@blamejs/core 0.12.34 → 0.12.35

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.35 (2026-05-24) — **`b.eat` — Entity Attestation Token (RFC 9711) over `b.cwt`.** An EAT is the token a Relying Party asks a device or software entity to produce to prove what it is and what state it is in — a freshness nonce, a Universal Entity ID, OEM / hardware identifiers, debug status, software measurements, and nested submodule attestations. `b.eat` is the RFC 9711 profile over the v0.12.34 `b.cwt`: it maps the EAT claim names to their IANA CWT claim-key integer labels and adds the attestation-specific verification on top of the CWT signature + time checks. The central control is the verifier-nonce binding: when the Relying Party supplies a fresh `expectedNonce`, the token's `eat_nonce` (claim 10) must match it (constant-time compare) — without it a captured attestation replays forever. `verify` also enforces a debug-status policy (`requireDebugDisabled` refuses an `enabled` or absent `dbgstat`) and pins the `eat_profile`. RFC 9711 is a finalized standard; signing follows `b.cwt` / `b.cose` (ES256/384/512 + EdDSA interoperable today, ML-DSA-87 PQC-forward). **Added:** *`b.eat.sign(claims, opts)` / `b.eat.verify(eat, opts)`* — `sign` maps EAT claim names (`nonce`, `ueid`, `oemid`, `hwmodel`, `dbgstat`, `eat_profile`, `swname`/`swversion`, `measurements`, `submods`, …) to their RFC 9711 integer labels and accepts the `dbgstat` enum by name (`disabled-since-boot` → 2); standard CWT claims (`iss` / `exp` / …) pass through. `verify` returns `{ claims, raw, alg, protectedHeaders }` with the labels mapped back to friendly names and `dbgstat` decoded to its enum name. Attestation enforcement: `expectedNonce` requires a matching `eat_nonce` (refused `eat/nonce-mismatch`, missing `eat/nonce-missing` — `eat_nonce` may be a single byte string or an array for multiple verifiers), `requireDebugDisabled` refuses a non-disabled `dbgstat` (`eat/debug-not-disabled`), and `expectedProfile` pins `eat_profile`. The signature, algorithm allowlist, and `exp`/`nbf` checks delegate to `b.cwt` / `b.cose`. · *`b.cwt.sign` accepts a `Map`* — `b.cwt.sign` now takes either a plain object (string keys, standard claims mapped by name) or a `Map`, which preserves integer claim keys verbatim — profiles like `b.eat` resolve their claim names to integer labels and pass them through without the keys being stringified. The plain-object path is unchanged.
+
 - v0.12.34 (2026-05-24) — **`b.cwt` — CBOR Web Token (RFC 8392) sign / verify over `b.cose`.** A CWT is the CBOR-native counterpart to JWT — a signed claims set for constrained / IoT, FIDO attestation, and verifiable-credential contexts. `b.cwt` composes the v0.12.33 `b.cose` (COSE_Sign1 signature + mandatory algorithm allowlist) and v0.12.32 `b.cbor` (deterministic claims encoding) and layers the standard-claim handling on top: `sign` takes a friendly claims object, maps the standard claims to their RFC 8392 §3.1.1 integer labels (iss=1, sub=2, aud=3, exp=4, nbf=5, iat=6, cti=7), and signs; `verify` checks the COSE signature, decodes the claims, and enforces the time + identity claims — a passed `exp` (with clock-skew tolerance), a future `nbf`, and an `iss` / `aud` mismatch against the expected values are each refused. Signing algorithms follow `b.cose`: classical ES256/384/512 + EdDSA (final COSE ids, interoperable today) and ML-DSA-87 (PQC-forward). RFC 8392 is a finalized standard, so CWTs produced here interoperate with other COSE/CWT implementations. **Added:** *`b.cwt.sign(claims, opts)` / `b.cwt.verify(cwt, opts)`* — `sign` maps standard claim names to integer labels and keeps custom claims verbatim; `exp` / `nbf` / `iat` must be non-negative integer NumericDates. `opts.tagged` wraps the COSE_Sign1 in the CWT CBOR tag 61 (RFC 8392 §6); `verify` accepts tagged or bare input. `verify` returns `{ claims, raw, alg, protectedHeaders }` — `claims` is the friendly object (labels mapped back to names), `raw` the integer-keyed Map. Standard-claim enforcement: `exp` past `now + clockSkewSec` (default 60s) is refused with `cwt/expired`, `nbf` beyond `now - skew` with `cwt/not-yet-valid`, and `expectedIssuer` / `expectedAudience` mismatches with `cwt/issuer-mismatch` / `cwt/audience-mismatch` (aud may be a single value or an array). `opts.now` overrides the clock for testing. The signature itself is verified by `b.cose.verify`, so a tampered token fails there.
 
