@blamejs/core 0.14.19 → 0.14.21

package/lib/problem-details.js

@@ -132,19 +132,28 @@ function getBase() {
  *   - `status` (recommended) must be an integer 100..599.
  *   - `detail` (optional) must be a string when given.
  *   - `instance` (optional) must be a URI reference string when given.
- *   - Extensions: every additional key whose name is NOT in
+ *   - Extensions: every additional top-level key whose name is NOT in
  *     `RESERVED_FIELDS` is preserved at the top level. Reserved-name
- *     collisions throw `problem-details/reserved-extension`.
+ *     collisions throw `problem-details/reserved-extension`;
+ *     prototype-pollution-shaped top-level keys throw the same.
+ *   - `extensions`: a plain object whose keys are spread as top-level
+ *     sibling members (RFC 9457 §3.2) — the literal `extensions`
+ *     member is never emitted. Keys colliding with `RESERVED_FIELDS`
+ *     are ignored (reserved fields can't be overridden by an
+ *     extension); prototype-pollution-shaped keys are dropped
+ *     silently. When the same name appears both as a direct top-level
+ *     key and inside `extensions`, the direct top-level key wins.
  *
  * Returns a frozen plain object suitable for `JSON.stringify`.
  *
  * @opts
- *   type:     string,   // problem-type URI reference (default "about:blank")
- *   title:    string,   // short summary
- *   status:   number,   // integer 100..599
- *   detail:   string,   // human-readable explanation
- *   instance: string,   // URI reference for this specific occurrence
- *   ...extensions       // additional fields preserved as-is
+ *   type:       string,   // problem-type URI reference (default "about:blank")
+ *   title:      string,   // short summary
+ *   status:     number,   // integer 100..599
+ *   detail:     string,   // human-readable explanation
+ *   instance:   string,   // URI reference for this specific occurrence
+ *   extensions: object,   // keys spread as top-level siblings (§3.2); direct top-level key wins on collision
+ *   ...extensions         // additional top-level keys preserved as-is
  *
  * @example
  *   var p = b.problemDetails.create({
@@ -213,15 +222,44 @@ function create(opts) {
 
   // Extensions — every additional key. §3.2 endorses sibling
   // extensions as long as their names don't collide with reserved.
+  // The `extensions` key itself is NOT emitted as a literal nested
+  // member: a plain-object value is spread so each of its keys lands
+  // as a top-level sibling, subject to the same reserved / poisoned
+  // guards as direct top-level keys. A direct top-level extension key
+  // wins over the same name nested under `extensions`.
   var keys = Object.keys(opts);
-  for (var i = 0; i < keys.length; i += 1) {
-    var k = keys[i];
+  var directKeys = Object.create(null);
+  var i, k;
+  for (i = 0; i < keys.length; i += 1) {
+    k = keys[i];
+    if (k === "extensions") continue;
     if (RESERVED_FIELDS.indexOf(k) !== -1) continue;
     if (POISONED_KEYS.indexOf(k) !== -1) {
       throw new ProblemDetailsError("problem-details/reserved-extension",
         "create: extension key '" + k + "' refused (prototype-pollution shape)", true);
     }
     out[k] = opts[k];
+    directKeys[k] = true;
+  }
+
+  // Spread `extensions` (RFC 9457 §3.2 sibling members). Reserved
+  // names can't be overridden by an extension key; poisoned keys are
+  // dropped silently (an inbound extension map is a less-trusted shape
+  // than a hand-authored top-level key — a direct poisoned key still
+  // throws). A direct top-level key already present wins.
+  if (opts.extensions !== undefined && opts.extensions !== null) {
+    if (typeof opts.extensions !== "object" || Array.isArray(opts.extensions)) {
+      throw new ProblemDetailsError("problem-details/bad-extensions",
+        "create: extensions must be a plain object when provided", true);
+    }
+    var extKeys = Object.keys(opts.extensions);
+    for (i = 0; i < extKeys.length; i += 1) {
+      k = extKeys[i];
+      if (RESERVED_FIELDS.indexOf(k) !== -1) continue;
+      if (POISONED_KEYS.indexOf(k) !== -1) continue;
+      if (directKeys[k]) continue;
+      out[k] = opts.extensions[k];
+    }
   }
 
