@blamejs/blamejs-shop 0.4.87 → 0.4.89

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/SECURITY.md +22 -9
  3. package/lib/asset-manifest.json +1 -1
  4. package/lib/gift-card-ledger.js +72 -15
  5. package/lib/store-credit.js +340 -89
  6. package/lib/vendor/MANIFEST.json +53 -31
  7. package/lib/vendor/blamejs/.clusterfuzzlite/Dockerfile +7 -2
  8. package/lib/vendor/blamejs/.github/dependabot.yml +12 -0
  9. package/lib/vendor/blamejs/.github/workflows/ci.yml +16 -12
  10. package/lib/vendor/blamejs/.github/workflows/npm-publish.yml +3 -1
  11. package/lib/vendor/blamejs/.github/workflows/release-container.yml +23 -0
  12. package/lib/vendor/blamejs/CHANGELOG.md +6 -0
  13. package/lib/vendor/blamejs/api-snapshot.json +10 -2
  14. package/lib/vendor/blamejs/examples/wiki/Dockerfile +19 -2
  15. package/lib/vendor/blamejs/lib/atomic-file.js +32 -9
  16. package/lib/vendor/blamejs/lib/middleware/api-encrypt.js +105 -40
  17. package/lib/vendor/blamejs/lib/middleware/dpop.js +54 -31
  18. package/lib/vendor/blamejs/lib/middleware/span-http-server.js +7 -0
  19. package/lib/vendor/blamejs/lib/network-tls.js +12 -2
  20. package/lib/vendor/blamejs/lib/queue-local.js +123 -46
  21. package/lib/vendor/blamejs/lib/queue.js +13 -9
  22. package/lib/vendor/blamejs/lib/request-helpers.js +90 -0
  23. package/lib/vendor/blamejs/lib/self-update-standalone-verifier.js +69 -7
  24. package/lib/vendor/blamejs/lib/self-update.js +11 -2
  25. package/lib/vendor/blamejs/lib/vendor/MANIFEST.json +11 -11
  26. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.dat +6 -2
  27. package/lib/vendor/blamejs/lib/vendor/public-suffix-list.data.js +689 -688
  28. package/lib/vendor/blamejs/oss-fuzz/projects/blamejs/Dockerfile +5 -0
  29. package/lib/vendor/blamejs/package.json +1 -1
  30. package/lib/vendor/blamejs/release-notes/v0.15.17.json +52 -0
  31. package/lib/vendor/blamejs/release-notes/v0.15.18.json +49 -0
  32. package/lib/vendor/blamejs/release-notes/v0.15.19.json +18 -0
  33. package/lib/vendor/blamejs/scripts/check-vendor-currency.js +24 -0
  34. package/lib/vendor/blamejs/test/integration/queue-cluster-mysql.test.js +419 -0
  35. package/lib/vendor/blamejs/test/integration/queue-cluster-pg.test.js +471 -0
  36. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt-rejection-envelope.test.js +309 -0
  37. package/lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js +35 -8
  38. package/lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js +138 -0
  39. package/lib/vendor/blamejs/test/layer-0-primitives/codebase-patterns.test.js +26 -0
  40. package/lib/vendor/blamejs/test/layer-0-primitives/dpop-htu-peergating.test.js +227 -0
  41. package/lib/vendor/blamejs/test/layer-0-primitives/queue-flow-repeat.test.js +83 -0
  42. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-poll-asset-digest.test.js +90 -0
  43. package/lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js +274 -0
  44. package/lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-freshness.test.js +192 -0
  45. package/lib/vendor/blamejs/test/layer-0-primitives/vendor-currency-classify.test.js +36 -0
  46. package/package.json +1 -1
@@ -3,8 +3,8 @@
3
3
  "_about": "blamejs.shop vendors a single framework — blamejs — which itself bundles every server-side crypto/identity dependency. The transitive packages blamejs ships are surfaced in its own MANIFEST.json at lib/vendor/blamejs/lib/vendor/MANIFEST.json — Trivy / Grype rely on that nested data for CVE attribution.",
4
4
  "packages": {
5
5
  "blamejs": {
6
- "version": "0.15.16",
7
- "tag": "v0.15.16",
6
+ "version": "0.15.19",
7
+ "tag": "v0.15.19",
8
8
  "license": "Apache-2.0",
9
9
  "author": "blamejs contributors",
10
10
  "source": "https://github.com/blamejs/blamejs",
@@ -837,6 +837,9 @@
837
837
  "release-notes/v0.15.14.json": "lib/vendor/blamejs/release-notes/v0.15.14.json",
838
838
  "release-notes/v0.15.15.json": "lib/vendor/blamejs/release-notes/v0.15.15.json",
839
839
  "release-notes/v0.15.16.json": "lib/vendor/blamejs/release-notes/v0.15.16.json",
840
+ "release-notes/v0.15.17.json": "lib/vendor/blamejs/release-notes/v0.15.17.json",
841
+ "release-notes/v0.15.18.json": "lib/vendor/blamejs/release-notes/v0.15.18.json",
842
+ "release-notes/v0.15.19.json": "lib/vendor/blamejs/release-notes/v0.15.19.json",
840
843
  "release-notes/v0.15.2.json": "lib/vendor/blamejs/release-notes/v0.15.2.json",
841
844
  "release-notes/v0.15.3.json": "lib/vendor/blamejs/release-notes/v0.15.3.json",
842
845
  "release-notes/v0.15.4.json": "lib/vendor/blamejs/release-notes/v0.15.4.json",
@@ -938,6 +941,8 @@
938
941
  "test/integration/object-store-worm-lock.test.js": "lib/vendor/blamejs/test/integration/object-store-worm-lock.test.js",
939
942
  "test/integration/pqc-pkcs8-forward-compat.test.js": "lib/vendor/blamejs/test/integration/pqc-pkcs8-forward-compat.test.js",
940
943
  "test/integration/pubsub.test.js": "lib/vendor/blamejs/test/integration/pubsub.test.js",
944
+ "test/integration/queue-cluster-mysql.test.js": "lib/vendor/blamejs/test/integration/queue-cluster-mysql.test.js",
945
+ "test/integration/queue-cluster-pg.test.js": "lib/vendor/blamejs/test/integration/queue-cluster-pg.test.js",
941
946
  "test/integration/queue-redis.test.js": "lib/vendor/blamejs/test/integration/queue-redis.test.js",
942
947
  "test/integration/queue-sqs.test.js": "lib/vendor/blamejs/test/integration/queue-sqs.test.js",
943
948
  "test/integration/redis-client-tls.test.js": "lib/vendor/blamejs/test/integration/redis-client-tls.test.js",
@@ -976,6 +981,7 @@
976
981
  "test/layer-0-primitives/ai-pref.test.js": "lib/vendor/blamejs/test/layer-0-primitives/ai-pref.test.js",
977
982
  "test/layer-0-primitives/ai-prompt.test.js": "lib/vendor/blamejs/test/layer-0-primitives/ai-prompt.test.js",
978
983
  "test/layer-0-primitives/ai-quota.test.js": "lib/vendor/blamejs/test/layer-0-primitives/ai-quota.test.js",
984
+ "test/layer-0-primitives/api-encrypt-rejection-envelope.test.js": "lib/vendor/blamejs/test/layer-0-primitives/api-encrypt-rejection-envelope.test.js",
979
985
  "test/layer-0-primitives/api-encrypt.test.js": "lib/vendor/blamejs/test/layer-0-primitives/api-encrypt.test.js",
980
986
  "test/layer-0-primitives/app-shutdown.test.js": "lib/vendor/blamejs/test/layer-0-primitives/app-shutdown.test.js",
981
987
  "test/layer-0-primitives/archive-gz.test.js": "lib/vendor/blamejs/test/layer-0-primitives/archive-gz.test.js",
@@ -992,6 +998,7 @@
992
998
  "test/layer-0-primitives/asyncapi.test.js": "lib/vendor/blamejs/test/layer-0-primitives/asyncapi.test.js",
993
999
  "test/layer-0-primitives/atomic-file-conflict-path.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-conflict-path.test.js",
994
1000
  "test/layer-0-primitives/atomic-file-exclusive-temp.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-exclusive-temp.test.js",
1001
+ "test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js",
995
1002
  "test/layer-0-primitives/atomic-file-fd-read.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-fd-read.test.js",
996
1003
  "test/layer-0-primitives/atomic-file-open-append-nofollow.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-append-nofollow.test.js",
997
1004
  "test/layer-0-primitives/atomic-file-open-nofollow.test.js": "lib/vendor/blamejs/test/layer-0-primitives/atomic-file-open-nofollow.test.js",
@@ -1156,6 +1163,7 @@
1156
1163
  "test/layer-0-primitives/dnssec.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dnssec.test.js",
1157
1164
  "test/layer-0-primitives/dora.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dora.test.js",
1158
1165
  "test/layer-0-primitives/dpop-alg-kty.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dpop-alg-kty.test.js",
1166
+ "test/layer-0-primitives/dpop-htu-peergating.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dpop-htu-peergating.test.js",
1159
1167
  "test/layer-0-primitives/dpop-middleware-replaystore-required.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dpop-middleware-replaystore-required.test.js",
1160
1168
  "test/layer-0-primitives/dr-runbook.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dr-runbook.test.js",
1161
1169
  "test/layer-0-primitives/dsa.test.js": "lib/vendor/blamejs/test/layer-0-primitives/dsa.test.js",
