@blamejs/core 0.13.45 → 0.13.46

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.46 (2026-05-29) — **`createApp` now wires the documented security middleware ON by default — CSRF, CSP nonce, cookie parser, fetch-metadata, and body parser.** The README has long described a security middleware stack as "wired by createApp", but createApp only mounted request-ID, security-headers, and bot-guard by default — CSRF protection, the CSP nonce, the threat-aware cookie parser, the fetch-metadata guard, and the body parser were documented but not actually wired. This release closes that gap: createApp now mounts all of them by default, in dependency order (cookies, CSP nonce, fetch-metadata, then body parser, then CSRF last so it can read a body-field token). This is a behavior change — apps built with createApp now enforce CSRF on state-changing requests by default. Each layer is configurable via opts.middleware.<name> (operator cookie and field names flow straight through — nothing is hardcoded) or can be turned off with false, and disabling a security default now emits an app.middleware.disabled audit event. Every layer is idempotent: an operator who also mounts one of these inside opts.routes gets a no-op second mount rather than a double-apply. The default CSRF is a double-submit cookie that auto-skips requests carrying an Authorization header or no cookies at all, which are not CSRF-able, so token-authenticated API clients are not rejected. The README middleware list is now an accurate description of what createApp wires. **Added:** *Idempotent security middleware* — The cookie parser, CSP nonce, fetch-metadata, and CSRF middleware are now idempotent within a request: if one has already run (because createApp wired it and an operator also mounted it), the second instance is a no-op rather than re-parsing, re-generating a nonce, or issuing a second CSRF cookie. This lets an application compose its own middleware order on top of createApp's defaults without double-applying. The body parser already had this behavior. **Changed:** *createApp wires CSRF, CSP nonce, cookie parser, fetch-metadata, and body parser by default (breaking)* — Applications constructed with b.createApp now mount, in order: the threat-aware cookie parser, the CSP nonce generator, the fetch-metadata resource-isolation guard, the body parser (JSON / urlencoded / text / multipart), and CSRF protection — in addition to the request-ID, security-headers, and bot-guard layers already wired. The ordering guarantees CSRF runs after the body parser so a body-field token is available. This is a behavior change: state-changing requests (POST / PUT / DELETE / PATCH) that carry a session cookie are now CSRF-validated by default. Each layer is configured through opts.middleware.<name> (an object passes operator options straight through; cookie and field names are not hardcoded) or disabled with false. Operators who were mounting these middleware themselves inside opts.routes do not need to change anything — the second mount is now a no-op (see idempotency below). · *Default CSRF auto-skips token-authenticated and cookieless requests* — The CSRF middleware gains a skipStateless option (default false; createApp's default wiring sets it true). When on, token validation is skipped for requests that carry an Authorization header or no Cookie header at all — such requests are not CSRF-able, because CSRF abuses a victim's ambient cookie credential and these have none. The token is still issued on safe methods so a later cookie-authenticated browser flow works. Cross-site form CSRF is unaffected: the browser auto-sends the victim's cookies, so an attack request always carries a Cookie header and is validated. · *Disabling a default security middleware is audited* — Passing false for one of the security-on-by-default middleware (for example middleware: { csrf: false }) now emits an app.middleware.disabled audit event naming the middleware, so a weakened posture leaves a trace in the audit chain rather than being silent.
+
 - v0.13.45 (2026-05-29) — **`b.cert` now fetches and staples a validated OCSP response per certificate, and validates declared compliance postures at create().** Two capabilities that b.cert documented but did not act on are now wired through. OCSP stapling: the cert manager fetches the leaf's OCSP response from the responder named in its Authority Information Access extension, validates it against the issuer (status, nonce, serial) via b.network.tls.ocsp, caches the DER, and exposes it on getContext().ocspResponse so a TLS server's OCSPRequest handler can staple it. The fetch runs in the background on a refresh timer and never blocks cert.start() — a slow or unreachable responder produces an audited per-certificate failure, not a stalled boot. Compliance postures: opts.compliance names are now validated against b.compliance.KNOWN_POSTURES at create() (an unknown name throws cert/unknown-compliance-posture instead of being silently recorded) and are surfaced on getContext().compliance for an auditor. Storage-confidentiality postures hold by construction because cert keys and certificates are always sealed at rest. The supporting composition primitive b.network.tls.ocsp.fetch (build request, POST to the responder through b.httpClient, validate the response) is now part of the public OCSP surface. **Added:** *b.network.tls.ocsp.fetch — fetch and validate an OCSP response* — The OCSP helper set previously built requests and evaluated responses but had no way to actually retrieve one. b.network.tls.ocsp.fetch({ leafPem, issuerPem, nonce?, timeoutMs? }) reads the responder URL from the leaf certificate's Authority Information Access extension, builds the request, POSTs it through b.httpClient (so the SSRF guard and pinned DNS apply), and validates the response against the issuer — returning the validated DER plus the parsed evaluation. It rejects when the leaf carries no OCSP responder URL or the response fails validation. · *b.cert staples a validated OCSP response per certificate* — With ocsp.stapling enabled (the default), the cert manager refreshes each certificate's OCSP response on a timer (ocsp.refreshMs, default 12h) and caches the validated DER. getContext(serverName).ocspResponse returns that DER for a TLS server to hand back from its OCSPRequest handler. The refresh runs in the background and is never on the path of cert.start(): an unreachable or slow responder is recorded as an audited cert.ocsp.refresh failure for that certificate and leaves the rest of the manager running. **Changed:** *opts.compliance posture names are validated at create()* — b.cert.create now checks each name in opts.compliance against b.compliance.KNOWN_POSTURES and throws cert/unknown-compliance-posture on an unrecognized name, so a typo is caught at construction rather than being silently recorded. The declared postures are surfaced on getContext().compliance. Cert keys and certificates are always sealed at rest, so storage-confidentiality postures are satisfied by construction.
 
