@blamejs/core 0.13.9 → 0.13.10

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.13.x
 
+- v0.13.10 (2026-05-27) — **Documented-but-inert options wired up, a non-existent CVE reference removed, and a silent iCalendar cap-bypass fixed.** A sweep for places where a documented option or citation did not match what the code does. The most operator-relevant fix: b.calendar.fromIcal documented a safeIcalOpts option that forwards parser caps (byte size, RRULE limits, nesting depth) to b.safeIcal.parse, but the value was never forwarded — so an operator who set tight caps through it got the default profile instead, silently. That is corrected; the nested options now reach the parser. b.archive.read.zip documented an AbortSignal option that was never honored; it now aborts the read at the entry boundary. b.auth.fal documented a bearerOnly alias that had no effect; it now forces the no-proof-of-possession path and refuses the contradictory combination of bearerOnly:true with a holder-of-key binding. Separately, the auth verification paths cited CVE-2026-23993 (13 places) for the "reject an unknown alg before key lookup" guard — that CVE id does not exist (the registry has no record of it); the citation is replaced with the weakness class (CWE-347 / CWE-757) and the real, verifiable neighboring CVEs. The circuit-breaker error-code note that promised a rename "in v0.10" is corrected to the actual plan (v1.0), and the build gate that catches overdue version promises now also catches two-part version numbers. **Changed:** *`b.auth.fal` `bearerOnly` is now a real alias and refuses contradictions* — `bearerOnly: true` now forces the no-proof-of-possession path (equivalent to `hokBinding: null`), as documented. Passing `bearerOnly: true` together with a non-null `hokBinding` is a contradictory assurance request and is now refused at the call rather than silently resolved one way. **Fixed:** *`b.calendar.fromIcal` now forwards `safeIcalOpts` to the parser* — The documented `safeIcalOpts` option (parser caps: max bytes, RRULE COUNT/BYxxx limits, nesting depth) was not being passed to `b.safeIcal.parse` — when supplied under the documented nested key it was silently ignored and the parser ran with its default profile. Both forms now reach the parser: the documented nested `{ safeIcalOpts: { ... } }` and the top-level `{ profile, ... }` that earlier releases accepted, with the nested form winning on conflict. No caller regresses. · *`b.archive.read.zip` honors the documented `signal` (AbortSignal)* — The `signal` option was documented but never read. A large or slow archive read can now be aborted cooperatively — the reader checks the signal at each entry boundary (`inspect`, `entries`, `extractEntries`, `extract`) and rejects with an `archive-read/aborted` error. · *Removed a non-existent CVE reference from the JWT/JWE verification paths* — The "reject an unknown/unsupported `alg` before any key lookup" guard in `b.auth.jwt.verifyExternal`, `b.auth.oauth.verifyIdToken`, `b.auth.oid4vci`, and `b.auth.sd-jwt-vc` cited a CVE id that the registry has no record of. The behaviour is unchanged; the citation is now the weakness class it defends (CWE-347 improper signature verification / CWE-757 algorithm downgrade) alongside the real, verifiable alg-confusion / JWE-bypass CVEs already cited beside it. **Detectors:** *Overdue-version-promise gate now catches two-part version numbers* — The build gate that flags a deferral whose promised landing version has already shipped previously matched only three-part versions (`vN.N.N`); a two-part promise (`vN.N`) slipped past it. It now matches both. The `b.circuitBreaker` `CIRCUIT_OPEN` error-code note that pointed at a passed version is corrected to its actual plan (rename at v1.0, with a deprecation warning a minor ahead).
+
 - v0.13.9 (2026-05-26) — **Corrected CVE citations in source threat annotations + a build gate that refuses malformed CVE identifiers.** Several source-comment threat annotations cited CVE identifiers that were rejected by the numbering authority (never assigned to a real issue), attributed to the wrong product, or structurally malformed (a placeholder with a non-numeric sequence). The annotated defenses are unchanged — every cap, refusal, and constant-time comparison behaves exactly as before; only the reference labels were corrected, each to a verifiable CVE or to the underlying weakness class (CWE / RFC) where no single CVE fits. Notable corrections: the S/MIME SHA-1 / MD5 certificate-signature refusal now cites the SHAttered collision and RFC 8551 §2.5 instead of a rejected candidate id; decompression-output caps cite CWE-409 and CVE-2025-0725 instead of a fabricated placeholder; the iCalendar RRULE / nesting / byte caps describe the calendar-bomb recursion-DoS class instead of an unrelated SSRF advisory; and the SAML signature-wrapping (XSW) defense now cites the actively-exploited CVE-2024-45409 (ruby-saml, CVSS 10.0) and CVE-2025-25291 / -25292 that the duplicate-element refusal defeats. A new build-time detector refuses any CVE token whose sequence number is not all-numeric, so a placeholder identifier can never reach a release again. **Fixed:** *Corrected rejected / misattributed / malformed CVE references in source threat annotations* — Threat-annotation comments across the mail, crypto, auth, guard, and safe modules carried CVE identifiers that were rejected by the CVE numbering authority, attributed to the wrong product, or written as non-numeric placeholders. Each was corrected to a verifiable CVE or to the weakness class (CWE / RFC) it defends. No runtime behaviour changed — the defenses these comments describe are unchanged. The S/MIME certificate check's SHA-1 / MD5 refusal message now names the SHAttered collision and RFC 8551 §2.5; the SAML XSW defense now names CVE-2024-45409 and CVE-2025-25291 / -25292. **Detectors:** *`malformed-cve-identifier` — refuses structurally-invalid CVE tokens at build time* — A CVE identifier's sequence number is always numeric (`CVE-<year>-<digits>`). The new detector refuses any CVE token whose post-year segment contains a letter — the placeholder shape that lets a fabricated reference slip past review. It cannot verify that a well-formed id is real or correctly attributed (that stays a review responsibility), but it makes the structurally-invalid class impossible to ship.
 
