@blamejs/core 0.13.34 → 0.13.35

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.35 (2026-05-29) — **In-memory replay, idempotency, DNS, and i18n stores gain entry-count ceilings.** Several framework caches keyed on request-influenced input grew without an upper bound between their periodic sweeps, so a flood of unique keys could exhaust process memory faster than the sweep reclaimed it. Each now enforces a hard entry ceiling. The replay-protection nonce store is the security-sensitive one: rather than evict a live nonce to admit a new one — which would reopen a replay window for the evicted nonce — it purges expired entries and then fails closed at capacity, refusing the unrecordable request instead of admitting it unprotected. The idempotency, DNS, and i18n caches hold re-derivable values, so they evict the oldest entry instead (the worst case is a recomputed value or a single re-executed retry under flood). Ceilings are generous defaults that normal traffic never reaches; the nonce store and the agent idempotency in-memory backend expose options to tune them. **Fixed:** *Agent idempotency in-memory backend no longer grows without bound* — The default in-memory backend for `b.agent.idempotency` is keyed on the request-supplied idempotency key, and its garbage collector only reclaims expired rows when an operator wires a scheduler to call it — so a flood of distinct keys could grow it until the process ran out of memory. It now caps its entry count and evicts oldest-first; a dropped record just means that one key re-executes on a later retry, never a crash. A new `maxInMemoryEntries` option tunes the ceiling (default 100,000); deployments needing a hard guarantee at scale still supply a durable `store`. · *DNS resolver cache is bounded* — The positive and negative resolver caches in `b.network.dns` reclaimed an expired entry only when the same hostname was looked up again, so entries for never-requeried hostnames persisted — and hostnames reaching the resolver are request-influenced (outbound request targets, mail MX lookups). Both caches now cap their entry count and evict oldest-first; DNS simply re-resolves on the next miss. · *i18n formatter cache is bounded* — Per-instance `Intl` formatter caches in `b.i18n` are keyed on the locale plus a hash of the format options. The format-options shape is open-ended and caller-supplied, so the key space was request-influenced and uncapped. The cache now enforces an entry ceiling and evicts oldest-first — a formatter is pure-derived and re-created on the next miss. **Security:** *Replay-nonce store bounds memory and fails closed under a nonce flood* — The in-memory `b.nonceStore` backend recorded every request-supplied nonce until a periodic sweep ran, so a stream of unique nonces could exhaust memory between sweeps (a memory-amplification denial of service). It now caps its entry count. Because a replay-protection store must never evict a live nonce to make room — doing so would reopen a replay window for the evicted nonce — it instead purges expired entries inline and, if still at capacity with live nonces, fails closed: the new request is refused rather than admitted without replay protection. A new `maxEntries` option tunes the ceiling (default 1,000,000).
+
 - v0.13.34 (2026-05-29) — **Corrupt TLS certs self-heal at boot, and graceful shutdown no longer loses the final DB flush.** Two failure-mode fixes in the same family as the encrypted-DB recovery in 0.13.33. The cert manager treated a corrupt sealed cert or key worse than a missing one: a missing file re-issues via ACME, but a corrupt one let a raw decrypt error escape out of start(), so the same bad file was read on every boot — an unrecoverable crash loop. A corrupt sealed cert/key is now treated like an absent one and re-issued, and a corrupt derived meta.json is re-derived rather than fatal; the ACME account key (which binds order history) instead fails with an actionable error rather than a raw throw. On the shutdown side, an encrypted database that failed its final re-encrypt used to delete its plaintext working copy anyway, discarding every write since the last periodic flush; it now keeps the working copy so the next boot recovers it. The shutdown orchestrator also gains a hard-deadline watchdog: when the operator delegates signal handling to it, a phase that never settles can no longer hold the process open until the supervisor SIGKILLs it (which would skip the final DB re-encrypt) — the watchdog forces a clean exit, so exit handlers still flush. The wiki production and base compose files set a stop_grace_period above that budget so a docker stop or rolling redeploy lets the re-encrypt finish. **Changed:** *Shutdown watchdog forces a clean, DB-flushing exit if a phase hangs* — The graceful-shutdown orchestrator uses soft per-phase timeouts — on expiry the underlying work keeps running — so a phase that never settles could hold the event loop open past the grace window, after which a container supervisor SIGKILLs the process and skips the final DB re-encrypt. When the operator opts into signal handling, a watchdog now forces `process.exit` `graceMs + forceExitMarginMs` after the signal; exit runs the registered handlers (the DB re-encrypt), so the last flush still happens. A new `forceExitMarginMs` option (default 5000) tunes the headroom; set the container stop grace above `graceMs + forceExitMarginMs`. · *Wiki compose sets stop_grace_period above the shutdown budget* — `examples/wiki/docker-compose.yml` and `docker-compose.prod.yml` now set `stop_grace_period: 40s`. Docker's 10s default would SIGKILL the container before the 30s shutdown budget reaches the DB re-encrypt phase, losing the final flush on a `docker stop` or rolling redeploy. The production note also reminds PaaS platforms that regenerate the compose (Coolify, Dokku, CapRover) to set the stop grace via the platform UI alongside the persistent-storage mount and `--shm-size`. **Fixed:** *A corrupt sealed TLS cert or key re-issues instead of crash-looping at boot* — `b.cert`'s start path read the sealed `cert.pem`/`key.pem` and let a raw unseal/decrypt error escape if the file was truncated or corrupt, so a managed restart read the same bad file on every boot — a crash loop, and worse handling than an absent file (which already re-issues). A corrupt sealed cert/key is now treated like a missing one: it is logged, an audit event is emitted, and the certificate is re-issued via ACME. A corrupt derived `meta.json` is likewise re-derived rather than throwing `cert/bad-meta`. · *Unreadable ACME account key fails with an actionable error, not a raw decrypt throw* — Unlike a re-issuable certificate, the ACME account key binds existing order and authorization history, so it is not silently regenerated on corruption. An unreadable `account/jwk.json.sealed` now raises `cert/account-key-unreadable` naming the file and the recovery (restore from backup, or delete to register a fresh account) instead of letting a raw decrypt/parse error escape out of start(). · *Encrypted DB keeps its working copy when the final shutdown re-encrypt fails* — `db.close()` re-encrypts the tmpfs working copy to `db.enc`, then deletes the working copy. If that final re-encrypt failed (a full `/dev/shm`, a full disk), the delete still ran, discarding every write since the last periodic flush and leaving only the older `db.enc`. The working copy is now kept whenever the re-encrypt fails, so the next boot's integrity-probed recovery picks up the latest writes (and still falls back to `db.enc` if the working copy is itself corrupt). `db.enc` is never modified by this path. **Detectors:** *Cross-artifact guard that stop_grace_period covers the shutdown budget* — A new codebase check fails if either wiki compose file omits `stop_grace_period` or sets it below the orchestrator's `graceMs` plus the watchdog margin read from `lib/app-shutdown.js`, so raising the shutdown budget without bumping the compose — or dropping the setting — cannot silently reopen the SIGKILL-before-re-encrypt data-loss window.
 
