@blamejs/core 0.14.20 → 0.14.22

package/lib/queue-sqs.js

@@ -50,6 +50,7 @@ var httpClient = require("./http-client");
 var cryptoField = require("./crypto-field");
 var safeJson = require("./safe-json");
 var safeUrl = require("./safe-url");
+var validateOpts = require("./validate-opts");
 var { generateToken } = require("./crypto");
 var { QueueError } = require("./framework-error");
 
@@ -102,8 +103,25 @@ function create(opts) {
   var accountId       = opts.accountId ? String(opts.accountId) : null;
   var timeoutMs       = opts.timeoutMs;
   var allowInternal   = opts.allowInternal != null ? opts.allowInternal : null;
-  var visibilityTimeoutSec = Number(opts.visibilityTimeoutSec) || DEFAULT_VISIBILITY_TIMEOUT_SEC;
-  var waitTimeSec     = Number(opts.waitTimeSec) || DEFAULT_WAIT_TIME_SEC;
+  // Config-time: a typo (NaN-coercing string / negative / fractional)
+  // must surface at create, not silently fall back to the default and ship
+  // a mis-tuned lease loop. THROW on present-but-bad; absent keeps default.
+  validateOpts.optionalPositiveInt(opts.visibilityTimeoutSec,
+    "queue-sqs: visibilityTimeoutSec", QueueError, "INVALID_CONFIG");
+  // waitTimeSec=0 is the valid SQS short-poll sentinel (the default), so a
+  // positive-int check would wrongly reject it — allow non-negative integers.
+  if (opts.waitTimeSec !== undefined &&
+      (typeof opts.waitTimeSec !== "number" || !isFinite(opts.waitTimeSec) ||
+       opts.waitTimeSec < 0 || Math.floor(opts.waitTimeSec) !== opts.waitTimeSec)) {
+    throw _err("INVALID_CONFIG",
+      "queue-sqs: waitTimeSec must be a non-negative integer (0 = short-poll), got " +
+      (typeof opts.waitTimeSec === "number" ? String(opts.waitTimeSec) : typeof opts.waitTimeSec),
+      true);
+  }
+  var visibilityTimeoutSec = opts.visibilityTimeoutSec !== undefined
+    ? opts.visibilityTimeoutSec : DEFAULT_VISIBILITY_TIMEOUT_SEC;
+  var waitTimeSec = opts.waitTimeSec !== undefined
+    ? opts.waitTimeSec : DEFAULT_WAIT_TIME_SEC;
 
   var queueUrlResolver = typeof opts.queueUrlByName === "function"
     ? opts.queueUrlByName

package/lib/redis-client.js

@@ -169,11 +169,36 @@ function create(opts) {
   var useTls = opts.tls !== undefined ? !!opts.tls : parsed.tls;
   var password = opts.password !== undefined ? opts.password : parsed.password;
   var username = opts.username !== undefined ? opts.username : parsed.username;
-  var db = opts.db !== undefined ? Number(opts.db) : parsed.db;
-  var connectTimeoutMs = Number(opts.connectTimeoutMs) || 5000;
-  var commandTimeoutMs = Number(opts.commandTimeoutMs) || 10000;
+  // Config-time entry-point opts: a bad type must fail at create() rather
+  // than coerce-or-default silently. connectTimeoutMs:"abc" → NaN would
+  // otherwise fall through to the default; a negative timeout would sail
+  // into setTimeout; maxReconnectAttempts:"abc" → NaN would make the
+  // `>= 0` reconnect-cap check below false and SILENTLY disable the bound
+  // (unbounded reconnects). db and maxReconnectAttempts must allow 0
+  // (db 0 = no SELECT; maxReconnectAttempts 0 = give up immediately).
+  if (opts.db !== undefined &&
+      (typeof opts.db !== "number" || !Number.isInteger(opts.db) || opts.db < 0)) {
+    throw _err("BAD_OPTS",
+      "redis.create: opts.db must be a non-negative integer, got " +
+      (typeof opts.db === "number" ? String(opts.db) : typeof opts.db));
+  }
+  if (opts.maxReconnectAttempts !== undefined &&
+      (typeof opts.maxReconnectAttempts !== "number" ||
+       !Number.isInteger(opts.maxReconnectAttempts) || opts.maxReconnectAttempts < 0)) {
+    throw _err("BAD_OPTS",
+      "redis.create: opts.maxReconnectAttempts must be a non-negative integer, got " +
+      (typeof opts.maxReconnectAttempts === "number"
+        ? String(opts.maxReconnectAttempts) : typeof opts.maxReconnectAttempts));
+  }
+  validateOpts.optionalPositiveInt(opts.connectTimeoutMs,
+    "redis.create: opts.connectTimeoutMs", RedisError, "BAD_OPTS");
+  validateOpts.optionalPositiveInt(opts.commandTimeoutMs,
+    "redis.create: opts.commandTimeoutMs", RedisError, "BAD_OPTS");
+  var db = opts.db !== undefined ? opts.db : parsed.db;
+  var connectTimeoutMs = opts.connectTimeoutMs !== undefined ? opts.connectTimeoutMs : 5000;
+  var commandTimeoutMs = opts.commandTimeoutMs !== undefined ? opts.commandTimeoutMs : 10000;
   var maxReconnectAttempts = opts.maxReconnectAttempts === undefined ? 10
-                                                                    : Number(opts.maxReconnectAttempts);
+                                                                    : opts.maxReconnectAttempts;
   // TLS verification controls. Operators using rediss:// against private
   // CAs (managed Redis services, on-prem clusters with internal PKI)
   // pin the trust roots via opts.ca; rejectUnauthorized stays on by
@@ -470,6 +495,9 @@ function create(opts) {
         pending:   pending.length, backlog: backlog.length,
         reconnect: reconnectAttempt,
         host:      host, port: port, db: db, tls: useTls,
+        connectTimeoutMs:     connectTimeoutMs,
+        commandTimeoutMs:     commandTimeoutMs,
+        maxReconnectAttempts: maxReconnectAttempts,
       };
     },
   };

