@blamejs/core 0.12.62 → 0.12.64
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/README.md +2 -1
- package/index.js +2 -0
- package/lib/backup/manifest.js +1 -1
- package/lib/cloud-events.js +455 -0
- package/lib/csp.js +3 -2
- package/lib/json-schema.js +740 -0
- package/lib/jtd.js +4 -15
- package/lib/rfc3339.js +37 -0
- package/lib/safe-buffer.js +8 -0
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/lib/jtd.js
CHANGED
|
@@ -29,6 +29,7 @@
|
|
|
29
29
|
*/
|
|
30
30
|
|
|
31
31
|
var { defineClass } = require("./framework-error");
|
|
32
|
+
var rfc3339 = require("./rfc3339");
|
|
32
33
|
|
|
33
34
|
var JtdError = defineClass("JtdError", { alwaysPermanent: true });
|
|
34
35
|
|
|
@@ -48,21 +49,9 @@ var SHARED_KEYWORDS = { definitions: 1, nullable: 1, metadata: 1 };
|
|
|
48
49
|
function _isPlainObject(v) { return v !== null && typeof v === "object" && !Array.isArray(v); }
|
|
49
50
|
function _isInteger(v) { return typeof v === "number" && isFinite(v) && Math.floor(v) === v; }
|
|
50
51
|
|
|
51
|
-
// RFC 3339 date-time (the JTD "timestamp" type)
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
var m = RFC3339.exec(s);
|
|
55
|
-
if (!m) return false;
|
|
56
|
-
var mo = +m[2], d = +m[3], h = +m[4], mi = +m[5], se = +m[6];
|
|
57
|
-
if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || se > 60) return false; // allow:raw-time-literal — RFC 3339 field ranges (60 = leap second)
|
|
58
|
-
var days = [31, ((+m[1] % 4 === 0 && +m[1] % 100 !== 0) || +m[1] % 400 === 0) ? 29 : 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]; // allow:raw-time-literal — days per month
|
|
59
|
-
if (d > days[mo - 1]) return false;
|
|
60
|
-
var tz = m[8];
|
|
61
|
-
if (tz !== "Z" && tz !== "z") { // numeric offset must be in range
|
|
62
|
-
if (+tz.slice(1, 3) > 23 || +tz.slice(4, 6) > 59) return false; // allow:raw-time-literal — RFC 3339 offset hour/minute ranges
|
|
63
|
-
}
|
|
64
|
-
return true;
|
|
65
|
-
}
|
|
52
|
+
// RFC 3339 date-time (the JTD "timestamp" type) — strict form shared with
|
|
53
|
+
// the other spec-driven consumers via lib/rfc3339.js.
|
|
54
|
+
var _validTimestamp = rfc3339.isValidDateTime;
|
|
66
55
|
|
|
67
56
|
// --- compile-time well-formedness (RFC 8927 section 2.2) ---
|
|
68
57
|
function _checkSchema(schema, root, isRoot) {
|
package/lib/rfc3339.js
ADDED
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* rfc3339 — strict RFC 3339 date-time validation, shared by the primitives
|
|
4
|
+
* whose specs require the full "internet date/time" form (a mandatory
|
|
5
|
+
* "T"/"t" separator and a mandatory "Z" or numeric UTC offset). b.jtd's
|
|
6
|
+
* `timestamp` type and b.cloudevents' `time` attribute both point at
|
|
7
|
+
* RFC 3339, so the field-range + leap-year + offset-range checks live here
|
|
8
|
+
* once instead of drifting between them.
|
|
9
|
+
*
|
|
10
|
+
* This is intentionally NOT the lenient validator b.guardTime ships: that
|
|
11
|
+
* one accepts a space separator and an absent offset by design (a content-
|
|
12
|
+
* safety guard tuned per profile), whereas these consumers must reject
|
|
13
|
+
* anything the spec disallows.
|
|
14
|
+
*
|
|
15
|
+
* var rfc3339 = require("./rfc3339");
|
|
16
|
+
* rfc3339.isValidDateTime("2018-04-05T17:31:00Z"); // → true
|
|
17
|
+
*/
|
|
18
|
+
|
|
19
|
+
// "T" separator required; offset ("Z"/"z" or ±HH:MM) required.