@@ -1430,6 +1438,8 @@
1430
1438
  "test/layer-0-primitives/security-headers.test.js": "lib/vendor/blamejs/test/layer-0-primitives/security-headers.test.js",
1431
1439
  "test/layer-0-primitives/security-txt.test.js": "lib/vendor/blamejs/test/layer-0-primitives/security-txt.test.js",
1432
1440
  "test/layer-0-primitives/seeders.test.js": "lib/vendor/blamejs/test/layer-0-primitives/seeders.test.js",
1441
+ "test/layer-0-primitives/self-update-poll-asset-digest.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update-poll-asset-digest.test.js",
1442
+ "test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js",
1433
1443
  "test/layer-0-primitives/self-update-standalone-verifier.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update-standalone-verifier.test.js",
1434
1444
  "test/layer-0-primitives/self-update.test.js": "lib/vendor/blamejs/test/layer-0-primitives/self-update.test.js",
1435
1445
  "test/layer-0-primitives/server-timing.test.js": "lib/vendor/blamejs/test/layer-0-primitives/server-timing.test.js",
@@ -1467,6 +1477,7 @@
1467
1477
  "test/layer-0-primitives/time.test.js": "lib/vendor/blamejs/test/layer-0-primitives/time.test.js",
1468
1478
  "test/layer-0-primitives/tls-exporter.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-exporter.test.js",
1469
1479
  "test/layer-0-primitives/tls-ocsp-ct.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-ct.test.js",
1480
+ "test/layer-0-primitives/tls-ocsp-freshness.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-freshness.test.js",
1470
1481
  "test/layer-0-primitives/tls-ocsp-verify.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-ocsp-verify.test.js",
1471
1482
  "test/layer-0-primitives/tls-pinset-drift.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-pinset-drift.test.js",
1472
1483
  "test/layer-0-primitives/tls-preferred-groups.test.js": "lib/vendor/blamejs/test/layer-0-primitives/tls-preferred-groups.test.js",
@@ -1505,9 +1516,9 @@
1505
1516
  "test/smoke.js": "lib/vendor/blamejs/test/smoke.js"
1506
1517
  },
1507
1518
  "bundler": "shallow git clone of release tag from github.com/blamejs/blamejs",
1508
- "bundledAt": "2026-06-22",
1519
+ "bundledAt": "2026-06-24",
1509
1520
  "hashes": {
1510
- ".clusterfuzzlite/Dockerfile": "sha256:c0f51f4c7d592caea19fdcb658778fe3beda648bb95c3e8809622e1209a18cf1",
1521
+ ".clusterfuzzlite/Dockerfile": "sha256:1eed98fcc49172efc1c1a7740dba20ce6cfcb3830cccd9f28cf114b4b39794f3",
1511
1522
  ".clusterfuzzlite/build.sh": "sha256:b9f5a627272c65f6569fa20dcbb32c383ca3a1183ce2562d481408a2fbaf9881",
1512
1523
  ".clusterfuzzlite/project.yaml": "sha256:8eafa9380e6f975b0b56350f37e5096db283d44c1ea448b25fde1958586e06e0",
1513
1524
  ".dockerignore": "sha256:37cd6917661eb77d1a056640ca92c50b0330aafe79b7b7eb648e464de38b9e01",
@@ -1519,14 +1530,14 @@
1519
1530
  ".github/ISSUE_TEMPLATE/feature_request.md": "sha256:97d28b8dbbdd40018ca3ff3c43a1beaab1fe3ed906de0e9e3653b27c7e615266",
1520
1531
  ".github/PULL_REQUEST_TEMPLATE.md": "sha256:943ded5b67dccff1cda27ee5c4cf1377e5185ec9130b01fa6085789042955640",
1521
1532
  ".github/codeql/codeql-config.yml": "sha256:f1c7fb934ebfefcc1096ba2a4b79b1451e4a0435ac7bd5e31a375649a34c1980",
1522
- ".github/dependabot.yml": "sha256:cbd6f3458d494ca70d3c760e2c43a2f86addeb618143cd490c708a0db2b2dda0",
1533
+ ".github/dependabot.yml": "sha256:657e51fb662ea796b78252453757ded815eb31a84555d7f0e8bd2fefb0179c1e",
1523
1534
  ".github/workflows/actions-lint.yml": "sha256:4645422e39b087eef80db9d27d04cc907ff0c45e957631d51484061ea0feca2f",
1524
1535
  ".github/workflows/cflite_batch.yml": "sha256:dc9117537e7350781b4cf2d3c05120f43810cd226642ecb2a02fac5813ba61c6",
1525
1536
  ".github/workflows/cflite_pr.yml": "sha256:d18ec0c50915b4a20006463946e577484e8a0248250d1bde16805465818d76b8",
1526
- ".github/workflows/ci.yml": "sha256:02cffa1ca54f29e7f4326dc6ee98a72631aa5cb3cfc146149ce83a208465f35e",
1537
+ ".github/workflows/ci.yml": "sha256:3c6346aa39163ae8d4ec80e6091dd2395ab442317244e1f6fcef7d5d78eda904",
1527
1538
  ".github/workflows/codeql.yml": "sha256:e990dcab0c70133bc1316eb035babb0cb8d9d948aff1a361c90fcf802a8d0339",
1528
- ".github/workflows/npm-publish.yml": "sha256:c8478fb59b2945605007d76b7a585a3f5592896d9a8402bac09b10fdf0dcfa68",
1529
- ".github/workflows/release-container.yml": "sha256:7de9005f5ecbdf1ac30a577bc986a417ea56415fc73503ab75d3c96908d64bed",
1539
+ ".github/workflows/npm-publish.yml": "sha256:3d8d1f64c1e2c253a2fd2b8f283cd7887fb984bf514194d4737ebdbeb8f832cb",
1540
+ ".github/workflows/release-container.yml": "sha256:a5a428981abbf7c13179a76cb59e5199a5152b315bc274305838b97c2000fe80",
1530
1541
  ".github/workflows/scorecard.yml": "sha256:0395433ffddc1abbac5dad5f8251ddddb6a9ac2c03f65cb2b8d7f84253825004",
1531
1542
  ".github/workflows/sha-to-tag-verify.yml": "sha256:6ed546bdb518514c79a69aa9afe87c92903a8663afb57d4d07b5e81fbda8b844",
1532
1543
  ".github/zizmor.yml": "sha256:fe08e66c5763dfb4edf1ea33e715f04e514b1baceb3a242241d8a60793db51d2",
@@ -1536,7 +1547,7 @@
1536
1547
  ".npmrc": "sha256:66f104e7d07c496d2d0409988225e8c0e4ceb8d247dbcac3be75b2128d20ce66",
1537
1548
  ".pinact.yaml": "sha256:0213ffda55961dc49b64c0a5dfa3c0567419633b1499d57eaf7c8d842d7da6c7",
1538
1549
  "ARCHITECTURE.md": "sha256:9b1c8d2b1b7a41838eb348b0a008e4b4369718fd72bfe2974b37155f7536d35b",
1539
- "CHANGELOG.md": "sha256:388b50ed32f785a21b9ef31b0b83a83b9a4da01fe15e1dca69b3ce91c4d7b84e",
1550
+ "CHANGELOG.md": "sha256:ebd9e3a79a0dce5518430a52c9c6e24cbf7bad0406bbed2c4e7ad5eb1ab297c6",
1540
1551
  "CODE_OF_CONDUCT.md": "sha256:148a281960fff7c2fe6554dab66da572c72245ddeb00b0d14811558397bff386",
1541
1552
  "CONTRIBUTING.md": "sha256:bb4dbdbc8598da31dbce653a8ed322e08ff46560173f2eb67a4d684653948332",
1542
1553
  "GOVERNANCE.md": "sha256:906df6afb1f552b27b9acb50f7f96c47b917a2f1021cd4e987dbf4ee0e0a821b",
@@ -1546,7 +1557,7 @@
1546
1557
  "NOTICE": "sha256:f487fa47a11aca0f89e2615cdd3c713e9842abf7a30d8d328eeeae1c864aa774",
1547
1558
  "README.md": "sha256:3ddcc197b003da0b02db8bdd1aef1e943c94f7eab613c633d6a45bb11d0a80e9",
1548
1559
  "SECURITY.md": "sha256:23f7ee4a44f21e433ed1d3c6f414575eb3e30f66a328422973a1109a276c537b",
1549
- "api-snapshot.json": "sha256:fb9df9dec00549ae9a669c304afa57a3b81e49ddb49bd2ada5f4ea37c71550a9",
1560
+ "api-snapshot.json": "sha256:719da0f2483fb5672ee09e398f4d85304c875f6f9df96f21ad32cdc3aa1cc3b5",
1550
1561
  "assets/BlameJS_Logo.png": "sha256:3c65699753c771b48ef9ac7f45bb40815ec19a23afcdd0cd30ef4601bbbe293e",
1551
1562
  "assets/BlameJS_Logo.svg": "sha256:dda44f3fb1343d5de9db6b1fcdb75fc649c57e7a99a8e8239fcf852e3841e1a8",
1552
1563
  "bench/README.md": "sha256:74202f2507fd840bfc1ac6c681975d9273cf36cca6e0f72655f138337304033c",
@@ -1584,7 +1595,7 @@
1584
1595
  "eslint.config.mjs": "sha256:532a857418bf2cf0b709e0227414b2ec6f73de450d2a6e27904924fd43d08a2d",
1585
1596
  "examples/wiki/Caddyfile": "sha256:6428e568e2c30c5cc014822725df6998b5eb102c92e0bf7f556ab39532c96690",
1586
1597
  "examples/wiki/DEPLOY.md": "sha256:a6d7a3b0edc37ccf767146816137aa03b09bef66051e89f7e062aa379e6d0bf3",
1587
- "examples/wiki/Dockerfile": "sha256:5f9589f2327ba1e3b47782bb5c0e41a4d001f8c0d4d59c90cad15c2318209a8f",
1598
+ "examples/wiki/Dockerfile": "sha256:63284d227872a39d267ed158000cc3b8307da5733e9500085a29671fd9ca603e",
1588
1599
  "examples/wiki/README.md": "sha256:74319ff6cbdb16c7d0eb2aa3ef1b33f9692f778f36a3688b0ee88d6154ea3ae5",
1589
1600
  "examples/wiki/cli-snapshot.json": "sha256:9fc00825db2a12172d8a91a687c0e8b96a276191db36f1d437bf7e5cb45b8954",
1590
1601
  "examples/wiki/docker-compose.prod.yml": "sha256:33280a0039be004195ef0197db94c233a12742cb653f2d7473c8265cf4ee3faf",
@@ -1791,7 +1802,7 @@
1791
1802
  "lib/asyncapi-bindings.js": "sha256:2f6f3d7ea836d0483e40f08b8202d78bae54bdc3d76b5faf57d918e699ebeac8",
1792
1803
  "lib/asyncapi-traits.js": "sha256:82ec58b77f0a65ef1b5e8b67ee9555e9cb984de769c3393fe5c6d4d0640546f0",
1793
1804
  "lib/asyncapi.js": "sha256:c26da54ab6760da0043178abb85960e857b6e8f77f31dc3ced8db95760e25a00",
1794
- "lib/atomic-file.js": "sha256:70be6c998a1de20342c0cec0d6137e4a80d195287ff9073c43bc2c7ad28aca4c",
1805
+ "lib/atomic-file.js": "sha256:b93b008c121f785d149d4450681467b18785781c3a82b9b001bb2a7d636c3ad1",
1795
1806
  "lib/audit-chain.js": "sha256:1c9895a2bbf6ce3b4c546b1b3c95ac9d5ed55d82a2b58c0de4e3ecc1947c3c31",