 - v0.13.44 (2026-05-29) — **Error codes on the consent, compliance, and protocol namespaces now follow the namespace/kebab-case contract.** The framework's error contract is `err.code = "namespace/kebab-case"`, and the vast majority of namespaces already followed it. This release normalizes the holdouts: fifteen namespaces that threw bare UPPER_SNAKE codes with no namespace, and nine that used a camelCase namespace prefix. After this release every error these namespaces throw carries a `namespace/kebab-case` code, so an operator switching on `err.code` no longer has to special-case them. This is a breaking change for code that matches the old strings — pre-1.0, there is no compatibility shim, so update any `err.code` comparisons against the listed namespaces. A codebase check now enforces the convention so it cannot regress. A small set of older codes (the cluster, scheduler, circuit-breaker, object-store, and upload subsystems) is intentionally left for the 1.0 release, where it will carry a deprecation cycle. **Changed:** *Bare UPPER_SNAKE error codes are now namespaced (breaking)* — Fifteen namespaces threw bare UPPER_SNAKE error codes with no namespace prefix (for example `mcp` threw `BAD_JSON`, `BAD_ENVELOPE`, `BAD_METHOD`). Their `err.code` values are now `namespace/kebab-case` — `mcp/bad-json`, `mcp/bad-envelope`, and so on. The affected namespaces are `b.a2a`, `b.aiInput`, `b.aiPref`, `b.budr`, `b.contentCredentials`, `b.darkPatterns`, `b.fapi2`, `b.fdx`, `b.graphqlFederation`, `b.iabTcf`, `b.iabMspa`, `b.mcp`, `b.secCyber`, `b.sse`, and `b.tcpa10dlc`. Operators matching the old bare codes on `err.code` must update those comparisons; the error message text is unchanged. · *camelCase error-code namespaces are now kebab-case (breaking)* — Nine namespaces emitted error codes whose namespace segment was camelCase (for example `aiDp/bad-bound`, `argParser/flag-duplicate`). The namespace segment is now kebab-case to match every other code: `ai-dp/`, `ai-capability/`, `ai-quota/`, `arg-parser/`, `audit-sign/`, `auth-step-up/`, `ddl-change-control/`, `dr-runbook/`, `tenant-quota/`, and `boot-gates/`. The `b.*` API namespace keys themselves are unchanged (those remain camelCase, e.g. `b.argParser`); only the `err.code` string changed. Operators matching these `err.code` strings must update them. **Detectors:** *Error-code shape is enforced* — A codebase check now flags any error code constructed via `new XError(...)` or the per-class `factory(...)` whose value is a bare UPPER_SNAKE string or carries a camelCase namespace segment, so the `namespace/kebab-case` contract cannot silently regress. It correctly ignores native error constructors (whose first argument is the message, not a code).

