lib/vendor/blamejs/release-notes/v0.15.19.json +18 -0
  33. package/lib/vendor/blamejs/scripts/check-vendor-currency.js +24 -0
  34. package/lib/vendor/blamejs/test/integration/queue-cluster-mysql.test.js +419 -0
  35. package/lib/vendor/blamejs/test/integration/queue-cluster-pg.test.js +471 -0
  36. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt-rejection-envelope.test.js +309 -0
  37. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +35 -8
  38. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js +138 -0
  39. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +26 -0
  40. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-htu-peergating.test.js +227 -0
  41. package/lib/vendor/blamejs/test/layer-0-primitives/queue-flow-repeat.test.js +83 -0
  42. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-poll-asset-digest.test.js +90 -0
  43. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js +274 -0
  44. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-freshness.test.js +192 -0
  45. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +36 -0
  46. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.4.x
10
10
 
11
+ - v0.4.88 (2026-06-24) — **Refreshes the vendored framework to 0.15.19 and makes the vendored-dependency SBOM a committed, drift-guarded artifact.** Two supply-chain changes, no application configuration changes. The vendored blamejs framework moves from 0.15.16 to 0.15.19, picking up a set of upstream correctness and confidentiality fixes that ride inside the primitives the store already composes: a rejection on an established encrypted-API session is now returned inside the encrypted session envelope instead of disclosing which check failed in cleartext; stapled-OCSP response-freshness validation is restored; the DPoP proof's request-URI reconstruction now peer-gates forwarded scheme/host headers; the bundled public-suffix list is refreshed; and a family of credential/certificate verifiers continues to fail closed on an unparseable timestamp. Separately, the vendored-dependency SBOM (sbom.vendored.cdx.json) is now committed to the repository and mechanically projected from the vendored manifest, so its component versions can never silently fall behind what actually ships under lib/vendor/: a build gate fails on any drift, and the published, signed SBOM is the same verified file rather than one regenerated at publish time. Upgrade to pick both up. **Added:** *Vendored-dependency SBOM is a committed, drift-guarded artifact* — sbom.vendored.cdx.json — the CycloneDX 1.6 SBOM describing what ships under lib/vendor/ — is now committed to the repository and generated as a deterministic projection of lib/vendor/MANIFEST.json (the source of truth for the vendored version, license, and source). The vendor refresh regenerates it automatically, and a build gate fails if the committed SBOM drifts from the vendored manifest, so its component versions can never silently fall behind the vendored tree — the same protection the changelog, the release-notes rollup, and the asset-manifest already carry. The signed SBOM published as a release asset is now this same verified file rather than one regenerated at publish time, so the artifact downstream scanners consume is byte-reproducible from the committed source. **Changed:** *Vendored blamejs framework refreshed to 0.15.19* — The vendored framework moves from 0.15.16 to 0.15.19. The changes are upstream correctness and confidentiality fixes that ride inside the primitives the store already uses, with no API or configuration change: a rejection on an established encrypted-API session is now encrypted inside the session envelope rather than returned as a cleartext reason that disclosed which check failed; stapled-OCSP response-freshness enforcement (RFC 6960) is restored after a parsing regression had it reject every response; the DPoP htu reconstruction and the new request-host resolver only honor forwarded scheme/host headers from a declared trusted proxy; the bundled Mozilla public-suffix list (used for cookie-scope and same-site decisions) is refreshed to current upstream; and the credential/certificate validity-window verifiers continue to refuse a present-but-unparseable timestamp instead of skipping the check.
12
+
13
+ - v0.4.87 (2026-06-22) — **Adding a bundle now charges the advertised bundle price even when a member item is already in the cart.** Fixes a pricing bug when adding a product bundle to a cart that already contains one of the bundle's items. Adding a bundle allocates the discounted bundle price across its members and writes each member to the cart at its allocated per-unit price. But when a member variant was already in the cart on its own, the add merged into the existing line and kept that line's standalone list price, so the cart subtotal came out above the advertised bundle price — the shopper was quoted the discounted bundle but charged closer to the full sum of parts. Adding a bundle now adds the bundle's units at the bundle price while preserving any units already in the cart: a fresh bundle add realizes exactly the advertised bundle price, and a bundle added on top of a standalone item keeps that item and adds the bundle at its discounted price (rather than dropping the item or extending the discount to it). No configuration changes; upgrade to pick it up. **Fixed:** *Bundle add honors the bundle price without disturbing existing cart units* — Adding a bundle now adds each member's units at the bundle's allocated per-unit price. On a fresh line the realized subtotal is exactly the advertised bundle price. When the variant is already in the cart, its existing units are kept at their value and the bundle's units are added at the bundle price, so the shopper is neither overcharged (the previous behavior charged the standalone list price for the bundle unit) nor has their existing quantity dropped. Adding the same bundle twice adds two bundles' worth of units. Direct add-to-cart of a standalone item is unchanged.
14
+
11
15
  - v0.4.86 (2026-06-22) — **Failed outbound webhook deliveries are now retried automatically on the backoff schedule, not only by a manual click.** Restores the automatic retry guarantee for outbound webhooks. When an order-lifecycle or low-stock delivery to a subscriber endpoint fails, the delivery already records its next retry time and walks a backoff schedule toward the dead-letter queue — but nothing was ever driving those retries, so a delivery only re-attempted when an operator hand-clicked retry in the admin console. A briefly-unreachable receiver (a deploy, a load-balancer reload) therefore lost every event in the gap. A scheduled tick now re-attempts every due delivery once a minute, so a failed delivery is retried automatically — at one minute, five minutes, thirty minutes, four hours, then a day — until it succeeds or lands in the dead-letter queue, with no manual intervention. The manual retry remains available as an immediate override. No configuration changes; upgrade to pick it up. **Fixed:** *Outbound webhook retries now run automatically* — A scheduled retry pass re-attempts every delivery whose backoff has come due, advancing it through the retry schedule to success or to the dead-letter queue without an operator click. Each delivery is claimed atomically before it is attempted, so two overlapping passes can never re-send the same delivery twice, and a receiver that recovers within the backoff window now receives the events it missed. An operator can still force an immediate retry from the admin console. **Security:** *Bundled framework refreshed to blamejs 0.15.16* — Picks up a broad fail-closed and resource-exhaustion hardening pass that rides inside the composed primitives: a present-but-unparseable timestamp on a credential or certificate verifier (DKIM, ARC, SAML NotBefore, FIDO/BIMI/S-MIME validity windows) now refuses the credential instead of silently skipping the check; DMARC refuses a record with no usable policy rather than defaulting a failing message to delivery; outbound clients enforce an overall wall-clock timeout (not only an idle timer) so a byte-trickling peer can no longer hold a request open indefinitely; DNS lookups gain a default deadline; and append-only log sinks refuse a symlinked path. No configuration changes.
12
16
 
13
17
  - v0.4.85 (2026-06-22) — **Stock-transfer reconciliation credits the destination exactly once, even when retried after a mid-operation failure.** Fixes an inventory-integrity bug in stock-transfer reconciliation. Reconciling a received transfer credits each line's received quantity to the destination shelf and then records the line's discrepancy. If that discrepancy write failed partway through the transfer, reconciliation rolled its own state back so the operator could retry — but the retry credited the already-credited lines a second time, inflating the destination shelf with stock that was never received and could then be oversold. The destination credit is now keyed and idempotent: a retry recognizes a line it has already credited and skips it, so the shelf is credited exactly once no matter how many times reconciliation runs. The release adds one additive, backward-compatible database migration; apply pending migrations on upgrade. **Fixed:** *Stock-transfer reconciliation no longer double-credits the destination on retry* — Reconciling a received transfer credited each line to the destination shelf before stamping the line's discrepancy. A failure between those two steps rolled the transfer back to 'received' for a clean retry, but the retry re-credited every line whose discrepancy had not yet been stamped — including lines already credited on the failed attempt — minting phantom inventory at the destination. The per-line destination credit is now idempotent and keyed to the transfer and line, so re-running reconciliation after any partial failure credits each line exactly once; the discrepancy stamp is no longer load-bearing for correctness. **Migration:** *inventory_adjustments gains a nullable idempotency key* — Adds a nullable idempotency_key column to inventory_adjustments and a unique index over it, so a keyed stock credit records that it has already been applied and a retry that re-presents the key credits nothing. The column is NULL for every existing row and for plain stock adjustments, which already apply atomically; only keyed credits set it. The change is additive and backward-compatible — apply pending D1 migrations on upgrade.
package/SECURITY.md CHANGED
@@ -59,6 +59,14 @@ cosign verify-blob sbom.cdx.json \
59
59
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
60
60
  ```
61
61
 
62
+ `sbom.vendored.cdx.json` is committed to the repository and generated
63
+ as a deterministic projection of `lib/vendor/MANIFEST.json`. The vendor
64
+ refresh regenerates it, and a build gate (`build-vendored-sbom.js
65
+ --check`) fails if it drifts from the vendored manifest, so the signed
66
+ SBOM you verify is byte-reproducible from the committed source — its
67
+ component versions can never silently fall behind what ships under
68
+ `lib/vendor/`.