 - v0.13.8 (2026-05-26) — **In-memory archive extraction for read-only / serverless filesystems.** Archive readers gain an in-memory extraction path so an uploaded archive can be opened and its contents read without writing anything to disk — the case a read-only or ephemeral serverless filesystem requires. b.archive.read.zip(...).extractEntries() and b.archive.read.tar(...).extractEntries() are async generators that yield each regular file entry as { name, bytes, size }, applying the same bomb-policy caps, b.guardArchive metadata cascade (which refuses a Zip-Slip / traversal archive wholesale), and entry-type-policy refusals as the disk extract() — only the disk realpath agreement check is omitted, since nothing is written and the caller owns where the returned bytes land. Directory and link entries carry no content and are not yielded. The guard cascade is factored into one shared path so disk and in-memory extraction refuse identically. Also a documentation fix: b.archive.gz no longer claims a b.archive.zip().toGzip() convenience exists — a ZIP is already DEFLATE-compressed per entry, so gzip-wrapping it gains nothing; gzip the uncompressed tar stream (the canonical .tar.gz) instead. **Added:** *`extractEntries()` — in-memory archive extraction (ZIP + tar)* — `b.archive.read.zip(source).extractEntries(opts?)` and `b.archive.read.tar(source).extractEntries(opts?)` are async generators yielding `{ name, bytes, size }` per regular file entry, never touching disk — for serverless / read-only filesystems where the disk `extract({ destination })` path cannot run. Same bomb-policy, guard-archive cascade, and entry-type-policy refusals as disk extraction; the bytes are byte-identical to what `extract()` writes. **Fixed:** *Removed the inaccurate `b.archive.zip().toGzip()` doc claim* — The `b.archive.gz` documentation described a `b.archive.zip().toGzip()` convenience method that does not (and should not) exist: a ZIP is already DEFLATE-compressed per entry, so gzip-wrapping it would compress already-compressed data for no benefit. `b.archive.tar().toGzip()` (the real `.tar.gz`) is unchanged.

package/lib/archive-read.js

@@ -503,6 +503,18 @@ function zip(adapter, opts) {
   var entryTypePolicy = _normalizeEntryTypePolicy(opts.entryTypePolicy);
   var cdCache         = null;
 
+  // Cooperative cancellation — operators pass an AbortSignal to bound a
+  // large/slow archive read. Checked between entries (the natural yield
+  // point); a long single-entry decompress is already bounded by the
+  // bomb policy.
+  function _throwIfAborted() {
+    if (opts.signal && opts.signal.aborted) {
+      throw new ArchiveReadError("archive-read/aborted",
+        "archive read aborted via opts.signal" +
+        (opts.signal.reason !== undefined ? ": " + String(opts.signal.reason) : ""));
+    }
+  }
+
   async function _loadCD() {
     if (cdCache) return cdCache;
     var eocd = await _locateEocd(adapter);
@@ -512,6 +524,7 @@ function zip(adapter, opts) {
   }
 
   async function inspect() {
+    _throwIfAborted();
     var loaded = await _loadCD();
     _enforceBombPolicy(loaded.entries, bombPolicy);
     _emitAudit(opts, "archive.read.inspect", "success", {
@@ -539,9 +552,11 @@ function zip(adapter, opts) {
   }
 
