@blamejs/core 0.13.8 → 0.13.10

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.10 (2026-05-27) — **Documented-but-inert options wired up, a non-existent CVE reference removed, and a silent iCalendar cap-bypass fixed.** A sweep for places where a documented option or citation did not match what the code does. The most operator-relevant fix: b.calendar.fromIcal documented a safeIcalOpts option that forwards parser caps (byte size, RRULE limits, nesting depth) to b.safeIcal.parse, but the value was never forwarded — so an operator who set tight caps through it got the default profile instead, silently. That is corrected; the nested options now reach the parser. b.archive.read.zip documented an AbortSignal option that was never honored; it now aborts the read at the entry boundary. b.auth.fal documented a bearerOnly alias that had no effect; it now forces the no-proof-of-possession path and refuses the contradictory combination of bearerOnly:true with a holder-of-key binding. Separately, the auth verification paths cited CVE-2026-23993 (13 places) for the "reject an unknown alg before key lookup" guard — that CVE id does not exist (the registry has no record of it); the citation is replaced with the weakness class (CWE-347 / CWE-757) and the real, verifiable neighboring CVEs. The circuit-breaker error-code note that promised a rename "in v0.10" is corrected to the actual plan (v1.0), and the build gate that catches overdue version promises now also catches two-part version numbers. **Changed:** *`b.auth.fal` `bearerOnly` is now a real alias and refuses contradictions* — `bearerOnly: true` now forces the no-proof-of-possession path (equivalent to `hokBinding: null`), as documented. Passing `bearerOnly: true` together with a non-null `hokBinding` is a contradictory assurance request and is now refused at the call rather than silently resolved one way. **Fixed:** *`b.calendar.fromIcal` now forwards `safeIcalOpts` to the parser* — The documented `safeIcalOpts` option (parser caps: max bytes, RRULE COUNT/BYxxx limits, nesting depth) was not being passed to `b.safeIcal.parse` — when supplied under the documented nested key it was silently ignored and the parser ran with its default profile. Both forms now reach the parser: the documented nested `{ safeIcalOpts: { ... } }` and the top-level `{ profile, ... }` that earlier releases accepted, with the nested form winning on conflict. No caller regresses. · *`b.archive.read.zip` honors the documented `signal` (AbortSignal)* — The `signal` option was documented but never read. A large or slow archive read can now be aborted cooperatively — the reader checks the signal at each entry boundary (`inspect`, `entries`, `extractEntries`, `extract`) and rejects with an `archive-read/aborted` error. · *Removed a non-existent CVE reference from the JWT/JWE verification paths* — The "reject an unknown/unsupported `alg` before any key lookup" guard in `b.auth.jwt.verifyExternal`, `b.auth.oauth.verifyIdToken`, `b.auth.oid4vci`, and `b.auth.sd-jwt-vc` cited a CVE id that the registry has no record of. The behaviour is unchanged; the citation is now the weakness class it defends (CWE-347 improper signature verification / CWE-757 algorithm downgrade) alongside the real, verifiable alg-confusion / JWE-bypass CVEs already cited beside it. **Detectors:** *Overdue-version-promise gate now catches two-part version numbers* — The build gate that flags a deferral whose promised landing version has already shipped previously matched only three-part versions (`vN.N.N`); a two-part promise (`vN.N`) slipped past it. It now matches both. The `b.circuitBreaker` `CIRCUIT_OPEN` error-code note that pointed at a passed version is corrected to its actual plan (rename at v1.0, with a deprecation warning a minor ahead).
+
+- v0.13.9 (2026-05-26) — **Corrected CVE citations in source threat annotations + a build gate that refuses malformed CVE identifiers.** Several source-comment threat annotations cited CVE identifiers that were rejected by the numbering authority (never assigned to a real issue), attributed to the wrong product, or structurally malformed (a placeholder with a non-numeric sequence). The annotated defenses are unchanged — every cap, refusal, and constant-time comparison behaves exactly as before; only the reference labels were corrected, each to a verifiable CVE or to the underlying weakness class (CWE / RFC) where no single CVE fits. Notable corrections: the S/MIME SHA-1 / MD5 certificate-signature refusal now cites the SHAttered collision and RFC 8551 §2.5 instead of a rejected candidate id; decompression-output caps cite CWE-409 and CVE-2025-0725 instead of a fabricated placeholder; the iCalendar RRULE / nesting / byte caps describe the calendar-bomb recursion-DoS class instead of an unrelated SSRF advisory; and the SAML signature-wrapping (XSW) defense now cites the actively-exploited CVE-2024-45409 (ruby-saml, CVSS 10.0) and CVE-2025-25291 / -25292 that the duplicate-element refusal defeats. A new build-time detector refuses any CVE token whose sequence number is not all-numeric, so a placeholder identifier can never reach a release again. **Fixed:** *Corrected rejected / misattributed / malformed CVE references in source threat annotations* — Threat-annotation comments across the mail, crypto, auth, guard, and safe modules carried CVE identifiers that were rejected by the CVE numbering authority, attributed to the wrong product, or written as non-numeric placeholders. Each was corrected to a verifiable CVE or to the weakness class (CWE / RFC) it defends. No runtime behaviour changed — the defenses these comments describe are unchanged. The S/MIME certificate check's SHA-1 / MD5 refusal message now names the SHAttered collision and RFC 8551 §2.5; the SAML XSW defense now names CVE-2024-45409 and CVE-2025-25291 / -25292. **Detectors:** *`malformed-cve-identifier` — refuses structurally-invalid CVE tokens at build time* — A CVE identifier's sequence number is always numeric (`CVE-<year>-<digits>`). The new detector refuses any CVE token whose post-year segment contains a letter — the placeholder shape that lets a fabricated reference slip past review. It cannot verify that a well-formed id is real or correctly attributed (that stays a review responsibility), but it makes the structurally-invalid class impossible to ship.
+
 - v0.13.8 (2026-05-26) — **In-memory archive extraction for read-only / serverless filesystems.** Archive readers gain an in-memory extraction path so an uploaded archive can be opened and its contents read without writing anything to disk — the case a read-only or ephemeral serverless filesystem requires. b.archive.read.zip(...).extractEntries() and b.archive.read.tar(...).extractEntries() are async generators that yield each regular file entry as { name, bytes, size }, applying the same bomb-policy caps, b.guardArchive metadata cascade (which refuses a Zip-Slip / traversal archive wholesale), and entry-type-policy refusals as the disk extract() — only the disk realpath agreement check is omitted, since nothing is written and the caller owns where the returned bytes land. Directory and link entries carry no content and are not yielded. The guard cascade is factored into one shared path so disk and in-memory extraction refuse identically. Also a documentation fix: b.archive.gz no longer claims a b.archive.zip().toGzip() convenience exists — a ZIP is already DEFLATE-compressed per entry, so gzip-wrapping it gains nothing; gzip the uncompressed tar stream (the canonical .tar.gz) instead. **Added:** *`extractEntries()` — in-memory archive extraction (ZIP + tar)* — `b.archive.read.zip(source).extractEntries(opts?)` and `b.archive.read.tar(source).extractEntries(opts?)` are async generators yielding `{ name, bytes, size }` per regular file entry, never touching disk — for serverless / read-only filesystems where the disk `extract({ destination })` path cannot run. Same bomb-policy, guard-archive cascade, and entry-type-policy refusals as disk extraction; the bytes are byte-identical to what `extract()` writes. **Fixed:** *Removed the inaccurate `b.archive.zip().toGzip()` doc claim* — The `b.archive.gz` documentation described a `b.archive.zip().toGzip()` convenience method that does not (and should not) exist: a ZIP is already DEFLATE-compressed per entry, so gzip-wrapping it would compress already-compressed data for no benefit. `b.archive.tar().toGzip()` (the real `.tar.gz`) is unchanged.
 