69
+
62
70
  ### 4. Byte digests + ML-DSA-65 signature (PQC-first)
63
71
 
64
72
  The release tarball ships with three digest / signature sidecars
@@ -1,5 +1,5 @@
1
1
  {
2
- "version": "0.4.86",
2
+ "version": "0.4.88",
3
3
  "assets": {
4
4
  "css/admin.css": {
5
5
  "integrity": "sha384-imfe0otYErcB8rr2h6KLSGTtStirysptpXETSPY4zLv3bZoIT75Lo1dOvkOav+xL",
package/lib/cart.js CHANGED
@@ -233,6 +233,81 @@ function create(opts) {
233
233
  return { id: id, cart_id: cartId, variant_id: input.variant_id, sku: variantRow.sku, qty: input.qty, unit_amount_minor: unitAmount, unit_currency: unitCurrency, added_at: ts, updated_at: ts };
234
234
  },
235
235
 
236
+ // Add a bundle member's units at the bundle's allocated price. addLine is a
237
+ // qty-bump that KEEPS the existing line's price, so a member already in the
238
+ // cart standalone would charge the standalone list price for the bundle's
239
+ // unit too — pushing the cart subtotal above the advertised bundle price.
240
+ // setBundleLine instead ADDS the bundle's units to the line (preserving any
241
+ // quantity already there) and prices the line so the existing units keep
242
+ // their value and the bundle's units are added at the bundle price: the new
243
+ // line carries the COMBINED value (existing qty x existing price + bundle
244
+ // qty x bundle price) as a single integer per-unit price. The cart stores
245
+ // one price per variant line — UNIQUE(cart_id, variant_id) — so a
246
+ // pre-existing line and the bundle's units cannot carry separate prices;
247
+ // blending the combined value onto one line is the faithful single-line
248
+ // representation. It neither drops the shopper's existing units (charging
249
+ // less) nor leaks the bundle discount onto units they already had at list
250
+ // (charging less). On a fresh line the price is exactly the bundle's
251
+ // allocated price. Re-adding the same bundle adds another bundle's worth of
252
+ // units (it is NOT idempotent — two adds is two bundles). Rounding the
253
+ // blended unit to a whole minor unit can leave a sub-unit residual on a
254
+ // mixed line (bounded to under one unit); it rounds up so the line never
255
+ // charges below the combined value. The price snapshot is REQUIRED — the
256
+ // bundle pricer is authoritative, there is no catalog fallback.
257
+ setBundleLine: async function (cartId, input) {
258
+ _uuid(cartId, "cart_id");
259
+ if (!input || typeof input !== "object") throw new TypeError("cart.setBundleLine: input object required");
260
+ _uuid(input.variant_id, "variant_id");
261
+ _qty(input.qty);
262
+ if (!Number.isInteger(input.unit_amount_minor) || input.unit_amount_minor < 0) {
263
+ throw new TypeError("cart.setBundleLine: unit_amount_minor must be a non-negative integer");
264
+ }
265
+ if (typeof input.unit_currency !== "string" || !CURRENCY_RE.test(input.unit_currency)) {
266
+ throw new TypeError("cart.setBundleLine: unit_currency must be a 3-letter ISO 4217 code");
267
+ }
268
+ var cartRow = (await query("SELECT * FROM carts WHERE id = ?1", [cartId])).rows[0];
269
+ if (!cartRow) throw new TypeError("cart.setBundleLine: cart " + cartId + " not found");
270
+ if (cartRow.status !== "active") throw new TypeError("cart.setBundleLine: cart status is " + cartRow.status + ", cannot modify");
271
+ var variantRow = (await query("SELECT sku FROM variants WHERE id = ?1", [input.variant_id])).rows[0];
272
+ if (!variantRow) throw new TypeError("cart.setBundleLine: variant " + input.variant_id + " not found");
273
+ var existing = (await query(
274
+ "SELECT * FROM cart_lines WHERE cart_id = ?1 AND variant_id = ?2 LIMIT 1",
275
+ [cartId, input.variant_id],
276
+ )).rows[0];
277
+ var ts = _now();
278
+ if (existing) {
279
+ var mergedQty = existing.qty + input.qty;
280
+ _qty(mergedQty);
281
+ // Combined value of the units already on the line plus the bundle's
282
+ // units at the bundle price, expressed as one integer per-unit price.
283
+ // Round up so a non-divisible blend never charges below the combined
284
+ // value (a sub-unit residual, never the standalone list price).
285
+ var mergedTotal = (existing.qty * existing.unit_amount_minor) + (input.qty * input.unit_amount_minor);
286
+ var blendedUnit = Math.ceil(mergedTotal / mergedQty);
287
+ await query(
288
+ "UPDATE cart_lines SET qty = ?1, unit_amount_minor = ?2, unit_currency = ?3, updated_at = ?4 WHERE id = ?5",
289
+ [mergedQty, blendedUnit, input.unit_currency, ts, existing.id],
290
+ );
291
+ await query("UPDATE carts SET updated_at = ?1 WHERE id = ?2", [ts, cartId]);
292
+ return Object.assign({}, existing, {
293
+ qty: mergedQty, unit_amount_minor: blendedUnit,
294
+ unit_currency: input.unit_currency, updated_at: ts,
295
+ });
296
+ }
297
+ var id = b.uuid.v7();
298
+ await query(
299
+ "INSERT INTO cart_lines (id, cart_id, variant_id, sku, qty, unit_amount_minor, unit_currency, added_at, updated_at) " +
300
+ "VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?8)",
301
+ [id, cartId, input.variant_id, variantRow.sku, input.qty, input.unit_amount_minor, input.unit_currency, ts],
302
+ );
303
+ await query("UPDATE carts SET updated_at = ?1 WHERE id = ?2", [ts, cartId]);
304
+ return {
305
+ id: id, cart_id: cartId, variant_id: input.variant_id, sku: variantRow.sku,
306
+ qty: input.qty, unit_amount_minor: input.unit_amount_minor,
307
+ unit_currency: input.unit_currency, added_at: ts, updated_at: ts,
308
+ };
309
+ },
310
+
236
311
  // Scope the mutation to (lineId, cartId): a caller who learns
237
312
  // another visitor's cart_lines.id (it's rendered in their own cart
238
313
  // HTML as the update/remove form action) can't mutate it because
package/lib/storefront.js CHANGED
@@ -21236,7 +21236,14 @@ function mount(router, deps) {
21236
21236
  try {
21237
21237
  for (var k = 0; k < members.length; k += 1) {
21238
21238
  var mk = members[k];
21239
- await deps.cart.addLine(resolved.cart.id, {
21239
+ // Add each member's units at the bundle's allocated price. addLine
21240
+ // would qty-bump a pre-existing standalone line and keep its list
21241
+ // price, charging list for the bundle's unit and overcharging the
21242
+ // bundle; setBundleLine adds the bundle units while preserving any
21243
+ // units already on the line (see its contract for the mixed-line
21244
+ // pricing). On a fresh line the price is exactly the allocated price,
21245
+ // so a clean bundle add realizes the advertised bundle total.