 - v0.13.33 (2026-05-28) — **Encrypted-mode DB recovers from a corrupt tmpfs working copy instead of crash-looping.** In encrypted-at-rest mode the live SQLite copy is decrypted into a tmpfs working file and re-encrypted to db.enc periodically. If that working copy was corrupted (an unclean shutdown, or a full tmpfs — Docker's /dev/shm defaults to 64 MiB), the boot path trusted it because its mtime was newer than db.enc, so db.init failed its integrity gate with "database disk image is malformed" identically on every boot — an unrecoverable crash loop. db now integrity-probes the newer working copy before trusting it: if it is unreadable, the working copy is discarded and db.enc (the last-good encrypted snapshot) is re-decrypted, so the next boot self-heals. db.enc is never modified by this path, and a genuinely-corrupt db.enc still fails loudly rather than wiping data. The boot error on an unreadable database is now actionable (it names the tmpfs-size cause and the recovery). The wiki production compose also gains the storage settings encrypted mode needs. **Fixed:** *Corrupt tmpfs working copy no longer causes a boot crash loop (encrypted-at-rest mode)* — `db.init`'s crash-recovery path preferred a newer tmpfs working copy over `db.enc` unconditionally. When that copy was corrupt (truncated by an unclean shutdown or a full `/dev/shm`), every boot trusted it and failed the integrity gate the same way — an unrecoverable loop. The newer working copy is now integrity-probed (`PRAGMA quick_check`); if it is unreadable it is discarded and `db.enc` — the last-good encrypted snapshot — is re-decrypted, so boot self-heals. `db.enc` is never modified, so this only ever rolls back to the persistent copy; if `db.enc` is also corrupt, boot still fails loudly (no silent data loss). A regression test pins the recovery. · *Actionable boot error when the database is unreadable* — When SQLite reports a database too corrupt to even run an integrity check, the boot error now names the likely cause and recovery instead of surfacing the raw "database disk image is malformed": in encrypted mode it points at the tmpfs working copy and the most common operational cause (Docker's 64 MiB `/dev/shm` default — raise it via `shm_size` / `--shm-size`), or restoring `db.enc` / the DB file from backup. · *Wiki production compose ships the storage encrypted mode needs* — `examples/wiki/docker-compose.prod.yml` now sets `shm_size: '512m'` (so the encrypted-mode tmpfs working copy has headroom above Docker's 64 MiB default) and mounts a persistent `wiki-data` volume at `/data` (so `db.enc` + sealed keys survive container recreate, host reboot, and image redeploys, and give a restore point). A note flags that PaaS platforms which regenerate the compose on deploy (Coolify, Dokku, CapRover, …) must set both via the platform UI — a persistent-storage mount for `/data` and a `--shm-size 512m` custom option.