 - v0.12.33 (2026-05-24) — **`b.cose` — COSE_Sign1 sign / verify (RFC 9052) over the in-tree CBOR codec.** COSE is the signed-statement substrate under SCITT, CWT, and C2PA — the CBOR-native counterpart to JWS. `b.cose` ships COSE_Sign1 signing and verification composing the v0.12.32 `b.cbor` codec for the deterministic Sig_structure encoding. It signs with the classical COSE algorithms that interoperate today — ES256 / ES384 / ES512 (ECDSA) and EdDSA (Ed25519), all with final IANA algorithm ids (RFC 9053) — and with ML-DSA-87 (FIPS 204) for PQC-forward deployments. Verification accepts the same set, so the framework both produces COSE other implementations read today and consumes third-party COSE. There is no classical default: the caller names the algorithm and supplies the key. **Added:** *`b.cose.sign(payload, opts)` / `b.cose.verify(coseSign1, opts)`* — `sign` produces a tagged COSE_Sign1 with `alg` in the integrity-protected header; `verify` returns `{ payload, alg, protectedHeaders, unprotectedHeaders }`. The Sig_structure (`["Signature1", protected, external_aad, payload]`) is deterministically CBOR-encoded; ECDSA signatures use the IEEE-P1363 fixed-width encoding COSE mandates (RFC 9053 §2.1), not ASN.1 DER. `external_aad` is bound into the signature. v1 is single-signer with an attached payload; detached payload, COSE_Sign (multi-signer), COSE_Mac0, and COSE_Encrypt are deferred-with-condition (operator demand). **Security:** *Bounded, alg-allowlisted, crit-checked verification* — `verify` decodes the COSE_Sign1 bytes AND the protected-header bstr through the bounded `b.cbor.decode` (depth + size caps, indefinite-length / tag / duplicate-key refusal). `opts.algorithms` is a required allowlist (no defaults — name the accepted algorithms). A `crit` header (label 2) listing a header label the verifier does not understand is refused (RFC 9052 §3.1 crit-bypass defense), as is a `crit` label absent from the protected header. The COSE algorithm switch refuses any unrecognized id at the default branch. · *ML-DSA-87 COSE algorithm id is a non-final draft* — ML-DSA-87 uses COSE algorithm id `-50`, a requested (non-final) IANA assignment from draft-ietf-cose-dilithium — an ML-DSA-87 COSE_Sign1 is not yet broadly interoperable and the id may change; it is pinned deliberately with the re-open condition being IANA finalization. SLH-DSA-SHAKE-256f has no registered COSE algorithm id at all and cannot be represented in COSE. The COSE_Sign1 mechanism and the classical algorithms are stable; ML-DSA-87 is the forward-looking opt-in.