21246
+ await deps.cart.setBundleLine(resolved.cart.id, {
21240
21247
  variant_id: mk.variant_id,
21241
21248
  qty: mk.qty,
21242
21249
  unit_amount_minor: mk.unit,
@@ -3,8 +3,8 @@
3
3
  "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
4
4
  "packages": {
5
5
  "blamejs": {
6
- "version": "0.15.16",
7
- "tag": "v0.15.16",
6
+ "version": "0.15.19",
7
+ "tag": "v0.15.19",
8
8
  "license": "Apache-2.0",
9
9
  "author": "blamejs contributors",
10
10
  "source": "https://github.com/blamejs/blamejs",
@@ -837,6 +837,9 @@
837
837
  "release-notes/v0.15.14.json": "lib/vendor/blamejs/release-notes/v0.15.14.json",
838
838
  "release-notes/v0.15.15.json": "lib/vendor/blamejs/release-notes/v0.15.15.json",
839
839
  "release-notes/v0.15.16.json": "lib/vendor/blamejs/release-notes/v0.15.16.json",
840
+ "release-notes/v0.15.17.json": "lib/vendor/blamejs/release-notes/v0.15.17.json",
841
+ "release-notes/v0.15.18.json": "lib/vendor/blamejs/release-notes/v0.15.18.json",
842
+ "release-notes/v0.15.19.json": "lib/vendor/blamejs/release-notes/v0.15.19.json",
840
843
  "release-notes/v0.15.2.json": "lib/vendor/blamejs/release-notes/v0.15.2.json",
841
844
  "release-notes/v0.15.3.json": "lib/vendor/blamejs/release-notes/v0.15.3.json",
842
845
  "release-notes/v0.15.4.json": "lib/vendor/blamejs/release-notes/v0.15.4.json",
@@ -938,6 +941,8 @@
938
941
  "test/integration/object-store-worm-lock.test.js": "lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js",
939
942
  "test/integration/pqc-pkcs8-forward-compat.test.js": "lib/vendor/blamejs/test/integration/pqc-pkcs8-forward-compat.test.js",
940
943
  "test/integration/pubsub.test.js": "lib/vendor/blamejs/test/integration/pubsub.test.js",
944
+ "test/integration/queue-cluster-mysql.test.js": "lib/vendor/blamejs/test/integration/queue-cluster-mysql.test.js",
945
+ "test/integration/queue-cluster-pg.test.js": "lib/vendor/blamejs/test/integration/queue-cluster-pg.test.js",
941
946
  "test/integration/queue-redis.test.js": "lib/vendor/blamejs/test/integration/queue-redis.test.js",
942
947
  "test/integration/queue-sqs.test.js": "lib/vendor/blamejs/test/integration/queue-sqs.test.js",
943
948
  "test/integration/redis-client-tls.test.js": "lib/vendor/blamejs/test/integration/redis-client-tls.test.js",
@@ -976,6 +981,7 @@
976
981
  "test/layer-0-primitives/ai-pref.test.js": "lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js",
977
982
  "test/layer-0-primitives/ai-prompt.test.js": "lib/vendor/blamejs/test/layer-0-primitives/ai-prompt.test.js",
978
983
  "test/layer-0-primitives/ai-quota.test.js": "lib/vendor/blamejs/test/layer-0-primitives/ai-quota.test.js",
984
+ "test/layer-0-primitives/api-encrypt-rejection-envelope.test.js": "lib/vendor/blamejs/test/layer-0-primitives/api-encrypt-rejection-envelope.test.js",
979
985
  "test/layer-0-primitives/api-encrypt.test.js": "lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js",
980
986
  "test/layer-0-primitives/app-shutdown.test.js": "lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js",
981
987
  "test/layer-0-primitives/archive-gz.test.js": "lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js",
@@ -992,6 +998,7 @@
992
998
  "test/layer-0-primitives/asyncapi.test.js": "lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js",
993
999
  "test/layer-0-primitives/atomic-file-conflict-path.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js",
994
1000
  "test/layer-0-primitives/atomic-file-exclusive-temp.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js",
1001
+ "test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js",
995
1002
  "test/layer-0-primitives/atomic-file-fd-read.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js",
996
1003
  "test/layer-0-primitives/atomic-file-open-append-nofollow.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-append-nofollow.test.js",
997
1004
  "test/layer-0-primitives/atomic-file-open-nofollow.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js",
@@ -1156,6 +1163,7 @@
1156
1163
  "test/layer-0-primitives/dnssec.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js",
1157
1164
  "test/layer-0-primitives/dora.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dora.test.js",
1158
1165
  "test/layer-0-primitives/dpop-alg-kty.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js",
1166
+ "test/layer-0-primitives/dpop-htu-peergating.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dpop-htu-peergating.test.js",
1159
1167
  "test/layer-0-primitives/dpop-middleware-replaystore-required.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js",
1160
1168
  "test/layer-0-primitives/dr-runbook.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js",
1161
1169
  "test/layer-0-primitives/dsa.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js",
@@ -1430,6 +1438,8 @@
1430
1438
  "test/layer-0-primitives/security-headers.test.js": "lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js",
1431
1439
  "test/layer-0-primitives/security-txt.test.js": "lib/vendor/blamejs/test/layer-0-primitives/security-txt.test.js",
1432
1440
  "test/layer-0-primitives/seeders.test.js": "lib/vendor/blamejs/test/layer-0-primitives/seeders.test.js",
1441
+ "test/layer-0-primitives/self-update-poll-asset-digest.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update-poll-asset-digest.test.js",
1442
+ "test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js",
1433
1443
  "test/layer-0-primitives/self-update-standalone-verifier.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js",
1434
1444
  "test/layer-0-primitives/self-update.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js",
1435
1445
  "test/layer-0-primitives/server-timing.test.js": "lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js",
@@ -1467,6 +1477,7 @@
1467
1477
  "test/layer-0-primitives/time.test.js": "lib/vendor/blamejs/test/layer-0-primitives/time.test.js",
1468
1478
  "test/layer-0-primitives/tls-exporter.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-exporter.test.js",
1469
1479
  "test/layer-0-primitives/tls-ocsp-ct.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-ct.test.js",
1480
+ "test/layer-0-primitives/tls-ocsp-freshness.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-freshness.test.js",
1470
1481
  "test/layer-0-primitives/tls-ocsp-verify.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-verify.test.js",
1471
1482
  "test/layer-0-primitives/tls-pinset-drift.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-pinset-drift.test.js",
1472
1483
  "test/layer-0-primitives/tls-preferred-groups.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-preferred-groups.test.js",