package/README.md

@@ -119,20 +119,17 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 ### HTTP
 
 - **Router + API specs** — schema-validated routes; OpenAPI publication (`b.openapi`) + AsyncAPI publication for event/streaming (`b.asyncapi`)
-- **Middleware stack (wired by `createApp`)**
-  - CSRF protection
-  - CORS with W3C Private Network Access preflight refusal default + `allowPrivateNetwork` opt
-  - Rate-limit
+- **Middleware stack (`createApp`)** — security layers wired ON by default (Core Rule §3); each is configurable via `middleware.<name>` (operator cookie / field names flow straight through — nothing static is baked in) or opt-out with `false` (disabling a default is audited via `app.middleware.disabled`). Ordered so each layer has what it needs (cookies + CSP nonce + fetch-metadata, then body parser, then CSRF last):
+  - Request-ID tagging and bot-guard
   - Security headers with `Permissions-Policy` defaults denying storage-access / browsing-topics / private-aggregation / controlled-frame
-  - CSP nonce
-  - Body parser — JSON / urlencoded / text / multipart; multipart file parts stream to a tmp dir or buffer in memory (`storage: "memory"`) for read-only / serverless filesystems
-  - Compression
-  - SSE
-  - Request log
   - Threat-aware cookie parser (`b.middleware.cookies`)
-  - Request-time DB role binding (`b.middleware.dbRoleFor`)
-  - In-process CIDR fence (`b.middleware.networkAllowlist`)
+  - CSP nonce — generated per request, merged into the CSP (`b.middleware.cspNonce`)
+  - Fetch-metadata resource-isolation guard (`b.middleware.fetchMetadata`)
+  - Body parser — JSON / urlencoded / text / multipart; multipart file parts stream to a tmp dir or buffer in memory (`storage: "memory"`) for read-only / serverless filesystems
+  - CSRF protection — double-submit cookie + Origin/Referer cross-check; auto-skips Authorization-header / cookieless requests, which are not CSRF-able (`b.middleware.csrfProtect`)
+  - CORS (W3C Private Network Access preflight refusal default + `allowPrivateNetwork` opt) and rate-limit are wired when configured via `middleware.cors` / `middleware.rateLimit`
   - `Cache-Control: no-store` on every 401 from `requireAuth` / `requireAal` / `requireStepUp` per RFC 9111 §5.2.2.5
+- **Additional middleware** to mount in your `routes` callback: compression, SSE, request logging, request-time DB role binding (`b.middleware.dbRoleFor`), in-process CIDR fence (`b.middleware.networkAllowlist`)
 - **Outbound HTTP client** — HTTP/1.1 + HTTP/2 with SSRF gate (cloud-metadata IPs hard-denied; private / loopback / link-local overridable per call); scheme + userinfo + per-host destination allowlist; redirects, multipart, interceptors, progress, encrypted cookie jar (`b.httpClient`, `b.ssrfGuard`, `b.safeUrl`)
 - **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling, plus `verifyChain` to validate a full root→TLD→zone delegation chain against the pinned IANA root anchors) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; DANE / TLSA certificate matching (RFC 6698/7671 — `b.network.dns.dane.matchCertificate`) to pin a service's key through DNSSEC instead of a public CA; TSIG transaction signatures (RFC 8945 — `b.network.dns.tsig.sign` / `verify`) for shared-key HMAC authentication of zone transfers, dynamic updates, and query/response pairs, with constant-time MAC compare + fudge-window check (verified against dnspython); outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
 - **Error pages** — operator-rendered, no app-frame leakage (`b.errorPage`)