package/README.md

@@ -128,6 +128,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **Binary codec** — `b.cbor` bounded deterministic CBOR (RFC 8949 §4.2): depth/size caps, indefinite-length + reserved-info + tag + duplicate-key refusal, `requireDeterministic` canonical-form check; the in-tree substrate under COSE / CWT / SCITT / WebAuthn attestation
 - **COSE signing** — `b.cose` COSE_Sign1 sign/verify (RFC 9052) over `b.cbor`: classical ES256/384/512 + EdDSA (final COSE ids, interoperable today) plus ML-DSA-87 (PQC-forward, draft id); bounded + alg-allowlisted + crit-bypass-checked verification; the signed-statement substrate under SCITT / CWT / C2PA
 - **CBOR Web Token** — `b.cwt` CWT sign/verify (RFC 8392) over `b.cose`: standard-claim mapping (iss/sub/aud/exp/nbf/iat/cti) + `exp`/`nbf` clock-skew enforcement + `iss`/`aud` matching; the CBOR-native JWT for constrained / IoT / FIDO / verifiable-credential contexts
+- **Entity Attestation Token** — `b.eat` EAT sign/verify (RFC 9711) over `b.cwt`: device + software attestation claims (ueid / oemid / hwmodel / measurements / submods) with verifier-nonce freshness binding, `dbgstat` debug-status policy, and `eat_profile` pinning
 - **Document parsers** — `b.parsers` (XML / TOML / YAML / .env); `b.config` (schema-validated env)
 - **File-type detection** — `b.fileType` magic-byte content classification with deny-on-upload categories (image / document / archive / executable / etc.)
 ### Content-safety gates

package/index.js

@@ -458,6 +458,7 @@ module.exports = {
   cbor:             require("./lib/cbor"),
   cose:             require("./lib/cose"),
   cwt:              require("./lib/cwt"),
+  eat:              require("./lib/eat"),
   queue:            queue,
   logStream:        logStream,
   redact:           redact,

package/lib/cwt.js

@@ -101,23 +101,28 @@ function _readTagHead(buf) {
  */
 async function sign(claims, opts) {
   if (!claims || typeof claims !== "object" || Array.isArray(claims)) {
-    throw new CwtError("cwt/bad-claims", "cwt.sign: claims must be a plain object");
+    throw new CwtError("cwt/bad-claims", "cwt.sign: claims must be a plain object or a Map");
   }
   validateOpts.requireObject(opts, "cwt.sign", CwtError);
   validateOpts(opts, ["alg", "privateKey", "kid", "tagged", "externalAad"], "cwt.sign");
 
+  // Accept a plain object (string keys) OR a Map. A Map preserves
+  // INTEGER claim keys verbatim — profiles like b.eat pass their
+  // already-resolved integer labels through and must not have them
+  // stringified.
+  var source = (claims instanceof Map)
+    ? claims
+    : new Map(Object.keys(claims).map(function (k) { return [k, claims[k]]; }));
+
   var map = new Map();
-  var keys = Object.keys(claims);
-  for (var i = 0; i < keys.length; i++) {
-    var name = keys[i];
-    var value = claims[name];
-    if (NUMERIC_DATE_CLAIMS[name] &&
+  source.forEach(function (value, name) {
+    if (typeof name === "string" && NUMERIC_DATE_CLAIMS[name] &&
         (typeof value !== "number" || !Number.isInteger(value) || value < 0)) {
       throw new CwtError("cwt/bad-numeric-date",
         "cwt.sign: claim '" + name + "' must be a non-negative integer NumericDate (seconds)");
     }
-    map.set(Object.prototype.hasOwnProperty.call(STD, name) ? STD[name] : name, value);
-  }
+    map.set((typeof name === "string" && Object.prototype.hasOwnProperty.call(STD, name)) ? STD[name] : name, value);
+  });
 
   var claimsCbor = cbor.encode(map);
   var coseSign1 = await cose.sign(claimsCbor, {