 - v0.13.7 (2026-05-26) — **Documentation accuracy — several primitives described shipped features as deferred.** A documentation sweep corrected primitive descriptions that still called features deferred after they shipped, so the wiki and inline docs now match the code. b.mdoc documents that device authentication (the ISO 18013-5 §9.1.3 signature variant, verifyDeviceAuth) is verified, not deferred — only the COSE_Mac0 device-auth variant remains refused. b.network.dns.dnssec documents that the root-to-zone chain walk against the IANA trust anchors (verifyChain) and NSEC / NSEC3 denial of existence (verifyDenial / nsec3Hash) ship, where the card previously said they were deferred. b.cose lists COSE_Mac0 and COSE_Encrypt0 among what it ships. The JMAP server documents its push channel, blob upload/download, and EmailSubmission handlers as present, and the submission server documents CHUNKING / BDAT as supported. A new test detector keeps this class of drift from recurring: it fails the build when a comment promises a feature lands in a version that has already shipped. **Fixed:** *Corrected `deferred`/`does-not-ship` docs for features that have shipped* — `b.mdoc` (device authentication, §9.1.3), `b.network.dns.dnssec` (chain walk + NSEC/NSEC3), `b.cose` (COSE_Mac0 + COSE_Encrypt0), the JMAP server (push, blob, EmailSubmission), and the submission server (BDAT/CHUNKING) all carried `@card`/`@intro` text describing shipped capabilities as deferred or not-shipped. The descriptions now match the implemented surface; genuinely-deferred items (the mdoc MAC variant, DNSSEC in-RDATA name canonicalization, COSE multi-signer/multi-recipient) remain documented as such. **Detectors:** *Overdue-defer detector in the codebase-pattern gate* — A new check fails the build when a comment promises a feature "lands in" / is "deferred to" / is "not supported in" a version that the package has already reached — catching stale deferral notes (a feature that shipped but whose comment still says otherwise, or a missed deadline) before they reach a release. An allowlist records the deliberate defer-with-condition exceptions.

package/lib/archive-read.js

@@ -503,6 +503,18 @@ function zip(adapter, opts) {
   var entryTypePolicy = _normalizeEntryTypePolicy(opts.entryTypePolicy);
   var cdCache         = null;
 
+  // Cooperative cancellation — operators pass an AbortSignal to bound a
+  // large/slow archive read. Checked between entries (the natural yield
+  // point); a long single-entry decompress is already bounded by the
+  // bomb policy.
+  function _throwIfAborted() {
+    if (opts.signal && opts.signal.aborted) {
+      throw new ArchiveReadError("archive-read/aborted",
+        "archive read aborted via opts.signal" +
+        (opts.signal.reason !== undefined ? ": " + String(opts.signal.reason) : ""));
+    }
+  }
+
   async function _loadCD() {
     if (cdCache) return cdCache;
     var eocd = await _locateEocd(adapter);
@@ -512,6 +524,7 @@ function zip(adapter, opts) {
   }
 
   async function inspect() {
+    _throwIfAborted();
     var loaded = await _loadCD();
     _enforceBombPolicy(loaded.entries, bombPolicy);
     _emitAudit(opts, "archive.read.inspect", "success", {
@@ -539,9 +552,11 @@ function zip(adapter, opts) {
   }
 
   async function* entries() {
+    _throwIfAborted();
     var loaded = await _loadCD();
     _enforceBombPolicy(loaded.entries, bombPolicy);
     for (var i = 0; i < loaded.entries.length; i += 1) {
+      _throwIfAborted();
       yield loaded.entries[i];
     }
   }
@@ -593,6 +608,7 @@ function zip(adapter, opts) {
     var totalDecompressed = 0;
     var yielded = 0;
     for (var i = 0; i < loaded.entries.length; i += 1) {
+      _throwIfAborted();
       var entry = loaded.entries[i];
       if (entry.isEncrypted && !extractOpts.allowEncrypted) {
         throw new ArchiveReadError("archive-read/encrypted-entry",
@@ -644,6 +660,7 @@ function zip(adapter, opts) {
     var totalDecompressed = 0;
     try {
       for (var i = 0; i < loaded.entries.length; i += 1) {
+        _throwIfAborted();
         var entry = loaded.entries[i];
         // Skip directory + dangerous-by-default entry types unless the
         // entry-type policy opts in.

package/lib/auth/fal.js

@@ -155,6 +155,18 @@ function fromAssertion(opts) {
       "fal.fromAssertion: channel must be 'front' or 'back'");
   }
   var hokBinding = opts.hokBinding;
+  // `bearerOnly: true` is the explicit alias for "no proof-of-possession
+  // binding" (hokBinding === null). It contradicts a non-null hokBinding;
+  // refuse the contradiction at the entry point rather than silently
+  // picking one — an operator who sets both has a config bug.
+  if (opts.bearerOnly === true) {
+    if (hokBinding !== undefined && hokBinding !== null) {
+      throw new AuthError("auth/bad-fal-opts",
+        "fal.fromAssertion: bearerOnly:true conflicts with hokBinding '" + hokBinding +
+        "' (bearerOnly forces no proof-of-possession binding)");
+    }
+    hokBinding = null;
+  }
   if (hokBinding !== undefined && hokBinding !== null) {
     if (hokBinding !== "mtls" && hokBinding !== "dpop" && hokBinding !== "saml-hok") {
       throw new AuthError("auth/bad-fal-opts",

package/lib/auth/jwt-external.js

@@ -28,8 +28,8 @@
  *
  * Defenses against the well-known JWT pitfalls:
  *
- *   - alg confusion (CVE-2024-54150 / CVE-2025-30144 / CVE-2026-22817
- *     Hono class) — `algorithms` is REQUIRED with no default; `none`,
+ *   - alg confusion (CVE-2024-54150 / CVE-2026-22817 Hono class) —
+ *     `algorithms` is REQUIRED with no default; `none`,
  *     `HS256` cannot be accepted unless the operator explicitly listed
  *     them, and even then the verifier refuses HS* algs in
  *     verifyExternal because HMAC + a public-key JWKS is the canonical
@@ -175,8 +175,8 @@ function _assertAlgKtyMatch(alg, jwk) {
   else if   (alg === "ML-DSA-65" || alg === "ML-DSA-87") { expectedKty = "AKP"; }
   else {
     // Unknown alg — caller's alg allowlist should have rejected first;
-    // refuse here defensively (CVE-2026-23993 class — unknown-alg paths
-    // that skip downstream verification).
+    // refuse here defensively (CWE-347 alg-confusion class — unknown-alg
+    // paths that skip downstream verification; cf. CVE-2026-22817).
     throw new AuthError("auth-jwt-external/unsupported-alg",
       "_assertAlgKtyMatch: alg '" + alg + "' has no defined key-type binding");
   }
@@ -336,7 +336,7 @@ async function verifyExternal(token, opts) {
 
   // Decode header + payload.
   var parts = token.split(".");
-  // CVE-2026-29000 / CVE-2026-23993 / CVE-2026-22817 / CVE-2026-34950 —
+  // CVE-2026-29000 / CVE-2026-22817 / CVE-2026-34950 —
   // JWE-bypass + alg-confusion. A 5-segment compact serialization is a
   // JWE (RFC 7516); accepting it on a JWS verifier is the canonical
   // confused-deputy shape. verifyExternal is JWS-only; refuse JWE
@@ -350,7 +350,7 @@ async function verifyExternal(token, opts) {
     }); } catch (_e) { /* audit best-effort */ }
     throw new AuthError("auth-jwt-external/jwe-refused",
       "5-segment JWE token refused — verifyExternal only handles JWS " +
-      "(JWE bypass class — CVE-2026-29000 / CVE-2026-23993 / CVE-2026-22817 / CVE-2026-34950)");
+      "(JWE bypass class — CVE-2026-29000 / CVE-2026-22817 / CVE-2026-34950)");
   }
   if (parts.length !== 3) {
     throw new AuthError("auth-jwt-external/malformed-jwt",
@@ -371,8 +371,9 @@ async function verifyExternal(token, opts) {
     throw new AuthError("auth-jwt-external/unknown-crit",
       "token declares 'crit' header — verifyExternal does not support critical extensions");
   }
-  // CVE-2026-23993 — refuse alg values outside the accepted list BEFORE
-  // any key lookup. The early refusal closes the class where an
+  // Alg-allowlist gate (CWE-347 improper-sig-verification / CWE-757
+  // algorithm-downgrade) — refuse alg values outside the accepted list
+  // BEFORE any key lookup. The early refusal closes the class where an
   // unknown / unsupported alg slips through to a downstream code path
   // that interprets it permissively. The per-listed algorithm check
   // above in the opts-validation loop refuses the OPERATOR'S allowlist
@@ -381,11 +382,11 @@ async function verifyExternal(token, opts) {
   if (opts.algorithms.indexOf(header.alg) === -1) {
     throw new AuthError("auth-jwt-external/alg-not-allowed",
       "token alg='" + header.alg + "' not in allowed list [" + opts.algorithms.join(", ") +
-      "] (CVE-2026-23993 — refused before key lookup)");
+      "] (alg-allowlist gate — refused before key lookup)");
   }
   if (SUPPORTED_CLASSICAL_ALGS.indexOf(header.alg) === -1) {
     throw new AuthError("auth-jwt-external/unsupported-alg",
-      "token alg='" + header.alg + "' is not in the verifier's supported set (CVE-2026-23993)");
+      "token alg='" + header.alg + "' is not in the verifier's supported set (alg-allowlist gate)");
   }
 