package/lib/app.js

@@ -92,6 +92,7 @@
 var nodeFs = require("node:fs");
 var nodePath = require("node:path");
 var appShutdown = require("./app-shutdown");
+var audit = require("./audit");
 var C = require("./constants");
 var cluster = require("./cluster");
 var db = require("./db");
@@ -103,13 +104,28 @@ var queue = require("./queue");
 var routerMod = require("./router");
 var vault = require("./vault");
 
-function _resolveMiddlewareOpt(value, allowDefault) {
+function _resolveMiddlewareOpt(value, allowDefault, name) {
   // value can be:
   //   false          — operator opted out
   //   undefined      — fall back to allowDefault (mount with empty opts)
   //   true           — explicit opt-in with default opts
   //   object         — explicit opts
-  if (value === false) return null;
+  if (value === false) {
+    // Operator explicitly disabled this middleware. When it's one of the
+    // security-on-by-default layers (allowDefault), leave an audit trace
+    // so the weakened posture is visible — Core Rule §3 security defaults
+    // shouldn't be silently opt-out-able. Drop-silent observability sink.
+    if (allowDefault && name) {
+      try {
+        audit.safeEmit({
+          action:   "app.middleware.disabled",
+          outcome:  "success",
+          metadata: { middleware: name },
+        });
+      } catch (_e) { /* drop-silent — by design */ }
+    }
+    return null;
+  }
   if (value === undefined) return allowDefault ? {} : null;
   if (value === true) return {};
   if (value && typeof value === "object") return value;
@@ -196,21 +212,55 @@ async function createApp(opts) {
   });
   router.use(orchestrator.middleware());
 
-  var requestIdOpts = _resolveMiddlewareOpt(mwConfig.requestId, true);
+  var requestIdOpts = _resolveMiddlewareOpt(mwConfig.requestId, true, "requestId");
   if (requestIdOpts) router.use(middleware.requestId(requestIdOpts));
 
-  var securityHeadersOpts = _resolveMiddlewareOpt(mwConfig.securityHeaders, true);
+  var securityHeadersOpts = _resolveMiddlewareOpt(mwConfig.securityHeaders, true, "securityHeaders");
   if (securityHeadersOpts) router.use(middleware.securityHeaders(securityHeadersOpts));
 
-  var corsOpts = _resolveMiddlewareOpt(mwConfig.cors, false);
+  var corsOpts = _resolveMiddlewareOpt(mwConfig.cors, false, "cors");
   if (corsOpts) router.use(middleware.cors(corsOpts));
 
-  var botGuardOpts = _resolveMiddlewareOpt(mwConfig.botGuard, true);
+  var botGuardOpts = _resolveMiddlewareOpt(mwConfig.botGuard, true, "botGuard");
   if (botGuardOpts) router.use(middleware.botGuard(botGuardOpts));
 
-  var rateLimitOpts = _resolveMiddlewareOpt(mwConfig.rateLimit, false);
+  var rateLimitOpts = _resolveMiddlewareOpt(mwConfig.rateLimit, false, "rateLimit");
   if (rateLimitOpts) router.use(middleware.rateLimit(rateLimitOpts));
 