   return Object.freeze(out);
@@ -386,13 +424,20 @@ function respond(res, problem, req) {
  * `Cache-Control: no-store` are written; status code defaults to
  * 500 when omitted.
  *
+ * `extensions` keys are spread as top-level sibling members (RFC 9457
+ * §3.2) via `create` — the literal `extensions` member is never
+ * emitted. Keys colliding with the reserved `type` / `title` /
+ * `status` / `detail` / `instance` are ignored; prototype-pollution-
+ * shaped keys are dropped. A direct top-level key wins over the same
+ * name nested under `extensions`.
+ *
  * @opts
  *   status:    number,           // HTTP status code (100..599); default 500
  *   title:     string,           // operator-supplied short title
  *   detail:    string,           // operator-supplied human-readable explanation
  *   type:      string,           // problem-type URI (defaults to "about:blank")
  *   instance:  string,           // optional per-occurrence URI
- *   extensions: object,          // operator-specific extension fields
+ *   extensions: object,          // keys spread as top-level siblings (§3.2); direct top-level key wins on collision
  *
  * @example
  *   // Migrating from inline JSON-error shape:

package/lib/pubsub-cluster.js

@@ -24,18 +24,31 @@
 var clusterStorage = require("./cluster-storage");
 var C = require("./constants");
 var lazyRequire = require("./lazy-require");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
 
 var logger = lazyRequire(function () { return require("./log").boot("pubsub-cluster"); });
 
+var PubsubError = defineClass("PubsubError");
+
 var DEFAULT_POLL_INTERVAL_MS = 100;
 var DEFAULT_RETENTION_MS     = C.TIME.minutes(1);
 var DEFAULT_PRUNE_EVERY_MS   = C.TIME.minutes(5);
 
 function create(opts) {
   var clusterInstance = opts.cluster;
-  var pollIntervalMs = Number(opts.pollIntervalMs) || DEFAULT_POLL_INTERVAL_MS;
-  var retentionMs    = Number(opts.retentionMs)    || DEFAULT_RETENTION_MS;
-  var pruneEveryMs   = Number(opts.pruneEveryMs)   || DEFAULT_PRUNE_EVERY_MS;
+  // Config-time: a typo (NaN-coercing string / negative / fractional) must
+  // surface at create, not silently fall back to the default and ship a
+  // mis-tuned poll loop. THROW on present-but-bad; absent keeps the default.
+  validateOpts.optionalPositiveInt(opts.pollIntervalMs,
+    "pubsub: pollIntervalMs", PubsubError, "BAD_OPT");
+  validateOpts.optionalPositiveInt(opts.retentionMs,
+    "pubsub: retentionMs", PubsubError, "BAD_OPT");
+  validateOpts.optionalPositiveInt(opts.pruneEveryMs,
+    "pubsub: pruneEveryMs", PubsubError, "BAD_OPT");
+  var pollIntervalMs = opts.pollIntervalMs !== undefined ? opts.pollIntervalMs : DEFAULT_POLL_INTERVAL_MS;
+  var retentionMs    = opts.retentionMs    !== undefined ? opts.retentionMs    : DEFAULT_RETENTION_MS;
+  var pruneEveryMs   = opts.pruneEveryMs   !== undefined ? opts.pruneEveryMs   : DEFAULT_PRUNE_EVERY_MS;
 
   var lastSeenId  = 0;
   var primed      = false;

package/lib/queue-sqs.js

@@ -50,6 +50,7 @@ var httpClient = require("./http-client");
 var cryptoField = require("./crypto-field");
 var safeJson = require("./safe-json");
 var safeUrl = require("./safe-url");
+var validateOpts = require("./validate-opts");
 var { generateToken } = require("./crypto");
 var { QueueError } = require("./framework-error");
 