   // Resolve key.
@@ -480,7 +481,10 @@ async function verifyExternal(token, opts) {
     // weak iss validation. Constant-time compare defeats prefix-timing
     // narrowing; emit a DISTINCT audit event (separate from sig-verify-
     // fail) so detection signals lights up on the cross-realm shape
-    // independently of generic verification failures.
+    // independently of generic verification failures. The `typeof ... !==
+    // "string"` guard also rejects an array-valued iss (CVE-2025-30144,
+    // fast-jwt — an iss array `["attacker", "valid"]` passed an any-match
+    // check); only a single string iss is accepted.
     if (typeof payload.iss !== "string" ||
         !_issuerMatches(payload.iss, opts.issuer)) {
       try { audit().safeEmit({

package/lib/auth/jwt.js

@@ -234,8 +234,8 @@ async function verify(token, opts) {
   // SECURITY: when the resolver uses header.kid as a filename / map
   // key / cache index, it MUST sanitize the kid first. Path-traversal
   // (`../etc/passwd`), null-byte (`key\0..`), control chars, and
-  // similar shapes turn a kid lookup into an arbitrary-file-read
-  // primitive (CVE-2018-0114 java-jwt class). Use
+  // similar shapes turn a kid lookup into an arbitrary-file-read or
+  // SQLi primitive (the PortSwigger JWT "kid" injection / LFI class). Use
   // `b.guardJwt.kidSafe(header.kid)` — throws on traversal indicators
   // and control bytes, returns the validated kid on success.
   var key;

package/lib/auth/oauth.js

@@ -1008,7 +1008,7 @@ function create(opts) {
       throw new OAuthError("auth-oauth/no-id-token", "verifyIdToken: idToken must be a string");
     }
     var parts = idToken.split(".");
-    // CVE-2026-29000 / CVE-2026-22817 / CVE-2026-23993 — mirror
+    // CVE-2026-29000 / CVE-2026-22817 — mirror
     // jwt-external's 5-segment JWE refusal. A 5-segment compact
     // serialization is a JWE (RFC 7516); verifyIdToken is a JWS verifier
     // and a JWE shape reaching here is the confused-deputy class an OP
@@ -1023,7 +1023,7 @@ function create(opts) {
       }); } catch (_e) { /* drop-silent — observability sink */ }
       throw new OAuthError("auth-oauth/jwe-refused",
         "5-segment JWE id_token refused — verifyIdToken only handles JWS " +
-        "(CVE-2026-29000 / CVE-2026-23993 / CVE-2026-22817 / CVE-2026-34950 JWE-bypass class)");
+        "(CVE-2026-29000 / CVE-2026-22817 / CVE-2026-34950 JWE-bypass class)");
     }
     if (parts.length !== 3) {
       throw new OAuthError("auth-oauth/malformed-jwt", "ID token does not have 3 parts");
@@ -1039,13 +1039,14 @@ function create(opts) {
     if (!header || typeof header.alg !== "string") {
       throw new OAuthError("auth-oauth/malformed-jwt", "ID token header missing 'alg'");
     }
-    // CVE-2026-23993 — refuse unknown alg BEFORE any key resolution.
+    // Alg-allowlist gate (CWE-347 / CWE-757) — refuse unknown alg BEFORE
+    // any key resolution.
     // The acceptedAlgorithms list is the operator's posture; an alg
     // outside it never reaches the JWKS lookup or node:crypto.verify.
     if (acceptedAlgorithms.indexOf(header.alg) === -1) {
       throw new OAuthError("auth-oauth/alg-not-accepted",
         "ID token signed with '" + header.alg + "' which is not in the accepted-algorithm list " +
-        "(CVE-2026-23993 — refused before key lookup)");
+        "(alg-allowlist gate — refused before key lookup)");
     }
     // RFC 7515 §4.1.11 — refuse JWS with `crit` header. Every other
     // verifier in the framework (jwt.js, jwt-external.js, dpop.js)
@@ -1344,8 +1345,8 @@ function create(opts) {
     }
     var iss = u.searchParams.get("iss");
     var sid = u.searchParams.get("sid");
-    // RFC 0 invariant: `iss` MUST match the configured issuer when
-    // present (defends against an attacker-controlled IdP forging a
+    // OpenID Connect Front-Channel Logout 1.0 §3: `iss` MUST match the
+    // configured issuer when present (defends against an attacker-controlled IdP forging a
     // logout for a session at a different IdP). `sid` is required
     // when the RP registered with frontchannel_logout_session_required=true;
     // we surface it either way and let the operator decide.

package/lib/auth/oid4vci.js

@@ -108,14 +108,14 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
     throw new AuthError("auth-oid4vci/wrong-proof-typ",
       "credential issuance: proof JWT typ must be \"openid4vci-proof+jwt\" (got \"" + header.typ + "\")");
   }
-  // CVE-2026-23993 — refuse unknown / unsupported alg BEFORE any
-  // verify-side work. The supportedAlgs list is the issuer's posture;
+  // Alg-allowlist gate (CWE-347 / CWE-757) — refuse unknown / unsupported
+  // alg BEFORE any verify-side work. The supportedAlgs list is the issuer's posture;
   // refusing here mirrors the discipline in oauth.verifyIdToken /
   // jwt-external.verifyExternal.
   if (!header.alg || supportedAlgs.indexOf(header.alg) === -1) {
     throw new AuthError("auth-oid4vci/unsupported-proof-alg",
       "credential issuance: proof JWT alg \"" + header.alg + "\" not in issuer-supported set " +
-      "(CVE-2026-23993 — refused before key lookup)");
+      "(alg-allowlist gate — refused before key lookup)");
   }
   // AUTH-5 / RFC 7515 §4.1.11 — refuse non-empty `crit`. Pre-v0.9.x
   // silently ignored, letting an attacker-controlled wallet declare