+  // Security middleware wired ON by default (Core Rule §3). Each reads its
+  // config from opts.middleware.<name>: pass `false` to opt out (audited
+  // via _resolveMiddlewareOpt), or an object to customize — operator cookie
+  // / field names flow straight through, nothing static is baked in.
+  // Ordered so each layer has what it needs: cookies + cspNonce +
+  // fetchMetadata first, then bodyParser (so csrf can read a body-field
+  // token), then csrfProtect last. Every layer is idempotent — if an
+  // operator also mounts one of these inside opts.routes, the second mount
+  // is a no-op rather than a double-apply.
+  var cookiesOpts = _resolveMiddlewareOpt(mwConfig.cookies, true, "cookies");
+  if (cookiesOpts) router.use(middleware.cookies(cookiesOpts));
+
+  var cspNonceOpts = _resolveMiddlewareOpt(mwConfig.cspNonce, true, "cspNonce");
+  if (cspNonceOpts) router.use(middleware.cspNonce(cspNonceOpts));
+
+  var fetchMetadataOpts = _resolveMiddlewareOpt(mwConfig.fetchMetadata, true, "fetchMetadata");
+  if (fetchMetadataOpts) router.use(middleware.fetchMetadata(fetchMetadataOpts));
+
+  var bodyParserOpts = _resolveMiddlewareOpt(mwConfig.bodyParser, true, "bodyParser");
+  if (bodyParserOpts) router.use(middleware.bodyParser(bodyParserOpts));
+
+  var csrfOpts = _resolveMiddlewareOpt(mwConfig.csrf, true, "csrf");
+  if (csrfOpts) {
+    // Defaults: double-submit cookie (unless the operator chose a token
+    // lookup or their own cookie config) + skip validation for stateless
+    // token-API / cookieless requests. Operator config overrides both.
+    var csrfDefaults = { skipStateless: true };
+    if (csrfOpts.tokenLookup === undefined && csrfOpts.cookie === undefined) {
+      csrfDefaults.cookie = true;
+    }
+    csrfOpts = Object.assign(csrfDefaults, csrfOpts);
+    router.use(middleware.csrfProtect(csrfOpts));
+  }
+
   // ---- 6. Operator routes ----
   if (typeof opts.routes === "function") {
     opts.routes(router);

package/lib/audit.js

@@ -243,6 +243,7 @@ var FRAMEWORK_NAMESPACES = [
   "auth", "system", "audit", "consent", "subject",
   // Per-primitive namespaces — keep alphabetical
   "apikey",     // b.apiKey
+  "app",        // b.createApp (app.middleware.disabled — a security-default middleware was opted out at construction)
   "backup",     // b.backup
   "breakglass", // b.breakGlass — column-policy / row-enforcement step-up auth (audit namespace lowercased per the validator's `namespace.verb` rule, same convention as b.apiKey → apikey.*)
   "cache",      // b.cache

package/lib/middleware/cookies.js

@@ -89,6 +89,10 @@ function create(opts) {
   var audit = opts.audit || null;
 
   return function cookiesMiddleware(req, res, next) {
+    // Idempotent: if an earlier cookies middleware already parsed the jar
+    // this request (e.g. createApp wired it AND an operator mounted it
+    // again), don't re-parse — keep the first jar.
+    if (req.cookieJar !== undefined) return next();
     var header = req && req.headers ? req.headers.cookie : "";
     var rv = cookies.parseSafe(header || "", {
       maxHeaderBytes: maxHeaderBytes,

package/lib/middleware/csp-nonce.js

@@ -333,6 +333,10 @@ function create(opts) {
   }
 
   function cspNonce(req, res, next) {
+    // Idempotent: if an earlier cspNonce middleware already set a nonce on
+    // this request, keep it — re-generating would desync the header nonce
+    // from the one templates already rendered against.
+    if (req[property] !== undefined) return next();
     // Generate the nonce. Cheap (16 bytes from getrandom → SHAKE256 →
     // base64 encode); do it always for consistency unless `always:
     // false` was set explicitly.

