@blamejs/core 0.14.2 → 0.14.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/CHANGELOG.md +2 -0
  2. package/lib/graphql-federation.js +1 -1
  3. package/lib/mcp.js +1 -1
  4. package/package.json +1 -1
  5. package/sbom.cdx.json +6 -6
package/CHANGELOG.md CHANGED
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
8
8
 
9
9
  ## v0.14.x
10
10
 
11
+ - v0.14.3 (2026-05-30) — **A codebase check now ensures every lint-suppression marker names a real check, so a typo can't silently disable a guard.** Source files suppress an individual lint with an `// allow:<class>` comment. If the class is mistyped or stale, the comment suppresses nothing — the check it names does not exist — so the issue it was meant to explain ships unflagged. A new codebase check now verifies every `// allow:<class>` marker names a registered check class and fails if it does not, with the full set of valid classes maintained as an explicit registry. Two markers that named a non-kebab class were corrected as part of this. No runtime, API, or wire-format changes. **Detectors:** *Lint-suppression markers must name a registered check* — A new check flags any `// allow:<class>` suppression comment whose class is not one of the registered check classes — catching typos and stale markers (for example a marker that named a check which was later renamed) that would otherwise silently disable the guard they appear to explain. The valid classes are kept as an explicit registry, so adding a check with a new allow-class is a one-line registration. Source-comment hygiene only — no change to any exported API, error code, wire format, or runtime behavior.
12
+
11
13
  - v0.14.2 (2026-05-29) — **Internal lint hygiene: the byte-literal check now flags only genuine byte-scale arithmetic, with no API or behavior changes.** A no-behavior-change cleanup of the source tree's internal lint markers. The byte-literal lint previously flagged every integer that was a multiple of 8 — which is most numbers — so the source carried a large number of suppression comments on values that were not byte sizes at all (status codes, counts, lengths, radixes, opcodes). The lint now flags only 1024-scale byte arithmetic (the case the C.BYTES.kib/mib/gib helpers exist to replace), and the now-unnecessary suppression comments have been removed while keeping their explanatory text. Several lint-suppression markers that named a check that does not exist were also corrected. None of this changes any API, wire format, or runtime behavior. **Changed:** *Source-tree lint markers cleaned up* — The internal byte-literal lint was tightened to flag only genuine byte-scale (`* 1024`) arithmetic, and the suppression comments it previously required on non-byte integers were removed (their explanatory text is retained as plain comments). A handful of suppression markers that referenced a non-existent check were pointed at the correct one or removed. This is source-comment hygiene only — there is no change to any exported API, error code, wire format, or runtime behavior.
12
14
 
