npm - @blamejs/core - Versions diffs - 0.14.20 → 0.14.21 - Mend

@blamejs/core 0.14.20 → 0.14.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/CHANGELOG.md +2 -0
package/lib/auth/oid4vci.js +124 -5
package/lib/auth/oid4vp.js +14 -4
package/lib/break-glass.js +1 -2
package/lib/config.js +28 -31
package/lib/dora.js +8 -5
package/lib/dsr.js +2 -2
package/lib/flag-evaluation-context.js +7 -0
package/lib/guard-html-wcag-aria.js +4 -2
package/lib/guard-html-wcag-forms.js +4 -2
package/lib/guard-html-wcag-tables.js +4 -2
package/lib/guard-html-wcag-tagwalk.js +20 -0
package/lib/guard-html-wcag.js +1 -1
package/lib/honeytoken.js +27 -20
package/lib/mail-deploy.js +1 -1
package/lib/mail-send-deliver.js +13 -4
package/lib/middleware/api-encrypt.js +140 -13
package/lib/middleware/asyncapi-serve.js +3 -0
package/lib/middleware/csp-report.js +13 -9
package/lib/middleware/openapi-serve.js +3 -0
package/lib/middleware/scim-server.js +297 -19
package/lib/middleware/security-txt.js +1 -2
package/lib/middleware/trace-log-correlation.js +1 -2
package/lib/network-smtp-policy.js +4 -4
package/lib/object-store/sigv4-bucket-ops.js +11 -2
package/lib/observability-tracer.js +1 -1
package/lib/problem-details.js +56 -11
package/lib/pubsub-cluster.js +16 -3
package/lib/queue-sqs.js +20 -2
package/lib/redis-client.js +32 -4
package/lib/safe-redirect.js +16 -2
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/redis-client.js CHANGED Viewed

@@ -169,11 +169,36 @@ function create(opts) {
   var useTls = opts.tls !== undefined ? !!opts.tls : parsed.tls;
   var password = opts.password !== undefined ? opts.password : parsed.password;
   var username = opts.username !== undefined ? opts.username : parsed.username;
-  var db = opts.db !== undefined ? Number(opts.db) : parsed.db;
-  var connectTimeoutMs = Number(opts.connectTimeoutMs) || 5000;
-  var commandTimeoutMs = Number(opts.commandTimeoutMs) || 10000;
+  // Config-time entry-point opts: a bad type must fail at create() rather
+  // than coerce-or-default silently. connectTimeoutMs:"abc" → NaN would
+  // otherwise fall through to the default; a negative timeout would sail
+  // into setTimeout; maxReconnectAttempts:"abc" → NaN would make the
+  // `>= 0` reconnect-cap check below false and SILENTLY disable the bound
+  // (unbounded reconnects). db and maxReconnectAttempts must allow 0
+  // (db 0 = no SELECT; maxReconnectAttempts 0 = give up immediately).
+  if (opts.db !== undefined &&
+      (typeof opts.db !== "number" || !Number.isInteger(opts.db) || opts.db < 0)) {
+    throw _err("BAD_OPTS",
+      "redis.create: opts.db must be a non-negative integer, got " +
+      (typeof opts.db === "number" ? String(opts.db) : typeof opts.db));
+  }
+  if (opts.maxReconnectAttempts !== undefined &&
+      (typeof opts.maxReconnectAttempts !== "number" ||
+       !Number.isInteger(opts.maxReconnectAttempts) || opts.maxReconnectAttempts < 0)) {
+    throw _err("BAD_OPTS",
+      "redis.create: opts.maxReconnectAttempts must be a non-negative integer, got " +
+      (typeof opts.maxReconnectAttempts === "number"
+        ? String(opts.maxReconnectAttempts) : typeof opts.maxReconnectAttempts));
+  }
+  validateOpts.optionalPositiveInt(opts.connectTimeoutMs,
+    "redis.create: opts.connectTimeoutMs", RedisError, "BAD_OPTS");
+  validateOpts.optionalPositiveInt(opts.commandTimeoutMs,
+    "redis.create: opts.commandTimeoutMs", RedisError, "BAD_OPTS");
+  var db = opts.db !== undefined ? opts.db : parsed.db;
+  var connectTimeoutMs = opts.connectTimeoutMs !== undefined ? opts.connectTimeoutMs : 5000;
+  var commandTimeoutMs = opts.commandTimeoutMs !== undefined ? opts.commandTimeoutMs : 10000;
   var maxReconnectAttempts = opts.maxReconnectAttempts === undefined ? 10
-                                                                    : Number(opts.maxReconnectAttempts);
+                                                                    : opts.maxReconnectAttempts;
   // TLS verification controls. Operators using rediss:// against private
   // CAs (managed Redis services, on-prem clusters with internal PKI)
   // pin the trust roots via opts.ca; rejectUnauthorized stays on by
@@ -470,6 +495,9 @@ function create(opts) {
         pending:   pending.length, backlog: backlog.length,
         reconnect: reconnectAttempt,
         host:      host, port: port, db: db, tls: useTls,
+        connectTimeoutMs:     connectTimeoutMs,
+        commandTimeoutMs:     commandTimeoutMs,
+        maxReconnectAttempts: maxReconnectAttempts,
       };
     },
   };

package/lib/safe-redirect.js CHANGED Viewed

@@ -76,8 +76,21 @@ function resolve(rawTarget, opts) {
   // Full URL — parse and check against allowlist.
   var allowedOrigins = Array.isArray(opts.allowedOrigins) ? opts.allowedOrigins : null;
   var allowedHosts   = Array.isArray(opts.allowedHosts)   ? opts.allowedHosts   : null;
-  if (!allowedOrigins && !allowedHosts) {
-    // Operator gave no allowlist — refuse all full URLs (the safe default).
+  // The application's own origin (opts.base) is same-origin by
+  // definition, so a full URL pointing at it is safe even when the
+  // operator supplied no explicit allowedOrigins / allowedHosts. Derive
+  // the origin from base and treat it as an implicitly-allowed origin.
+  var baseOrigin = null;
+  if (typeof opts.base === "string" && opts.base.length > 0) {
+    try {
+      baseOrigin = safeUrl.parse(opts.base, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }).origin;
+    } catch (_e) { baseOrigin = null; }
+  }
+  if (!allowedOrigins && !allowedHosts && baseOrigin === null) {
+    // Operator gave no allowlist and no usable base — refuse all full
+    // URLs (the safe default).
     return fallback;
   }
@@ -85,6 +98,7 @@ function resolve(rawTarget, opts) {
   try { parsed = safeUrl.parse(rawTarget, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }); }
   catch (_e) { return fallback; }
+  if (baseOrigin !== null && parsed.origin === baseOrigin) return rawTarget;
   if (allowedOrigins) {
     for (var i = 0; i < allowedOrigins.length; i += 1) {
       if (parsed.origin === allowedOrigins[i]) return rawTarget;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.20",
+  "version": "0.14.21",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:e7a00583-46e2-4fd3-a1bf-9cc0789bed7f",
+  "serialNumber": "urn:uuid:37cb0e0e-7cba-440b-89c3-febfeb9f7eef",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-02T23:52:58.690Z",
+    "timestamp": "2026-06-05T04:48:42.555Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.20",
+      "bom-ref": "@blamejs/core@0.14.21",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.20",
+      "version": "0.14.21",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.20",
+      "purl": "pkg:npm/%40blamejs/core@0.14.21",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.20",
+      "ref": "@blamejs/core@0.14.21",
       "dependsOn": []
     }
   ]