package/lib/eat.js

@@ -0,0 +1,240 @@
+"use strict";
+/**
+ * @module b.eat
+ * @nav    Crypto
+ * @title  Entity Attestation Token (EAT)
+ *
+ * @intro
+ *   RFC 9711 Entity Attestation Token — a CWT (or JWT) profile that
+ *   carries attestation claims describing the state of a device or
+ *   software entity: a freshness nonce, a Universal Entity ID, OEM /
+ *   hardware identifiers, debug status, software measurements, and
+ *   nested submodule attestations. EAT is the token a Relying Party
+ *   asks a device to produce to prove what it is and what state it is
+ *   in. This module is the EAT profile over <code>b.cwt</code> — it
+ *   maps the RFC 9711 claim names to their CWT claim-key integer
+ *   labels and adds the attestation-specific verification.
+ *
+ *   <code>b.eat.sign(claims, opts)</code> takes a friendly claims
+ *   object (<code>nonce</code>, <code>ueid</code>, <code>oemid</code>,
+ *   <code>dbgstat</code>, <code>eat_profile</code>,
+ *   <code>measurements</code>, <code>submods</code>, … plus the
+ *   standard CWT claims) and signs it as a CWT.
+ *
+ *   <code>b.eat.verify(eat, opts)</code> verifies the CWT (signature +
+ *   alg allowlist + time claims, via <code>b.cwt</code>) and then
+ *   enforces the attestation contract:
+ *
+ *   - <strong>Nonce binding</strong> — when the Relying Party supplied
+ *     a fresh <code>expectedNonce</code>, the token's
+ *     <code>eat_nonce</code> (claim 10) MUST match it (constant-time
+ *     compare). This is the freshness / anti-replay defense: without
+ *     it a captured attestation can be replayed indefinitely.
+ *   - <strong>Debug status</strong> — <code>requireDebugDisabled</code>
+ *     refuses a token whose <code>dbgstat</code> is
+ *     <code>enabled</code> (0) or absent; only the disabled states
+ *     (1–4) pass.
+ *   - <strong>Profile</strong> — <code>expectedProfile</code> pins the
+ *     <code>eat_profile</code> claim.
+ *
+ *   Signing algorithms follow <code>b.cwt</code> / <code>b.cose</code>:
+ *   ES256/384/512 + EdDSA (interoperable today) and ML-DSA-87.
+ *
+ * @card
+ *   RFC 9711 Entity Attestation Token over b.cwt — sign / verify
+ *   device + software attestation claims with verifier-nonce binding,
+ *   debug-status policy, and profile pinning.
+ */
+
+var cwt = require("./cwt");
+var bCrypto = require("./crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var EatError = defineClass("EatError", { alwaysPermanent: true });
+
+// RFC 9711 / IANA CWT Claims registry claim keys.
+var EAT = {                                                                            // allow:raw-byte-literal — RFC 9711 / IANA CWT claim-key labels, not byte sizes
+  nonce: 10, ueid: 256, sueids: 257, oemid: 258, hwmodel: 259, hwversion: 260,         // allow:raw-byte-literal — CWT claim keys
+  uptime: 261, oemboot: 262, dbgstat: 263, location: 264, eat_profile: 265,            // allow:raw-byte-literal — CWT claim keys
+  submods: 266, swname: 270, swversion: 271, manifests: 272, measurements: 273,        // allow:raw-byte-literal — CWT claim keys
+};
+var EAT_BY_LABEL = {};
+Object.keys(EAT).forEach(function (k) { EAT_BY_LABEL[EAT[k]] = k; });
+
+// RFC 9711 §4.3.1 debug-status enumeration.
+var DBGSTAT = {
+  "enabled": 0, "disabled": 1, "disabled-since-boot": 2,
+  "disabled-permanently": 3, "disabled-fully-and-permanently": 4,
+};
+var DBGSTAT_BY_VALUE = {};
+Object.keys(DBGSTAT).forEach(function (k) { DBGSTAT_BY_VALUE[DBGSTAT[k]] = k; });
+
+// Standard CWT claim labels → names (RFC 8392 §3.1.1) so EAT's
+// friendly output names the standard claims alongside the EAT ones.
+var STD_NAME = { 1: "iss", 2: "sub", 3: "aud", 4: "exp", 5: "nbf", 6: "iat", 7: "cti" };
+
+function _toBuf(x) {