1796
1807
  "lib/audit-daily-review.js": "sha256:61cebe47d6e5eeeedcab45515473acfaab623217810a7ab3629b3aeca5028519",
1797
1808
  "lib/audit-emit.js": "sha256:1171699027269e154fd247141a549e65bcdb566e52ed00b993c7dfb9a293ba0f",
@@ -2081,7 +2092,7 @@
2081
2092
  "lib/metrics.js": "sha256:edc2a3f08a48ab67c9e805cb75839cc9d326ac334478b0f30db0423102ee5713",
2082
2093
  "lib/middleware/age-gate.js": "sha256:dc8c61a4d41f4a781220c9c97eb475fb2867f5ee444eb2756badcbc5b8411795",
2083
2094
  "lib/middleware/ai-act-disclosure.js": "sha256:6fc62940d85813019b31c586fc86853570329a939565a6947f81052d50977c42",
2084
- "lib/middleware/api-encrypt.js": "sha256:8807759081c1427ee9daa40edd5ecfe588bc43cf7c989c0b7c5f27df8a523d12",
2095
+ "lib/middleware/api-encrypt.js": "sha256:f90210bfc4fe04b50f6d72e14676a140c5759e255ed359567066a1e80ab5fb63",
2085
2096
  "lib/middleware/assetlinks.js": "sha256:bb36f8d53991668b4ae1557d0cab3ec8b479a16f9133c43f9adc07963c8b4750",
2086
2097
  "lib/middleware/asyncapi-serve.js": "sha256:a0f0b62b264a5cd8a24e3cfddae722a84b5e2206729f77403906a1d1cfcd7c7b",
2087
2098
  "lib/middleware/attach-user.js": "sha256:776424918bf302378da99a85ff20c91a42f8c9f528ab435cd7a06b95ec523d6d",
@@ -2100,7 +2111,7 @@
2100
2111
  "lib/middleware/daily-byte-quota.js": "sha256:204b0535b9ebee864118be4407d67a3dd09802c93cde4f4e9ede1ac0ee64111d",
2101
2112
  "lib/middleware/db-role-for.js": "sha256:b9879c17dbf7fa3d299f402043592a133176a74ac1bcb49b0b717253d4ad1d3a",
2102
2113
  "lib/middleware/deny-response.js": "sha256:073d78a1b64f18a846ab0162c7797d88eda56f3de1b8239664464e3fde8aceea",
2103
- "lib/middleware/dpop.js": "sha256:4494b53af018669f79766511a3a94e68b378fb0c3ffb555a2d3e5de466a5588e",
2114
+ "lib/middleware/dpop.js": "sha256:32987396e36252ce4ea57e9d0d8e8bbd755de1c4f4d6089e7e3eaa413a575e4b",
2104
2115
  "lib/middleware/error-handler.js": "sha256:7c0baf2e6b37f1c9330775396bc46a87943a253ceba540379db4785d305c396c",
2105
2116
  "lib/middleware/fetch-metadata.js": "sha256:5c7c6afe0f82004a2410ef3be5dfd8e4ea51b4aa194193a1b64acba535707d75",
2106
2117
  "lib/middleware/flag-context.js": "sha256:76fefb869244267f3b2bf24c4dd0b40fcba0988552b62d8b48208d116b85ee3f",
@@ -2128,7 +2139,7 @@
2128
2139
  "lib/middleware/scim-server.js": "sha256:2f38d77c7e949df9e219e4b351a6eb047dc85a7337aca932ac4b598e953c471d",
2129
2140
  "lib/middleware/security-headers.js": "sha256:87506e572454033b33955d58d9f0cbfdc14edc63c1cbe7e01f0dc4f07753c64d",
2130
2141
  "lib/middleware/security-txt.js": "sha256:3140d6537aa09a7052d83088840358949dd36393697fa2215f8f915d31aaa112",
2131
- "lib/middleware/span-http-server.js": "sha256:9fb94fa14c41b2969cce5bc9877ce49de3576d3991cfc7cc64ef2129fdec2cb6",
2142
+ "lib/middleware/span-http-server.js": "sha256:6ab5561e779192fedf4d25e708240a38457164096912e11b528b87b10dc8a2b7",
2132
2143
  "lib/middleware/speculation-rules.js": "sha256:ca102beebd529ec42244d9d709d3c4cb9dd27669bc324bb707ea508294250b63",
2133
2144
  "lib/middleware/sse.js": "sha256:d0094cb33fced9bc748edd1f6d55fba6029ff3bff6da735d72ad5d10806f02f7",
2134
2145
  "lib/middleware/trace-log-correlation.js": "sha256:f6a36bfcb666cee5434867b1841092793491491bb9da7bc92626dd93cfa7b0d0",
@@ -2151,7 +2162,7 @@
2151
2162
  "lib/network-nts.js": "sha256:90ce47584ad58c171e8029eb1d5df8ba4ba130c4038d1fe260109685c34c8f75",
2152
2163
  "lib/network-proxy.js": "sha256:9342c534863f905000d2432b67c26dd7a5ea02be25aaf9ebe05976079e61d4c9",
2153
2164
  "lib/network-smtp-policy.js": "sha256:a7b6c91983b312a16c436d3e15259f8f6a84579e2e55f64106285b22795e1510",
2154
- "lib/network-tls.js": "sha256:d39d7e56d3fe987dbb1bd5b4caed2425adc9105a4491b7305a27e1dbe4a6ea31",
2165
+ "lib/network-tls.js": "sha256:e3207b0fbeaf209b9fa678aff7a7bb465c3258f6696fb70e96507cfd57d654a0",
2155
2166
  "lib/network-tsig.js": "sha256:41dc85a6e816cce1c58c36891dfc6bafc612b68978936107a09a5a553563e0d7",
2156
2167
  "lib/network.js": "sha256:40cb01627bf45741cac22ef79f5985f69323e47732d54cf3ce28c06882830c25",
2157
2168
  "lib/nis2-report.js": "sha256:fa106a4f95dd9301d7da966c5792197bdbebac477a4f1d2fd2ac2481fbd818fd",
@@ -2205,14 +2216,14 @@
2205
2216
  "lib/pubsub-cluster.js": "sha256:9068e6819807fe75e5c4306bceb44eee82d877b19df20fb7d0b9ad445b1632bf",
2206
2217
  "lib/pubsub-redis.js": "sha256:342bff39d7e27cb8a20dec8f4e0ec4ad2f3d014f2081a1236d68276e7f3ae803",
2207
2218
  "lib/pubsub.js": "sha256:c2b5394a64081c92ed61cdaa5c98a9a403c403fca64b0ff409e0ca29df7c9525",
2208
- "lib/queue-local.js": "sha256:6fa51df760cab698cad2c442d8e2ef0256b31ba7cf5f4c8fcdbe412e099d4516",
2219
+ "lib/queue-local.js": "sha256:d26c2ffcf70ea5255f9da64246e68eaf84802d5434b8b202d5cb3b605d76448f",
2209
2220
  "lib/queue-redis.js": "sha256:c30d2c7201a7cc0519d39c675730c0b857f5dfa83c5fdd7235a6d3d51ee86996",
2210
2221
  "lib/queue-sqs.js": "sha256:0868647c6ff66619b828ca0f5aa9ab0e72fbc1450853efa2f63c971c8f456fed",
2211
- "lib/queue.js": "sha256:e9bc41e04f2fd1bec7c11dcb2d0e1259c59d62cf39c789103d6ed7345891c604",
2222
+ "lib/queue.js": "sha256:27b0e2399f5e3646a2ee26c5780fc37ff6da164c58bfb2c39b55b16ed8e4dec6",
2212
2223
  "lib/redact.js": "sha256:1cd102db31eb48ffbc677c39013ddc1b829db7597d808785a7b202a5e0dc691d",
2213
2224
  "lib/redis-client.js": "sha256:9f8168b11b81ce7b649b2e0658ceeb7134a257435b611f4917d36e1ed178a3e5",
2214
2225
  "lib/render.js": "sha256:1890c0cce371ea93c1820f70ea544dee25d8d9bd427fdfd6688d7cb17720ed8b",
2215
- "lib/request-helpers.js": "sha256:def9efbbcb6a3f66ef605eb46887decabcd82ea59d0c4c3a495f9d4536189317",
2226
+ "lib/request-helpers.js": "sha256:a27c87b949d98bb8aff1ab1b6d250e8fb4540f1dc749371c40b930bc3b47f2e7",
2216
2227
  "lib/resource-access-lock.js": "sha256:868d2c0a59d2ca2757a334858779d23e0cde9c18bf63c535350d8ebd6ae20b53",
2217
2228
  "lib/restore-bundle.js": "sha256:c2a9c3af19434a2072ea4cc721211119f71ba363bbbad9df7ac34a3ff03e43e2",
2218
2229
  "lib/restore-rollback.js": "sha256:f00e2f40e2e6a14bc6687afe8c112e367d83314eb04592d9ba399cb699fb0e03",
@@ -2248,8 +2259,8 @@
2248
2259
  "lib/sec-cyber.js": "sha256:569cd22e4e3133a114188e6327d33f314c592d14721407df56266d294609f9d9",
2249
2260
  "lib/security-assert.js": "sha256:4a98cec339c0b421534fc650c9500fe8a1b39f89181d651a58a13e2ff9a8ae0f",
2250
2261
  "lib/seeders.js": "sha256:cf27cf0d88bf9b6d8ba34d65af983e11aa8949f00c6df984dfbb73a1553a7767",
2251
- "lib/self-update-standalone-verifier.js": "sha256:8309b2dcafe705f1e545b4b0c640cd1ecac5930959f116e2c30d5ceb41777eee",
2252
- "lib/self-update.js": "sha256:4b2403f36d949ce632ef003e0eac29c245d6c5fc8c83ca3cd47069753b2c7af2",
2262
+ "lib/self-update-standalone-verifier.js": "sha256:0b3781c6bb80c59e3e483c94a3acac6be04ba6c2ad74c8fac404763d788f6dd8",
2263
+ "lib/self-update.js": "sha256:d7d3a9e405dd51f9ecbbc9dc6029080c138765ccb91d80ce724745c8ed2b0b73",
2253
2264
  "lib/server-timing.js": "sha256:74f2556480363c860a7c80a3f2bc1adb68fee53aa4335059069fae66a1eb627c",
2254
2265
  "lib/session-device-binding.js": "sha256:4365c1449498fdcc0f0619200ea9522febe071ec445ab9f4e165614953340d53",
2255
2266
  "lib/session-stores.js": "sha256:b79de919061a2bfeb090185bcc511919fb01d3e7a495fe0a7c711cf6cf65137b",
@@ -2287,7 +2298,7 @@
2287
2298
  "lib/vc.js": "sha256:554cf29ea712b231256e1eaa75f6b1f1d39c392aac86b33e818d52e956ea83ae",
2288
2299
  "lib/vendor-data.js": "sha256:ddb77b33d89a2c5345deca98eacb45695d4c8a70014bc5df22c7393f52e11416",
2289
2300
  "lib/vendor/.vendor-data-pubkey": "sha256:73a935b8c72f55d821c22ddb8188453bab324f80d229d033a0a1549819a1f096",
2290
- "lib/vendor/MANIFEST.json": "sha256:14a34884bb8b8a2096f92d5e5cdc02b2630930fa4d4d7aa66bb9b62c49b5f03c",
2301
+ "lib/vendor/MANIFEST.json": "sha256:09194d50f99999485fb525da118afd815c475be0ef4f6e58fbc3f41ffd91d1dd",
2291
2302
  "lib/vendor/bimi-trust-anchors.data.js": "sha256:aa7a4d33b65a68422a2a2c1670177689f66fdcaa08bd2514d78798b827bd1608",
2292
2303
  "lib/vendor/bimi-trust-anchors.pem": "sha256:81ff9f5ab3c9774132c845684e783be95cf73146f8b670d964105f0a3765b4b4",
2293
2304
  "lib/vendor/common-passwords-top-10000.data.js": "sha256:87b223beca89f33d2c2c32a2cfda0bc187e58061de40e7127bb5ffc4258c6e2a",
@@ -2296,8 +2307,8 @@
2296
2307
  "lib/vendor/noble-curves.cjs": "sha256:ebf254d5eb56aef8705a1c4af9603f47987b4870a9bb5e657e06907b701e2731",
2297
2308
  "lib/vendor/noble-post-quantum.cjs": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68",
2298
2309