@@ -1505,9 +1516,9 @@
1505
1516
  "test/smoke.js": "lib/vendor/blamejs/test/smoke.js"
1506
1517
  },
1507
1518
  "bundler": "shallow git clone of release tag from github.com/blamejs/blamejs",
1508
- "bundledAt": "2026-06-22",
1519
+ "bundledAt": "2026-06-24",
1509
1520
  "hashes": {
1510
- ".clusterfuzzlite/Dockerfile": "sha256:c0f51f4c7d592caea19fdcb658778fe3beda648bb95c3e8809622e1209a18cf1",
1521
+ ".clusterfuzzlite/Dockerfile": "sha256:1eed98fcc49172efc1c1a7740dba20ce6cfcb3830cccd9f28cf114b4b39794f3",
1511
1522
  ".clusterfuzzlite/build.sh": "sha256:b9f5a627272c65f6569fa20dcbb32c383ca3a1183ce2562d481408a2fbaf9881",
1512
1523
  ".clusterfuzzlite/project.yaml": "sha256:8eafa9380e6f975b0b56350f37e5096db283d44c1ea448b25fde1958586e06e0",
1513
1524
  ".dockerignore": "sha256:37cd6917661eb77d1a056640ca92c50b0330aafe79b7b7eb648e464de38b9e01",
@@ -1519,14 +1530,14 @@
1519
1530
  ".github/ISSUE_TEMPLATE/feature_request.md": "sha256:97d28b8dbbdd40018ca3ff3c43a1beaab1fe3ed906de0e9e3653b27c7e615266",
1520
1531
  ".github/PULL_REQUEST_TEMPLATE.md": "sha256:943ded5b67dccff1cda27ee5c4cf1377e5185ec9130b01fa6085789042955640",
1521
1532
  ".github/codeql/codeql-config.yml": "sha256:f1c7fb934ebfefcc1096ba2a4b79b1451e4a0435ac7bd5e31a375649a34c1980",
1522
- ".github/dependabot.yml": "sha256:cbd6f3458d494ca70d3c760e2c43a2f86addeb618143cd490c708a0db2b2dda0",
1533
+ ".github/dependabot.yml": "sha256:657e51fb662ea796b78252453757ded815eb31a84555d7f0e8bd2fefb0179c1e",
1523
1534
  ".github/workflows/actions-lint.yml": "sha256:4645422e39b087eef80db9d27d04cc907ff0c45e957631d51484061ea0feca2f",
1524
1535
  ".github/workflows/cflite_batch.yml": "sha256:dc9117537e7350781b4cf2d3c05120f43810cd226642ecb2a02fac5813ba61c6",
1525
1536
  ".github/workflows/cflite_pr.yml": "sha256:d18ec0c50915b4a20006463946e577484e8a0248250d1bde16805465818d76b8",
1526
- ".github/workflows/ci.yml": "sha256:02cffa1ca54f29e7f4326dc6ee98a72631aa5cb3cfc146149ce83a208465f35e",
1537
+ ".github/workflows/ci.yml": "sha256:3c6346aa39163ae8d4ec80e6091dd2395ab442317244e1f6fcef7d5d78eda904",
1527
1538
  ".github/workflows/codeql.yml": "sha256:e990dcab0c70133bc1316eb035babb0cb8d9d948aff1a361c90fcf802a8d0339",
1528
- ".github/workflows/npm-publish.yml": "sha256:c8478fb59b2945605007d76b7a585a3f5592896d9a8402bac09b10fdf0dcfa68",
1529
- ".github/workflows/release-container.yml": "sha256:7de9005f5ecbdf1ac30a577bc986a417ea56415fc73503ab75d3c96908d64bed",
1539
+ ".github/workflows/npm-publish.yml": "sha256:3d8d1f64c1e2c253a2fd2b8f283cd7887fb984bf514194d4737ebdbeb8f832cb",
1540
+ ".github/workflows/release-container.yml": "sha256:a5a428981abbf7c13179a76cb59e5199a5152b315bc274305838b97c2000fe80",
1530
1541
  ".github/workflows/scorecard.yml": "sha256:0395433ffddc1abbac5dad5f8251ddddb6a9ac2c03f65cb2b8d7f84253825004",
1531
1542
  ".github/workflows/sha-to-tag-verify.yml": "sha256:6ed546bdb518514c79a69aa9afe87c92903a8663afb57d4d07b5e81fbda8b844",
1532
1543
  ".github/zizmor.yml": "sha256:fe08e66c5763dfb4edf1ea33e715f04e514b1baceb3a242241d8a60793db51d2",
@@ -1536,7 +1547,7 @@
1536
1547
  ".npmrc": "sha256:66f104e7d07c496d2d0409988225e8c0e4ceb8d247dbcac3be75b2128d20ce66",
1537
1548
  ".pinact.yaml": "sha256:0213ffda55961dc49b64c0a5dfa3c0567419633b1499d57eaf7c8d842d7da6c7",
1538
1549
  "ARCHITECTURE.md": "sha256:9b1c8d2b1b7a41838eb348b0a008e4b4369718fd72bfe2974b37155f7536d35b",
1539
- "CHANGELOG.md": "sha256:388b50ed32f785a21b9ef31b0b83a83b9a4da01fe15e1dca69b3ce91c4d7b84e",
1550
+ "CHANGELOG.md": "sha256:ebd9e3a79a0dce5518430a52c9c6e24cbf7bad0406bbed2c4e7ad5eb1ab297c6",
1540
1551
  "CODE_OF_CONDUCT.md": "sha256:148a281960fff7c2fe6554dab66da572c72245ddeb00b0d14811558397bff386",
1541
1552
  "CONTRIBUTING.md": "sha256:bb4dbdbc8598da31dbce653a8ed322e08ff46560173f2eb67a4d684653948332",
1542
1553
  "GOVERNANCE.md": "sha256:906df6afb1f552b27b9acb50f7f96c47b917a2f1021cd4e987dbf4ee0e0a821b",
@@ -1546,7 +1557,7 @@
1546
1557
  "NOTICE": "sha256:f487fa47a11aca0f89e2615cdd3c713e9842abf7a30d8d328eeeae1c864aa774",
1547
1558
  "README.md": "sha256:3ddcc197b003da0b02db8bdd1aef1e943c94f7eab613c633d6a45bb11d0a80e9",
1548
1559
  "SECURITY.md": "sha256:23f7ee4a44f21e433ed1d3c6f414575eb3e30f66a328422973a1109a276c537b",
1549
- "api-snapshot.json": "sha256:fb9df9dec00549ae9a669c304afa57a3b81e49ddb49bd2ada5f4ea37c71550a9",
1560
+ "api-snapshot.json": "sha256:719da0f2483fb5672ee09e398f4d85304c875f6f9df96f21ad32cdc3aa1cc3b5",
1550
1561
  "assets/BlameJS_Logo.png": "sha256:3c65699753c771b48ef9ac7f45bb40815ec19a23afcdd0cd30ef4601bbbe293e",
1551
1562
  "assets/BlameJS_Logo.svg": "sha256:dda44f3fb1343d5de9db6b1fcdb75fc649c57e7a99a8e8239fcf852e3841e1a8",
1552
1563
  "bench/README.md": "sha256:74202f2507fd840bfc1ac6c681975d9273cf36cca6e0f72655f138337304033c",
@@ -1584,7 +1595,7 @@
1584
1595
  "eslint.config.mjs": "sha256:532a857418bf2cf0b709e0227414b2ec6f73de450d2a6e27904924fd43d08a2d",
1585
1596
  "examples/wiki/Caddyfile": "sha256:6428e568e2c30c5cc014822725df6998b5eb102c92e0bf7f556ab39532c96690",
1586
1597
  "examples/wiki/DEPLOY.md": "sha256:a6d7a3b0edc37ccf767146816137aa03b09bef66051e89f7e062aa379e6d0bf3",
1587
- "examples/wiki/Dockerfile": "sha256:5f9589f2327ba1e3b47782bb5c0e41a4d001f8c0d4d59c90cad15c2318209a8f",
1598
+ "examples/wiki/Dockerfile": "sha256:63284d227872a39d267ed158000cc3b8307da5733e9500085a29671fd9ca603e",
1588
1599
  "examples/wiki/README.md": "sha256:74319ff6cbdb16c7d0eb2aa3ef1b33f9692f778f36a3688b0ee88d6154ea3ae5",
1589
1600
  "examples/wiki/cli-snapshot.json": "sha256:9fc00825db2a12172d8a91a687c0e8b96a276191db36f1d437bf7e5cb45b8954",
1590
1601
  "examples/wiki/docker-compose.prod.yml": "sha256:33280a0039be004195ef0197db94c233a12742cb653f2d7473c8265cf4ee3faf",
@@ -1791,7 +1802,7 @@
1791
1802
  "lib/asyncapi-bindings.js": "sha256:2f6f3d7ea836d0483e40f08b8202d78bae54bdc3d76b5faf57d918e699ebeac8",
1792
1803
  "lib/asyncapi-traits.js": "sha256:82ec58b77f0a65ef1b5e8b67ee9555e9cb984de769c3393fe5c6d4d0640546f0",
1793
1804
  "lib/asyncapi.js": "sha256:c26da54ab6760da0043178abb85960e857b6e8f77f31dc3ced8db95760e25a00",
1794
- "lib/atomic-file.js": "sha256:70be6c998a1de20342c0cec0d6137e4a80d195287ff9073c43bc2c7ad28aca4c",
1805
+ "lib/atomic-file.js": "sha256:b93b008c121f785d149d4450681467b18785781c3a82b9b001bb2a7d636c3ad1",
1795
1806
  "lib/audit-chain.js": "sha256:1c9895a2bbf6ce3b4c546b1b3c95ac9d5ed55d82a2b58c0de4e3ecc1947c3c31",
1796
1807
  "lib/audit-daily-review.js": "sha256:61cebe47d6e5eeeedcab45515473acfaab623217810a7ab3629b3aeca5028519",
1797
1808
  "lib/audit-emit.js": "sha256:1171699027269e154fd247141a549e65bcdb566e52ed00b993c7dfb9a293ba0f",
@@ -2081,7 +2092,7 @@
2081