   async function* entries() {
+    _throwIfAborted();
     var loaded = await _loadCD();
     _enforceBombPolicy(loaded.entries, bombPolicy);
     for (var i = 0; i < loaded.entries.length; i += 1) {
+      _throwIfAborted();
       yield loaded.entries[i];
     }
   }
@@ -593,6 +608,7 @@ function zip(adapter, opts) {
     var totalDecompressed = 0;
     var yielded = 0;
     for (var i = 0; i < loaded.entries.length; i += 1) {
+      _throwIfAborted();
       var entry = loaded.entries[i];
       if (entry.isEncrypted && !extractOpts.allowEncrypted) {
         throw new ArchiveReadError("archive-read/encrypted-entry",
@@ -644,6 +660,7 @@ function zip(adapter, opts) {
     var totalDecompressed = 0;
     try {
       for (var i = 0; i < loaded.entries.length; i += 1) {
+        _throwIfAborted();
         var entry = loaded.entries[i];
         // Skip directory + dangerous-by-default entry types unless the
         // entry-type policy opts in.

package/lib/auth/fal.js

@@ -155,6 +155,18 @@ function fromAssertion(opts) {
       "fal.fromAssertion: channel must be 'front' or 'back'");
   }
   var hokBinding = opts.hokBinding;
+  // `bearerOnly: true` is the explicit alias for "no proof-of-possession
+  // binding" (hokBinding === null). It contradicts a non-null hokBinding;
+  // refuse the contradiction at the entry point rather than silently
+  // picking one — an operator who sets both has a config bug.
+  if (opts.bearerOnly === true) {
+    if (hokBinding !== undefined && hokBinding !== null) {
+      throw new AuthError("auth/bad-fal-opts",
+        "fal.fromAssertion: bearerOnly:true conflicts with hokBinding '" + hokBinding +
+        "' (bearerOnly forces no proof-of-possession binding)");
+    }
+    hokBinding = null;
+  }
   if (hokBinding !== undefined && hokBinding !== null) {
     if (hokBinding !== "mtls" && hokBinding !== "dpop" && hokBinding !== "saml-hok") {
       throw new AuthError("auth/bad-fal-opts",

package/lib/auth/jwt-external.js

@@ -175,8 +175,8 @@ function _assertAlgKtyMatch(alg, jwk) {
   else if   (alg === "ML-DSA-65" || alg === "ML-DSA-87") { expectedKty = "AKP"; }
   else {
     // Unknown alg — caller's alg allowlist should have rejected first;
-    // refuse here defensively (CVE-2026-23993 class — unknown-alg paths
-    // that skip downstream verification).
+    // refuse here defensively (CWE-347 alg-confusion class — unknown-alg
+    // paths that skip downstream verification; cf. CVE-2026-22817).
     throw new AuthError("auth-jwt-external/unsupported-alg",
       "_assertAlgKtyMatch: alg '" + alg + "' has no defined key-type binding");
   }
@@ -336,7 +336,7 @@ async function verifyExternal(token, opts) {
 
   // Decode header + payload.
   var parts = token.split(".");
-  // CVE-2026-29000 / CVE-2026-23993 / CVE-2026-22817 / CVE-2026-34950 —
+  // CVE-2026-29000 / CVE-2026-22817 / CVE-2026-34950 —
   // JWE-bypass + alg-confusion. A 5-segment compact serialization is a
   // JWE (RFC 7516); accepting it on a JWS verifier is the canonical
   // confused-deputy shape. verifyExternal is JWS-only; refuse JWE
@@ -350,7 +350,7 @@ async function verifyExternal(token, opts) {
     }); } catch (_e) { /* audit best-effort */ }
     throw new AuthError("auth-jwt-external/jwe-refused",
       "5-segment JWE token refused — verifyExternal only handles JWS " +
-      "(JWE bypass class — CVE-2026-29000 / CVE-2026-23993 / CVE-2026-22817 / CVE-2026-34950)");
+      "(JWE bypass class — CVE-2026-29000 / CVE-2026-22817 / CVE-2026-34950)");
   }
   if (parts.length !== 3) {
     throw new AuthError("auth-jwt-external/malformed-jwt",
@@ -371,8 +371,9 @@ async function verifyExternal(token, opts) {
     throw new AuthError("auth-jwt-external/unknown-crit",
       "token declares 'crit' header — verifyExternal does not support critical extensions");
   }
-  // CVE-2026-23993 — refuse alg values outside the accepted list BEFORE
-  // any key lookup. The early refusal closes the class where an
+  // Alg-allowlist gate (CWE-347 improper-sig-verification / CWE-757
+  // algorithm-downgrade) — refuse alg values outside the accepted list
+  // BEFORE any key lookup. The early refusal closes the class where an
   // unknown / unsupported alg slips through to a downstream code path
   // that interprets it permissively. The per-listed algorithm check
   // above in the opts-validation loop refuses the OPERATOR'S allowlist
@@ -381,11 +382,11 @@ async function verifyExternal(token, opts) {
   if (opts.algorithms.indexOf(header.alg) === -1) {
     throw new AuthError("auth-jwt-external/alg-not-allowed",
       "token alg='" + header.alg + "' not in allowed list [" + opts.algorithms.join(", ") +
-      "] (CVE-2026-23993 — refused before key lookup)");
+      "] (alg-allowlist gate — refused before key lookup)");
   }
   if (SUPPORTED_CLASSICAL_ALGS.indexOf(header.alg) === -1) {
     throw new AuthError("auth-jwt-external/unsupported-alg",
-      "token alg='" + header.alg + "' is not in the verifier's supported set (CVE-2026-23993)");
+      "token alg='" + header.alg + "' is not in the verifier's supported set (alg-allowlist gate)");
   }
 