  "lib/vendor/pki.cjs": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77",
2299
- "lib/vendor/public-suffix-list.dat": "sha256:927884952ea8857ba3608eefe617f3c8acd63ad94be7b0bfb7586632cfc59560",
2300
- "lib/vendor/public-suffix-list.data.js": "sha256:c2f67f5e7f7306eb5ec26548ea275673c652cfdd830b909fd63ed2b39e4838f6",
2310
+ "lib/vendor/public-suffix-list.dat": "sha256:0adddeb62057d8d40799dffb29fe14f65dd009259afe02eb2f0b4602b791aae6",
2311
+ "lib/vendor/public-suffix-list.data.js": "sha256:82af512cacf0fd2c60925e63f877b69477b1b2f7bb5af698fd862af61369902e",
2301
2312
  "lib/vendor/simplewebauthn-server.cjs": "sha256:f359a782ac57e3ff56ac71083d17f5c082f88ab49d645fc2bede398b47adebdb",
2302
2313
  "lib/vendor/vendor-data-pubkey.js": "sha256:a12afa34cd7472e2eaebad2fcd44714102d3edd0601e45769404124a513926d0",
2303
2314
  "lib/vex.js": "sha256:b45c1c9729dfc69f2140478d46eec91f47da94b5f440be36fa825cb733a718fc",
@@ -2313,11 +2324,11 @@
2313
2324
  "lib/ws-client.js": "sha256:e92abc9749576b8f93327e89bf3171dc3799e8dd427d2071b1ac362222c95faa",
2314
2325
  "lib/x509-chain.js": "sha256:fdc0ecd264d9de0e039f348e819675fdf3838d61097a97a0e3e119def338722a",
2315
2326
  "lib/xml-c14n.js": "sha256:01a27d20df99ebd6eaefbff0aad933a2231049f65a54ae994236694d4146ce5d",
2316
- "oss-fuzz/projects/blamejs/Dockerfile": "sha256:277c9e93cf2e8746b0a6d09a0678b35cbe700e9c2373bdc1b2177ed2167b7359",
2327
+ "oss-fuzz/projects/blamejs/Dockerfile": "sha256:6c48ec4d81f4b1836a6b43701a2497cf737002413dd0da6a10892be1498b0766",
2317
2328
  "oss-fuzz/projects/blamejs/README.md": "sha256:ae13b7bb79ed8d69b1b3276e5562807a0349fb6e6b7d11cf1f683aad1eafdb4b",
2318
2329
  "oss-fuzz/projects/blamejs/build.sh": "sha256:0ced1cf21782c97be7f8d74faf5e27a308b60b2f858836fb5ca3b8c4e939a8f7",
2319
2330
  "oss-fuzz/projects/blamejs/project.yaml": "sha256:59f2cb83aa622325a175b77416fe155be15b70a9c798bd1a78bba05763b1b03d",
2320
- "package.json": "sha256:ff50471bd603fb8a5194e5283800f7d8616e848b49b2b8907bd3b2560d923d86",
2331
+ "package.json": "sha256:c625373887cfae872dde0fca9ea6955278d6fc721128c04bbd01a31986b9d409",
2321
2332
  "release-notes/v0.0.x.json": "sha256:7a49819f30068ee119000cad7010194882bb8bfaa12acbdab4dfc066efb7982f",
2322
2333
  "release-notes/v0.1.x.json": "sha256:6742a8c17f947c5cb76f69dead7eea86b942d80621d914b774ba5488e09937e5",
2323
2334
  "release-notes/v0.10.x.json": "sha256:fe498045daf88337bd3d987e5964aa42c99a50e1685b6f09e51f698b8687726f",
@@ -2334,6 +2345,9 @@
2334
2345
  "release-notes/v0.15.14.json": "sha256:13e065666436b6d852d1e9e17933d7ee2327bbe7b3d6adc5cec846c858140f34",
2335
2346
  "release-notes/v0.15.15.json": "sha256:5e8f3456e4efa180e8ba368b92616f9f3e57745cdca5fad9bba1c013f728632b",
2336
2347
  "release-notes/v0.15.16.json": "sha256:6b3b7872fbdfd527dbcc74f2015776808d2af55a9452054f6086c8c8bc2e4a42",
2348
+ "release-notes/v0.15.17.json": "sha256:b9d01a1e9acb55af09d8f8671ec1814b98e20c576b61f6bdf69ea65c269295be",
2349
+ "release-notes/v0.15.18.json": "sha256:c8b3ce7af0f7863cdc3f5179f0525469331720a80b741b73236fdd6f4243bbaa",
2350
+ "release-notes/v0.15.19.json": "sha256:8c6a745accd2c551953464991bb23547e8cf87286d57938c57080755785e58b5",
2337
2351
  "release-notes/v0.15.2.json": "sha256:36e1423dda94ed4e55c660e0fae882019005d8de3ee5e3b6ac4f38ccf8e744a2",
2338
2352
  "release-notes/v0.15.3.json": "sha256:19a0074c445545468ca3cc411b21ec8bdb27be2669ae1950347cc244f6aa348c",
2339
2353
  "release-notes/v0.15.4.json": "sha256:6ac7fa0ef1728c27e71b2050d1b07a810f9b4b1440ccddbf28ad56e2f54d8585",
@@ -2356,7 +2370,7 @@
2356
2370
  "scripts/check-changelog-extract.js": "sha256:ac1e74b090cb8b5e0b3fc9d65a1484ce184eca9ba9ccc512a61540d854bfc81d",
2357
2371
  "scripts/check-pack-against-gitignore.js": "sha256:42cbd1e329ab7469984a30d6bc3e9b0af4defffced6dcf970c4f8cb7ad35da4c",
2358
2372
  "scripts/check-services.js": "sha256:8c07b049fc899827c2d1ef2c136a3d0c3c43143b1546f28e44739ecec187f777",
2359
- "scripts/check-vendor-currency.js": "sha256:d21f9d1c831d3d0be56817bd35d74d8ca1ee1d0934b6736fec96959dc0282f9f",
2373
+ "scripts/check-vendor-currency.js": "sha256:48c88ab874cabb6e8eb2ffa373037ae870279ff38061cf96fe49b3f07cfcacd4",
2360
2374
  "scripts/consolidate-release-notes.js": "sha256:620de442c834fa99a7b668b93cf8788384a0aa802ce419953459c88451d8ec73",
2361
2375
  "scripts/gen-migrating.js": "sha256:2177f6b9bf60d6e9c161a0419caa248d2bef9eb7beb5223a10e8cab3ecc555b1",
2362
2376
  "scripts/generate-changelog-entry.js": "sha256:2c0a1a395d2d1b30c1679883c694e27dc6f8e73d950c4deeb118ef5a4f01fd12",
@@ -2435,6 +2449,8 @@
2435
2449
  "test/integration/object-store-worm-lock.test.js": "sha256:106f4187ee31db531166c6eccc91a63881bc602afc2fef64dee1be187a7f27c2",
2436
2450
  "test/integration/pqc-pkcs8-forward-compat.test.js": "sha256:e638c657bdb91e85a1fa2f81e0c0b266ffe5454e57b08069b615a292dec56230",
2437
2451
  "test/integration/pubsub.test.js": "sha256:0a4233eb01466e3f162e136ee716f90ab6db19943e3597a1edbe7aa3c2755962",
2452
+ "test/integration/queue-cluster-mysql.test.js": "sha256:45392a3af2475d1ffac255b1d75166ddbbc6a9e1a1676b13d9bc89542a8d19cf",
2453
+ "test/integration/queue-cluster-pg.test.js": "sha256:08014d3c0fb9cd5a741921f6940aa7e21a416b5cf8613e9341e8b2c25ff69304",
2438
2454
  "test/integration/queue-redis.test.js": "sha256:bc8d2f9974ca787cfc2f53869638ea2f985da49f3fe7f2322410e99e3758129a",
2439
2455
  "test/integration/queue-sqs.test.js": "sha256:75a30b1249032bd21d7357074d6fe046043dfac0794f7ab0536c834b21801699",
2440
2456
  "test/integration/redis-client-tls.test.js": "sha256:634f43b764f4aa55e753b01ccb8fe4a43eebc5e7c1b3e17926d80114e55584b3",
@@ -2473,7 +2489,8 @@
2473
2489
  "test/layer-0-primitives/ai-pref.test.js": "sha256:c80d19bc1bbaf36925614e38a65b0fe8cabad7f27ee525638924d07812bae27d",
2474
2490
  "test/layer-0-primitives/ai-prompt.test.js": "sha256:102a2f1d52a86f9d5bb86eea0b701ff919aa531833fb93b024be56868439cdd4",
2475
2491
  "test/layer-0-primitives/ai-quota.test.js": "sha256:53f96ce0e68c4f09956eb2ee22cca53d1a48ec5da7c026de58e116b78091fb78",
2476
- "test/layer-0-primitives/api-encrypt.test.js": "sha256:ea7dd8e5fc4c0923e11993da405eb09d83741bf621c96425dd89e43dedd791ec",
2492
+ "test/layer-0-primitives/api-encrypt-rejection-envelope.test.js": "sha256:e410cae39f264fb1ca17709dfb226c5b96650e336a95c2b7046e2f013a9a2af1",
2493
+ "test/layer-0-primitives/api-encrypt.test.js": "sha256:a615fda5be5337098b840fd7982c8256511338e4ffc4216a6d8b18bcca719f3d",
2477
2494
  "test/layer-0-primitives/app-shutdown.test.js": "sha256:e4036095036971bb830217f1cc9efd43d697f7d85958eab5fa7fa5d0c176be57",
2478
2495
  "test/layer-0-primitives/archive-gz.test.js": "sha256:69ec18221fbc89094dec16dc92d9eb1af359a2a9f0df5c2d1f9ff60506e1b8af",
2479
2496
  "test/layer-0-primitives/archive-read.test.js": "sha256:ecc0f7100b94a239023cbc857d1fe025768a5d123c73133c714cda3550a2a451",
@@ -2489,6 +2506,7 @@
2489
2506
  "test/layer-0-primitives/asyncapi.test.js": "sha256:835f999d8cb96d7d94b35d950d71bd1995af088ec6296e82256959972fb4d7fb",
2490
2507
  "test/layer-0-primitives/atomic-file-conflict-path.test.js": "sha256:b1e95ff12e5f6871762cc23ed6b862b4cf18097b743e5d4f90abaa4e53601794",
2491
2508
  "test/layer-0-primitives/atomic-file-exclusive-temp.test.js": "sha256:9a0a6193b8051caf1a5e34a7f0be6b12ec92abcadb26468384b0484c55984144",
2509
+ "test/layer-0-primitives/atomic-file-fd-read-errorfor-bypass.test.js": "sha256:622d809e14d932f0fafdb62f61f1357d6a118fe8076365ccab3077edc47b257b",
2492
2510
  "test/layer-0-primitives/atomic-file-fd-read.test.js": "sha256:f94032960507df635acb5676022b13bfe284ba383f2c301f773a74e9876ecb08",
2493
2511
  "test/layer-0-primitives/atomic-file-open-append-nofollow.test.js": "sha256:39dc85cd84fba390d13ccb2f9cbe8f0e17bb9f24048550706e1bd456711abb82",
2494
2512
  "test/layer-0-primitives/atomic-file-open-nofollow.test.js": "sha256:25bccec5c4ac37f6b273c3a23d2c202b45b028a42f00eacd1999e8057a24d1b4",
@@ -2576,7 +2594,7 @@
2576
2594
  "test/layer-0-primitives/cluster-storage.test.js": "sha256:238b3b3db0eba3e6312a863710533178f566347b90e161e564481aa826707647",
2577
2595
  "test/layer-0-primitives/cluster-vault-rotation.test.js": "sha256:3514e9e71d6c39e805248f58ad2f41528d091e196c0f3766a032675677161b2d",
2578
2596
  "test/layer-0-primitives/cms-codec.test.js": "sha256:7e46078ed82be5b69d22c48f22dba37ea5015371c2a8cf5f94fb1a792fb7bb78",
2579
