@blamejs/core 0.14.3 → 0.14.4
- package/CHANGELOG.md +2 -0
- package/lib/auth/saml.js +2 -18
- package/lib/mail-server-jmap.js +0 -2
- package/lib/network-tls.js +1 -4
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
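--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.14.x
 
+- v0.14.4 (2026-05-30) — **Removed three pieces of dead code from the SAML, TLS, and JMAP surfaces; no API or behavior changes.** Cleanup of unreachable code. A reverse signature-algorithm lookup in the SAML verifier was never called — the actual verification path resolves the algorithm through the supported-signature table — so it is removed and a stale comment that referenced it is corrected. A leftover no-op placeholder in the TLS certificate re-encode path (a zero-length slice that was assigned and discarded) is removed, leaving the verbatim extension re-encode it sat next to. An unused JMAP well-known-path constant that existed only to be discarded is removed. None of this changes any exported API, error code, wire format, or runtime behavior. **Removed:** *Unreachable code in SAML, TLS, and JMAP* — Removed `_sigAlgFromUri` from the SAML module (a reverse alg lookup that was never called — the embedded XML-DSig verifier resolves the algorithm via the supported-signature table, and the redirect-binding path uses the forward `_sigAlgUrn`), a discarded zero-length-slice placeholder in the TLS certificate extension re-encode path, and an unused well-known-path constant in the JMAP server. Internal cleanup only — no change to any exported API, error code, wire format, or runtime behavior.
+
 - v0.14.3 (2026-05-30) — **A codebase check now ensures every lint-suppression marker names a real check, so a typo can't silently disable a guard.** Source files suppress an individual lint with an `// allow:<class>` comment. If the class is mistyped or stale, the comment suppresses nothing — the check it names does not exist — so the issue it was meant to explain ships unflagged. A new codebase check now verifies every `// allow:<class>` marker names a registered check class and fails if it does not, with the full set of valid classes maintained as an explicit registry. Two markers that named a non-kebab class were corrected as part of this. No runtime, API, or wire-format changes. **Detectors:** *Lint-suppression markers must name a registered check* — A new check flags any `// allow:<class>` suppression comment whose class is not one of the registered check classes — catching typos and stale markers (for example a marker that named a check which was later renamed) that would otherwise silently disable the guard they appear to explain. The valid classes are kept as an explicit registry, so adding a check with a new allow-class is a one-line registration. Source-comment hygiene only — no change to any exported API, error code, wire format, or runtime behavior.
 
 - v0.14.2 (2026-05-29) — **Internal lint hygiene: the byte-literal check now flags only genuine byte-scale arithmetic, with no API or behavior changes.** A no-behavior-change cleanup of the source tree's internal lint markers. The byte-literal lint previously flagged every integer that was a multiple of 8 — which is most numbers — so the source carried a large number of suppression comments on values that were not byte sizes at all (status codes, counts, lengths, radixes, opcodes). The lint now flags only 1024-scale byte arithmetic (the case the C.BYTES.kib/mib/gib helpers exist to replace), and the now-unnecessary suppression comments have been removed while keeping their explanatory text. Several lint-suppression markers that named a check that does not exist were also corrected. None of this changes any API, wire format, or runtime behavior. **Changed:** *Source-tree lint markers cleaned up* — The internal byte-literal lint was tightened to flag only genuine byte-scale (`* 1024`) arithmetic, and the suppression comments it previously required on non-byte integers were removed (their explanatory text is retained as plain comments). A handful of suppression markers that referenced a non-existent check were pointed at the correct one or removed. This is source-comment hygiene only — there is no change to any exported API, error code, wire format, or runtime behavior.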
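--- a/package/lib/auth/saml.js
+++ b/package/lib/auth/saml.js
@@ -1726,8 +1726,8 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
 
 // PQC SignatureMethod URIs used by the embedded XMLDSig signatures.
 // Standard XMLDSig vocabulary classical signing URIs (W3C XMLDSig
-// Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn
-//
+// Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn (sign
+// side) and the SUPPORTED_SIG table (verify side). The framework adds two non-standard URNs for
 // ML-DSA because no W3C/IETF XMLDSig URI registration exists for
 // post-quantum signers yet (LAMPS WG has open drafts but none final).
 // Operators integrating with PQC-aware IdPs that exchange those URNs
@@ -2027,22 +2027,6 @@ function _sigAlgUrn(alg) {
 return null;
 }
 
-// Reverse lookup — SignatureMethod URI on the inbound wire → alg
-// shorthand for _sigAlgUrn dispatch. Used by _verifyEmbeddedXmlDsig
-// to pick the right verifier when an IdP signs with a classical alg.
-function _sigAlgFromUri(uri) {
-if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-65") return "ml-dsa-65";
-if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-87") return "ml-dsa-87";
-if (uri === "http://www.w3.org/2021/04/xmldsig-more#ed25519") return "ed25519";
-if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") return "rsa-sha256";
-if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384") return "rsa-sha384";
-if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512") return "rsa-sha512";
-if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256") return "ecdsa-sha256";
-if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384") return "ecdsa-sha384";
-if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512") return "ecdsa-sha512";
-return null;
-}
-
 /**
 * @primitive b.auth.saml.fetchMdq
 * @signature b.auth.saml.fetchMdq(opts)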
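Review bot: The rewritten comment at new lines 1729–1730 names the SUPPORTED_SIG table as the verify-side dispatch but does not say what the verifier does with a SignatureMethod URI that is absent from that table. This comment block is where a reader learns which algorithms an inbound assertion may be signed with, so I would state the failure mode explicitly, for example `// A SignatureMethod URI not present in SUPPORTED_SIG is rejected, never mapped to a default.` That wording assumes the verify path fails closed; SUPPORTED_SIG and _verifyEmbeddedXmlDsig are outside this diff, so confirm before adding it. The second new line also runs well past the wrap width of the neighbouring comment lines and could be reflowed.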
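--- a/package/lib/mail-server-jmap.js
+++ b/package/lib/mail-server-jmap.js
@@ -133,9 +133,7 @@ var audit = lazyRequire(function () { return require("./audit"); });
 var MailServerJmapError = defineClass("MailServerJmapError", { alwaysPermanent: true });
 
 var DEFAULT_PROFILE = "strict";
-var WELL_KNOWN_PATH = "/.well-known/jmap";
 void C; // reserved for future cap constants
-void WELL_KNOWN_PATH;
 
 /**
 * @primitive b.mail.server.jmap.create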
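--- a/package/lib/network-tls.js
+++ b/package/lib/network-tls.js
@@ -1797,11 +1797,8 @@ function _stripSctExtensionFromCert(certDer) {
 if (oid === OID_CT_SCT_LIST) continue; // drop the SCT extension
 } catch (_e) { /* not an OID — keep the extension as-is */ }
 }
-// Re-encode this extension verbatim
-var origExt = certDer.slice(0, 0); // placeholder; we rebuild from the parsed node below
-void origExt;
+// Re-encode this extension verbatim from its parsed bytes.
 keptExtBytes.push(_encodeAsn1(asn1.TAG.SEQUENCE, true, extBytes));
-void extBytes;
 }
 var newExtSeq = _encodeAsn1(asn1.TAG.SEQUENCE, true, Buffer.concat(keptExtBytes));
 var newExplicit3 = _encodeContextExplicit(3, newExtSeq);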
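Review bot: The new comment on line 1800 calls the re-encode "verbatim", but the next line wraps `extBytes` in a freshly built header via `_encodeAsn1(asn1.TAG.SEQUENCE, true, extBytes)`, so the output is byte-identical to the input only if the original extension header used the same length form (presumably minimal DER; `_encodeAsn1` is not shown). If the stripped certificate is later hashed or checked against an SCT signature, as the function name suggests but this hunk does not show, a non-canonical input would fail that check for a reason the comment hides. I would word it as `// Re-wrap the extension body in a fresh SEQUENCE header; identical to the input only for canonical DER.` and confirm that non-DER input is rejected before this loop. The body of _stripSctExtensionFromCert starts and ends outside the hunk.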
package/package.json
CHANGED
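--- a/package/sbom.cdx.json
+++ b/package/sbom.cdx.json
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.5",
-"serialNumber": "urn:uuid:
+"serialNumber": "urn:uuid:3b6688f8-8f17-4d81-9bad-f0e6166a53c7",
 "version": 1,
 "metadata": {
-"timestamp": "2026-05-30T08:
+"timestamp": "2026-05-30T08:50:20.572Z",
 "lifecycles": [
 {
 "phase": "build"
@@ -19,14 +19,14 @@
 }
 ],
 "component": {
-"bom-ref": "@blamejs/core@0.14.
+"bom-ref": "@blamejs/core@0.14.4",
 "type": "application",
 "name": "blamejs",
-"version": "0.14.
+"version": "0.14.4",
 "scope": "required",
 "author": "blamejs contributors",
 "description": "The Node framework that owns its stack.",
-"purl": "pkg:npm/%40blamejs/core@0.14.
+"purl": "pkg:npm/%40blamejs/core@0.14.4",
 "properties": [],
 "externalReferences": [
 {
@@ -54,7 +54,7 @@
 "components": [],
 "dependencies": [
 {
-"ref": "@blamejs/core@0.14.
+"ref": "@blamejs/core@0.14.4",
 "dependsOn": []
 }
 ]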