   // Resolve key.

package/lib/auth/oauth.js

@@ -1008,7 +1008,7 @@ function create(opts) {
       throw new OAuthError("auth-oauth/no-id-token", "verifyIdToken: idToken must be a string");
     }
     var parts = idToken.split(".");
-    // CVE-2026-29000 / CVE-2026-22817 / CVE-2026-23993 — mirror
+    // CVE-2026-29000 / CVE-2026-22817 — mirror
     // jwt-external's 5-segment JWE refusal. A 5-segment compact
     // serialization is a JWE (RFC 7516); verifyIdToken is a JWS verifier
     // and a JWE shape reaching here is the confused-deputy class an OP
@@ -1023,7 +1023,7 @@ function create(opts) {
       }); } catch (_e) { /* drop-silent — observability sink */ }
       throw new OAuthError("auth-oauth/jwe-refused",
         "5-segment JWE id_token refused — verifyIdToken only handles JWS " +
-        "(CVE-2026-29000 / CVE-2026-23993 / CVE-2026-22817 / CVE-2026-34950 JWE-bypass class)");
+        "(CVE-2026-29000 / CVE-2026-22817 / CVE-2026-34950 JWE-bypass class)");
     }
     if (parts.length !== 3) {
       throw new OAuthError("auth-oauth/malformed-jwt", "ID token does not have 3 parts");
@@ -1039,13 +1039,14 @@ function create(opts) {
     if (!header || typeof header.alg !== "string") {
       throw new OAuthError("auth-oauth/malformed-jwt", "ID token header missing 'alg'");
     }
-    // CVE-2026-23993 — refuse unknown alg BEFORE any key resolution.
+    // Alg-allowlist gate (CWE-347 / CWE-757) — refuse unknown alg BEFORE
+    // any key resolution.
     // The acceptedAlgorithms list is the operator's posture; an alg
     // outside it never reaches the JWKS lookup or node:crypto.verify.
     if (acceptedAlgorithms.indexOf(header.alg) === -1) {
       throw new OAuthError("auth-oauth/alg-not-accepted",
         "ID token signed with '" + header.alg + "' which is not in the accepted-algorithm list " +
-        "(CVE-2026-23993 — refused before key lookup)");
+        "(alg-allowlist gate — refused before key lookup)");
     }
     // RFC 7515 §4.1.11 — refuse JWS with `crit` header. Every other
     // verifier in the framework (jwt.js, jwt-external.js, dpop.js)

package/lib/auth/oid4vci.js

@@ -108,14 +108,14 @@ function _verifyProofJwt(proofJwt, expectedAud, expectedCNonce, expectedClientId
     throw new AuthError("auth-oid4vci/wrong-proof-typ",
       "credential issuance: proof JWT typ must be \"openid4vci-proof+jwt\" (got \"" + header.typ + "\")");
   }
-  // CVE-2026-23993 — refuse unknown / unsupported alg BEFORE any
-  // verify-side work. The supportedAlgs list is the issuer's posture;
+  // Alg-allowlist gate (CWE-347 / CWE-757) — refuse unknown / unsupported
+  // alg BEFORE any verify-side work. The supportedAlgs list is the issuer's posture;
   // refusing here mirrors the discipline in oauth.verifyIdToken /
   // jwt-external.verifyExternal.
   if (!header.alg || supportedAlgs.indexOf(header.alg) === -1) {
     throw new AuthError("auth-oid4vci/unsupported-proof-alg",
       "credential issuance: proof JWT alg \"" + header.alg + "\" not in issuer-supported set " +
-      "(CVE-2026-23993 — refused before key lookup)");
+      "(alg-allowlist gate — refused before key lookup)");
   }
   // AUTH-5 / RFC 7515 §4.1.11 — refuse non-empty `crit`. Pre-v0.9.x
   // silently ignored, letting an attacker-controlled wallet declare