- "test/layer-0-primitives/codebase-patterns.test.js": "sha256:3c1e23573b17d69c0edaa6d963ee00cfafc251803d3bd4007c932c31a72e3a70",
2597
+ "test/layer-0-primitives/codebase-patterns.test.js": "sha256:a4464c7a07430e0b3627f9bbe71f51ace0c5107bf9a14868c87fc2bfa86d5e24",
2580
2598
  "test/layer-0-primitives/codepoint-class.test.js": "sha256:19764d50264a98cb8fb28575dd82ff7a97e857922c42d9efe886e13d5063e0c5",
2581
2599
  "test/layer-0-primitives/compliance-ai-act.test.js": "sha256:5ee4ad05d12233cb3c5457ef10a727833710bbc1ce1318838f9f9ef5d2cb8d4b",
2582
2600
  "test/layer-0-primitives/compliance-cascade.test.js": "sha256:ee02cf14541a837a9d7977c6ea6bf7f9210bed293925d93c976e31f270aebec4",
@@ -2653,6 +2671,7 @@
2653
2671
  "test/layer-0-primitives/dnssec.test.js": "sha256:aee94082891ee6d72d47dda08c91011bfd3f61d91e5ac204387337cc0c1e5295",
2654
2672
  "test/layer-0-primitives/dora.test.js": "sha256:e046e66ad07fe7b69e8763c53cc7514956362b161500977548bdc47964813fc2",
2655
2673
  "test/layer-0-primitives/dpop-alg-kty.test.js": "sha256:64d7c85ae95d49b82a29bec74d81ce134025917c25a21992bcdf6645b48e19be",
2674
+ "test/layer-0-primitives/dpop-htu-peergating.test.js": "sha256:a328ebe9c97d272de9f4cf15368b03764e75f5afd3d38e1ee59b69aaf089eb87",
2656
2675
  "test/layer-0-primitives/dpop-middleware-replaystore-required.test.js": "sha256:d9545ff47438cc57e0d9d65fdb411d8f064a19d0d23e203e59d2ba41f4a5c829",
2657
2676
  "test/layer-0-primitives/dr-runbook.test.js": "sha256:9665caaa90f356d0237e0e6c6889c56a3467b20c7eaf78d2e2afa51c4b3af2cb",
2658
2677
  "test/layer-0-primitives/dsa.test.js": "sha256:2cdbdd29b9c58d738920bb4f82f73492eab56e7d7f8111f1cdb14838de3a3ab3",
@@ -2867,7 +2886,7 @@
2867
2886
  "test/layer-0-primitives/pubsub.test.js": "sha256:7eb5ecf3fc353696efc0696e63529d467ff3bf6278c859890e3fdcabd6212d13",
2868
2887
  "test/layer-0-primitives/queue-byo-db.test.js": "sha256:d47565249dd7d4ae11eacf158f040f3ce7e36ad5c39de48c65cb99d6e560b0fe",
2869
2888
  "test/layer-0-primitives/queue-dlq-extend-lease.test.js": "sha256:437081c4bb7104e202ce7a36f09ea141b8bfef4df780b9c2877be63c717ac9a1",
2870
- "test/layer-0-primitives/queue-flow-repeat.test.js": "sha256:95188ece064808f914696c8ee191d5716902f4b8318892cca60bfb134416017a",
2889
+ "test/layer-0-primitives/queue-flow-repeat.test.js": "sha256:3b423ccb286e5a70e0f5c6a93c15db909753041fb2f6e6378a44342331757f78",
2871
2890
  "test/layer-0-primitives/queue-priority-rate-progress.test.js": "sha256:c87fea0add1545f2ba39209445346bff9c81916ad1d3bc7c02d73348fb938d80",
2872
2891
  "test/layer-0-primitives/queue-sqs.test.js": "sha256:d3d60ecd1c8a1bbac17a23a4c92b002648fbfae341313f7484ff5a0e9dbf9427",
2873
2892
  "test/layer-0-primitives/rate-limit-cluster.test.js": "sha256:732f28a7737c6696c02f554b5b7e5d4328a3eacb84ab1491b8b058c2ba603ee7",
@@ -2927,6 +2946,8 @@
2927
2946
  "test/layer-0-primitives/security-headers.test.js": "sha256:555c05dc947ecb652cce7ee8ebf55a0550a4d0b70d031e8f4941c29edbf35dcd",
2928
2947
  "test/layer-0-primitives/security-txt.test.js": "sha256:d06a84b0e10b64c1df2f4d0ca423ad7f1a5fddf21f74f2ddf394a3dab04e8b85",
2929
2948
  "test/layer-0-primitives/seeders.test.js": "sha256:b481f73ee88cc703501fafd075865d5be0b58f98080e63984e7f3db762e5fe8e",
2949
+ "test/layer-0-primitives/self-update-poll-asset-digest.test.js": "sha256:6cc8e8e4c50cfc7c092aa82377fb4aaa8bda8ba2ab3b9ff93a43c4070757bd26",
2950
+ "test/layer-0-primitives/self-update-standalone-verifier-ecdsa-encoding.test.js": "sha256:10856013eabb3fbc4c6924bdd98a4e1e32200320e79b8dbb5d4dc41cabca9ed9",
2930
2951
  "test/layer-0-primitives/self-update-standalone-verifier.test.js": "sha256:01a603efc2ad576fd2a958bc6fb0bf9738c628b9f73ca706089fb2ddfb4b8796",
2931
2952
  "test/layer-0-primitives/self-update.test.js": "sha256:8f0b956a24a609913d14a25a39c03ac4e148f9ae88dcbaa28fbc8fa72517b249",
2932
2953
  "test/layer-0-primitives/server-timing.test.js": "sha256:03fbad2878a8d629c0abf59c175d6de7b113e49b3eaffbdcd950b03920e54693",
@@ -2964,6 +2985,7 @@
2964
2985
  "test/layer-0-primitives/time.test.js": "sha256:59f6dcd5753b9bb97508044c30cfca948c4707dd8d107dab5eab53f0dcd91e84",
2965
2986
  "test/layer-0-primitives/tls-exporter.test.js": "sha256:95b68f297c773799ea0cb5b679add3f98be137fc53f6b981aa00c3d135bf7fe3",
2966
2987
  "test/layer-0-primitives/tls-ocsp-ct.test.js": "sha256:7c98ddde33095683a3be527fee9e868501ca99eac74cc40fe1c56ca6018f1660",
2988
+ "test/layer-0-primitives/tls-ocsp-freshness.test.js": "sha256:0d979ecdbc7d9c62bcb32e0f2594fa5425bed4a25ef3793915ad0890398fabf7",
2967
2989
  "test/layer-0-primitives/tls-ocsp-verify.test.js": "sha256:f726bb9387c570cee945a2b927070899bc7ae933ec09ba481c3aa5f0d11d2ba6",
2968
2990
  "test/layer-0-primitives/tls-pinset-drift.test.js": "sha256:6b7c530326a1025819257daec21711d6f889a8523f2766595f7cc28563f5badc",
2969
2991
  "test/layer-0-primitives/tls-preferred-groups.test.js": "sha256:7d3620cbde85289a98a385a3c3ba9d17f0bb2b8e5f5f9398b5641ff9d1e2b181",
@@ -2978,7 +3000,7 @@
2978
3000
  "test/layer-0-primitives/vault-rotate-aad.test.js": "sha256:92a4e0c565d300844e2f302b2c024234f88859259e909713d8167279f73bc459",
2979
3001
  "test/layer-0-primitives/vault-seal-pem-file.test.js": "sha256:33fafcc0b082fb1357f7fbeb446afbfc5852664a1cc6ee40073fd6a68fb2d768",
2980
3002
  "test/layer-0-primitives/vc.test.js": "sha256:504fadbce3c8210c7ecb74e927686bdec03d7581b1dae4150c2ebefc326c182b",
2981
- "test/layer-0-primitives/vendor-currency-classify.test.js": "sha256:8fdcd91963ca0027b8cc6ad8d8991b8f8154075312fdc68cd8dd2b38fb7b30d2",
3003
+ "test/layer-0-primitives/vendor-currency-classify.test.js": "sha256:a56c08cce24a600fa827756d220159365a2c3cc30428ade49df97b19466125a6",
2982
3004
  "test/layer-0-primitives/vendor-data.test.js": "sha256:e216ae83b187c66f1002c419e4af2701573e5743666007b564a0257332bc0c9b",
2983
3005
  "test/layer-0-primitives/vendor-manifest.test.js": "sha256:55685bd11686bf76495ec29769470de05a6aaf4648d2b5722d96f213d9e32587",
2984
3006
  "test/layer-0-primitives/vex.test.js": "sha256:4a06e3e9a6ea8ffe3ab2c0af69cbe2835c1d50768c184308bb2e40638c8998cc",
@@ -9,8 +9,13 @@
9
9
  # fuzz workflows (`.github/workflows/cflite_*.yml`). OSS-Fuzz upstream
10
10
  # uses the project-specific Dockerfile under `oss-fuzz/projects/blamejs/`
11
11
  # which mirrors this shape — keep them in sync.
12
-
13
- FROM gcr.io/oss-fuzz-base/base-builder-javascript
12
+ #
13
+ # The base is digest-pinned for a reproducible CI fuzz toolchain (Dependabot
14
+ # bumps it via the docker ecosystem entry for /.clusterfuzzlite). Note: the
15
+ # oss-fuzz/projects/blamejs/ copy is intentionally left on the floating tag —
16
+ # OSS-Fuzz's own build infra expects projects to track the latest base-builder,
17
+ # so pinning there would diverge from upstream convention.
18
+ FROM gcr.io/oss-fuzz-base/base-builder-javascript@sha256:0588debfb70a08145c31bf744c2ebdd892611679b9cb5689d9c481bf9e11086c
14
19
 
15
20
  # Copy the framework source. ClusterFuzzLite mounts the repo at
16
21
  # $SRC/blamejs, so we COPY everything (including fuzz/) into one
@@ -35,3 +35,15 @@ updates:
35
35
  labels:
36
36
  - "deps"
37
37
  - "docker"
38
+
39
+ # Keeps the digest-pinned oss-fuzz base-builder in .clusterfuzzlite/Dockerfile
40
+ # current (the oss-fuzz/projects/ submission copy is intentionally unpinned —
41
+ # it tracks upstream, see that file's header).
42
+ - package-ecosystem: "docker"
43
+ directory: "/.clusterfuzzlite"
44
+ schedule:
45
+ interval: "weekly"
46
+ open-pull-requests-limit: 3
47
+ labels:
48
+ - "deps"
49
+ - "docker"
@@ -42,11 +42,11 @@ jobs:
42
42
  runs-on: ${{ matrix.os }}
43
43
  # Backstop against a hung child no watchdog reaped (and against the
44
44
  # watchdog logic itself regressing): without this a stuck job rides
45
- # GitHub's 6-hour default. The per-file watchdog allows the heavy
46
- # pattern-catalog file up to 10 minutes on a contended runner, so
47
- # the job budget is sized to the suite (~20-30 min on the slow
48
- # runners) plus that allowance.
49
- timeout-minutes: 40
45
+ # GitHub's 6-hour default. The job budget is sized to the suite plus
46
+ # the per-file watchdog allowance below; the 3-core macOS runner is
47
+ # the long pole (codebase-patterns alone scans the whole lib/ corpus),
48
+ # so the ceiling sits above the per-file watchdog with reporting slack.