package/lib/agent-idempotency.js

@@ -68,6 +68,16 @@ var bCrypto           = require("./crypto");
 var safeJson          = require("./safe-json");
 var guardIdempotencyKey = require("./guard-idempotency-key");
 var agentAudit        = require("./agent-audit");
+var { boundedMap }    = require("./bounded-map");
+
+// The default in-memory backend is keyed on (method, actorId, keyHash) —
+// the key hash comes from request-supplied idempotency keys, so a flood of
+// distinct keys would grow the Map without bound (gc only reclaims EXPIRED
+// rows, and only if the operator wires a scheduler to call it). Cap it.
+// Evict-oldest degrades gracefully under flood: the worst case is a dropped
+// dedup record, so a retry of that one key re-executes — never an OOM.
+// Operators who need a hard guarantee at scale supply a durable `opts.store`.
+var DEFAULT_IN_MEMORY_MAX_ENTRIES = 100000;
 
 var audit             = lazyRequire(function () { return require("./audit"); });
 var cryptoField       = lazyRequire(function () { return require("./crypto-field"); });
@@ -130,7 +140,7 @@ function _ensureSealTable() {
  */
 function create(opts) {
   opts = opts || {};
-  var store = opts.store || _inMemoryBackend();
+  var store = opts.store || _inMemoryBackend(opts.maxInMemoryEntries);
   if (typeof store.get !== "function" || typeof store.put !== "function" ||
       typeof store.delete !== "function") {
     throw new AgentIdempotencyError("agent-idempotency/bad-store",
@@ -470,8 +480,10 @@ function _checkArgs(method, actorId, key) {
   // key is validated separately via guardIdempotencyKey.validate.
 }
 
-function _inMemoryBackend() {
-  var map = new Map();
+function _inMemoryBackend(maxEntries) {
+  // boundedMap validates maxEntries (throws bounded-map/bad-max-entries on a
+  // non-positive-int); undefined falls back to the default ceiling.
+  var map = boundedMap({ maxEntries: maxEntries || DEFAULT_IN_MEMORY_MAX_ENTRIES, policy: "evict-oldest" });
   function _k(method, actorId, hash) { return method + "\0" + actorId + "\0" + hash; }
   return {
     get:    function (method, actorId, hash) {