package/lib/auth/saml.js

@@ -453,12 +453,14 @@ function create(opts) {
 
     // XSW defense — refuse duplicate top-level security-critical
     // elements. SAML XML signature wrapping (XSW) attacks shuffle
-    // signed elements alongside unsigned siblings; the parser's
-    // first-match `_findChild` lookup combined with the signed-
-    // element-ID check at L479 was vulnerable to a multi-Assertion
-    // payload where the verifier signed one but the consumer read
-    // attributes from another. Reject any Response with more than
-    // one of these structural children (Audit 2026-05-11).
+    // signed elements alongside unsigned siblings; a first-match
+    // child lookup combined with a signed-element-ID check is
+    // vulnerable to a multi-Assertion payload where the verifier
+    // signs one element but the consumer reads attributes from
+    // another. This is the class behind CVE-2024-45409 (ruby-saml,
+    // CVSS 10.0, actively exploited) and CVE-2025-25291/25292
+    // (omniauth-saml / ruby-saml namespace-confusion XSW). Reject
+    // any Response with more than one of these structural children.
     var statusChildren = _findAllChildren(root, "Status", SAML_NS.protocol);
     if (statusChildren.length > 1) {
       throw new AuthError("auth-saml/duplicate-status",
@@ -1531,9 +1533,10 @@ function create(opts) {
 //     http://www.w3.org/2009/xmlenc11#rsa-oaep          (XMLEnc 1.1 §5.4.2)
 //
 // AES-CBC content encryption (xmlenc#aes128-cbc / aes256-cbc) is
-// intentionally REFUSED: CVE-2011-1473 + the broader XML-Encryption
-// padding-oracle research (Jager & Somorovsky 2011) demonstrate that
-// CBC mode under XMLEnc is exploitable without per-content MAC.
+// intentionally REFUSED: the XML-Encryption padding-oracle research
+// (Jager & Somorovsky, "How to Break XML Encryption", CCS 2011)
+// demonstrates that CBC mode under XMLEnc is exploitable without per-
+// content MAC.
 // Operators integrating with IdPs that default to CBC (older ADFS /
 // Azure AD / Okta / Keycloak / OneLogin) MUST switch the IdP's
 // content-encryption setting to AES-128-GCM or AES-256-GCM. The
@@ -1543,7 +1546,7 @@ function create(opts) {
 //
 // SHA-1 anywhere (rsa-oaep-mgf1p with SHA-1 OAEP DigestMethod,
 // xmldsig#sha1 DigestMethod) is also refused — Bleichenbacher /
-// collision risk plus CVE-2023-49141-class advisories outweigh
+// collision risk plus CVE-2023-49141 class advisories outweigh
 // "interop with stale IdPs". Operators upgrade the IdP's digest
 // algorithm to SHA-256+ rather than relax the framework defense.
 //
@@ -1606,7 +1609,7 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
     }
     if (oaepHashName === "sha1") {
       throw new AuthError("auth-saml/encrypted-weak-oaep-digest",
-        "EncryptedKey OAEP DigestMethod is SHA-1 — refused (CVE-2023-49141-class). " +
+        "EncryptedKey OAEP DigestMethod is SHA-1 — refused (CVE-2023-49141 class). " +
         "Require SHA-256+ on IdP side.");
     }
     var spKey;
@@ -1710,7 +1713,7 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
       "(supported: W3C xmlenc11#aes128-gcm, xmlenc11#aes256-gcm, " +
       "framework-experimental urn:blamejs:experimental:xmlenc:xchacha20-poly1305). " +
       "AES-CBC content encryption is refused — switch the IdP to AES-128-GCM or AES-256-GCM " +
-      "(CVE-2011-1473 padding-oracle class).");
+      "(XMLEnc CBC padding-oracle class, Jager & Somorovsky CCS 2011).");
   }
   return clearBytes.toString("utf8");
 }

package/lib/auth/sd-jwt-vc.js

@@ -441,15 +441,15 @@ async function verify(presentation, opts) {
       "verify: malformed JWT header: " + e.message);
   }
   var alg = headerObj.alg;
-  // CVE-2026-23993 — refuse unknown / unsupported alg BEFORE any key
-  // resolution. The shared `_assertAlgKtyMatch` helper repeats this
+  // Alg-allowlist gate (CWE-347 / CWE-757) — refuse unknown / unsupported
+  // alg BEFORE any key resolution. The shared `_assertAlgKtyMatch` helper repeats this
   // check after the issuer key is resolved; doing it here too closes
   // the gap where an issuerKeyResolver with side effects (network
   // fetch, audit emit) would run even when the alg is unsupported.
   if (typeof alg !== "string" || SUPPORTED_ALGS.indexOf(alg) === -1) {
     throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
       "verify: header alg \"" + alg + "\" not in supported set " +
-      "(CVE-2026-23993 — refused before key lookup)");
+      "(alg-allowlist gate — refused before key lookup)");
   }
   // draft-ietf-oauth-sd-jwt-vc §3.1 — typ MUST be `vc+sd-jwt` (or
   // `dc+sd-jwt` for digital-credential profile). Pre-v0.9.x the absent-

package/lib/calendar.js

@@ -354,7 +354,14 @@ function validate(jsCal) {
  *   // → { "@type":"Event", uid:"a@b", updated:"2026-05-21T10:00:00Z", ... }
  */
 function fromIcal(text, opts) {
-  var ast = safeIcal.parse(text, opts || {});
+  // Forward parser options to b.safeIcal.parse. Accept BOTH the
+  // documented nested form (`{ safeIcalOpts: { profile, caps, ... } }`)
+  // AND the historically-working top-level form (`{ profile: "balanced" }`)
+  // so neither caller regresses; the nested form wins on conflict. The
+  // `safeIcalOpts` wrapper key itself is stripped before forwarding.
+  var icalOpts = Object.assign({}, opts || {}, (opts && opts.safeIcalOpts) || {});
+  delete icalOpts.safeIcalOpts;
+  var ast = safeIcal.parse(text, icalOpts);
   var events   = (ast && ast.vcalendar && ast.vcalendar.vevent)   || [];
   var todos    = (ast && ast.vcalendar && ast.vcalendar.vtodo)    || [];
   var journals = (ast && ast.vcalendar && ast.vcalendar.vjournal) || [];
@@ -515,7 +522,7 @@ function toIcal(jsCal, opts) {
  * timestamps in the operator's `[from, to]` window. Returns an array
  * of ISO 8601 UTC strings (`yyyy-mm-ddTHH:MM:SSZ`). Bounded by
  * `MAX_EXPAND_INSTANCES` (4096) + `MAX_EXPAND_SPAN_MS` (10 years) to
- * defend against CVE-2024-39687-class recurrence-bomb expansion.
+ * defend against the RRULE recurrence-bomb expansion class.
  *
  * v1 supports FREQ=DAILY/WEEKLY/MONTHLY/YEARLY with INTERVAL, COUNT,
  * UNTIL. BYDAY / BYMONTH / BYMONTHDAY / BYWEEKNO / BYYEARDAY /

package/lib/circuit-breaker.js

@@ -42,10 +42,11 @@ var retryHelper = require("./retry");
  * with the framework's `create(opts)` vocabulary.
  *
  * The `CIRCUIT_OPEN` error code is a pre-v1 artifact — every other
- * framework error class uses namespaced codes (`retry/...`). The
- * rename is deferred to v0.10 with a deprecation cycle so existing
- * operators who match `err.code === "CIRCUIT_OPEN"` aren't broken
- * in a patch.
+ * framework error class uses namespaced codes (`retry/...`). It is
+ * kept through the pre-1.0 line so existing operators who match
+ * `err.code === "CIRCUIT_OPEN"` aren't broken in a patch; the rename
+ * to a namespaced code lands at v1.0 alongside the namespaced-error
+ * sweep, with a deprecation warning shipping a minor ahead.
  *
  * @opts
  *   name:             string,    // identifier used in audit + state-change events

package/lib/crypto-hpke.js

@@ -5,7 +5,7 @@
  * Suite (PQC-first per framework crypto policy):
  *   KEM:    ML-KEM-1024 (FIPS 203) — post-quantum encapsulation
  *   KDF:    HKDF-SHA3-512
- *   AEAD:   ChaCha20-Poly1305 (RFC 7539)
+ *   AEAD:   ChaCha20-Poly1305 (RFC 8439, obsoletes RFC 7539)
  *
  * The classical HPKE suites in RFC 9180 §7 (DHKEM with X25519 / P-256 /
  * P-384 / P-521 + HKDF-SHA256/384/512 + AES-GCM/ChaCha20) are NOT

package/lib/crypto-oprf.js

@@ -30,14 +30,14 @@
  *   <code>suite(name)</code> returns the suite for one of the RFC 9497
  *   ciphersuites — <code>ristretto255-sha512</code> (the Privacy Pass
  *   default), <code>p256-sha256</code>, <code>p384-sha384</code>, or
- *   <code>p521-sha512</code> — each exposing the three modes. Group and
+ *   <code>p521-sha512</code> — each exposing both shipped modes. Group and
  *   hash-to-curve operations come from the vendored <code>@noble/curves</code>.
  *   Byte arguments are <code>Uint8Array</code> / <code>Buffer</code>;
  *   returned elements and outputs are <code>Uint8Array</code>.
  *
  * @card
  *   RFC 9497 Oblivious PRFs — learn <code>F(key, input)</code> without the
- *   server seeing the input (oprf / voprf / poprf modes; ristretto255 / P-256
+ *   server seeing the input (oprf / voprf modes; ristretto255 / P-256
  *   / P-384 / P-521 suites). The primitive behind Privacy Pass, password
  *   hardening, and private set intersection.
  */

package/lib/crypto.js

@@ -789,7 +789,7 @@ function toBase64Url(buf) {
  *
  * Strict mode (default) refuses non-canonical input — chars outside
  * the RFC 4648 §5 alphabet, length-mod-4-of-1, mixed `+/` from
- * standard base64, trailing garbage. Defends a CVE-2022-0235-class
+ * standard base64, trailing garbage. Defends a CVE-2022-0235 class
  * footgun where Node's permissive decoder silently tolerated
  * tampered JWT signatures. Operators with a documented lossy legacy
  * payload opt out per call via `{ strict: false }`.
@@ -817,7 +817,7 @@ function fromBase64Url(s, opts) {
   // OAuth `state` round-tripping) MUST reject non-canonical / malformed
   // input. The Node base64url decoder silently tolerates trailing
   // garbage, mixed `+/` from standard base64, missing padding errors,
-  // and length-mod-4 shapes — CVE-2022-0235-class footgun. Strict mode
+  // and length-mod-4 shapes — CVE-2022-0235 class footgun. Strict mode
   // (the default) refuses anything outside the RFC 4648 §5 alphabet +
   // length rules. Operators with a known-lossy legacy payload pass
   // `{ strict: false }` to opt out per call.