49
+ timeout-minutes: 50
50
50
  strategy:
51
51
  fail-fast: false
52
52
  matrix:
@@ -119,13 +119,17 @@ jobs:
119
119
  UV_THREADPOOL_SIZE: "16"
120
120
  # Per-file watchdog budget. codebase-patterns scans the whole
121
121
  # lib/ corpus across eight shingle sizes; on the 3-core
122
- # macos-latest runner that legitimately takes 13-18 min (vs
123
- # ~2.5 min on ubuntu), so the budget must clear the macOS
124
- # worst case with headroom while still failing a genuinely
125
- # stuck file. 25 min sits above the observed macOS high-water
126
- # and below the 40-min job ceiling. (600s guillotined a
127
- # slow-but-passing macOS run.)
128
- SMOKE_FILE_TIMEOUT_MS: "1500000"
122
+ # macos-latest runner that legitimately takes ~20-30 min under
123
+ # the parallel forks (vs ~2.5 min on ubuntu), and that runtime
124
+ # tracks the lib/ corpus, which keeps growing. The budget must
125
+ # clear the macOS worst case with headroom while still failing
126
+ # a genuinely stuck file. 25 min sat right at the grown macOS
127
+ # high-water and began flaking (the heaviest file is starved by
128
+ # the parallel forks, not hung); 35 min restores headroom and
129
+ # stays below the 50-min job ceiling. (Earlier: 600s guillotined
130
+ # a slow-but-passing macOS run; 25 min then held until the
131
+ # corpus outgrew it.)
132
+ SMOKE_FILE_TIMEOUT_MS: "2100000"
129
133
  run: node test/smoke.js
130
134
 
131
135
  wiki-e2e:
@@ -144,7 +144,9 @@ jobs:
144
144
  severity: error
145
145
 
146
146
  - name: Install devDependencies (esbuild + postject for bundler-output smoke gate)
147
- run: npm install --no-audit --no-fund --no-save esbuild postject
147
+ # Exact-version pinned (matching ci.yml) the publish path builds the
148
+ # bundle with deterministic tool versions rather than floating latest.
149
+ run: npm install --no-audit --no-fund --no-save esbuild@0.28.1 postject@1.0.0-alpha.6
148
150
 
149
151
  - name: Show Node + npm version
150
152
  run: |
@@ -165,6 +165,23 @@ jobs:
165
165
  } >> "$GITHUB_OUTPUT"
166
166
  fi
167
167
 
168
+ # Resolve the rolling Chainguard base tags to concrete digests ONCE,
169
+ # here, and feed them to BOTH the local Trivy build and the multi-arch
170
+ # push below via build-args. This makes the scanned image identical to
171
+ # the published one (no window for Chainguard to move :latest between the
172
+ # two separate builds, and the arm64 variant comes from the same base
173
+ # index Trivy scanned) WITHOUT committing a digest pin that goes stale and
174
+ # trips the release gate. The digest is fresh (current CVE patches).
175
+ - name: Resolve base image digests (scan == publish)
176
+ id: bases
177
+ run: |
178
+ set -euo pipefail
179
+ deps=$(docker buildx imagetools inspect cgr.dev/chainguard/node:latest-dev --format '{{.Manifest.Digest}}')
180
+ runtime=$(docker buildx imagetools inspect cgr.dev/chainguard/node:latest --format '{{.Manifest.Digest}}')
181
+ echo "deps=cgr.dev/chainguard/node:latest-dev@${deps}" >> "$GITHUB_OUTPUT"
182
+ echo "runtime=cgr.dev/chainguard/node:latest@${runtime}" >> "$GITHUB_OUTPUT"
183
+ echo "Resolved deps=${deps}, runtime=${runtime}"
184
+
168
185
  # Build the image into the local Docker daemon (load: true) so
169
186
  # Trivy can scan it. We push only after both Trivy steps pass.
170
187
  # Note: load: true forces single-arch (amd64). The multi-arch
@@ -174,6 +191,9 @@ jobs:
174
191
  with:
175
192
  context: .
176
193
  file: examples/wiki/Dockerfile
194
+ build-args: |
195
+ BASE_DEPS=${{ steps.bases.outputs.deps }}
196
+ BASE_RUNTIME=${{ steps.bases.outputs.runtime }}
177
197
  load: true
178
198
  push: false
179
199
  tags: |
@@ -222,6 +242,9 @@ jobs:
222
242
  with:
223
243
  context: .
224
244
  file: examples/wiki/Dockerfile
245
+ build-args: |
246
+ BASE_DEPS=${{ steps.bases.outputs.deps }}
247
+ BASE_RUNTIME=${{ steps.bases.outputs.runtime }}
225
248
  platforms: linux/amd64,linux/arm64
226
249
  push: true
227
250
  tags: |
@@ -8,6 +8,12 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.15.x
10
10
 
11
+ - v0.15.19 (2026-06-22) — **Restores the wiki container build by keeping its base image on the continuously-patched rolling tag.** A follow-up to 0.15.18. The framework code is unchanged from 0.15.18 — this patch reverts one part of that release's supply-chain pass: the example wiki container's Chainguard base images had been pinned to specific digests, but Chainguard rebuilds those images continuously to ship CVE fixes, so the frozen digest fell behind an upstream fix within hours and the container's Trivy CRITICAL/HIGH release gate rejected the build (a fixed npm/undici denial-of-service the rolling tag already carried). For a deployed, Trivy-gated image, tracking the rolling, always-patched tag is the correct posture; the wiki Dockerfile is back on it. The ClusterFuzzLite fuzz base (not deployed, not release-gated) stays digest-pinned with Dependabot keeping it current. **Fixed:** *Wiki container builds again on a continuously-patched base* — 0.15.18 digest-pinned the example wiki container's Chainguard base images (runtime + builder). Because Chainguard rebuilds those images continuously to ship CVE fixes, the pinned digest went stale within hours and the container's Trivy CRITICAL/HIGH release gate rejected the build over an already-fixed npm/undici DoS (CVE-2026-12151) the rolling tag carried. The wiki Dockerfile tracks the rolling tag again, so the deployed image is always CVE-current and the build passes the release gate. To keep the Trivy-scanned image identical to the multi-arch image that is published (they are built separately), the release workflow resolves the rolling tag to a digest once at build time and feeds it to both builds via build-args — scan-equals-publish without a committed pin that goes stale. (This trades the OSSF Scorecard PinnedDependencies signal for CVE currency on a deployed, gate-scanned image — the right call here; the non-deployed ClusterFuzzLite fuzz base remains digest-pinned with Dependabot bumping it.) The framework package itself is identical to 0.15.18.
12
+
13
+ - v0.15.18 (2026-06-22) — **OCSP response-freshness enforcement is restored, DPoP request-URI reconstruction peer-gates forwarded headers, and container/tool supply-chain pinning is tightened.** Three hardening fixes. The stapled-OCSP evaluator parsed each response's thisUpdate / nextUpdate with Date.parse, but those fields are already numeric (unix-ms), so Date.parse returned NaN — the freshness guard then rejected every signature-valid response, fresh or stale, with a misleading "missing thisUpdate", and the real future-dated / past-nextUpdate window checks (RFC 6960 §4.2.2.1) were unreachable dead code. b.network.tls.ocsp.evaluate / requireGood now read the numeric fields directly: a stale or future-dated response is refused and a fresh "good" response is accepted, so OCSP stapling validation works again. b.middleware.dpop reconstructed the absolute request URI — the cryptographically-bound htu — trusting X-Forwarded-Proto / X-Forwarded-Host from any caller whenever trustForwardedHeaders was set, so a direct attacker could forge the scheme or authority and make a proof signed for one origin validate against another; both now resolve through the peer-gated b.requestHelpers.trustedProtocol / trustedHost (honored only from a declared trusted-proxy peer), matching csrf-protect / security-headers / cors, and the bare trustForwardedHeaders boolean is refused. The supply-chain pass pins the wiki container and ClusterFuzzLite fuzz base images to digests (Dependabot keeps them current) and the npm-publish bundle tools to exact versions. **Added:** *b.requestHelpers.requestHost and b.requestHelpers.trustedHost* — Peer-gated request-authority resolvers — the host companions to requestProtocol / trustedProtocol. trustedHost(opts) returns { resolve(req) => string|null, peerGated }: with trustedProxies (CIDRs) X-Forwarded-Host is honored only from a trusted-proxy peer; with hostResolver(req) the operator owns it; with neither, only the request's own Host header is used and a forged X-Forwarded-Host is ignored. requestHost(req, opts?) is the low-level resolver (default Host-only; a peer predicate gates the forwarded header). For reconstructing an absolute request URL (a DPoP htu, an origin/issuer string, a redirect base) behind a proxy without trusting a forgeable header. **Changed:** *Container and bundle-tool supply-chain pinning tightened* — The wiki container's base images (cgr.dev/chainguard/node runtime + builder stages) and the ClusterFuzzLite fuzz base (gcr.io/oss-fuzz-base/base-builder-javascript) are pinned to image digests; Dependabot's docker ecosystem keeps both current, so the pin is reproducible without freezing CVE patches. The npm-publish workflow's bundle tools (esbuild, postject) are pinned to exact versions, matching CI. The OSS-Fuzz project-submission Dockerfile is intentionally left tracking the upstream base-builder, per OSS-Fuzz convention. **Security:** *OCSP response-freshness enforcement restored (RFC 6960 §4.2.2.1)* — The stapled-OCSP evaluator computed thisUpdate / nextUpdate via Date.parse(), but the parser hands those fields back as unix-ms NUMBERS (Date.UTC(...)). Date.parse() coerces its argument to a string and a bare-integer string is not a recognized date, so the result was always NaN: the !isFinite guard then rejected every signature-valid response — fresh OR stale — with a misleading "missing thisUpdate", and the genuine staleness checks (future-dated thisUpdate, past nextUpdate) sat behind it as unreachable dead code, with the stale-rejection branch latently fail-open. b.network.tls.ocsp.evaluate / requireGood now read the numeric fields directly: a stale (past-nextUpdate) or future-dated response is refused, and a fresh "good" response is accepted — OCSP stapling validation, and its replay defense, work again. · *DPoP htu reconstruction peer-gates X-Forwarded-Proto and X-Forwarded-Host* — b.middleware.dpop rebuilds the absolute request URI (scheme + authority + path) that the proof's cryptographically-bound htu claim (RFC 9449 §4.3) is verified against. When the legacy trustForwardedHeaders: true was set it derived the scheme and host from X-Forwarded-Proto / X-Forwarded-Host trusted from ANY caller, with no immediate-peer check — a direct attacker could forge X-Forwarded-Proto: https or a victim X-Forwarded-Host and make a proof signed for one origin validate against another (htu confusion). Both now resolve through the peer-gated b.requestHelpers.trustedProtocol / trustedHost, which honor the forwarded headers only when the immediate connection is a declared trusted proxy — the same fail-closed model csrf-protect (Secure cookie), security-headers (HSTS), cors (same-origin), and bot-guard (secure context) already use. A codebase-patterns detector now flags any further middleware that reads X-Forwarded-Proto / -Host directly for a scheme/authority decision. **Migration:** *DPoP: trustForwardedHeaders is replaced by trustedProxies* — b.middleware.dpop no longer honors the bare trustForwardedHeaders: true boolean — it trusted forgeable X-Forwarded-Proto / X-Forwarded-Host from any caller. Behind a reverse proxy, declare your proxy CIDRs via trustedProxies: ["10.0.0.0/8", …] (peer-gates both headers for the htu reconstruction), or own the reconstruction via protocolResolver(req) / hostResolver(req) / getHtu(req). A bare trustForwardedHeaders: true now throws at create() with that guidance. Apps not behind a proxy need no change — the default already derives the scheme from the TLS socket and the host from the request's Host header.