package/lib/bounded-map.js

@@ -0,0 +1,102 @@
+"use strict";
+/**
+ * bounded-map — a Map facade that caps its entry count.
+ *
+ * Defends the unbounded-in-bounded resource-exhaustion class: an in-memory
+ * store keyed on request-derived input (a locale, a hostname, an
+ * idempotency key, a replay nonce) grows without limit between sweeps
+ * unless something enforces a ceiling. A periodic TTL sweep alone does not
+ * bound peak memory — a flood of unique keys arrives faster than the sweep
+ * interval. This adds the missing ceiling.
+ *
+ * Two policies for what happens on `set` when already at `maxEntries`:
+ *
+ *   "evict-oldest" (default) — drop the oldest entry (insertion order)
+ *     to make room, then store the new one. For caches whose entries are
+ *     re-derivable on demand (Intl formatters, DNS results, idempotency
+ *     records) eviction is cheap — the worst case is a recomputed value or
+ *     a missed dedup under active flood, never a correctness or security
+ *     hole. `set` always stores and returns true.
+ *
+ *   "reject" — refuse the new entry (do NOT evict a live one) and return
+ *     false. For stores where evicting an unexpired entry would be unsafe:
+ *     a replay-protection nonce store must not drop a live nonce to admit a
+ *     new one, because that reopens a replay window for the dropped nonce.
+ *     The caller fails closed on a false return (treats the request as
+ *     un-recordable → reject it). Callers should purge expired entries
+ *     before relying on this so the ceiling is hit only under genuine flood.
+ *
+ * This is deliberately NOT `b.cache` — that is an operator-facing primitive
+ * with TTL, LRU-touch, observability, and pluggable backends. This is the
+ * minimal internal ceiling the framework's own request-keyed Maps need, and
+ * leaves TTL/expiry semantics to the caller (which already owns them).
+ *
+ * `onEvict(key, value)` (optional) fires when an entry is dropped to make
+ * room under "evict-oldest" — for an observability counter, say. It never
+ * fires under "reject" (nothing is evicted; the new entry is dropped).
+ */
+
+var numericBounds = require("./numeric-bounds");
+var { defineClass } = require("./framework-error");
+
+var BoundedMapError = defineClass("BoundedMapError");
+
+/**
+ * @param {object} opts
+ * @param {number} opts.maxEntries    - hard ceiling; throws if not a positive finite int
+ * @param {string} [opts.policy]      - "evict-oldest" (default) | "reject"
+ * @param {function} [opts.onEvict]   - (key, value) called on eviction under "evict-oldest"
+ * @returns Map-like facade: get/has/set/delete/clear, size getter, keys/values/entries/forEach, [Symbol.iterator]
+ */
+function boundedMap(opts) {
+  opts = opts || {};
+  if (!numericBounds.isPositiveFiniteInt(opts.maxEntries)) {
+    throw new BoundedMapError("bounded-map/bad-max-entries",
+      "boundedMap: opts.maxEntries must be a positive finite integer, got " + JSON.stringify(opts.maxEntries));
+  }
+  var maxEntries = opts.maxEntries;
+  var policy = opts.policy || "evict-oldest";
+  if (policy !== "evict-oldest" && policy !== "reject") {
+    throw new BoundedMapError("bounded-map/bad-policy",
+      "boundedMap: opts.policy must be 'evict-oldest' | 'reject', got " + JSON.stringify(policy));
+  }
+  var onEvict = typeof opts.onEvict === "function" ? opts.onEvict : null;
+  var inner = new Map();
+
+  function set(key, value) {
+    // Updating an existing key never grows the map — always allowed.
+    if (inner.has(key)) { inner.set(key, value); return true; }
+    if (inner.size >= maxEntries) {
+      if (policy === "reject") return false;
+      // evict-oldest: the first key in insertion order is the oldest.
+      var oldest = inner.keys().next().value;
+      if (oldest !== undefined || inner.has(oldest)) {
+        var evictedVal = inner.get(oldest);
+        inner.delete(oldest);
+        if (onEvict) { try { onEvict(oldest, evictedVal); } catch (_e) { /* obs hook — drop-silent */ } }
+      }
+    }
+    inner.set(key, value);
+    return true;
+  }
+
+  return {
+    get:    function (k) { return inner.get(k); },
+    has:    function (k) { return inner.has(k); },
+    set:    set,
+    delete: function (k) { return inner.delete(k); },
+    clear:  function () { inner.clear(); },
+    keys:   function () { return inner.keys(); },
+    values: function () { return inner.values(); },
+    entries: function () { return inner.entries(); },
+    forEach: function (fn, thisArg) { return inner.forEach(fn, thisArg); },
+    get size() { return inner.size; },
+    get maxEntries() { return maxEntries; },
+    get policy() { return policy; },
+    // Iterable like a Map, so `for (var e of bmap)` yields [key, value]
+    // entries — callers that iterate a plain Map keep working unchanged.
+    [Symbol.iterator]: function () { return inner[Symbol.iterator](); },
+  };
+}
+
+module.exports = { boundedMap: boundedMap, BoundedMapError: BoundedMapError };