2092
  "lib/metrics.js": "sha256:edc2a3f08a48ab67c9e805cb75839cc9d326ac334478b0f30db0423102ee5713",
2082
2093
  "lib/middleware/age-gate.js": "sha256:dc8c61a4d41f4a781220c9c97eb475fb2867f5ee444eb2756badcbc5b8411795",
2083
2094
  "lib/middleware/ai-act-disclosure.js": "sha256:6fc62940d85813019b31c586fc86853570329a939565a6947f81052d50977c42",
2084
- "lib/middleware/api-encrypt.js": "sha256:8807759081c1427ee9daa40edd5ecfe588bc43cf7c989c0b7c5f27df8a523d12",
2095
+ "lib/middleware/api-encrypt.js": "sha256:f90210bfc4fe04b50f6d72e14676a140c5759e255ed359567066a1e80ab5fb63",
2085
2096
  "lib/middleware/assetlinks.js": "sha256:bb36f8d53991668b4ae1557d0cab3ec8b479a16f9133c43f9adc07963c8b4750",
2086
2097
  "lib/middleware/asyncapi-serve.js": "sha256:a0f0b62b264a5cd8a24e3cfddae722a84b5e2206729f77403906a1d1cfcd7c7b",
2087
2098
  "lib/middleware/attach-user.js": "sha256:776424918bf302378da99a85ff20c91a42f8c9f528ab435cd7a06b95ec523d6d",
@@ -2100,7 +2111,7 @@
2100
2111
  "lib/middleware/daily-byte-quota.js": "sha256:204b0535b9ebee864118be4407d67a3dd09802c93cde4f4e9ede1ac0ee64111d",
2101
2112
  "lib/middleware/db-role-for.js": "sha256:b9879c17dbf7fa3d299f402043592a133176a74ac1bcb49b0b717253d4ad1d3a",
2102
2113
  "lib/middleware/deny-response.js": "sha256:073d78a1b64f18a846ab0162c7797d88eda56f3de1b8239664464e3fde8aceea",
2103
- "lib/middleware/dpop.js": "sha256:4494b53af018669f79766511a3a94e68b378fb0c3ffb555a2d3e5de466a5588e",
2114
+ "lib/middleware/dpop.js": "sha256:32987396e36252ce4ea57e9d0d8e8bbd755de1c4f4d6089e7e3eaa413a575e4b",
2104
2115
  "lib/middleware/error-handler.js": "sha256:7c0baf2e6b37f1c9330775396bc46a87943a253ceba540379db4785d305c396c",
2105
2116
  "lib/middleware/fetch-metadata.js": "sha256:5c7c6afe0f82004a2410ef3be5dfd8e4ea51b4aa194193a1b64acba535707d75",
2106
2117
  "lib/middleware/flag-context.js": "sha256:76fefb869244267f3b2bf24c4dd0b40fcba0988552b62d8b48208d116b85ee3f",
@@ -2128,7 +2139,7 @@
2128
2139
  "lib/middleware/scim-server.js": "sha256:2f38d77c7e949df9e219e4b351a6eb047dc85a7337aca932ac4b598e953c471d",
2129
2140
  "lib/middleware/security-headers.js": "sha256:87506e572454033b33955d58d9f0cbfdc14edc63c1cbe7e01f0dc4f07753c64d",
2130
2141
  "lib/middleware/security-txt.js": "sha256:3140d6537aa09a7052d83088840358949dd36393697fa2215f8f915d31aaa112",
2131
- "lib/middleware/span-http-server.js": "sha256:9fb94fa14c41b2969cce5bc9877ce49de3576d3991cfc7cc64ef2129fdec2cb6",
2142
+ "lib/middleware/span-http-server.js": "sha256:6ab5561e779192fedf4d25e708240a38457164096912e11b528b87b10dc8a2b7",
2132
2143
  "lib/middleware/speculation-rules.js": "sha256:ca102beebd529ec42244d9d709d3c4cb9dd27669bc324bb707ea508294250b63",
2133
2144
  "lib/middleware/sse.js": "sha256:d0094cb33fced9bc748edd1f6d55fba6029ff3bff6da735d72ad5d10806f02f7",
2134
2145
  "lib/middleware/trace-log-correlation.js": "sha256:f6a36bfcb666cee5434867b1841092793491491bb9da7bc92626dd93cfa7b0d0",
@@ -2151,7 +2162,7 @@
2151
2162
  "lib/network-nts.js": "sha256:90ce47584ad58c171e8029eb1d5df8ba4ba130c4038d1fe260109685c34c8f75",
2152
2163
  "lib/network-proxy.js": "sha256:9342c534863f905000d2432b67c26dd7a5ea02be25aaf9ebe05976079e61d4c9",
2153
2164
  "lib/network-smtp-policy.js": "sha256:a7b6c91983b312a16c436d3e15259f8f6a84579e2e55f64106285b22795e1510",
2154
- "lib/network-tls.js": "sha256:d39d7e56d3fe987dbb1bd5b4caed2425adc9105a4491b7305a27e1dbe4a6ea31",
2165
+ "lib/network-tls.js": "sha256:e3207b0fbeaf209b9fa678aff7a7bb465c3258f6696fb70e96507cfd57d654a0",
2155
2166
  "lib/network-tsig.js": "sha256:41dc85a6e816cce1c58c36891dfc6bafc612b68978936107a09a5a553563e0d7",
2156
2167
  "lib/network.js": "sha256:40cb01627bf45741cac22ef79f5985f69323e47732d54cf3ce28c06882830c25",
2157
2168
  "lib/nis2-report.js": "sha256:fa106a4f95dd9301d7da966c5792197bdbebac477a4f1d2fd2ac2481fbd818fd",
@@ -2205,14 +2216,14 @@
2205
2216
  "lib/pubsub-cluster.js": "sha256:9068e6819807fe75e5c4306bceb44eee82d877b19df20fb7d0b9ad445b1632bf",
2206
2217
  "lib/pubsub-redis.js": "sha256:342bff39d7e27cb8a20dec8f4e0ec4ad2f3d014f2081a1236d68276e7f3ae803",
2207
2218
  "lib/pubsub.js": "sha256:c2b5394a64081c92ed61cdaa5c98a9a403c403fca64b0ff409e0ca29df7c9525",
2208
- "lib/queue-local.js": "sha256:6fa51df760cab698cad2c442d8e2ef0256b31ba7cf5f4c8fcdbe412e099d4516",
2219
+ "lib/queue-local.js": "sha256:d26c2ffcf70ea5255f9da64246e68eaf84802d5434b8b202d5cb3b605d76448f",
2209
2220
  "lib/queue-redis.js": "sha256:c30d2c7201a7cc0519d39c675730c0b857f5dfa83c5fdd7235a6d3d51ee86996",
2210
2221
  "lib/queue-sqs.js": "sha256:0868647c6ff66619b828ca0f5aa9ab0e72fbc1450853efa2f63c971c8f456fed",
2211
- "lib/queue.js": "sha256:e9bc41e04f2fd1bec7c11dcb2d0e1259c59d62cf39c789103d6ed7345891c604",
2222
+ "lib/queue.js": "sha256:27b0e2399f5e3646a2ee26c5780fc37ff6da164c58bfb2c39b55b16ed8e4dec6",
2212
2223
  "lib/redact.js": "sha256:1cd102db31eb48ffbc677c39013ddc1b829db7597d808785a7b202a5e0dc691d",
2213
2224
  "lib/redis-client.js": "sha256:9f8168b11b81ce7b649b2e0658ceeb7134a257435b611f4917d36e1ed178a3e5",
2214
2225
  "lib/render.js": "sha256:1890c0cce371ea93c1820f70ea544dee25d8d9bd427fdfd6688d7cb17720ed8b",
2215
- "lib/request-helpers.js": "sha256:def9efbbcb6a3f66ef605eb46887decabcd82ea59d0c4c3a495f9d4536189317",
2226
+ "lib/request-helpers.js": "sha256:a27c87b949d98bb8aff1ab1b6d250e8fb4540f1dc749371c40b930bc3b47f2e7",
2216
2227
  "lib/resource-access-lock.js": "sha256:868d2c0a59d2ca2757a334858779d23e0cde9c18bf63c535350d8ebd6ae20b53",
2217
2228
  "lib/restore-bundle.js": "sha256:c2a9c3af19434a2072ea4cc721211119f71ba363bbbad9df7ac34a3ff03e43e2",
2218
2229
  "lib/restore-rollback.js": "sha256:f00e2f40e2e6a14bc6687afe8c112e367d83314eb04592d9ba399cb699fb0e03",
@@ -2248,8 +2259,8 @@
2248
2259
  "lib/sec-cyber.js": "sha256:569cd22e4e3133a114188e6327d33f314c592d14721407df56266d294609f9d9",
2249
2260
  "lib/security-assert.js": "sha256:4a98cec339c0b421534fc650c9500fe8a1b39f89181d651a58a13e2ff9a8ae0f",
2250
2261
  "lib/seeders.js": "sha256:cf27cf0d88bf9b6d8ba34d65af983e11aa8949f00c6df984dfbb73a1553a7767",
2251
- "lib/self-update-standalone-verifier.js": "sha256:8309b2dcafe705f1e545b4b0c640cd1ecac5930959f116e2c30d5ceb41777eee",
2252
- "lib/self-update.js": "sha256:4b2403f36d949ce632ef003e0eac29c245d6c5fc8c83ca3cd47069753b2c7af2",
2262
+ "lib/self-update-standalone-verifier.js": "sha256:0b3781c6bb80c59e3e483c94a3acac6be04ba6c2ad74c8fac404763d788f6dd8",
2263
+ "lib/self-update.js": "sha256:d7d3a9e405dd51f9ecbbc9dc6029080c138765ccb91d80ce724745c8ed2b0b73",
2253
2264
  "lib/server-timing.js": "sha256:74f2556480363c860a7c80a3f2bc1adb68fee53aa4335059069fae66a1eb627c",
2254
2265
  "lib/session-device-binding.js": "sha256:4365c1449498fdcc0f0619200ea9522febe071ec445ab9f4e165614953340d53",