@@ -102,8 +103,25 @@ function create(opts) {
   var accountId       = opts.accountId ? String(opts.accountId) : null;
   var timeoutMs       = opts.timeoutMs;
   var allowInternal   = opts.allowInternal != null ? opts.allowInternal : null;
-  var visibilityTimeoutSec = Number(opts.visibilityTimeoutSec) || DEFAULT_VISIBILITY_TIMEOUT_SEC;
-  var waitTimeSec     = Number(opts.waitTimeSec) || DEFAULT_WAIT_TIME_SEC;
+  // Config-time: a typo (NaN-coercing string / negative / fractional)
+  // must surface at create, not silently fall back to the default and ship
+  // a mis-tuned lease loop. THROW on present-but-bad; absent keeps default.
+  validateOpts.optionalPositiveInt(opts.visibilityTimeoutSec,
+    "queue-sqs: visibilityTimeoutSec", QueueError, "INVALID_CONFIG");
+  // waitTimeSec=0 is the valid SQS short-poll sentinel (the default), so a
+  // positive-int check would wrongly reject it — allow non-negative integers.
+  if (opts.waitTimeSec !== undefined &&
+      (typeof opts.waitTimeSec !== "number" || !isFinite(opts.waitTimeSec) ||
+       opts.waitTimeSec < 0 || Math.floor(opts.waitTimeSec) !== opts.waitTimeSec)) {
+    throw _err("INVALID_CONFIG",
+      "queue-sqs: waitTimeSec must be a non-negative integer (0 = short-poll), got " +
+      (typeof opts.waitTimeSec === "number" ? String(opts.waitTimeSec) : typeof opts.waitTimeSec),
+      true);
+  }
+  var visibilityTimeoutSec = opts.visibilityTimeoutSec !== undefined
+    ? opts.visibilityTimeoutSec : DEFAULT_VISIBILITY_TIMEOUT_SEC;
+  var waitTimeSec = opts.waitTimeSec !== undefined
+    ? opts.waitTimeSec : DEFAULT_WAIT_TIME_SEC;
 
   var queueUrlResolver = typeof opts.queueUrlByName === "function"
     ? opts.queueUrlByName

package/lib/redis-client.js

@@ -169,11 +169,36 @@ function create(opts) {
   var useTls = opts.tls !== undefined ? !!opts.tls : parsed.tls;
   var password = opts.password !== undefined ? opts.password : parsed.password;
   var username = opts.username !== undefined ? opts.username : parsed.username;
-  var db = opts.db !== undefined ? Number(opts.db) : parsed.db;
-  var connectTimeoutMs = Number(opts.connectTimeoutMs) || 5000;
-  var commandTimeoutMs = Number(opts.commandTimeoutMs) || 10000;
+  // Config-time entry-point opts: a bad type must fail at create() rather
+  // than coerce-or-default silently. connectTimeoutMs:"abc" → NaN would
+  // otherwise fall through to the default; a negative timeout would sail
+  // into setTimeout; maxReconnectAttempts:"abc" → NaN would make the
+  // `>= 0` reconnect-cap check below false and SILENTLY disable the bound
+  // (unbounded reconnects). db and maxReconnectAttempts must allow 0
+  // (db 0 = no SELECT; maxReconnectAttempts 0 = give up immediately).
+  if (opts.db !== undefined &&
+      (typeof opts.db !== "number" || !Number.isInteger(opts.db) || opts.db < 0)) {
+    throw _err("BAD_OPTS",
+      "redis.create: opts.db must be a non-negative integer, got " +
+      (typeof opts.db === "number" ? String(opts.db) : typeof opts.db));
+  }
+  if (opts.maxReconnectAttempts !== undefined &&
+      (typeof opts.maxReconnectAttempts !== "number" ||
+       !Number.isInteger(opts.maxReconnectAttempts) || opts.maxReconnectAttempts < 0)) {
+    throw _err("BAD_OPTS",
+      "redis.create: opts.maxReconnectAttempts must be a non-negative integer, got " +
+      (typeof opts.maxReconnectAttempts === "number"
+        ? String(opts.maxReconnectAttempts) : typeof opts.maxReconnectAttempts));
+  }
+  validateOpts.optionalPositiveInt(opts.connectTimeoutMs,
+    "redis.create: opts.connectTimeoutMs", RedisError, "BAD_OPTS");
+  validateOpts.optionalPositiveInt(opts.commandTimeoutMs,
+    "redis.create: opts.commandTimeoutMs", RedisError, "BAD_OPTS");
+  var db = opts.db !== undefined ? opts.db : parsed.db;
+  var connectTimeoutMs = opts.connectTimeoutMs !== undefined ? opts.connectTimeoutMs : 5000;
+  var commandTimeoutMs = opts.commandTimeoutMs !== undefined ? opts.commandTimeoutMs : 10000;
   var maxReconnectAttempts = opts.maxReconnectAttempts === undefined ? 10
-                                                                    : Number(opts.maxReconnectAttempts);
+                                                                    : opts.maxReconnectAttempts;
   // TLS verification controls. Operators using rediss:// against private
   // CAs (managed Redis services, on-prem clusters with internal PKI)
   // pin the trust roots via opts.ca; rejectUnauthorized stays on by
@@ -470,6 +495,9 @@ function create(opts) {
         pending:   pending.length, backlog: backlog.length,
         reconnect: reconnectAttempt,
         host:      host, port: port, db: db, tls: useTls,
+        connectTimeoutMs:     connectTimeoutMs,
+        commandTimeoutMs:     commandTimeoutMs,
+        maxReconnectAttempts: maxReconnectAttempts,
       };
     },
   };