+  if (Buffer.isBuffer(x)) return x;
+  if (x instanceof Uint8Array) return Buffer.from(x);
+  if (typeof x === "string") return Buffer.from(x, "utf8");
+  return null;
+}
+
+function _nonceMatches(claimValue, expected) {
+  var exp = _toBuf(expected);
+  if (!exp) return false;
+  // eat_nonce may be a single byte string or an array of them (one per
+  // verifier). Constant-time compare against each candidate.
+  var candidates = Array.isArray(claimValue) ? claimValue : [claimValue];
+  for (var i = 0; i < candidates.length; i++) {
+    var c = _toBuf(candidates[i]);
+    if (c && c.length === exp.length && bCrypto.timingSafeEqual(c, exp)) return true;
+  }
+  return false;
+}
+
+/**
+ * @primitive b.eat.sign
+ * @signature b.eat.sign(claims, opts)
+ * @since     0.12.35
+ * @status    stable
+ * @related   b.eat.verify, b.cwt.sign
+ *
+ * Sign EAT attestation claims into a CWT. EAT claim names map to their
+ * RFC 9711 integer labels; <code>dbgstat</code> accepts the enum name
+ * (<code>"disabled-since-boot"</code>) or its integer. Standard CWT
+ * claims (<code>iss</code> / <code>exp</code> / …) pass through to
+ * <code>b.cwt.sign</code>.
+ *
+ * @opts
+ *   {
+ *     alg:        string,   // COSE signing alg (ES256 / EdDSA / ML-DSA-87 / …)
+ *     privateKey: object,   // signing key
+ *     kid?:       string,
+ *     tagged?:    boolean,  // CWT tag 61
+ *   }
+ *
+ * @example
+ *   var eat = await b.eat.sign(
+ *     { nonce: rpNonce, ueid: deviceUeid, oemid: oem, dbgstat: "disabled-permanently",
+ *       eat_profile: "https://example.com/eat/profile-1", iat: Math.floor(Date.now()/1000) },
+ *     { alg: "ES256", privateKey: deviceKey });
+ */
+async function sign(claims, opts) {
+  if (!claims || typeof claims !== "object" || Array.isArray(claims)) {
+    throw new EatError("eat/bad-claims", "eat.sign: claims must be a plain object");
+  }
+  validateOpts.requireObject(opts, "eat.sign", EatError);
+  // Translate EAT claim names to their integer labels into a Map (so
+  // the integer keys survive — a plain object would stringify them).
+  // Standard CWT names (iss/sub/aud/exp/nbf/iat/cti) + custom keys are
+  // left for b.cwt.sign to handle.
+  var mapped = new Map();
+  var keys = Object.keys(claims);
+  for (var i = 0; i < keys.length; i++) {
+    var name = keys[i];
+    var value = claims[name];
+    if (name === "dbgstat" && typeof value === "string") {
+      if (!Object.prototype.hasOwnProperty.call(DBGSTAT, value)) {
+        throw new EatError("eat/bad-dbgstat",
+          "eat.sign: dbgstat must be one of " + Object.keys(DBGSTAT).join(" / ") + " (or an integer 0-4)");
+      }
+      value = DBGSTAT[value];
+    }
+    mapped.set(Object.prototype.hasOwnProperty.call(EAT, name) ? EAT[name] : name, value);
+  }
+  return cwt.sign(mapped, opts);
+}
+
+/**
+ * @primitive b.eat.verify
+ * @signature b.eat.verify(eat, opts)
+ * @since     0.12.35
+ * @status    stable
+ * @related   b.eat.sign, b.cwt.verify
+ *
+ * Verify an EAT and return its attestation claims. Delegates the CWT
+ * signature + algorithm-allowlist + time-claim checks to
+ * <code>b.cwt.verify</code>, then enforces the attestation contract:
+ * the <code>eat_nonce</code> must match <code>expectedNonce</code>
+ * (when supplied — the freshness/anti-replay binding),
+ * <code>requireDebugDisabled</code> refuses a non-disabled
+ * <code>dbgstat</code>, and <code>expectedProfile</code> pins
+ * <code>eat_profile</code>.
+ *
+ * @opts
+ *   {
+ *     algorithms:        string[],  // required — accepted COSE algs
+ *     publicKey?:        object,
+ *     keyResolver?:      function,
+ *     expectedNonce?:    Buffer,    // require eat_nonce to match (freshness)