package/lib/framework-error.js

@@ -290,7 +290,8 @@ var GuardTimeError        = defineClass("GuardTimeError",        { alwaysPermane
 var GuardMimeError        = defineClass("GuardMimeError",        { alwaysPermanent: true });
 // GuardJwtError covers JWT identifier violations: shape malformation
 // (not 3 base64url segments), alg=none refuse (canonical CVE-class —
-// CVE-2015-9235 jsonwebtoken / CVE-2018-0114 java-jwt), alg-allowlist
+// CVE-2015-9235 jsonwebtoken alg:none / CVE-2018-0114 Cisco node-jose
+// embedded-JWK key confusion), alg-allowlist
 // drift, kid path-traversal (operator keyResolver path-injection
 // class), typ confusion, oversized header / payload / signature,
 // exp / nbf / iat sanity, missing required claims, unknown crit

package/lib/guard-jwt.js

@@ -16,8 +16,9 @@
  *
  *   Algorithm-confusion defense: `alg=none` is universally refused
  *   at every profile (RFC 7518 §3.6 explicit-no-signature, the
- *   canonical CVE-2015-9235 jsonwebtoken / CVE-2018-0114 java-jwt
- *   class). The operator-supplied `allowedAlgs` allowlist defaults
+ *   canonical CVE-2015-9235 jsonwebtoken alg:none / CVE-2018-0114
+ *   Cisco node-jose embedded-JWK confusion class). The
+ *   operator-supplied `allowedAlgs` allowlist defaults
  *   to the framework's PQC-first set (ML-DSA-87 / ML-DSA-65 /
  *   ML-DSA-44 / SLH-DSA-SHAKE-256{f,s} / SLH-DSA-SHA2-256{f,s} /
  *   EdDSA / ES* / RS* / PS*) so HS256-against-RSA-public-key

package/lib/guard-smtp-command.js

@@ -493,7 +493,7 @@ function gate(opts) {
  *
  * Scan a DATA-body byte buffer for the SMTP smuggling shape per
  * CVE-2023-51764 (Postfix), CVE-2023-51765 (Sendmail), CVE-2023-51766
- * (Exim), CVE-2024-32178 (.NET System.Net.Mail). RFC 5321 §2.3.8
+ * (Exim). RFC 5321 §2.3.8
  * mandates canonical CRLF line termination; the smuggling exploit
  * relies on parsers that accept `\n.\n` (bare LF before / after the
  * dot) as an alternate body terminator and then resume parsing the
@@ -517,7 +517,7 @@ function detectBodySmuggling(buf) {
     throw new GuardSmtpCommandError("guard-smtp-command/bad-input",
       "detectBodySmuggling: input must be a Buffer");
   }
-  // The CVE-2023-51764 / 51765 / 51766 / 2024-32178 class is any
+  // The CVE-2023-51764 / 51765 / 51766 class is any
   // dot-line whose line boundary is anything OTHER than canonical
   // \r\n on BOTH sides of the dot. The canonical-and-only terminator
   // is `\r\n.\r\n`. Every other shape that some receiver might honor

package/lib/mail-auth.js

@@ -1858,8 +1858,8 @@ function dmarcParseAggregateReport(input, opts) {
       // "stream is malformed" (operator-level diagnostic) so audit/
       // alert wiring can react differently. Node surfaces the bomb
       // case with ERR_BUFFER_TOO_LARGE / "Output length exceeded the
-      // limit" / the explicit `maxOutputLength` code. CVE-class:
-      // CVE-2024-zlib decompression amplification.
+      // limit" / the explicit `maxOutputLength` code. Defends the
+      // decompression-amplification class (CWE-409 / CVE-2025-0725).
       var msg = (e && e.message) || String(e);
       var isBomb = (e && (e.code === "ERR_BUFFER_TOO_LARGE" ||
                           e.code === "ERR_OUT_OF_RANGE")) ||

package/lib/mail-crypto-pgp.js

@@ -663,7 +663,7 @@ function _parseSignaturePacket(packetBytes) {
   if (hashAlg !== HASH_ALG_SHA256 && hashAlg !== HASH_ALG_SHA512) {
     throw new MailCryptoError("mail-crypto/pgp/bad-hash",
       "hash alg " + hashAlg + " refused; only SHA-256 (8) and SHA-512 (10) are accepted. " +
-      "SHA-1 (id=2) refused per SHAttered (CVE-2017-9006-class).");
+      "SHA-1 (id=2) refused per SHAttered (2017 SHA-1 collision).");
   }
   var hashedSubLen = body.readUInt16BE(4);
   if (6 + hashedSubLen > body.length) {

package/lib/mail-crypto-smime.js

@@ -21,9 +21,9 @@
  *   second part as base64-encoded DER.
  *
  *   Posture (when the surface lights up):
- *     - Refuses SHA-1 as the signature hash (CVE-2017-9006-class —
- *       PKCS#7 collision attacks against legacy S/MIME) and as the
- *       certificate signature algorithm.
+ *     - Refuses SHA-1 as the signature hash (SHAttered, 2017 — practical
+ *       SHA-1 collision; RFC 8551 §2.5 mandates SHA-256+ for S/MIME) and
+ *       as the certificate signature algorithm.
  *     - Refuses RSA keys < 2048 bits (RFC 8301 §3.1 — same posture
  *       as the rest of the mail surface).
  *     - Refuses MD5 anywhere (the historical S/MIME-v2 default; long
@@ -87,8 +87,8 @@
  * CVE citations:
  *   - CVE-2017-17688 / CVE-2017-17689 (EFAIL — S/MIME variant; informs
  *     the encrypt+decrypt deferral when that surface lights up)
- *   - CVE-2017-9006 (PKCS#7 / S/MIME signature-validation bypass
- *     class — informs the SHA-1 refusal posture)
+ *   - SHAttered (2017 practical SHA-1 collision) + RFC 8551 §2.5 (SHA-256
+ *     floor for S/MIME) — inform the SHA-1 signature-hash refusal posture
  *   - CVE-2018-5407 (PortSmash — informs the side-channel hardening
  *     posture when private operations land in v2)
  */
@@ -109,7 +109,7 @@ var MailCryptoError = defineClass("MailCryptoError", { alwaysPermanent: true });
 // hand-copying strings. These reflect RFC 8551 §2.5 + RFC 8301 floors.
 var RSA_MIN_BITS = 2048;                                                          // allow:raw-byte-literal — RFC 8301 §3.1
 var ALLOWED_HASHES = ["sha256", "sha384", "sha512"];
-var REFUSED_HASHES = ["md5", "sha1"];                                             // allow:raw-byte-literal — CVE-2017-9006-class
+var REFUSED_HASHES = ["md5", "sha1"];                                             // allow:raw-byte-literal — SHAttered / RFC 8551 §2.5
 
