npm - @blamejs/core - Versions diffs - 0.14.21 → 0.14.24 - Mend

@blamejs/core 0.14.21 → 0.14.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/CHANGELOG.md +6 -0
package/README.md +2 -2
package/index.js +5 -1
package/lib/auth/jar.js +190 -28
package/lib/auth/jwt-external.js +213 -0
package/lib/auth/oauth.js +115 -101
package/lib/compliance.js +37 -0
package/lib/crypto-field.js +111 -5
package/lib/db-query.js +123 -0
package/lib/external-db-migrate.js +19 -7
package/lib/external-db.js +508 -20
package/lib/framework-error.js +6 -0
package/lib/http-client.js +3 -4
package/lib/lro.js +3 -4
package/lib/mail-auth.js +236 -0
package/lib/mail-dkim.js +1 -0
package/lib/mail-server-mx.js +276 -7
package/lib/mail.js +8 -4
package/lib/middleware/deny-response.js +2 -10
package/lib/middleware/health.js +1 -4
package/lib/middleware/trace-log-correlation.js +3 -6
package/lib/validate-opts.js +34 -0
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/middleware/deny-response.js CHANGED Viewed

@@ -34,18 +34,10 @@
  */
 var problemDetails = require("../problem-details");
+var validateOpts = require("../validate-opts");
 function _isFn(x) { return typeof x === "function"; }
-function _mergeInto(target, extra) {
-  if (!extra || typeof extra !== "object") return target;
-  var keys = Object.keys(extra);
-  for (var i = 0; i < keys.length; i += 1) {
-    target[keys[i]] = extra[keys[i]];
-  }
-  return target;
-}
 /**
  * Resolve a deny-path refusal through the uniform hook / problem+json
  * / default chain. Returns whatever the `onDeny` hook returns when it
@@ -144,7 +136,7 @@ function denyResponse(req, res, ctx) {
     return undefined;
   }
-  var head = _mergeInto({ "Content-Type": ctx.contentType }, extra);
+  var head = validateOpts.assignOwnEnumerable({ "Content-Type": ctx.contentType }, extra);
   var denyOut = (ctx.body === undefined || ctx.body === null) ? ""
     : (typeof ctx.body === "string" ? ctx.body : JSON.stringify(ctx.body));
   if (ctx.body !== undefined && ctx.body !== null && req && typeof req.apiEncryptEncode === "function") {

package/lib/middleware/health.js CHANGED Viewed

@@ -317,10 +317,7 @@ function create(opts) {
       var entry = { ok: r.ok, ms: r.ms };
       if (r.detail) {
         // Merge detail keys other than `ok` into the entry.
-        var keys = Object.keys(r.detail);
-        for (var n = 0; n < keys.length; n++) {
-          if (keys[n] !== "ok") entry[keys[n]] = r.detail[keys[n]];
-        }
+        validateOpts.assignOwnEnumerable(entry, r.detail, ["ok"]);
       }
       if (r.error) entry.error = r.error;
       if (!r.critical) entry.critical = false;

package/lib/middleware/trace-log-correlation.js CHANGED Viewed

@@ -52,13 +52,10 @@ function _baggageToObject(entries) {
 function _wrapLogger(baseLogger, req, opts) {
   if (!baseLogger || typeof baseLogger !== "object") return baseLogger;
-  var wrapped = Object.create(null);
   // Preserve any non-level properties the operator put on the
-  // logger (e.g. boot context, child-logger metadata).
-  var keys = Object.keys(baseLogger);
-  for (var i = 0; i < keys.length; i++) {
-    if (LOG_LEVELS.indexOf(keys[i]) === -1) wrapped[keys[i]] = baseLogger[keys[i]];
-  }
+  // logger (e.g. boot context, child-logger metadata); the level
+  // methods themselves are re-wrapped below.
+  var wrapped = validateOpts.assignOwnEnumerable(Object.create(null), baseLogger, LOG_LEVELS);
   function _enrichMeta(meta) {
     var enriched = Object.assign({}, meta || {});

package/lib/validate-opts.js CHANGED Viewed

@@ -393,6 +393,39 @@ function makeNamespacedEmitters(prefix, deps) {
   return { audit: audit, metric: metric };
 }
+// assignOwnEnumerable — copy a source object's own enumerable keys onto a
+// target, skipping the prototype-pollution sentinels (__proto__ /
+// constructor / prototype) and any caller-named reserved keys. Several
+// primitives that merge operator-supplied free-form fields onto a
+// spec-built object (JOSE claim sets, JWS protected headers, attestation
+// extra-claims) previously open-coded the identical
+// `for (k of Object.keys(src)) { if (sentinel) continue; if (reserved)
+// continue; dst[k] = src[k]; }` loop. Centralizing the proto-safe walk
+// keeps the merge contract in one place. Reserved keys win — they are NOT
+// overwritten — so the caller's spec-built fields can never be shadowed by
+// a same-named operator key. Returns the target.
+function assignOwnEnumerable(target, source, reservedKeys) {
+  if (!source || typeof source !== "object") return target;
+  var reserved = Object.create(null);
+  if (reservedKeys) for (var r = 0; r < reservedKeys.length; r += 1) reserved[reservedKeys[r]] = true;
+  var keys = Object.keys(source);
+  var entries = [];
+  for (var i = 0; i < keys.length; i += 1) {
+    var k = keys[i];
+    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
+    if (reserved[k]) continue;
+    entries.push([k, source[k]]);
+  }
+  // Staged through entries + Object.assign so the copy contains no
+  // computed-name property write at all: Object.fromEntries creates own
+  // data properties (it cannot walk the prototype chain), and the
+  // sentinel skip above means the staging object carries no
+  // __proto__/constructor/prototype key for Object.assign's [[Set]] to
+  // trip over. Same observable result as a key-by-key copy, with the
+  // arbitrary-property-write shape removed instead of merely guarded.
+  return Object.assign(target, Object.fromEntries(entries));
+}
 // observabilityShape — operator-supplied `opts.observability` must
 // expose an `event` function. Parallel to auditShape; the n=1 catalog
 // tracks both inline-shape regexes.
@@ -426,3 +459,4 @@ module.exports.requireMethods = requireMethods;
 module.exports.applyDefaults = applyDefaults;
 module.exports.makeAuditEmitter = makeAuditEmitter;
 module.exports.makeNamespacedEmitters = makeNamespacedEmitters;
+module.exports.assignOwnEnumerable = assignOwnEnumerable;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.14.21",
+  "version": "0.14.24",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:37cb0e0e-7cba-440b-89c3-febfeb9f7eef",
+  "serialNumber": "urn:uuid:0697fb13-faa3-47c7-8ac0-7a29c980f002",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-06-05T04:48:42.555Z",
+    "timestamp": "2026-06-06T15:36:19.660Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.14.21",
+      "bom-ref": "@blamejs/core@0.14.24",
       "type": "application",
       "name": "blamejs",
-      "version": "0.14.21",
+      "version": "0.14.24",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.14.21",
+      "purl": "pkg:npm/%40blamejs/core@0.14.24",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.14.21",
+      "ref": "@blamejs/core@0.14.24",
       "dependsOn": []
     }
   ]