+ *     requireDebugDisabled?: boolean,  // refuse dbgstat enabled / absent
+ *     expectedProfile?:  string,    // pin eat_profile
+ *     expectedIssuer?:   string,    // forwarded to b.cwt.verify
+ *     expectedAudience?: string,
+ *     clockSkewSec?:     number,
+ *     now?:              number,
+ *     externalAad?:      Buffer,
+ *   }
+ *
+ * @example
+ *   var att = await b.eat.verify(eat, { algorithms: ["ES256"], publicKey: devicePub, expectedNonce: rpNonce, requireDebugDisabled: true });
+ *   // → { claims: { nonce, ueid, dbgstat: "disabled-permanently", ... }, raw: Map, alg }
+ */
+async function verify(eat, opts) {
+  validateOpts.requireObject(opts, "eat.verify", EatError);
+  var out = await cwt.verify(eat, {
+    algorithms: opts.algorithms, publicKey: opts.publicKey, keyResolver: opts.keyResolver,
+    expectedIssuer: opts.expectedIssuer, expectedAudience: opts.expectedAudience,
+    clockSkewSec: opts.clockSkewSec, now: opts.now, externalAad: opts.externalAad,
+  });
+  var raw = out.raw;
+
+  // Nonce binding — the freshness / anti-replay defense. When the RP
+  // supplied a nonce, the token MUST carry a matching eat_nonce.
+  if (opts.expectedNonce != null) {
+    if (!raw.has(EAT.nonce)) {
+      throw new EatError("eat/nonce-missing", "eat.verify: expectedNonce supplied but token has no eat_nonce claim");
+    }
+    if (!_nonceMatches(raw.get(EAT.nonce), opts.expectedNonce)) {
+      throw new EatError("eat/nonce-mismatch", "eat.verify: eat_nonce does not match expectedNonce (stale / replayed attestation)");
+    }
+  }
+
+  // Debug status — refuse a token that can't prove debug is disabled.
+  if (opts.requireDebugDisabled === true) {
+    var ds = raw.get(EAT.dbgstat);
+    if (typeof ds !== "number" || ds < DBGSTAT.disabled) {
+      throw new EatError("eat/debug-not-disabled",
+        "eat.verify: requireDebugDisabled — dbgstat is " +
+        (ds === undefined ? "absent" : (DBGSTAT_BY_VALUE[ds] || ds)) + ", not a disabled state");
+    }
+  }
+
+  if (opts.expectedProfile != null && raw.get(EAT.eat_profile) !== opts.expectedProfile) {
+    throw new EatError("eat/profile-mismatch", "eat.verify: eat_profile does not match expectedProfile");
+  }
+
+  // Build friendly claims: EAT + standard labels → names; decode the
+  // dbgstat enum to its name.
+  var claims = {};
+  raw.forEach(function (v, k) {
+    var name = Object.prototype.hasOwnProperty.call(EAT_BY_LABEL, k) ? EAT_BY_LABEL[k]
+      : (Object.prototype.hasOwnProperty.call(STD_NAME, k) ? STD_NAME[k] : k);
+    if (name === "dbgstat" && typeof v === "number" && Object.prototype.hasOwnProperty.call(DBGSTAT_BY_VALUE, v)) {
+      v = DBGSTAT_BY_VALUE[v];
+    }
+    claims[name] = v;
+  });
+
+  return { claims: claims, raw: raw, alg: out.alg, protectedHeaders: out.protectedHeaders };
+}
+
+module.exports = {
+  sign:        sign,
+  verify:      verify,
+  CLAIM_LABELS: EAT,
+  DBGSTAT:     DBGSTAT,
+  EatError:    EatError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.34",
+  "version": "0.12.35",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:619f056d-4027-4805-8bea-f39101edd638",
+  "serialNumber": "urn:uuid:05721aa1-7108-4263-bd58-e67b140f3790",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-24T22:52:17.036Z",
+    "timestamp": "2026-05-24T23:29:47.165Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.34",
+      "bom-ref": "@blamejs/core@0.12.35",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.34",
+      "version": "0.12.35",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.34",
+      "purl": "pkg:npm/%40blamejs/core@0.12.35",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.34",
+      "ref": "@blamejs/core@0.12.35",
       "dependsOn": []
     }
   ]