 // PROFILES + COMPLIANCE_POSTURES — the framework's standard cross-
 // primitive contract. sign() and verify() (live since v0.10.16) read
@@ -708,7 +708,7 @@ function checkCert(opts) {
       throw new MailCryptoError("mail-crypto/smime/refused-hash",
         "cert signature algorithm '" + sigAlgName +
         "' refused — SHA-1 / MD5 in cert signatures is forbidden " +
-        "(CVE-2017-9006-class). Acceptable hashes: " + ALLOWED_HASHES.join(", "));
+        "(SHAttered SHA-1 collision; RFC 8551 §2.5). Acceptable hashes: " + ALLOWED_HASHES.join(", "));
     }
   }
 

package/lib/mail-crypto.js

@@ -62,7 +62,7 @@
  *
  * CVE citations:
  *   - CVE-2017-17688 / CVE-2017-17689 (EFAIL)
- *   - CVE-2017-9006 (PKCS#7 / S/MIME signature-validation bypass class)
+ *   - SHAttered (2017 SHA-1 collision) + RFC 8551 §2.5 — SHA-1 signature-hash refusal
  */
 
 var pgp   = require("./mail-crypto-pgp");

package/lib/mail-dav.js

@@ -112,8 +112,9 @@
  *   ## CVE defense composition
  *
  *   - `b.safeIcal` rejects RRULE COUNT > 10000 / BYxxx list > 24 →
- *     defends CVE-2024-39687 (ical4j RRULE recursion / Outlook
- *     calendar bomb) on the PUT path.
+ *     defends the ical4j RRULE-recursion / recurrence-expansion DoS
+ *     class (unbounded RRULE expansion exhausts CPU/memory) on the
+ *     PUT path.
  *   - `b.xmlC14n.parse` rejects DOCTYPE / ENTITY in the
  *     PROPFIND / REPORT body → defends XXE / billion-laughs on the
  *     query path.
@@ -125,7 +126,7 @@
  *   mount under their HTTP router. Composes b.safeIcal / b.safeVcard
  *   for PUT-body validation, b.xmlC14n.parse for PROPFIND / REPORT
  *   bodies. Per-principal URL isolation; operator-supplied storage
- *   backend. Defends CVE-2024-39687 at the PUT boundary.
+ *   backend. Defends the RRULE-recursion expansion-DoS class at the PUT boundary.
  */
 
 var lazyRequire = require("./lazy-require");
@@ -749,7 +750,7 @@ function create(opts) {
       return _refuseStatus(res, 400, "PUT requires a component path");
     }
     var bodyBuf = await _readBodyBytes(req);
-    // Validate iCal body via safeIcal — defends CVE-2024-39687 at the
+    // Validate iCal body via safeIcal — defends the RRULE-recursion expansion-DoS class at the
     // ingest boundary.
     try {
       safeIcal.parse(bodyBuf, {

package/lib/mail-deploy.js

@@ -527,8 +527,9 @@ function autoDiscoverXml(opts) {
 //     brotli or the in-progress UTA-draft requires it.
 
 // Hard caps — defensive against CVE-2025-0725 (libcurl/zlib
-// integer overflow), CVE-2024-zlib decompression amplification, and
-// the §5.2 community ceiling (receivers commonly cap at 10 MiB).
+// integer overflow) and the decompression-amplification class
+// (CWE-409), plus the §5.2 community ceiling (receivers commonly cap
+// at 10 MiB).
 var TLSRPT_MAX_COMPRESSED_BYTES   = C.BYTES.mib(4);                                                   // allow:raw-byte-literal — 4 MiB compressed cap per §5.2 community practice
 var TLSRPT_MAX_DECOMPRESSED_BYTES = C.BYTES.mib(32);                                                  // allow:raw-byte-literal — 32 MiB decompressed cap (operators override via opts)
 var TLSRPT_MAX_RATIO              = 50;                                                               // allow:raw-byte-literal — 50:1 compression ratio refusal

package/lib/mail-server-imap.js

@@ -53,7 +53,7 @@
  *     pipelined command queued before TLS is refused with
  *     `BAD Pipelined post-STARTTLS not permitted`.
  *
- *   - **Literal-injection (CVE-2018-19518 INC IMAP class)** —
+ *   - **Literal-injection / command-continuation smuggling** —
  *     `{n}` literal continuation MUST come on a line of its own
  *     (per `b.guardImapCommand.detectLiteralSmuggling`); oversize
  *     literals refused (default 64 MiB); LITERAL+ (RFC 7888) non-

package/lib/mail-server-jmap.js

@@ -106,7 +106,7 @@
  *
  *   ## What v1 does NOT ship
  *
- *   - **Calendars / Contacts (RFC 9610)**, **Sieve (RFC 9404)**,
+ *   - **Calendars / Contacts (RFC 9610)**, **Sieve (RFC 9661)**,
  *     **MDN (RFC 9007)** — opt-in capabilities.
  *
  * @card

package/lib/mail-server-managesieve.js

@@ -95,7 +95,7 @@
  *
  *   - **CHECKSCRIPT** (RFC 5804 §2.12) — parse-only verb. Operators
  *     who want it compose `b.safeSieve.validate` directly via JMAP
- *     `SieveScript/validate` (RFC 9404). The MTA-side ManageSieve
+ *     `SieveScript/validate` (RFC 9661). The MTA-side ManageSieve
  *     surface is `PUTSCRIPT` + `HAVESPACE`; CHECKSCRIPT adds a third
  *     entry point with no operator demand yet.
  *   - **UNAUTHENTICATE** (RFC 5804 §2.14) — exotic. Operators close

package/lib/mail-server-mx.js

@@ -25,7 +25,7 @@
  *
  *   ## Defenses baked in
  *
- *   - **SMTP smuggling** (CVE-2023-51764 / CVE-2024-32178) — every
+ *   - **SMTP smuggling** (CVE-2023-51764 Postfix / CVE-2023-51765 Sendmail / CVE-2023-51766 Exim) — every
  *     wire line passes through `b.guardSmtpCommand.validate` which
  *     refuses bare LF, bare CR, NUL, C0 controls, DEL, and oversize.
  *     The DATA body's `\r\n.\r\n` terminator is matched on canonical
@@ -108,7 +108,7 @@
  * @card
  *   Inbound SMTP / MX listener. RFC 5321 state machine with SMTP-
  *   smuggling defense baked into the wire-protocol layer (RFC 5321
- *   §2.3.8 + CVE-2023-51764 / CVE-2024-32178), open-relay refusal by
+ *   §2.3.8 + CVE-2023-51764 / 51765 / 51766), open-relay refusal by
  *   default, STARTTLS-stripping defense (CVE-2021-38371), and the
  *   framework's mail-gate cascade (HELO / RBL / greylist /
  *   guardEnvelope / DMARC / safeMime / guardEmail) running at the
@@ -260,8 +260,8 @@ function create(opts) {
 
   // Default-on operator-supplied-domain hardening. opts.localDomains
   // and the HELO / MAIL FROM / RCPT TO domain validations all route
-  // through `b.guardDomain` for IDN homograph defense (CVE-2017-5469
-  // class), special-use-domain refusal (RFC 6761), label-length cap
+  // through `b.guardDomain` for IDN homograph / Punycode-spoof defense
+  // (mixed-script confusable class), special-use-domain refusal (RFC 6761), label-length cap
   // (RFC 1035 §2.3.4), and bare-IP-as-domain refusal (CVE-2021-22931
   // class). Operators with a closed-network deployment can pass
   // `guardDomain: false` to skip; the default keeps the protection on.

package/lib/mail-server-submission.js

@@ -40,7 +40,7 @@
  *
  *   ## Wire-protocol defenses (inherited from MX listener pattern)
  *
- *   - SMTP smuggling (CVE-2023-51764 / -51765 / -51766 / 2024-32178 /
+ *   - SMTP smuggling (CVE-2023-51764 / -51765 / -51766 /
  *     RFC 5321 §2.3.8): every wire line through
  *     `b.guardSmtpCommand.validate`; DATA-body terminator scan
  *     through `b.safeSmtp.findDotTerminator` (strict-CRLF);
@@ -351,8 +351,8 @@ function create(opts) {
   }
 
   // Default-on guardDomain hardening for HELO / MAIL FROM / RCPT TO.
-  // Same posture as mail-server-mx — IDN homograph (CVE-2017-5469
-  // class), special-use-domain refusal (RFC 6761), label-length cap
+  // Same posture as mail-server-mx — IDN homograph / Punycode-spoof
+  // (mixed-script confusable class), special-use-domain refusal (RFC 6761), label-length cap
   // (RFC 1035 §2.3.4), bare-IP-as-domain refusal (CVE-2021-22931
   // class). Operators with a closed-network deployment pass
   // `guardDomain: false` to skip; the default keeps protection on.