package/lib/i18n.js

@@ -64,6 +64,15 @@ var requestHelpers = require("./request-helpers");
 var safeJson = require("./safe-json");
 var validateOpts = require("./validate-opts");
 var { I18nError } = require("./framework-error");
+var { boundedMap } = require("./bounded-map");
+
+// Per-instance formatter caches are keyed on (locale, JSON.stringify
+// formatOpts). A fixed `locales` set bounds the locale axis, but operators
+// can pass fresh formatOpts shapes per call (and `Intl` options are open-
+// ended), so the key space is request-influenced — cap it so it can't grow
+// without limit. Evict-oldest is free here: a formatter is pure-derived and
+// re-created on the next miss.
+var FORMATTER_CACHE_MAX_ENTRIES = 512;
 
 var observability = lazyRequire(function () { return require("./observability"); });
 
@@ -353,7 +362,7 @@ function _interpolate(template, vars, interpolation) {
 // only with operators handing in fresh literals every call (they
 // usually pass the same shape).
 function _makeFormatterCache(make, kind, emitObs) {
-  var cache = new Map();
+  var cache = boundedMap({ maxEntries: FORMATTER_CACHE_MAX_ENTRIES, policy: "evict-oldest" });
   return function getFormatter(locale, formatOpts) {
     var optsKey = formatOpts ? JSON.stringify(formatOpts) : "";
     var cacheKey = locale + "\x1f" + optsKey;

package/lib/network-dns.js

@@ -13,6 +13,7 @@ var safeBuffer = require("./safe-buffer");
 var safeUrl = require("./safe-url");
 var validateOpts = require("./validate-opts");
 var { defineClass } = require("./framework-error");
+var { boundedMap } = require("./bounded-map");
 
 var DnsError = defineClass("DnsError", { alwaysPermanent: false });
 
@@ -89,8 +90,15 @@ function _ensureSecureDefault() {
   STATE.doh = { url: DEFAULT_DOH_URL, method: null, ca: null };
 }
 
-var POSITIVE_CACHE = new Map();
-var NEGATIVE_CACHE = new Map();
+// Resolver caches are keyed on (hostname, family). Hostnames reaching the
+// resolver are request-influenced (outbound HTTP targets, mail MX lookups,
+// operator-supplied URLs), and expired entries are only reclaimed lazily on
+// a re-query of the SAME key — so a stream of unique hostnames would grow
+// these without bound. Cap them; evict-oldest is free (DNS re-resolves on
+// the next miss). The cap bounds peak memory even with no periodic sweep.
+var DNS_CACHE_MAX_ENTRIES = 4096;
+var POSITIVE_CACHE = boundedMap({ maxEntries: DNS_CACHE_MAX_ENTRIES, policy: "evict-oldest" });
+var NEGATIVE_CACHE = boundedMap({ maxEntries: DNS_CACHE_MAX_ENTRIES, policy: "evict-oldest" });
 
 function _now() { return Date.now(); }
 

package/lib/nonce-store.js

@@ -45,10 +45,18 @@ var clusterStorage = require("./cluster-storage");
 var C = require("./constants");
 var safeAsync = require("./safe-async");
 var { defineClass } = require("./framework-error");
+var { boundedMap } = require("./bounded-map");
 
 var NonceStoreError = defineClass("NonceStoreError");
 