2255
2266
  "lib/session-stores.js": "sha256:b79de919061a2bfeb090185bcc511919fb01d3e7a495fe0a7c711cf6cf65137b",
@@ -2287,7 +2298,7 @@
2287
2298
  "lib/vc.js": "sha256:554cf29ea712b231256e1eaa75f6b1f1d39c392aac86b33e818d52e956ea83ae",
2288
2299
  "lib/vendor-data.js": "sha256:ddb77b33d89a2c5345deca98eacb45695d4c8a70014bc5df22c7393f52e11416",
2289
2300
  "lib/vendor/.vendor-data-pubkey": "sha256:73a935b8c72f55d821c22ddb8188453bab324f80d229d033a0a1549819a1f096",
2290
- "lib/vendor/MANIFEST.json": "sha256:14a34884bb8b8a2096f92d5e5cdc02b2630930fa4d4d7aa66bb9b62c49b5f03c",
2301
+ "lib/vendor/MANIFEST.json": "sha256:09194d50f99999485fb525da118afd815c475be0ef4f6e58fbc3f41ffd91d1dd",
2291
2302
  "lib/vendor/bimi-trust-anchors.data.js": "sha256:aa7a4d33b65a68422a2a2c1670177689f66fdcaa08bd2514d78798b827bd1608",
2292
2303
  "lib/vendor/bimi-trust-anchors.pem": "sha256:81ff9f5ab3c9774132c845684e783be95cf73146f8b670d964105f0a3765b4b4",
2293
2304
  "lib/vendor/common-passwords-top-10000.data.js": "sha256:87b223beca89f33d2c2c32a2cfda0bc187e58061de40e7127bb5ffc4258c6e2a",
@@ -2296,8 +2307,8 @@
2296
2307
  "lib/vendor/noble-curves.cjs": "sha256:ebf254d5eb56aef8705a1c4af9603f47987b4870a9bb5e657e06907b701e2731",
2297
2308
  "lib/vendor/noble-post-quantum.cjs": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68",
2298
2309
  "lib/vendor/pki.cjs": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77",
2299
- "lib/vendor/public-suffix-list.dat": "sha256:927884952ea8857ba3608eefe617f3c8acd63ad94be7b0bfb7586632cfc59560",
2300
- "lib/vendor/public-suffix-list.data.js": "sha256:c2f67f5e7f7306eb5ec26548ea275673c652cfdd830b909fd63ed2b39e4838f6",
2310
+ "lib/vendor/public-suffix-list.dat": "sha256:0adddeb62057d8d40799dffb29fe14f65dd009259afe02eb2f0b4602b791aae6",
2311
+ "lib/vendor/public-suffix-list.data.js": "sha256:82af512cacf0fd2c60925e63f877b69477b1b2f7bb5af698fd862af61369902e",
2301
2312
  "lib/vendor/simplewebauthn-server.cjs": "sha256:f359a782ac57e3ff56ac71083d17f5c082f88ab49d645fc2bede398b47adebdb",
2302
2313
  "lib/vendor/vendor-data-pubkey.js": "sha256:a12afa34cd7472e2eaebad2fcd44714102d3edd0601e45769404124a513926d0",
2303
2314
  "lib/vex.js": "sha256:b45c1c9729dfc69f2140478d46eec91f47da94b5f440be36fa825cb733a718fc",
@@ -2313,11 +2324,11 @@
2313
2324
  "lib/ws-client.js": "sha256:e92abc9749576b8f93327e89bf3171dc3799e8dd427d2071b1ac362222c95faa",
2314
2325
  "lib/x509-chain.js": "sha256:fdc0ecd264d9de0e039f348e819675fdf3838d61097a97a0e3e119def338722a",
2315
2326
  "lib/xml-c14n.js": "sha256:01a27d20df99ebd6eaefbff0aad933a2231049f65a54ae994236694d4146ce5d",
2316
- "oss-fuzz/projects/blamejs/Dockerfile": "sha256:277c9e93cf2e8746b0a6d09a0678b35cbe700e9c2373bdc1b2177ed2167b7359",
2327
+ "oss-fuzz/projects/blamejs/Dockerfile": "sha256:6c48ec4d81f4b1836a6b43701a2497cf737002413dd0da6a10892be1498b0766",
2317
2328
  "oss-fuzz/projects/blamejs/README.md": "sha256:ae13b7bb79ed8d69b1b3276e5562807a0349fb6e6b7d11cf1f683aad1eafdb4b",
2318
2329
  "oss-fuzz/projects/blamejs/build.sh": "sha256:0ced1cf21782c97be7f8d74faf5e27a308b60b2f858836fb5ca3b8c4e939a8f7",
2319
2330
  "oss-fuzz/projects/blamejs/project.yaml": "sha256:59f2cb83aa622325a175b77416fe155be15b70a9c798bd1a78bba05763b1b03d",
2320
- "package.json": "sha256:ff50471bd603fb8a5194e5283800f7d8616e848b49b2b8907bd3b2560d923d86",
2331
+ "package.json": "sha256:c625373887cfae872dde0fca9ea6955278d6fc721128c04bbd01a31986b9d409",
2321
2332
  "release-notes/v0.0.x.json": "sha256:7a49819f30068ee119000cad7010194882bb8bfaa12acbdab4dfc066efb7982f",
2322
2333
  "release-notes/v0.1.x.json": "sha256:6742a8c17f947c5cb76f69dead7eea86b942d80621d914b774ba5488e09937e5",
2323
2334
  "release-notes/v0.10.x.json": "sha256:fe498045daf88337bd3d987e5964aa42c99a50e1685b6f09e51f698b8687726f",
@@ -2334,6 +2345,9 @@
2334
2345
  "release-notes/v0.15.14.json": "sha256:13e065666436b6d852d1e9e17933d7ee2327bbe7b3d6adc5cec846c858140f34",
2335
2346
  "release-notes/v0.15.15.json": "sha256:5e8f3456e4efa180e8ba368b92616f9f3e57745cdca5fad9bba1c013f728632b",
2336
2347
  "release-notes/v0.15.16.json": "sha256:6b3b7872fbdfd527dbcc74f2015776808d2af55a9452054f6086c8c8bc2e4a42",
2348
+ "release-notes/v0.15.17.json": "sha256:b9d01a1e9acb55af09d8f8671ec1814b98e20c576b61f6bdf69ea65c269295be",
2349
+ "release-notes/v0.15.18.json": "sha256:c8b3ce7af0f7863cdc3f5179f0525469331720a80b741b73236fdd6f4243bbaa",
2350
+ "release-notes/v0.15.19.json": "sha256:8c6a745accd2c551953464991bb23547e8cf87286d57938c57080755785e58b5",
2337
2351
  "release-notes/v0.15.2.json": "sha256:36e1423dda94ed4e55c660e0fae882019005d8de3ee5e3b6ac4f38ccf8e744a2",
2338
2352
  "release-notes/v0.15.3.json": "sha256:19a0074c445545468ca3cc411b21ec8bdb27be2669ae1950347cc244f6aa348c",
2339
2353
  "release-notes/v0.15.4.json": "sha256:6ac7fa0ef1728c27e71b2050d1b07a810f9b4b1440ccddbf28ad56e2f54d8585",
@@ -2356,7 +2370,7 @@
2356
2370
  "scripts/check-changelog-extract.js": "sha256:ac1e74b090cb8b5e0b3fc9d65a1484ce184eca9ba9ccc512a61540d854bfc81d",
2357
2371
  "scripts/check-pack-against-gitignore.js": "sha256:42cbd1e329ab7469984a30d6bc3e9b0af4defffced6dcf970c4f8cb7ad35da4c",
2358
2372
  "scripts/check-services.js": "sha256:8c07b049fc899827c2d1ef2c136a3d0c3c43143b1546f28e44739ecec187f777",
2359
- "scripts/check-vendor-currency.js": "sha256:d21f9d1c831d3d0be56817bd35d74d8ca1ee1d0934b6736fec96959dc0282f9f",
2373
+ "scripts/check-vendor-currency.js": "sha256:48c88ab874cabb6e8eb2ffa373037ae870279ff38061cf96fe49b3f07cfcacd4",
2360
2374
  "scripts/consolidate-release-notes.js": "sha256:620de442c834fa99a7b668b93cf8788384a0aa802ce419953459c88451d8ec73",
2361
2375
  "scripts/gen-migrating.js": "sha256:2177f6b9bf60d6e9c161a0419caa248d2bef9eb7beb5223a10e8cab3ecc555b1",
2362
2376
  "scripts/generate-changelog-entry.js": "sha256:2c0a1a395d2d1b30c1679883c694e27dc6f8e73d950c4deeb118ef5a4f01fd12",
@@ -2435,6 +2449,8 @@
2435
2449
  "test/integration/object-store-worm-lock.test.js": "sha256:106f4187ee31db531166c6eccc91a63881bc602afc2fef64dee1be187a7f27c2",
2436
2450
  "test/integration/pqc-pkcs8-forward-compat.test.js": "sha256:e638c657bdb91e85a1fa2f81e0c0b266ffe5454e57b08069b615a292dec56230",
2437
2451
  "test/integration/pubsub.test.js": "sha256:0a4233eb01466e3f162e136ee716f90ab6db19943e3597a1edbe7aa3c2755962",
2452
+ "test/integration/queue-cluster-mysql.test.js": "sha256:45392a3af2475d1ffac255b1d75166ddbbc6a9e1a1676b13d9bc89542a8d19cf",
2453
+ "test/integration/queue-cluster-pg.test.js": "sha256:08014d3c0fb9cd5a741921f6940aa7e21a416b5cf8613e9341e8b2c25ff69304",
2438
2454
  "test/integration/queue-redis.test.js": "sha256:bc8d2f9974ca787cfc2f53869638ea2f985da49f3fe7f2322410e99e3758129a",