package/lib/auth/sd-jwt-vc.js

@@ -441,15 +441,15 @@ async function verify(presentation, opts) {
       "verify: malformed JWT header: " + e.message);
   }
   var alg = headerObj.alg;
-  // CVE-2026-23993 — refuse unknown / unsupported alg BEFORE any key
-  // resolution. The shared `_assertAlgKtyMatch` helper repeats this
+  // Alg-allowlist gate (CWE-347 / CWE-757) — refuse unknown / unsupported
+  // alg BEFORE any key resolution. The shared `_assertAlgKtyMatch` helper repeats this
   // check after the issuer key is resolved; doing it here too closes
   // the gap where an issuerKeyResolver with side effects (network
   // fetch, audit emit) would run even when the alg is unsupported.
   if (typeof alg !== "string" || SUPPORTED_ALGS.indexOf(alg) === -1) {
     throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
       "verify: header alg \"" + alg + "\" not in supported set " +
-      "(CVE-2026-23993 — refused before key lookup)");
+      "(alg-allowlist gate — refused before key lookup)");
   }
   // draft-ietf-oauth-sd-jwt-vc §3.1 — typ MUST be `vc+sd-jwt` (or
   // `dc+sd-jwt` for digital-credential profile). Pre-v0.9.x the absent-

package/lib/calendar.js

@@ -354,7 +354,14 @@ function validate(jsCal) {
  *   // → { "@type":"Event", uid:"a@b", updated:"2026-05-21T10:00:00Z", ... }
  */
 function fromIcal(text, opts) {
-  var ast = safeIcal.parse(text, opts || {});
+  // Forward parser options to b.safeIcal.parse. Accept BOTH the
+  // documented nested form (`{ safeIcalOpts: { profile, caps, ... } }`)
+  // AND the historically-working top-level form (`{ profile: "balanced" }`)
+  // so neither caller regresses; the nested form wins on conflict. The
+  // `safeIcalOpts` wrapper key itself is stripped before forwarding.
+  var icalOpts = Object.assign({}, opts || {}, (opts && opts.safeIcalOpts) || {});
+  delete icalOpts.safeIcalOpts;
+  var ast = safeIcal.parse(text, icalOpts);
   var events   = (ast && ast.vcalendar && ast.vcalendar.vevent)   || [];
   var todos    = (ast && ast.vcalendar && ast.vcalendar.vtodo)    || [];
   var journals = (ast && ast.vcalendar && ast.vcalendar.vjournal) || [];

package/lib/circuit-breaker.js

@@ -42,10 +42,11 @@ var retryHelper = require("./retry");
  * with the framework's `create(opts)` vocabulary.
  *
  * The `CIRCUIT_OPEN` error code is a pre-v1 artifact — every other
- * framework error class uses namespaced codes (`retry/...`). The
- * rename is deferred to v0.10 with a deprecation cycle so existing
- * operators who match `err.code === "CIRCUIT_OPEN"` aren't broken
- * in a patch.
+ * framework error class uses namespaced codes (`retry/...`). It is
+ * kept through the pre-1.0 line so existing operators who match
+ * `err.code === "CIRCUIT_OPEN"` aren't broken in a patch; the rename
+ * to a namespaced code lands at v1.0 alongside the namespaced-error
+ * sweep, with a deprecation warning shipping a minor ahead.
  *
  * @opts
  *   name:             string,    // identifier used in audit + state-change events

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.13.9",
+  "version": "0.13.10",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:8b6b1445-7522-46ce-ab72-88ef073536dd",
+  "serialNumber": "urn:uuid:62fe872e-bfa6-4982-9eb9-f37d3f139663",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-27T07:12:04.477Z",
+    "timestamp": "2026-05-27T08:47:25.364Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.13.9",
+      "bom-ref": "@blamejs/core@0.13.10",
       "type": "application",
       "name": "blamejs",
-      "version": "0.13.9",
+      "version": "0.13.10",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.13.9",
+      "purl": "pkg:npm/%40blamejs/core@0.13.10",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.13.9",
+      "ref": "@blamejs/core@0.13.10",
       "dependsOn": []
     }
   ]