package/lib/mail-store.js

@@ -50,7 +50,7 @@
  *   of caller; only `b.legalHold.release` can flip the flag.
  *
  *   Parses messages on append via `b.safeMime.parse` (bounded
- *   substrate, defends CVE-2024-39929 + CVE-2025-30258). Validates
+ *   substrate, defends CVE-2024-39929 + CVE-2026-26312). Validates
  *   `Message-Id` via `b.guardMessageId.validate`.
  *
  * @card
@@ -526,7 +526,7 @@ function _appendMessage(args) {
       "appendMessage: folder '" + args.folderName + "' not found");
   }
 
-  // Parse via safe-mime — bounded; defends CVE-2024-39929 + CVE-2025-30258.
+  // Parse via safe-mime — bounded; defends CVE-2024-39929 + CVE-2026-26312.
   var tree = safeMime.parse(buf, args.safeMimeOpts);
 
   // Extract canonical fields.

package/lib/mail.js

@@ -1594,10 +1594,10 @@ function create(opts) {
   var auditOn = opts.audit !== false;
 
   // Default-on guardDomain hardening for every outbound recipient + the
-  // sender address. Refuses CVE-2017-5469-class IDN homograph spoofs in
+  // sender address. Refuses IDN homograph / mixed-script-confusable spoofs in
   // recipient or from domains, RFC 6761 special-use domain names
   // (`.localhost`, `.test`, `.invalid`, `.example`) in production sends,
-  // RFC 1035 §2.3.4 label-length violations, and CVE-2021-22931-class
+  // RFC 1035 §2.3.4 label-length violations, and CVE-2021-22931 class
   // bare-IP-as-domain (DNS-rebinding allowlist-bypass class). Operators
   // sending to address literals (`<x@[1.2.3.4]>`) — rare; mostly mailing-
   // list internals — pass `guardDomain: false` to opt out, or pass

package/lib/network-tls.js

@@ -462,12 +462,15 @@ function applyToContext(opts) {
 //   setKeyShares(["X25519MLKEM768", "X25519"])        → string[] (after)
 //   resetKeyShares()                                  → restores default
 
-// RFC 9794 (PQ TLS Hybrid Key Exchange) named-group ordering. The
-// preferred groups (the first the peer mutually supports wins) put the
-// IANA-registered hybrid named groups ahead of the classical fallback:
+// PQ/T-hybrid named-group ordering (RFC 9794 is the PQ/T-hybrid
+// *terminology*; the TLS codepoints come from the IANA TLS Supported
+// Groups registry + draft-kwiatkowski-tls-ecdhe-mlkem +
+// draft-ietf-tls-hybrid-design). The preferred groups (the first the peer
+// mutually supports wins) put the IANA-registered hybrid named groups
+// ahead of the classical fallback:
 //
-//   X25519MLKEM768       — codepoint 0x11EC, RFC 9794 default hybrid
-//   SecP256r1MLKEM768    — codepoint 0x11EB, RFC 9794 optional hybrid
+//   X25519MLKEM768       — codepoint 0x11EC (IANA; draft-kwiatkowski-tls-ecdhe-mlkem)
+//   SecP256r1MLKEM768    — codepoint 0x11EB (IANA; NIST-curve hybrid)
 //                            (NIST-curve fallback for FIPS-mandated peers
 //                            that refuse X25519)
 //   SecP384r1MLKEM1024   — draft-kwiatkowski-tls-ecdhe-mlkem-02 codepoint
@@ -520,7 +523,7 @@ function resetKeyShares() {
   return getKeyShares();
 }
 
-// preferredGroups — RFC 9794 alias surface for the named-group list.
+// preferredGroups — alias surface for the named-group list.
 // `set(list)` overrides the default ordering; `get()` reads the active
 // list; `reset()` restores the framework default. The setKeyShares /
 // getKeyShares / resetKeyShares names are kept as the lower-level
@@ -604,7 +607,7 @@ function buildOptions(opts) {
 
   // PQC group preference. Caller may narrow (drop a group) but not
   // widen — every requested group must appear in the framework
-  // preferred list. Both `groups` (RFC 9794 alias) and `ecdhCurve`
+  // preferred list. Both `groups` (alias) and `ecdhCurve`
   // (Node TLS option) are accepted; `groups` wins when both supplied.
   var requested = null;
   if (Array.isArray(opts.groups)) {

package/lib/safe-decompress.js

@@ -54,10 +54,12 @@
  *   bytes ever cross the audit boundary on the bomb-class path.
  *
  *   Threat model:
- *     - **CVE-2025-0725** (libcurl + zlib decompression amplification)
- *       — bounded output + ratio cap defeat the amplification.
- *     - **CVE-2024-zlib** class (decompression-bomb research, gzip /
- *       deflate / brotli variants) — bounded output prevents OOM.
+ *     - **Decompression bomb** (CWE-409 — improper handling of highly
+ *       compressed data; the classic 42.zip nested-bomb expands to
+ *       petabytes from kilobytes) across gzip / deflate / brotli —
+ *       the bounded-output cap + expansion-ratio cap refuse before the
+ *       allocation, so no decompressed bytes are ever materialized past
+ *       the cap.
  *     - **Efail-class** (CVE-2017-17688 / 17689) — operators decrypting
  *       MIME parts compose `b.safeDecompress` on the inner deflate
  *       streams; the bounded-output posture defeats the unbounded-
@@ -73,8 +75,8 @@
  *   - [RFC 1951](https://www.rfc-editor.org/rfc/rfc1951) deflate
  *   - [RFC 1952](https://www.rfc-editor.org/rfc/rfc1952) gzip
  *   - [RFC 7932](https://www.rfc-editor.org/rfc/rfc7932) brotli
- *   - [CVE-2025-0725](https://nvd.nist.gov/vuln/detail/CVE-2025-0725)
- *   - [CVE-2024-zlib](https://nvd.nist.gov/) decompression-bomb class
+ *   - [CWE-409](https://cwe.mitre.org/data/definitions/409.html) improper
+ *     handling of highly compressed data (decompression bomb)
  */
 
 var zlib = require("node:zlib");

package/lib/safe-ical.js

@@ -15,7 +15,7 @@
  *   delivery-time iTIP processing, and the scheduling primitives that
  *   compose against ical bytes.
  *
- *   Defends `CVE-2024-39687` (ical4j RRULE recursion / "Outlook
+ *   Defends the ical4j RRULE-recursion expansion-DoS class ("Outlook
  *   calendar bomb" — a hostile RRULE with unbounded COUNT and
  *   recursive BYxxx expansion can pin a CalDAV server's CPU at 100%
  *   until the request times out). Caps:
@@ -36,8 +36,8 @@
  *       instances than this cap.
  *     - RRULE BYDAY / BYMONTH / BYMONTHDAY / BYHOUR / BYMINUTE /
  *       BYSECOND / BYSETPOS / BYWEEKNO / BYYEARDAY list-length cap
- *       (24 entries) — refused regardless of profile. CVE-2024-39687
- *       achieves expansion blow-up by stacking long BYxxx lists.
+ *       (24 entries) — refused regardless of profile. The recursion
+ *       DoS achieves expansion blow-up by stacking long BYxxx lists.
  *
  *   Header-injection / control-char defense: refuses NUL, C0 control
  *   bytes (other than TAB inside QUOTED-PRINTABLE-shaped values), and
@@ -75,8 +75,8 @@
  * @card
  *   Bounded RFC 5545 iCalendar parser — caps total bytes, nesting
  *   depth, RRULE COUNT and BYxxx list-lengths; refuses NUL / C0 / DEL
- *   inside property values; allowlists property names; defends
- *   CVE-2024-39687 (ical4j RRULE recursion / Outlook calendar-bomb).
+ *   inside property values; allowlists property names; defends the
+ *   ical4j RRULE-recursion expansion-DoS class (Outlook calendar-bomb).
  */
 
 var C = require("./constants");
@@ -84,8 +84,8 @@ var { defineClass } = require("./framework-error");
 
 var SafeIcalError = defineClass("SafeIcalError", { alwaysPermanent: true });
 