13
15
  - v0.14.1 (2026-05-29) — **Correctness fixes: JAR request-object typ enforcement, byte-faithful PGP multipart/signed, and SAML InResponseTo binding.** A set of correctness fixes across the auth, mail-crypto, TLS, and encoder surfaces. The most important: JWT-secured authorization requests (RFC 9101) now require the request object to carry the registered `oauth-authz-req+jwt` typ, closing a cross-JWT-confusion vector; the PGP multipart/signed wrapper is now assembled byte-faithfully so non-ASCII signed content can't be corrupted; and SAML response verification now returns the InResponseTo of the SubjectConfirmation that actually validated. Two of these change behavior — see Changed — and are bug fixes rather than new features. **Changed:** *JAR parsing rejects untyped request objects (breaking)* — Following the typ enforcement above, a request object whose header omits `typ` is now refused. An authorization server whose clients sign request objects without the `oauth-authz-req+jwt` typ must update those clients to set it. · *PGP sign() returns multipartSigned as a Buffer (breaking)* — `b.mail.crypto.pgp.sign(...).multipartSigned` is now a Buffer instead of a string. The OpenPGP signature covers the signed-part bytes exactly, and a JS-string round trip through latin1/utf8 could corrupt non-ASCII signed content and break verification, so the RFC 3156 multipart/signed wrapper is now assembled as bytes. Code that wrote the previous string to the wire works unchanged when it writes the Buffer; code that did string operations on the value should treat it as a Buffer (its `indexOf` / `toString` still work). **Fixed:** *SAML response verification binds InResponseTo to the validated confirmation* — `verifyResponse` returned the InResponseTo of the first SubjectConfirmationData in the assertion rather than of the SubjectConfirmation that actually passed bearer validation. When a response carried more than one SubjectConfirmation, the returned value could come from a non-validated confirmation. It is now the InResponseTo of the confirmation that validated. · *checkServerIdentity9525 emits the documented CN-fallback audit code* — A CN-only legacy certificate (a Common Name present, no subjectAltName) is now refused by the exported `b.network.tls.checkServerIdentity9525` with the distinct `tls/pkix-cn-fallback-refused` code its documentation promised, so audit logs can tell a CN-only certificate apart from one carrying neither a SAN nor a CN (which still yields `tls/pkix-san-required`). The accept/refuse outcome is unchanged — both are refused; only the audit granularity improved. · *OIDC back-channel logout / JARM no longer accept dead override parameters* — `verifyBackchannelLogoutToken` and `parseJarmResponse` passed `acceptedAlgs` / `jwksUri` / `maxClockSkewMs` through to the ID-token verifier, which ignored them and applied the configured (create()-time) values. The pass-throughs are removed so the code no longer reads as if those can be overridden per call; the configured trust anchor was — and remains — what applies. · *Queue lease failures are logged* — The consumer loop's lease-acquisition error path swallowed the backend error silently; it now logs at debug so a flapping backend that has not yet tripped the circuit breaker is visible. · *Protobuf and ASN.1 encoders reject out-of-range tags* — The protobuf tag encoder rejected nothing and would have emitted a wrong tag for field numbers at or above 2^28 (where the 32-bit shift overflows); the ASN.1 context-tag writers silently truncated tag numbers above 30 (which require the multi-byte high-tag-number form). Both now throw a RangeError rather than encode silently-wrong output. The values these encoders serve are well within range, so no current caller is affected. · *oid4vci proofAlgorithms default documented accurately* — The documented default proof-algorithm list now matches the code (`["ES256", "ES384", "EdDSA"]`); the doc previously omitted EdDSA, which the runtime has always accepted by default. **Security:** *JAR request objects must carry the registered typ (RFC 9101)* — `b.auth.jar.parse` now requires the request-object JWS header to carry `typ: "oauth-authz-req+jwt"` (with or without the `application/` prefix); a request object with an absent or different typ is refused with `auth-jar/bad-typ`. RFC 9101 §10.8 specifies this media type precisely to stop a JWT minted for another purpose (an ID token, an access token, a logout token) and signed by the same client key from being replayed as a request object. The existing `iss` / `aud` / `client_id` bindings already constrained that; this restores the explicit type check as well. This is stricter than before — see Changed.
package/lib/graphql-federation.js CHANGED
@@ -175,7 +175,7 @@ function guardSdl(opts) {
175
175
  return _readBody(req, errorClass).then(function (rawBody) {
176
176
  var query = null;
177
177
  try {
178
- var parsed = typeof rawBody === "string" ? safeJson.parse(rawBody, { maxBytes: C.BYTES.mib(1) }) : rawBody; // allow:JSON.parse — routed via safeJson.parse
178
+ var parsed = typeof rawBody === "string" ? safeJson.parse(rawBody, { maxBytes: C.BYTES.mib(1) }) : rawBody; // routed via safeJson.parse
179
179
  query = parsed && typeof parsed === "object" ? parsed.query : null;
180
180
  } catch (_e) { /* not JSON; pass through */ }
181
181
  if (req.body === undefined) req.body = rawBody;
package/lib/mcp.js CHANGED
@@ -79,7 +79,7 @@ function parseRequest(body, opts) {
79
79
  var errorClass = opts.errorClass || McpError;
80
80
  var parsed;
81
81
  try {
82
- parsed = typeof body === "string" ? safeJson.parse(body, { maxBytes: C.BYTES.mib(1) }) : body; // allow:JSON.parse — routed via safeJson.parse
82
+ parsed = typeof body === "string" ? safeJson.parse(body, { maxBytes: C.BYTES.mib(1) }) : body; // routed via safeJson.parse
83
83
  } catch (_e) {
84
84
  throw errorClass.factory("mcp/bad-json",
85
85
  "mcp.parseRequest: body is not valid JSON");
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@blamejs/core",
3
- "version": "0.14.2",
3
+ "version": "0.14.3",
4
4
  "description": "The Node framework that owns its stack.",
5
5
  "license": "Apache-2.0",
6
6
  "author": "blamejs contributors",
package/sbom.cdx.json CHANGED
@@ -2,10 +2,10 @@
2
2
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
3
3
  "bomFormat": "CycloneDX",
4
4
  "specVersion": "1.5",
5
- "serialNumber": "urn:uuid:95f2c7cc-00a1-4b32-bc6e-c58843b25ec2",
5
+ "serialNumber": "urn:uuid:bfe58661-57c7-4e95-87a0-d0a82ae37a6b",
6
6
  "version": 1,
7
7
  "metadata": {
8
- "timestamp": "2026-05-30T07:09:18.952Z",
8
+ "timestamp": "2026-05-30T08:21:39.433Z",
9
9
  "lifecycles": [
10
10
  {
11
11
  "phase": "build"
@@ -19,14 +19,14 @@
19
19
  }
20
20
  ],
21
21
  "component": {
22
- "bom-ref": "@blamejs/core@0.14.2",
22
+ "bom-ref": "@blamejs/core@0.14.3",
23
23
  "type": "application",
24
24
  "name": "blamejs",
25
- "version": "0.14.2",
25
+ "version": "0.14.3",
26
26
  "scope": "required",
27
27
  "author": "blamejs contributors",
28
28
  "description": "The Node framework that owns its stack.",
29
- "purl": "pkg:npm/%40blamejs/core@0.14.2",
29
+ "purl": "pkg:npm/%40blamejs/core@0.14.3",
30
30
  "properties": [],
31
31
  "externalReferences": [
32
32
  {
@@ -54,7 +54,7 @@
54
54
  "components": [],
55
55
  "dependencies": [
56
56
  {
57
- "ref": "@blamejs/core@0.14.2",
57
+ "ref": "@blamejs/core@0.14.3",
58
58
  "dependsOn": []
59
59
  }
60
60
  ]