2439
2455
  "test/integration/queue-sqs.test.js": "sha256:75a30b1249032bd21d7357074d6fe046043dfac0794f7ab0536c834b21801699",
2440
2456
  "test/integration/redis-client-tls.test.js": "sha256:634f43b764f4aa55e753b01ccb8fe4a43eebc5e7c1b3e17926d80114e55584b3",
@@ -2473,7 +2489,8 @@
2473
2489
  "test/layer-0-primitives/ai-pref.test.js": "sha256:c80d19bc1bbaf36925614e38a65b0fe8cabad7f27ee525638924d07812bae27d",
2474
2490
  "test/layer-0-primitives/ai-prompt.test.js": "sha256:102a2f1d52a86f9d5bb86eea0b701ff919aa531833fb93b024be56868439cdd4",
2475
2491
  "test/layer-0-primitives/ai-quota.test.js": "sha256:53f96ce0e68c4f09956eb2ee22cca53d1a48ec5da7c026de58e116b78091fb78",
2476
- "test/layer-0-primitives/api-encrypt.test.js": "sha256:ea7dd8e5fc4c0923e11993da405eb09d83741bf621c96425dd89e43dedd791ec",
2492
+ "test/layer-0-primitives/api-encrypt-rejection-envelope.test.js": "sha256:e410cae39f264fb1ca17709dfb226c5b96650e336a95c2b7046e2f013a9a2af1",
2493
+ "test/layer-0-primitives/api-encrypt.test.js": "sha256:a615fda5be5337098b840fd7982c8256511338e4ffc4216a6d8b18bcca719f3d",
2477
2494
  "test/layer-0-primitives/app-shutdown.test.js": "sha256:e4036095036971bb830217f1cc9efd43d697f7d85958eab5fa7fa5d0c176be57",
2478
2495
  "test/layer-0-primitives/archive-gz.test.js": "sha256:69ec18221fbc89094dec16dc92d9eb1af359a2a9f0df5c2d1f9ff60506e1b8af",
2479
2496
  "test/layer-0-primitives/archive-read.test.js": "sha256:ecc0f7100b94a239023cbc857d1fe025768a5d123c73133c714cda3550a2a451",
@@ -2489,6 +2506,7 @@
2489
2506
  "test/layer-0-primitives/asyncapi.test.js": "sha256:835f999d8cb96d7d94b35d950d71bd1995af088ec6296e82256959972fb4d7fb",
2490
2507
  "test/layer-0-primitives/atomic-file-conflict-path.test.js": "sha256:b1e95ff12e5f6871762cc23ed6b862b4cf18097b743e5d4f90abaa4e53601794",
2491
2508
  "test/layer-0-primitives/atomic-file-exclusive-temp.test.js": "sha256:9a0a6193b8051caf1a5e34a7f0be6b12ec92abcadb26468384b0484c55984144",
2509
+ "test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js": "sha256:622d809e14d932f0fafdb62f61f1357d6a118fe8076365ccab3077edc47b257b",
2492
2510
  "test/layer-0-primitives/atomic-file-fd-read.test.js": "sha256:f94032960507df635acb5676022b13bfe284ba383f2c301f773a74e9876ecb08",
2493
2511
  "test/layer-0-primitives/atomic-file-open-append-nofollow.test.js": "sha256:39dc85cd84fba390d13ccb2f9cbe8f0e17bb9f24048550706e1bd456711abb82",
2494
2512
  "test/layer-0-primitives/atomic-file-open-nofollow.test.js": "sha256:25bccec5c4ac37f6b273c3a23d2c202b45b028a42f00eacd1999e8057a24d1b4",
@@ -2576,7 +2594,7 @@
2576
2594
  "test/layer-0-primitives/cluster-storage.test.js": "sha256:238b3b3db0eba3e6312a863710533178f566347b90e161e564481aa826707647",
2577
2595
  "test/layer-0-primitives/cluster-vault-rotation.test.js": "sha256:3514e9e71d6c39e805248f58ad2f41528d091e196c0f3766a032675677161b2d",
2578
2596
  "test/layer-0-primitives/cms-codec.test.js": "sha256:7e46078ed82be5b69d22c48f22dba37ea5015371c2a8cf5f94fb1a792fb7bb78",
2579
- "test/layer-0-primitives/codebase-patterns.test.js": "sha256:3c1e23573b17d69c0edaa6d963ee00cfafc251803d3bd4007c932c31a72e3a70",
2597
+ "test/layer-0-primitives/codebase-patterns.test.js": "sha256:a4464c7a07430e0b3627f9bbe71f51ace0c5107bf9a14868c87fc2bfa86d5e24",
2580
2598
  "test/layer-0-primitives/codepoint-class.test.js": "sha256:19764d50264a98cb8fb28575dd82ff7a97e857922c42d9efe886e13d5063e0c5",
2581
2599
  "test/layer-0-primitives/compliance-ai-act.test.js": "sha256:5ee4ad05d12233cb3c5457ef10a727833710bbc1ce1318838f9f9ef5d2cb8d4b",
2582
2600
  "test/layer-0-primitives/compliance-cascade.test.js": "sha256:ee02cf14541a837a9d7977c6ea6bf7f9210bed293925d93c976e31f270aebec4",
@@ -2653,6 +2671,7 @@
2653
2671
  "test/layer-0-primitives/dnssec.test.js": "sha256:aee94082891ee6d72d47dda08c91011bfd3f61d91e5ac204387337cc0c1e5295",
2654
2672
  "test/layer-0-primitives/dora.test.js": "sha256:e046e66ad07fe7b69e8763c53cc7514956362b161500977548bdc47964813fc2",
2655
2673
  "test/layer-0-primitives/dpop-alg-kty.test.js": "sha256:64d7c85ae95d49b82a29bec74d81ce134025917c25a21992bcdf6645b48e19be",
2674
+ "test/layer-0-primitives/dpop-htu-peergating.test.js": "sha256:a328ebe9c97d272de9f4cf15368b03764e75f5afd3d38e1ee59b69aaf089eb87",
2656
2675
  "test/layer-0-primitives/dpop-middleware-replaystore-required.test.js": "sha256:d9545ff47438cc57e0d9d65fdb411d8f064a19d0d23e203e59d2ba41f4a5c829",
2657
2676
  "test/layer-0-primitives/dr-runbook.test.js": "sha256:9665caaa90f356d0237e0e6c6889c56a3467b20c7eaf78d2e2afa51c4b3af2cb",
2658
2677
  "test/layer-0-primitives/dsa.test.js": "sha256:2cdbdd29b9c58d738920bb4f82f73492eab56e7d7f8111f1cdb14838de3a3ab3",
@@ -2867,7 +2886,7 @@
2867
2886
  "test/layer-0-primitives/pubsub.test.js": "sha256:7eb5ecf3fc353696efc0696e63529d467ff3bf6278c859890e3fdcabd6212d13",
2868
2887
  "test/layer-0-primitives/queue-byo-db.test.js": "sha256:d47565249dd7d4ae11eacf158f040f3ce7e36ad5c39de48c65cb99d6e560b0fe",
2869
2888
  "test/layer-0-primitives/queue-dlq-extend-lease.test.js": "sha256:437081c4bb7104e202ce7a36f09ea141b8bfef4df780b9c2877be63c717ac9a1",
2870
- "test/layer-0-primitives/queue-flow-repeat.test.js": "sha256:95188ece064808f914696c8ee191d5716902f4b8318892cca60bfb134416017a",
2889
+ "test/layer-0-primitives/queue-flow-repeat.test.js": "sha256:3b423ccb286e5a70e0f5c6a93c15db909753041fb2f6e6378a44342331757f78",
2871
2890
  "test/layer-0-primitives/queue-priority-rate-progress.test.js": "sha256:c87fea0add1545f2ba39209445346bff9c81916ad1d3bc7c02d73348fb938d80",
2872
2891
  "test/layer-0-primitives/queue-sqs.test.js": "sha256:d3d60ecd1c8a1bbac17a23a4c92b002648fbfae341313f7484ff5a0e9dbf9427",
2873
2892
  "test/layer-0-primitives/rate-limit-cluster.test.js": "sha256:732f28a7737c6696c02f554b5b7e5d4328a3eacb84ab1491b8b058c2ba603ee7",
@@ -2927,6 +2946,8 @@
2927
2946
  "test/layer-0-primitives/security-headers.test.js": "sha256:555c05dc947ecb652cce7ee8ebf55a0550a4d0b70d031e8f4941c29edbf35dcd",
2928
2947
  "test/layer-0-primitives/security-txt.test.js": "sha256:d06a84b0e10b64c1df2f4d0ca423ad7f1a5fddf21f74f2ddf394a3dab04e8b85",
2929
2948
  "test/layer-0-primitives/seeders.test.js": "sha256:b481f73ee88cc703501fafd075865d5be0b58f98080e63984e7f3db762e5fe8e",
2949
+ "test/layer-0-primitives/self-update-poll-asset-digest.test.js": "sha256:6cc8e8e4c50cfc7c092aa82377fb4aaa8bda8ba2ab3b9ff93a43c4070757bd26",
2950
+ "test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js": "sha256:10856013eabb3fbc4c6924bdd98a4e1e32200320e79b8dbb5d4dc41cabca9ed9",
2930
2951
  "test/layer-0-primitives/self-update-standalone-verifier.test.js": "sha256:01a603efc2ad576fd2a958bc6fb0bf9738c628b9f73ca706089fb2ddfb4b8796",