|
|
20
|
+
var RFC3339_RE = /^(\d{4})-(\d{2})-(\d{2})[Tt](\d{2}):(\d{2}):(\d{2})(\.\d+)?([Zz]|[+-]\d{2}:\d{2})$/;
|
|
21
|
+
|
|
22
|
+
function isValidDateTime(s) {
|
|
23
|
+
if (typeof s !== "string") return false;
|
|
24
|
+
var m = RFC3339_RE.exec(s);
|
|
25
|
+
if (!m) return false;
|
|
26
|
+
var mo = +m[2], d = +m[3], h = +m[4], mi = +m[5], se = +m[6];
|
|
27
|
+
if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || se > 60) return false; // allow:raw-time-literal — RFC 3339 field ranges (60 = leap second)
|
|
28
|
+
var days = [31, ((+m[1] % 4 === 0 && +m[1] % 100 !== 0) || +m[1] % 400 === 0) ? 29 : 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]; // allow:raw-time-literal — days per month (Gregorian)
|
|
29
|
+
if (d > days[mo - 1]) return false;
|
|
30
|
+
var tz = m[8];
|
|
31
|
+
if (tz !== "Z" && tz !== "z") {
|
|
32
|
+
if (+tz.slice(1, 3) > 23 || +tz.slice(4, 6) > 59) return false; // allow:raw-time-literal — RFC 3339 offset hour/minute ranges
|
|
33
|
+
}
|
|
34
|
+
return true;
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
module.exports = { isValidDateTime: isValidDateTime, RFC3339_RE: RFC3339_RE };
|
package/lib/safe-buffer.js
CHANGED
|
@@ -372,6 +372,13 @@ var HEX_RE = /^[0-9a-fA-F]+$/;
|
|
|
372
372
|
// is length-agnostic — callers cap length per protocol contract.
|
|
373
373
|
var BASE64URL_RE = /^[A-Za-z0-9_-]+$/;
|
|
374
374
|
|
|
375
|
+
// BASE64_RE matches standard base64 (RFC 4648 §4) with the `+` / `/`
|
|
376
|
+
// alphabet and canonical 0-2 chars of `=` padding (empty string allowed).
|
|
377
|
+
// Shared by callers that validate padded base64 fields (backup manifest
|
|
378
|
+
// digests, CloudEvents data_base64) so the alphabet check isn't reinvented.
|
|
379
|
+
// Length-agnostic — callers cap length per their own contract / maxBytes.
|
|
380
|
+
var BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;
|
|
381
|
+
|
|
375
382
|
// Fixed-length hex predicates used by trace-context primitives (W3C
|
|
376
383
|
// trace-id is 16 bytes = 32 hex chars; span-id / parent-id is 8
|
|
377
384
|
// bytes = 16 hex chars). Extracted to keep callers length-bounded
|
|
@@ -552,6 +559,7 @@ module.exports = {
|
|
|
552
559
|
stripTrailingHspace: stripTrailingHspace,
|
|
553
560
|
HEX_RE: HEX_RE,
|
|
554
561
|
BASE64URL_RE: BASE64URL_RE,
|
|
562
|
+
BASE64_RE: BASE64_RE,
|
|
555
563
|
IPV6_HEXTET_RE: IPV6_HEXTET_RE,
|
|
556
564
|
TRACE_ID_HEX_RE: TRACE_ID_HEX_RE,
|
|
557
565
|
SPAN_ID_HEX_RE: SPAN_ID_HEX_RE,
|
package/package.json
CHANGED
package/sbom.cdx.json
CHANGED
|
@@ -2,10 +2,10 @@
|
|
|
2
2
|
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
|
|
3
3
|
"bomFormat": "CycloneDX",
|
|
4
4
|
"specVersion": "1.5",
|
|
5
|
-
"serialNumber": "urn:uuid:
|
|
5
|
+
"serialNumber": "urn:uuid:35a8fec8-fa70-4913-a315-c839ce432741",
|
|
6
6
|
"version": 1,
|
|
7
7
|
"metadata": {
|
|
8
|
-
"timestamp": "2026-05-
|
|
8
|
+
"timestamp": "2026-05-26T07:36:53.769Z",
|
|
9
9
|
"lifecycles": [
|
|
10
10
|
{
|
|
11
11
|
"phase": "build"
|
|
@@ -19,14 +19,14 @@
|
|
|
19
19
|
}
|
|
20
20
|
],
|
|
21
21
|
"component": {
|
|
22
|
-
"bom-ref": "@blamejs/core@0.12.
|
|
22
|
+
"bom-ref": "@blamejs/core@0.12.64",
|
|
23
23
|
"type": "application",
|
|
24
24
|
"name": "blamejs",
|
|
25
|
-
"version": "0.12.
|
|
25
|
+
"version": "0.12.64",
|
|
26
26
|
"scope": "required",
|
|
27
27
|
"author": "blamejs contributors",
|
|
28
28
|
"description": "The Node framework that owns its stack.",
|
|
29
|
-
"purl": "pkg:npm/%40blamejs/core@0.12.
|
|
29
|
+
"purl": "pkg:npm/%40blamejs/core@0.12.64",
|
|
30
30
|
"properties": [],
|
|
31
31
|
"externalReferences": [
|
|
32
32
|
{
|
|
@@ -54,7 +54,7 @@
|
|
|
54
54
|
"components": [],
|
|
55
55
|
"dependencies": [
|
|
56
56
|
{
|
|
57
|
-
"ref": "@blamejs/core@0.12.
|
|
57
|
+
"ref": "@blamejs/core@0.12.64",
|
|
58
58
|
"dependsOn": []
|
|
59
59
|
}
|
|
60
60
|
]
|