package/lib/middleware/csrf-protect.js

@@ -261,6 +261,7 @@ function _writeReject(res, message) {
  *     requireJsonContentType: boolean,
  *     trustProxy:             boolean|number,
  *     audit:                  boolean,
+ *     skipStateless:          boolean,   // default false — skip validation for Authorization-header / cookieless (not-CSRF-able) requests
  *   }
  *
  * @example
@@ -278,7 +279,7 @@ function create(opts) {
   validateOpts(opts, [
     "cookie", "tokenLookup", "fieldName", "headerName", "methods", "audit",
     "trustProxy", "checkOrigin", "allowedOrigins", "requireJsonContentType",
-    "requireOrigin",
+    "requireOrigin", "skipStateless",
   ], "middleware.csrfProtect");
   var trustProxy = opts.trustProxy === true || typeof opts.trustProxy === "number"
     ? opts.trustProxy : false;
@@ -335,6 +336,19 @@ function create(opts) {
   // is opt-in rather than silent.
   var requireOriginOpt = opts.requireOrigin === true;
 
+  // skipStateless — skip token VALIDATION for requests that carry an
+  // Authorization header (bearer / token auth) or no Cookie header at
+  // all. Such requests are not CSRF-able: CSRF abuses a victim's ambient
+  // cookie credential, and a token-authenticated or cookieless request
+  // has none to abuse. The token is still ISSUED on safe methods so a
+  // later cookie-authenticated browser flow on the same app works. Default
+  // false (strict — every state-changing request is validated). createApp
+  // wires its default csrf with this on so mixed browser-form + token-API
+  // surfaces don't reject legitimate API clients. Cross-site form CSRF is
+  // unaffected: the browser auto-sends the victim's cookies, so the attack
+  // request always carries a Cookie header and is validated.
+  var skipStateless = opts.skipStateless === true;
+
   // Cookie issuance config (only when opts.cookie is set).
   var cookieCfg = null;
   if (hasCookie) {
@@ -436,6 +450,12 @@ function create(opts) {
   }
 
   return function csrfProtect(req, res, next) {
+    // Idempotent: a second csrf mount this request (e.g. createApp wired
+    // it AND an operator mounted it again) is a no-op — the first instance
+    // already issued + validated.
+    if (req._csrfApplied) return next();
+    req._csrfApplied = true;
+
     // Issue/refresh the token on EVERY request (safe + state-changing)
     // when running in cookie mode — templates rendered after a POST
     // (e.g. error response) still need req.csrfToken populated.
@@ -443,6 +463,14 @@ function create(opts) {
 
     if (methods.indexOf(req.method) === -1) return next();
 
+    // Stateless / token-authenticated requests are not CSRF-able — the
+    // token was still issued above for any later browser flow.
+    if (skipStateless) {
+      var hasAuthHeader = !!(req.headers && req.headers.authorization);
+      var hasCookieHeader = !!(req.headers && req.headers.cookie);
+      if (hasAuthHeader || !hasCookieHeader) return next();
+    }
+
     // requireJsonContentType — refuse before the token check.
     if (requireJsonCt) {
       var ct = req.headers && req.headers["content-type"];

package/lib/middleware/fetch-metadata.js

@@ -120,6 +120,9 @@ function create(opts) {
   }
 
   return function fetchMetadata(req, res, next) {
+    // Idempotent: a second fetch-metadata mount this request is a no-op.
+    if (req._fetchMetadataChecked) return next();
+    req._fetchMetadataChecked = true;
     if (methods.indexOf(req.method) === -1) return next();
 
     var headers = req.headers || {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.45",
+  "version": "0.13.46",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:4f2a624b-9183-4e8a-8807-eb827d32fb2b",
+  "serialNumber": "urn:uuid:f993db8e-7dd3-41d0-95bd-33ee9d07ab8f",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-30T01:55:57.060Z",
+    "timestamp": "2026-05-30T02:44:28.905Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.45",
+      "bom-ref": "@blamejs/core@0.13.46",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.45",
+      "version": "0.13.46",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.45",
+      "purl": "pkg:npm/%40blamejs/core@0.13.46",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.45",
+      "ref": "@blamejs/core@0.13.46",
       "dependsOn": []
     }
   ]