2931
2952
  "test/layer-0-primitives/self-update.test.js": "sha256:8f0b956a24a609913d14a25a39c03ac4e148f9ae88dcbaa28fbc8fa72517b249",
2932
2953
  "test/layer-0-primitives/server-timing.test.js": "sha256:03fbad2878a8d629c0abf59c175d6de7b113e49b3eaffbdcd950b03920e54693",
@@ -2964,6 +2985,7 @@
2964
2985
  "test/layer-0-primitives/time.test.js": "sha256:59f6dcd5753b9bb97508044c30cfca948c4707dd8d107dab5eab53f0dcd91e84",
2965
2986
  "test/layer-0-primitives/tls-exporter.test.js": "sha256:95b68f297c773799ea0cb5b679add3f98be137fc53f6b981aa00c3d135bf7fe3",
2966
2987
  "test/layer-0-primitives/tls-ocsp-ct.test.js": "sha256:7c98ddde33095683a3be527fee9e868501ca99eac74cc40fe1c56ca6018f1660",
2988
+ "test/layer-0-primitives/tls-ocsp-freshness.test.js": "sha256:0d979ecdbc7d9c62bcb32e0f2594fa5425bed4a25ef3793915ad0890398fabf7",
2967
2989
  "test/layer-0-primitives/tls-ocsp-verify.test.js": "sha256:f726bb9387c570cee945a2b927070899bc7ae933ec09ba481c3aa5f0d11d2ba6",
2968
2990
  "test/layer-0-primitives/tls-pinset-drift.test.js": "sha256:6b7c530326a1025819257daec21711d6f889a8523f2766595f7cc28563f5badc",
2969
2991
  "test/layer-0-primitives/tls-preferred-groups.test.js": "sha256:7d3620cbde85289a98a385a3c3ba9d17f0bb2b8e5f5f9398b5641ff9d1e2b181",
@@ -2978,7 +3000,7 @@
2978
3000
  "test/layer-0-primitives/vault-rotate-aad.test.js": "sha256:92a4e0c565d300844e2f302b2c024234f88859259e909713d8167279f73bc459",
2979
3001
  "test/layer-0-primitives/vault-seal-pem-file.test.js": "sha256:33fafcc0b082fb1357f7fbeb446afbfc5852664a1cc6ee40073fd6a68fb2d768",
2980
3002
  "test/layer-0-primitives/vc.test.js": "sha256:504fadbce3c8210c7ecb74e927686bdec03d7581b1dae4150c2ebefc326c182b",
2981
- "test/layer-0-primitives/vendor-currency-classify.test.js": "sha256:8fdcd91963ca0027b8cc6ad8d8991b8f8154075312fdc68cd8dd2b38fb7b30d2",
3003
+ "test/layer-0-primitives/vendor-currency-classify.test.js": "sha256:a56c08cce24a600fa827756d220159365a2c3cc30428ade49df97b19466125a6",
2982
3004
  "test/layer-0-primitives/vendor-data.test.js": "sha256:e216ae83b187c66f1002c419e4af2701573e5743666007b564a0257332bc0c9b",
2983
3005
  "test/layer-0-primitives/vendor-manifest.test.js": "sha256:55685bd11686bf76495ec29769470de05a6aaf4648d2b5722d96f213d9e32587",
2984
3006
  "test/layer-0-primitives/vex.test.js": "sha256:4a06e3e9a6ea8ffe3ab2c0af69cbe2835c1d50768c184308bb2e40638c8998cc",
@@ -9,8 +9,13 @@
9
9
  # fuzz workflows (`.github/workflows/cflite_*.yml`). OSS-Fuzz upstream
10
10
  # uses the project-specific Dockerfile under `oss-fuzz/projects/blamejs/`
11
11
  # which mirrors this shape — keep them in sync.
12
-
13
- FROM gcr.io/oss-fuzz-base/base-builder-javascript
12
+ #
13
+ # The base is digest-pinned for a reproducible CI fuzz toolchain (Dependabot
14
+ # bumps it via the docker ecosystem entry for /.clusterfuzzlite). Note: the
15
+ # oss-fuzz/projects/blamejs/ copy is intentionally left on the floating tag —
16
+ # OSS-Fuzz's own build infra expects projects to track the latest base-builder,
17
+ # so pinning there would diverge from upstream convention.
18
+ FROM gcr.io/oss-fuzz-base/base-builder-javascript@sha256:0588debfb70a08145c31bf744c2ebdd892611679b9cb5689d9c481bf9e11086c
14
19
 
15
20
  # Copy the framework source. ClusterFuzzLite mounts the repo at
16
21
  # $SRC/blamejs, so we COPY everything (including fuzz/) into one
@@ -35,3 +35,15 @@ updates:
35
35
  labels:
36
36
  - "deps"
37
37
  - "docker"
38
+
39
+ # Keeps the digest-pinned oss-fuzz base-builder in .clusterfuzzlite/Dockerfile
40
+ # current (the oss-fuzz/projects/ submission copy is intentionally unpinned —
41
+ # it tracks upstream, see that file's header).
42
+ - package-ecosystem: "docker"
43
+ directory: "/.clusterfuzzlite"
44
+ schedule:
45
+ interval: "weekly"
46
+ open-pull-requests-limit: 3
47
+ labels:
48
+ - "deps"
49
+ - "docker"
@@ -42,11 +42,11 @@ jobs:
42
42
  runs-on: ${{ matrix.os }}
43
43
  # Backstop against a hung child no watchdog reaped (and against the
44
44
  # watchdog logic itself regressing): without this a stuck job rides
45
- # GitHub's 6-hour default. The per-file watchdog allows the heavy
46
- # pattern-catalog file up to 10 minutes on a contended runner, so
47
- # the job budget is sized to the suite (~20-30 min on the slow
48
- # runners) plus that allowance.
49
- timeout-minutes: 40
45
+ # GitHub's 6-hour default. The job budget is sized to the suite plus
46
+ # the per-file watchdog allowance below; the 3-core macOS runner is
47
+ # the long pole (codebase-patterns alone scans the whole lib/ corpus),
48
+ # so the ceiling sits above the per-file watchdog with reporting slack.
49
+ timeout-minutes: 50
50
50
  strategy:
51
51
  fail-fast: false
52
52
  matrix:
@@ -119,13 +119,17 @@ jobs:
119
119
  UV_THREADPOOL_SIZE: "16"
120
120
  # Per-file watchdog budget. codebase-patterns scans the whole
121
121
  # lib/ corpus across eight shingle sizes; on the 3-core
122
- # macos-latest runner that legitimately takes 13-18 min (vs
123
- # ~2.5 min on ubuntu), so the budget must clear the macOS
124
- # worst case with headroom while still failing a genuinely
125
- # stuck file. 25 min sits above the observed macOS high-water
126
- # and below the 40-min job ceiling. (600s guillotined a
127
- # slow-but-passing macOS run.)
128
- SMOKE_FILE_TIMEOUT_MS: "1500000"
122
+ # macos-latest runner that legitimately takes ~20-30 min under
123
+ # the parallel forks (vs ~2.5 min on ubuntu), and that runtime
124
+ # tracks the lib/ corpus, which keeps growing. The budget must
125
+ # clear the macOS worst case with headroom while still failing
126
+ # a genuinely stuck file. 25 min sat right at the grown macOS
127
+ # high-water and began flaking (the heaviest file is starved by
128
+ # the parallel forks, not hung); 35 min restores headroom and
129
+ # stays below the 50-min job ceiling. (Earlier: 600s guillotined
130
+ # a slow-but-passing macOS run; 25 min then held until the
131
+ # corpus outgrew it.)
132
+ SMOKE_FILE_TIMEOUT_MS: "2100000"
129
133
  run: node test/smoke.js
130
134
 
131
135
  wiki-e2e:
@@ -144,7 +144,9 @@ jobs:
144
144
  severity: error
145
145
 
146
146
  - name: Install devDependencies (esbuild + postject for bundler-output smoke gate)
147
- run: npm install --no-audit --no-fund --no-save esbuild postject
147
+ # Exact-version pinned (matching ci.yml) the publish path builds the
148
+ # bundle with deterministic tool versions rather than floating latest.
149
+ run: npm install --no-audit --no-fund --no-save esbuild@0.28.1 postject@1.0.0-alpha.6
148
150
 
149
151
  - name: Show Node + npm version
150
152
  run: |