package/lib/safe-redirect.js

@@ -76,8 +76,21 @@ function resolve(rawTarget, opts) {
   // Full URL — parse and check against allowlist.
   var allowedOrigins = Array.isArray(opts.allowedOrigins) ? opts.allowedOrigins : null;
   var allowedHosts   = Array.isArray(opts.allowedHosts)   ? opts.allowedHosts   : null;
-  if (!allowedOrigins && !allowedHosts) {
-    // Operator gave no allowlist — refuse all full URLs (the safe default).
+
+  // The application's own origin (opts.base) is same-origin by
+  // definition, so a full URL pointing at it is safe even when the
+  // operator supplied no explicit allowedOrigins / allowedHosts. Derive
+  // the origin from base and treat it as an implicitly-allowed origin.
+  var baseOrigin = null;
+  if (typeof opts.base === "string" && opts.base.length > 0) {
+    try {
+      baseOrigin = safeUrl.parse(opts.base, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }).origin;
+    } catch (_e) { baseOrigin = null; }
+  }
+
+  if (!allowedOrigins && !allowedHosts && baseOrigin === null) {
+    // Operator gave no allowlist and no usable base — refuse all full
+    // URLs (the safe default).
     return fallback;
   }
 
@@ -85,6 +98,7 @@ function resolve(rawTarget, opts) {
   try { parsed = safeUrl.parse(rawTarget, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }); }
   catch (_e) { return fallback; }
 
+  if (baseOrigin !== null && parsed.origin === baseOrigin) return rawTarget;
   if (allowedOrigins) {
     for (var i = 0; i < allowedOrigins.length; i += 1) {
       if (parsed.origin === allowedOrigins[i]) return rawTarget;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.19",
+  "version": "0.14.21",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:c7c9f488-0e96-4295-af9d-359b64bbfce6",
+  "serialNumber": "urn:uuid:37cb0e0e-7cba-440b-89c3-febfeb9f7eef",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-02T19:28:34.781Z",
+    "timestamp": "2026-06-05T04:48:42.555Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.19",
+      "bom-ref": "@blamejs/core@0.14.21",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.19",
+      "version": "0.14.21",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.19",
+      "purl": "pkg:npm/%40blamejs/core@0.14.21",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.19",
+      "ref": "@blamejs/core@0.14.21",
       "dependsOn": []
     }
   ]