-// RRULE caps are enforced regardless of profile — CVE-2024-39687 has
-// no safe permissive posture.
+// RRULE caps are enforced regardless of profile — the recursion-DoS
+// class has no safe permissive posture.
 var RRULE_MAX_COUNT      = 10000;                                                                          // allow:raw-byte-literal — RFC 5545 §3.3.10 recurrence-count cap
 var RRULE_MAX_BY_ENTRIES = 24;                                                                             // allow:raw-byte-literal — BYxxx list-length cap
 
@@ -223,7 +223,7 @@ function parse(text, opts) {
   if (byteLen > caps.maxBytes) {
     throw new SafeIcalError("safe-ical/oversize-bytes",
       "safeIcal.parse: input " + byteLen + " bytes exceeds maxBytes=" + caps.maxBytes +
-      " (CVE-2024-39687-class defense)");
+      " (calendar-bomb defense)");
   }
 
   var lines = _unfold(s, caps);
@@ -466,7 +466,7 @@ function _parseComponent(lines, startIdx, ctx, depth) {
   if (depth > ctx.caps.maxNestingDepth) {
     throw new SafeIcalError("safe-ical/oversize-nesting",
       "safeIcal.parse: nesting depth exceeds maxNestingDepth=" +
-      ctx.caps.maxNestingDepth + " (CVE-2024-39687-class defense)");
+      ctx.caps.maxNestingDepth + " (calendar-bomb defense)");
   }
   ctx.componentCount += 1;
   if (ctx.componentCount > ctx.caps.maxComponents) {
@@ -516,7 +516,7 @@ function _parseComponent(lines, startIdx, ctx, depth) {
         "safeIcal.parse: unknown property '" + pn +
         "' (extend via opts.extraProperties or use X- prefix)");
     }
-    // RRULE caps — CVE-2024-39687 defense.
+    // RRULE caps — recursion-DoS / calendar-bomb defense.
     if (pn === "RRULE" || pn === "EXRULE") {
       _validateRrule(ln.value);
     }
@@ -558,7 +558,7 @@ function _validateRrule(value) {
       if (!isFinite(n) || n < 0 || n > RRULE_MAX_COUNT) {
         throw new SafeIcalError("safe-ical/oversize-rrule-count",
           "safeIcal.parse: RRULE COUNT=" + val + " exceeds cap=" +
-          RRULE_MAX_COUNT + " (CVE-2024-39687 defense)");
+          RRULE_MAX_COUNT + " (calendar-bomb defense)");
       }
     } else if (key === "BYDAY" || key === "BYMONTH" || key === "BYMONTHDAY" ||
                key === "BYHOUR" || key === "BYMINUTE" || key === "BYSECOND" ||
@@ -567,7 +567,7 @@ function _validateRrule(value) {
       if (entries.length > RRULE_MAX_BY_ENTRIES) {
         throw new SafeIcalError("safe-ical/oversize-rrule-by",
           "safeIcal.parse: RRULE " + key + " list length " + entries.length +
-          " exceeds cap=" + RRULE_MAX_BY_ENTRIES + " (CVE-2024-39687 defense)");
+          " exceeds cap=" + RRULE_MAX_BY_ENTRIES + " (calendar-bomb defense)");
       }
     }
   }

package/lib/safe-mime.js

@@ -27,7 +27,7 @@
  *       crypto.
  *
  *   Defends `CVE-2024-39929` (Exim MIME multipart parser) and
- *   `CVE-2025-30258` (gnumail truncated-MIME-tree class) by capping
+ *   `CVE-2026-26312` (Stalwart nested `message/rfc822` MIME OOM) by capping
  *   total parts, nesting depth, boundary length, header bytes,
  *   header-line bytes, decoded body bytes, message bytes — plus
  *   charset + transfer-encoding allowlists.
@@ -41,7 +41,7 @@
  *   incoming message above a threshold.
  *
  * @card
- *   Bounded MIME parser — walks RFC 5322 + 2045 / 2046 / 2047 + EAI message structure into a part tree with hard caps on depth, part count, body size, header bytes, and charset / transfer-encoding allowlists. Defends CVE-2024-39929 + CVE-2025-30258.
+ *   Bounded MIME parser — walks RFC 5322 + 2045 / 2046 / 2047 + EAI message structure into a part tree with hard caps on depth, part count, body size, header bytes, and charset / transfer-encoding allowlists. Defends CVE-2024-39929 + CVE-2026-26312.
  */
 
 var C = require("./constants");
@@ -332,13 +332,13 @@ function _parsePart(buf, ctx, depth) {
   if (depth > ctx.maxNestingDepth) {
     throw new SafeMimeError("safe-mime/oversize-nesting",
       "safeMime.parse: nesting depth exceeded maxNestingDepth=" + ctx.maxNestingDepth +
-      " (CVE-2024-39929-class defense)");
+      " (CVE-2024-39929 class defense)");
   }
   ctx.partCount += 1;
   if (ctx.partCount > ctx.maxParts) {
     throw new SafeMimeError("safe-mime/oversize-part-count",
       "safeMime.parse: total parts exceeded maxParts=" + ctx.maxParts +
-      " (CVE-2024-39929-class defense)");
+      " (CVE-2024-39929 class defense)");
   }
 
   var sep = _findHeaderBodySep(buf);
@@ -668,7 +668,7 @@ function _decodeRfc2047Words(value) {
         raw = Buffer.from(text.replace(/_/g, " ").replace(/=([0-9A-Fa-f]{2})/g,
           function (__, hex) { return String.fromCharCode(parseInt(hex, 16)); }), "binary");      // allow:raw-byte-literal — parseInt radix 16, not bytes
       }
-      // RFC 2047 §5 / CVE-2020-7244 header-injection defense — after
+      // RFC 2047 §5 encoded-word header-injection defense — after
       // base64 / Q-encoded decode, check the DECODED bytes for header
       // separators (CR, LF, NUL). A sender that base64-encodes
       // `\r\nBcc: attacker@x.com` would otherwise reach the consumer's
@@ -680,7 +680,7 @@ function _decodeRfc2047Words(value) {
         if (b === 0x0d /* CR */ || b === 0x0a /* LF */ || b === 0x00 /* NUL */) {
           throw new SafeMimeError("safe-mime/rfc2047-header-injection",
             "RFC 2047 encoded-word decoded to bytes containing CR/LF/NUL " +
-            "(byte index " + bi + "); refusing per RFC 2047 §5 / CVE-2020-7244 class");
+            "(byte index " + bi + "); refusing per RFC 2047 §5 (encoded-word header injection)");
         }
       }
       return _decodeBufferAs(raw, charset);

package/lib/safe-sieve.js

@@ -619,7 +619,7 @@ function parse(script, opts) {
  * Parse-only validation — returns `{ ok, requiredCaps, issues }`
  * shape mirroring the rest of the guard family. Operator-facing
  * primitives that want a JMAP-style `SieveScript/validate` response
- * (RFC 9404) compose this and surface `issues` directly.
+ * (RFC 9661 — JMAP for Sieve Scripts) compose this and surface `issues` directly.
  *
  * @opts
  *   profile:           "strict" | "balanced" | "permissive",

package/lib/safe-smtp.js

@@ -23,7 +23,7 @@
  *     - RFC 5321 §2.3.8 — line termination MUST be CRLF
  *     - RFC 5321 §4.5.2 — dot-stuffing on the SMTP body
  *     - RFC 5321 §4.1.1.4 — DATA command terminates with `<CRLF>.<CRLF>`
- *     - CVE-2023-51764 / -51765 / -51766 / 2024-32178 — SMTP
+ *     - CVE-2023-51764 / -51765 / -51766 — SMTP
  *       smuggling (parsers that accept bare-LF dot-terminators).
  *       The guard primitive `b.guardSmtpCommand.detectBodySmuggling`
  *       owns smuggling detection; the safe-* terminator scanner

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.8",
+  "version": "0.13.10",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:fd9a8f72-de3b-4a8d-8059-9ff47ccebb1b",
+  "serialNumber": "urn:uuid:62fe872e-bfa6-4982-9eb9-f37d3f139663",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T05:52:19.814Z",
+    "timestamp": "2026-05-27T08:47:25.364Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.8",
+      "bom-ref": "@blamejs/core@0.13.10",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.8",
+      "version": "0.13.10",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.8",
+      "purl": "pkg:npm/%40blamejs/core@0.13.10",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.8",
+      "ref": "@blamejs/core@0.13.10",
       "dependsOn": []
     }
   ]