package/lib/safe-redirect.js

@@ -76,8 +76,21 @@ function resolve(rawTarget, opts) {
   // Full URL — parse and check against allowlist.
   var allowedOrigins = Array.isArray(opts.allowedOrigins) ? opts.allowedOrigins : null;
   var allowedHosts   = Array.isArray(opts.allowedHosts)   ? opts.allowedHosts   : null;
-  if (!allowedOrigins && !allowedHosts) {
-    // Operator gave no allowlist — refuse all full URLs (the safe default).
+
+  // The application's own origin (opts.base) is same-origin by
+  // definition, so a full URL pointing at it is safe even when the
+  // operator supplied no explicit allowedOrigins / allowedHosts. Derive
+  // the origin from base and treat it as an implicitly-allowed origin.
+  var baseOrigin = null;
+  if (typeof opts.base === "string" && opts.base.length > 0) {
+    try {
+      baseOrigin = safeUrl.parse(opts.base, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }).origin;
+    } catch (_e) { baseOrigin = null; }
+  }
+
+  if (!allowedOrigins && !allowedHosts && baseOrigin === null) {
+    // Operator gave no allowlist and no usable base — refuse all full
+    // URLs (the safe default).
     return fallback;
   }
 
@@ -85,6 +98,7 @@ function resolve(rawTarget, opts) {
   try { parsed = safeUrl.parse(rawTarget, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS }); }
   catch (_e) { return fallback; }
 
+  if (baseOrigin !== null && parsed.origin === baseOrigin) return rawTarget;
   if (allowedOrigins) {
     for (var i = 0; i < allowedOrigins.length; i += 1) {
       if (parsed.origin === allowedOrigins[i]) return rawTarget;

package/lib/validate-opts.js

@@ -393,6 +393,39 @@ function makeNamespacedEmitters(prefix, deps) {
   return { audit: audit, metric: metric };
 }
 
+// assignOwnEnumerable — copy a source object's own enumerable keys onto a
+// target, skipping the prototype-pollution sentinels (__proto__ /
+// constructor / prototype) and any caller-named reserved keys. Several
+// primitives that merge operator-supplied free-form fields onto a
+// spec-built object (JOSE claim sets, JWS protected headers, attestation
+// extra-claims) previously open-coded the identical
+// `for (k of Object.keys(src)) { if (sentinel) continue; if (reserved)
+// continue; dst[k] = src[k]; }` loop. Centralizing the proto-safe walk
+// keeps the merge contract in one place. Reserved keys win — they are NOT
+// overwritten — so the caller's spec-built fields can never be shadowed by
+// a same-named operator key. Returns the target.
+function assignOwnEnumerable(target, source, reservedKeys) {
+  if (!source || typeof source !== "object") return target;
+  var reserved = Object.create(null);
+  if (reservedKeys) for (var r = 0; r < reservedKeys.length; r += 1) reserved[reservedKeys[r]] = true;
+  var keys = Object.keys(source);
+  var entries = [];
+  for (var i = 0; i < keys.length; i += 1) {
+    var k = keys[i];
+    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
+    if (reserved[k]) continue;
+    entries.push([k, source[k]]);
+  }
+  // Staged through entries + Object.assign so the copy contains no
+  // computed-name property write at all: Object.fromEntries creates own
+  // data properties (it cannot walk the prototype chain), and the
+  // sentinel skip above means the staging object carries no
+  // __proto__/constructor/prototype key for Object.assign's [[Set]] to
+  // trip over. Same observable result as a key-by-key copy, with the
+  // arbitrary-property-write shape removed instead of merely guarded.
+  return Object.assign(target, Object.fromEntries(entries));
+}
+
 // observabilityShape — operator-supplied `opts.observability` must
 // expose an `event` function. Parallel to auditShape; the n=1 catalog
 // tracks both inline-shape regexes.
@@ -426,3 +459,4 @@ module.exports.requireMethods = requireMethods;
 module.exports.applyDefaults = applyDefaults;
 module.exports.makeAuditEmitter = makeAuditEmitter;
 module.exports.makeNamespacedEmitters = makeNamespacedEmitters;
+module.exports.assignOwnEnumerable = assignOwnEnumerable;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.20",
+  "version": "0.14.22",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:e7a00583-46e2-4fd3-a1bf-9cc0789bed7f",
+  "serialNumber": "urn:uuid:6a454186-ef0a-43dd-8780-6900d4f1daf5",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-02T23:52:58.690Z",
+    "timestamp": "2026-06-05T17:23:40.587Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.20",
+      "bom-ref": "@blamejs/core@0.14.22",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.20",
+      "version": "0.14.22",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.20",
+      "purl": "pkg:npm/%40blamejs/core@0.14.22",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.20",
+      "ref": "@blamejs/core@0.14.22",
       "dependsOn": []
     }
   ]