 var DEFAULT_SWEEP_INTERVAL_MS = C.TIME.minutes(5);
+// Memory-backend ceiling. Each request carries an attacker-choosable unique
+// nonce, so between sweeps the store would otherwise grow without bound (a
+// memory-amplification DoS). Capped — but a replay-protection store must
+// NOT evict a live nonce to admit a new one (that reopens a replay window
+// for the evicted nonce), so the cap uses the "reject" policy and the
+// backend fails CLOSED at capacity (see checkAndInsert).
+var DEFAULT_MAX_ENTRIES = 1000000;
 
 function _err(code, message) {
   return new NonceStoreError(code, message, true);
@@ -58,14 +66,22 @@ function _err(code, message) {
 
 function _memoryBackend(opts) {
   var sweepIntervalMs = opts.sweepIntervalMs || DEFAULT_SWEEP_INTERVAL_MS;
-  var seen = new Map();   // nonce -> expireAt
+  var maxEntries = opts.maxEntries || DEFAULT_MAX_ENTRIES;
+  // policy "reject" — never evict a live nonce (that would reopen a replay
+  // window for the dropped one). At capacity the backend fails closed.
+  var seen = boundedMap({ maxEntries: maxEntries, policy: "reject" });
+  var capacityRejects = 0;
 
-  var sweepTimer = safeAsync.repeating(function () {
+  function _purgeExpiredSync() {
     var now = Date.now();
+    var removed = 0;
     for (var entry of seen) {
-      if (entry[1] <= now) seen.delete(entry[0]);
+      if (entry[1] <= now) { seen.delete(entry[0]); removed++; }
     }
-  }, sweepIntervalMs, { name: "nonce-sweep" });
+    return removed;
+  }
+
+  var sweepTimer = safeAsync.repeating(_purgeExpiredSync, sweepIntervalMs, { name: "nonce-sweep" });
 
   function checkAndInsert(nonce, expireAt) {
     if (typeof nonce !== "string" || nonce.length === 0) {
@@ -78,17 +94,26 @@ function _memoryBackend(opts) {
     if (existing !== undefined && existing > Date.now()) {
       return Promise.resolve(false);   // replay
     }
-    seen.set(nonce, expireAt);
+    var stored = seen.set(nonce, expireAt);
+    if (!stored) {
+      // At capacity. Reclaim expired entries inline, then retry once.
+      _purgeExpiredSync();
+      stored = seen.set(nonce, expireAt);
+    }
+    if (!stored) {
+      // Still full of LIVE nonces — a genuine flood. FAIL CLOSED: we
+      // cannot record this nonce, so we cannot prove it is first-seen.
+      // Refuse it (report as "seen") rather than admit an unprotected
+      // request. Evicting a live nonce to make room would reopen a replay
+      // window, so we never evict — the request is rejected instead.
+      capacityRejects += 1;
+      return Promise.resolve(false);
+    }
     return Promise.resolve(true);
   }
 
   function purgeExpired() {
-    var now = Date.now();
-    var removed = 0;
-    for (var entry of seen) {
-      if (entry[1] <= now) { seen.delete(entry[0]); removed++; }
-    }
-    return Promise.resolve(removed);
+    return Promise.resolve(_purgeExpiredSync());
   }
 
   function close() {
@@ -101,8 +126,10 @@ function _memoryBackend(opts) {
     checkAndInsert:  checkAndInsert,
     purgeExpired:    purgeExpired,
     close:           close,
-    // Test hook — direct read of the underlying Map size
+    // Test hooks — underlying entry count + count of capacity fail-closed
+    // rejections (a nonce flood that hit the ceiling).
     _size:           function () { return seen.size; },
+    _capacityRejects: function () { return capacityRejects; },
   };
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.34",
+  "version": "0.13.35",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:315508ca-8141-48dc-aa50-76d4a8892704",
+  "serialNumber": "urn:uuid:6028bee9-9cbe-4913-ac29-c3b458c70b55",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-29T12:27:08.508Z",
+    "timestamp": "2026-05-29T13:13:34.221Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.34",
+      "bom-ref": "@blamejs/core@0.13.35",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.34",
+      "version": "0.13.35",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.34",
+      "purl": "pkg:npm/%40blamejs/core@0.13.35",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.34",
+      "ref": "@blamejs/core@0.13.35",
       "dependsOn": []
     }
   ]