14
+
15
+ - v0.15.17 (2026-06-22) — **The job queue runs on a Postgres or MySQL cluster backend, and a set of correctness and confidentiality fixes land for encrypted-API rejections, flow-job ordering, the self-update signature verifier, and bounded file reads.** The local job queue's lease path is now dialect-aware, so the queue works when its store is a Postgres or MySQL cluster backend rather than only single-node SQLite. The previous lease was a single SQLite-only statement: it double-quoted identifiers (which MySQL reads as string literals), updated a table named in its own subquery (MySQL error 1093), and used RETURNING (which MySQL rejects), so the first enqueue or lease against a cluster backend failed outright. The lease now resolves the active backend dialect and composes per-dialect SQL — a transactional SELECT ... FOR UPDATE SKIP LOCKED claim over the head of the queue followed by a guarded UPDATE against a literal id list, returning the claimed rows via RETURNING on Postgres and a re-select on MySQL — with backtick (MySQL) or double-quote (Postgres) identifier quoting, mirroring the framework's outbox claim. enqueue, lease, complete, fail, sweep, and dead-letter all run against the cluster backend, verified end-to-end against live MySQL and Postgres. Alongside the queue work: a request rejected on an established encrypted-API session is now returned inside the session envelope instead of leaking the rejection reason in cleartext; a flow child that declares dependencies can no longer be leased before those dependencies run during the brief window of the two-pass flow enqueue; the standalone self-update verifier classifies an ECDSA signature's encoding by its ASN.1 structure rather than its byte length and fails closed on an indeterminate shape; the self-update poller surfaces each asset's content digest; and the bounded synchronous file reader routes every failure branch through its typed error mapper. **Changed:** *Bundled Public Suffix List refreshed to current upstream* — The vendored Mozilla Public Suffix List — which b.publicSuffix uses to derive organizational domains for DMARC (psd= / np=), BIMI, cookie-scope checks, and same-site policy — is refreshed to the latest upstream revision. Domain classification reflects recent additions and removals to the list. **Fixed:** *The job queue's lease runs dialect-correct SQL on a Postgres or MySQL cluster backend* — When the queue's store is a cluster backend, the lease previously failed at the first enqueue or claim: it was composed as one SQLite-only statement that double-quoted column identifiers (a syntax error on MySQL, which treats double quotes as string literals), updated the jobs table from a subquery that named the same table (MySQL error 1093), and relied on RETURNING (which MySQL does not support). The lease now resolves the active backend dialect and builds per-dialect SQL — a transactional SELECT ... FOR UPDATE SKIP LOCKED over the head of the queue, then a guarded UPDATE ... WHERE status = 'pending' AND id IN (...) with a literal id list (no self-referencing subquery), reading the claimed rows back via RETURNING on Postgres and a re-select by id on MySQL — and quotes identifiers with backticks on MySQL and double quotes on Postgres. enqueue, lease, complete, fail, sweep, and the dead-letter operations now work against a cluster backend, with sealed-at-rest job payloads round-tripping correctly; single-node SQLite continues to use the original single-statement claim. The behavior is verified end-to-end against live MySQL and Postgres. · *Encrypted-API rejections that would disclose session state ride the session envelope* — On a per-session encrypted API channel, a rejection that reveals session state — an expired or rotated session, or a request admitted past the replay gate whose ciphertext then failed authentication — returned its reason as cleartext JSON, disclosing which check failed to a network observer of an otherwise-encrypted channel. Those rejections are now encrypted inside the session envelope under the response counter the server persists for them. The generic 'rejected' refusals that carry no session-lifecycle detail (a stale or duplicate request counter) stay plaintext: they reveal nothing a 400 status does not, and encrypting them would consume a response counter the server does not persist on those paths — desyncing the session's monotonic counter and bricking it for the next genuine request. Pre-session handshake failures (a malformed bootstrap, a stale timestamp, an unknown session) also remain plaintext, since no key exists yet to encrypt under. · *A flow child with dependencies can no longer be leased before its dependencies* — b.queue.enqueueFlow inserts a flow's children in two passes (the second resolves dependency names to the sibling job ids assigned in the first). The first pass previously enqueued every child as immediately leaseable and relied on the second pass to park the dependency-bearing children, leaving a window in which a consumer polling between the two passes could lease a child before the jobs it depends on had run. A dependency-bearing child is now parked at enqueue time on the first pass, so it is never leaseable in that window; the second pass only rewrites its dependency names to the resolved job ids. Children with no dependencies remain immediately leaseable. · *The self-update poller carries each asset's content digest* — b.selfUpdate.poll() now includes the content digest for each asset and its detached signature in the result it returns, so a caller can verify a downloaded asset against the digest advertised by the release feed. · *Bounded file reads always return the typed error shape* — The bounded synchronous file reader could surface an unmapped error on a few failure branches — a refused symlink whose target had since been removed, a short read, an integrity mismatch — rather than the typed error its callers expect. Every failure branch now passes through the reader's error mapper, so a caller always receives the documented error kind. **Security:** *The standalone self-update verifier detects ECDSA signature encoding by structure* — The standalone update-signature verifier inferred whether an ECDSA signature was DER- or IEEE-P1363-encoded from its byte length — a heuristic two distinct encodings can collide on, which could lead a valid-but-misclassified signature to be parsed under the wrong scheme. It now parses the signature's ASN.1 structure to classify the encoding and fails closed on an indeterminate shape rather than guessing.
16
+
11
17
  - v0.15.16 (2026-06-22) — **A correctness and hardening release: a broad set of credential and certificate verifiers now fail closed on a present-but-unparseable timestamp instead of silently skipping the check, outbound network clients gain an overall wall-clock timeout and a bounded framing buffer, DMARC refuses a record with no usable policy, append-only log sinks refuse a symlinked path, and the interactive-transaction and replay-store contracts refuse a backend that cannot honor them.** This release closes a family of fail-open and resource-exhaustion gaps without adding opt-ins to the request path. A recurring pattern across the verifiers — a timestamp parsed with a lenient parser, then gated by isFinite() so an unparseable value disables the check — is converted to fail-closed everywhere it appears: DKIM x=/t=/l=, ARC AMS/AS t=/x=, SAML Bearer and holder-of-key NotBefore, and the FIDO MDS3 / BIMI / S/MIME certificate validity windows now refuse a malformed value rather than accepting the credential. DMARC now validates and requires a usable p= policy and never recommends delivery for a failing message with an absent or unrecognized policy. Outbound clients that exposed a single timeout but applied it only as an idle (zero-progress) timer now also enforce it as an overall wall-clock cap, so a peer that trickles bytes within the idle window can no longer hold a request open indefinitely: the encrypted HTTP client, the object-store and SQS request paths, the CloudWatch / OTLP / webhook log sinks, and the password breach check. The DNS resolver and the lower-level DNS client gain a per-query wall-clock deadline that also tears the socket down, the SMTP client and the proxy CONNECT tunnel bound their framing buffers and add an overall deadline, and the NTS key-establishment handshake bounds its accumulator. The append-only local log sink and the daemon log open with O_NOFOLLOW so a symlink planted at the path is refused rather than followed. b.externalDb.transaction and b.outbox now refuse a backend that declares it cannot provide an interactive transaction instead of silently running a non-atomic block, and the GraphQL-federation replay store adopts the framework's atomic check-and-insert contract. **Added:** *b.atomicFile.openAppendNoFollowSync — symlink-refusing append open* — Opens a long-lived append target (an active log file kept open across appends and reopened on rotation) with O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW: the file is created or appended normally, but a symlink at the final path component fails the open closed (ELOOP) rather than redirecting writes. The append-sink counterpart to openNoFollowSync (read) and the exclusive-create temp open. · *b.externalDb.supportsTransactions() and stateless-adapter declaration* — A backend adapter may declare supportsTransactions: false (a stateless / autocommit-per-statement adapter) and/or provide a batch(client, statements) hook for an atomic multi-statement path. b.externalDb.supportsTransactions() reports whether the picked backend can provide an interactive transaction, so a consumer built on the dual-write guarantee can refuse a non-atomic backend up front. · *Store-free device fingerprint* — b.sessionDeviceBinding.fingerprint(req, opts) is now a static entry point returning the request-shape digest with no store, and b.sessionDeviceBinding.create() with neither a bindingStore nor storeInSession returns an instance whose stateless fingerprint() works while bind()/verify() throw a clear "no store configured". Soft device binding for self-validating tokens (a sealed cookie or JWT carrying the fingerprint) no longer needs a fabricated no-op store. **Changed:** *Device fingerprint IP masking is canonical* — b.sessionDeviceBinding masked the client IP into its prefix bucket by textual group slicing with no IPv6 normalization, so equivalent forms of one address (a ::-compressed form vs its fully-expanded form) hashed to different fingerprints and a roaming client could be logged out on a false drift. It now masks through the same canonical prefix helper b.session uses, preserving the configured prefix width (the IPv6 default stays /48, and ipPrefixBits is honored). b.requestHelpers.ipPrefix accepts { v4Bits, v6Bits } to override the /24 + /64 default for a function-form fingerprint or other reuse. **Fixed:** *b.session.destroyAllForUser works for pluggable-store consumers* — A consumer configuring sessions through b.session.useStore without calling b.db.init() got a db/not-initialized error from destroyAllForUser — every "log out everywhere" / suspend / delete path rejected with a 500 after the store rows had already been deleted, because the stateless valid-from boundary write was routed only to the framework database. The boundary now prefers the framework database when one is initialized and otherwise falls back to the configured session store (provisioning its table on demand), so store-backed deployments raise the stateless boundary successfully; it still fails closed when neither a framework database nor a store is available. **Security:** *Certificate and credential verifiers fail closed on an unparseable timestamp* — A present-but-unparseable date no longer silently disables a validity check. DKIM x= / t= (signature expiry, future-date, ordering) and l= (body-length cap), ARC AMS/AS t= / x=, SAML Bearer and holder-of-key SubjectConfirmationData NotBefore, and the FIDO MDS3, BIMI, and S/MIME certificate validity windows previously parsed the value, then guarded the comparison with isFinite() — so a value that did not parse (NaN) skipped the check and the credential was accepted. Each now refuses a present-but-unparseable value (a permerror / not-valid result) and only an absent optional field is ignored, matching the existing fail-closed handling of the SAML Conditions block. · *DMARC refuses a record with no usable policy* — The DMARC policy tag p= (and the subdomain sp=) were taken verbatim with no validation and p= was never required, so the disposition mapped a null or typo'd policy to the catch-all "deliver". A failing, unaligned message against a domain whose record omitted p= or carried an unrecognized value was therefore delivered. p= and sp= are now validated against none|quarantine|reject, p= is required for a record to carry a policy at all, an invalid record is a permerror (not a transient temperror), and the disposition is an explicit fail-closed mapping that never delivers a failing message on an absent or unrecognized policy. · *Outbound clients enforce an overall wall-clock timeout, not only an idle timeout* — Several clients exposed a single timeout but forwarded it to the underlying request only as idleTimeoutMs (a zero-progress cap that resets on every received byte), leaving no overall bound — a peer that trickles one byte inside each idle window holds the call open indefinitely. b.httpClient.encrypted (which dropped timeoutMs entirely, and now also forwards the caller's AbortSignal), the object-store request path and Azure/GCS bucket operations, the SQS queue client, the CloudWatch / OTLP / webhook log sinks, and the password HIBP breach check now set the overall wall-clock timeout alongside the idle timeout. · *DNS lookups gain a default wall-clock deadline and tear the socket down* — The DNS resolver's DoH transport had no time bound of any kind and the lower-level DNS client defaulted its lookup timeout to zero (no deadline). A non-responsive or slow-trickle upstream — reachable while resolving DKIM/SPF/BIMI records for inbound mail — held the lookup pending forever. The resolver now takes a per-query timeout (default 10s) wrapping every query and CNAME hop, the DNS client defaults its lookup timeout to 10s (operators opt out with a zero timeout), and the raw DoH/DoT request paths arm a socket timeout that destroys the connection on a stall rather than leaking the descriptor. · *SMTP, proxy-CONNECT, and NTS clients bound their read buffers and add deadlines* — The SMTP client accumulated the server's reply without a byte cap and relied on an idle timer alone; a hostile or broken MX that never sent a line terminator could exhaust memory, and a slow trickle held the transaction open. It now caps the accumulated reply (refusing once it exceeds the response ceiling) and enforces an overall transaction deadline. The proxy CONNECT-tunnel client, which accumulated the proxy's reply unbounded with no socket timeout, now caps the header buffer and times out the connect. The NTS key-establishment handshake reader caps its record accumulator so a server streaming non-terminating records cannot exhaust memory before the handshake timer fires. · *Append-only log sinks refuse a symlinked path* — The local log sink and the daemon log opened the active file in append mode without O_NOFOLLOW, so a symlink planted at the log path (including one re-planted in the race window after a caller's pre-check) was followed, redirecting log writes to an attacker-chosen file. Both now open with O_NOFOLLOW via the new b.atomicFile.openAppendNoFollowSync, refusing a symlinked final path component. · *Transaction and replay-store contracts refuse a backend that cannot honor them* — b.externalDb.transaction and b.outbox.create now refuse a backend that declares it cannot provide an interactive transaction (a stateless / autocommit-per-statement adapter) instead of silently running BEGIN, the body, and COMMIT on different sessions — no isolation, no rollback — while reporting success. b.graphqlFederation.guardSdl now consults its replay nonce store through the framework's atomic checkAndInsert(nonce, expireAt) contract (the same one b.webhook and b.nonceStore use) rather than a non-atomic has()-then-remember() check that raced concurrent redeliveries; a store lacking checkAndInsert is refused at construction. **Migration:** *DNS lookups now time out by default* — The lower-level DNS client's lookup timeout previously defaulted to zero (no deadline); it now defaults to 10 seconds. A deployment that intentionally ran DNS lookups with no wall-clock bound must set the lookup timeout to zero explicitly to restore the old behavior. The b.network.dns.resolver default timeout is also 10 seconds and is configurable via its timeoutMs option. · *b.graphqlFederation.guardSdl nonceStore contract* — guardSdl's optional replay nonceStore now requires the atomic checkAndInsert(nonce, expireAt) contract (b.nonceStore.create is the reference store) and refuses the previous { has, remember } shape at construction. Operators using the old shape should pass b.nonceStore.create(...) or an adapter exposing checkAndInsert. · *Interactive transactions on a stateless backend are refused* — If an externalDb backend adapter declares supportsTransactions: false, b.externalDb.transaction and b.outbox.create now throw rather than running a silently non-atomic block. Existing stateful adapters (Postgres / MySQL / SQLite, and any adapter that supplies beginTx/commit/rollback or omits the flag) are unaffected. A stateless / autocommit-per-statement adapter should supply interactive transaction hooks or a batch adapter.
12
18
 
13
19
  - v0.15.15 (2026-06-21) — **A focused correctness and hardening release: more authentication and signature verifiers fail closed (JWT issuer, SAML recipient binding, OAuth nonce, CIBA token binding, FIDO certification level), the WebSocket client bounds a fragmented message before it completes, DMARC resolves the From domain before the policy lookup, and the CSP builder refuses a directive-injecting source; fixes a middleware pipeline promise that never settled on a write-and-halt, and exposes the X.509 CA-bit issuer test, an IP-prefix helper, and a reverse-proxy-aware session fingerprint option.** This release continues to tighten existing protections without adding opt-ins on the request path. A further set of authentication and signature verifiers now refuse malformed or unbound credentials: JWT verify rejects an array-valued issuer claim (an any-match bypass, CVE-2025-30144 class), SAML requires the mandatory Recipient on a Bearer or holder-of-key confirmation and enforces every AudienceRestriction, OAuth no longer skips the ID-token nonce check on an empty nonce, CIBA binds the returned ID token to its auth_req_id, the FIDO MDS3 certification level reflects the authenticator's current status rather than its historical maximum, and a JOSE header that decodes to a non-object is a typed error rather than an uncaught throw. The WebSocket client now bounds a fragmented incoming message by its running total instead of only at the final frame, DMARC validates the From-header domain before the policy lookup, the data-residency write gate compares the residency column case-insensitively, and the SQL builder refuses an equality against NULL and validates every IN-list element. The CSP builder refuses a source token containing whitespace or a semicolon (directive injection). A middleware pipeline that a request handler halted by writing the response without calling next() left its promise pending forever, retaining the request closure — it now settles. New surface is additive and backward compatible: the basicConstraints-enforcing X.509 issuer test is exposed publicly, the session device fingerprint can resolve the client IP through a trusted-proxy allowlist, and the /24+/64 IP-prefix masking it uses is exposed for reuse. **Added:** *b.x509Chain — the CA-bit-enforcing X.509 issuer test* — isCaCert(cert) and issuerValidlyIssued(issuer, subject) are now public. Node's X509Certificate.checkIssued() does not enforce the basicConstraints cA bit (CVE-2002-0862 class), so a non-CA leaf can be accepted as an issuer; these helpers require cA:TRUE and verify the signature, fail closed on any malformed input, and are the same test the framework's own chain walkers use. A consumer validating a chain outside a TLS handshake (an operator-uploaded CA bundle, a non-handshake PQ-signed certificate) can now use the hardened path instead of raw checkIssued(). · *Reverse-proxy-aware session device fingerprint* — b.session.create / verify / rotate accept { trustedProxies } (CIDRs) or { clientIpResolver } so the built-in clientIp / clientIpPrefix fingerprint fields resolve the real client IP behind a trusted proxy, consistent with b.requestHelpers.trustedClientIp. Without the option the fingerprint still binds to the bare socket peer (unchanged default), so existing fingerprints keep matching; pass the same option to create, verify, and rotate. The /24 (IPv4) + /64 (IPv6) subnet masking is exposed as b.requestHelpers.ipPrefix for an operator using a function-form fingerprint field. **Changed:** *DKIM l= is counted over the canonicalized body* — On verify, the l= body-length tag was applied to the raw body before canonicalization, so a legitimate relaxed/relaxed signature whose l= matched the canonicalized length was rejected with a body-hash mismatch whenever relaxed canonicalization changed the byte count within the first l= octets. The body is now canonicalized first and the canonicalized octet stream truncated to l= (RFC 6376 §3.4.5). · *PIPL cross-border security-assessment threshold documentation corrected* — The b.pipl.sccFilingAssessment contract stated the CAC security assessment becomes mandatory above 100,000 cumulative PI subjects (the superseded 2022 figure). The builder enforces the current CAC Provisions on Promoting and Regulating Cross-Border Data Flows — a security assessment above 1,000,000 non-sensitive PI subjects or 10,000 sensitive, with the 100,000–1,000,000 band in the standard-contract / certification tier. The documentation now matches the enforced thresholds. **Fixed:** *composePipeline settles its promise when a middleware halts* — A regular middleware that wrote the response and returned without calling next() — the intended way to halt the chain from an auth / rate-limit / bot block — left the promise returned by b.middleware.composePipeline pending forever, retaining its request/response closure (an unbounded leak under sustained blocked traffic). The halt path now settles the promise without advancing to the route handler; the same applies to an error handler that consumes the error without calling next(). · *Quality-list header parsing is quote-aware* — parseQualityList mis-read a q= substring that appeared inside a quoted media-range or Accept-* parameter, mis-weighting content negotiation. It now parses the q parameter with quote-aware splitting. **Security:** *More authentication and signature verifiers fail closed* — JWT verify rejects an array-valued iss claim (it had passed through a generic any-match built for the legitimately-array aud claim, so a multi-issuer array satisfied a single-issuer expectation — CVE-2025-30144 class), matching the external JWT and OIDC verifiers. SAML verifyResponse requires the Recipient attribute on a Bearer or holder-of-key SubjectConfirmation and confirms it equals the ACS URL (an absent Recipient was silently skipped), and enforces every AudienceRestriction (AND-combined per SAML core). OAuth no longer fails open and skips the ID-token nonce replay check when the supplied nonce is empty. CIBA binds the polled / notified ID token to its auth_req_id so a token minted for another request can't be accepted. The FIDO MDS3 certification level reflects the authenticator's current status, not the highest level it ever held, so a later decertification or downgrade is honored by a step-up policy. A JOSE header or payload that decodes to JSON null or a non-object now raises a typed authentication error instead of an uncaught TypeError. · *WebSocket fragmented-message reassembly is bounded before completion* — The client enforced maxMessageBytes only when a fragmented message's final frame arrived, so a peer could stream unbounded continuation frames and exhaust memory before the limit was ever checked. The running reassembly total is now enforced per frame, and a frame arriving after close is ignored. · *DMARC resolves the From domain before the policy lookup* — The From-header bare addr-spec domain extraction did not reject RFC 5322 group syntax or a trailing semicolon, so a crafted From header could yield a corrupted domain that defeated the DMARC alignment / policy lookup. The domain is now validated (length-bounded, rejecting the group and punctuation forms) before it is used. · *Data-residency and SQL builder correctness* — The per-row data-residency write gate compares the residency column name case-insensitively, so a raw UPDATE that spells the column in a different letter case can no longer slip the cross-border transfer check. The SQL builder refuses an equality against NULL (col = NULL is always false; use IS NULL) and validates every element of an IN-list on the Postgres = ANY(?) path, matching the sqlite / MySQL path. · *CSP builder refuses a directive-injecting source* — A CSP source is a single non-whitespace token. build() and mergeDirectives() now reject a source containing whitespace or a semicolon — because the emitter space-joins sources and semicolon-joins directives, a value like "https://x; script-src https://evil" injected a live directive.
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "version": 1,
3
- "frameworkVersion": "0.15.16",
4
- "createdAt": "2026-06-22T12:04:10.257Z",
3
+ "frameworkVersion": "0.15.19",
4
+ "createdAt": "2026-06-23T04:32:56.651Z",
5
5
  "exports": {
6
6
  "a2a": {
7
7
  "type": "object",
@@ -49239,6 +49239,10 @@
49239
49239
  "type": "function",
49240
49240
  "arity": 2
49241
49241
  },
49242
+ "requestHost": {
49243
+ "type": "function",
49244
+ "arity": 2
49245
+ },
49242
49246
  "requestProtocol": {
49243
49247
  "type": "function",
49244
49248
  "arity": 2
@@ -49259,6 +49263,10 @@
49259
49263
  "type": "function",
49260
49264
  "arity": 1
49261
49265
  },
49266
+ "trustedHost": {
49267
+ "type": "function",
49268
+ "arity": 1
49269
+ },
49262
49270
  "trustedProtocol": {
49263
49271
  "type": "function",
49264
49272
  "arity": 1