@blamejs/core 0.14.3 → 0.14.5
- package/CHANGELOG.md +4 -0
- package/lib/a2a-tasks.js +6 -6
- package/lib/ai-input.js +1 -1
- package/lib/auth/saml.js +2 -18
- package/lib/auth/sd-jwt-vc.js +1 -1
- package/lib/calendar.js +6 -6
- package/lib/content-credentials.js +2 -2
- package/lib/guard-cidr.js +1 -1
- package/lib/http-client-cache.js +1 -1
- package/lib/mail-auth.js +1 -1
- package/lib/mail-crypto-smime.js +1 -1
- package/lib/mail-deploy.js +1 -1
- package/lib/mail-dkim.js +1 -1
- package/lib/mail-server-jmap.js +2 -4
- package/lib/mcp.js +6 -6
- package/lib/middleware/compose-pipeline.js +1 -1
- package/lib/network-tls.js +1 -4
- package/lib/safe-decompress.js +1 -1
- package/lib/safe-url.js +1 -1
- package/lib/stream-throttle.js +2 -2
- package/lib/websocket.js +2 -2
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
|
|
|
8
8
|
|
|
9
9
|
## v0.14.x
|
|
10
10
|
|
|
11
|
+
- v0.14.5 (2026-05-30) — **Finished cleaning up the mislabeled byte-literal lint suppressions, with no API or behavior changes.** A follow-up to the byte-literal lint tightening. The remaining suppression comments that named the byte-literal check on values that are not byte sizes — JSON-RPC error codes, HTTP status codes, octet ranges, day-in-milliseconds constants — are removed, keeping their explanatory text and any correctly-named companion suppression. Every byte-literal suppression that remains is now on genuine 1024-scale byte arithmetic. Source-comment hygiene only. **Changed:** *Remaining mislabeled byte-literal suppressions removed* — The byte-literal lint was previously a check on any multiple-of-8 integer, so suppression comments naming it were scattered across non-byte values. The last of those (in a handful of files, in mixed comment formats) are now removed — their explanatory text is retained as plain comments, and any correctly-named companion suppression is kept. The only byte-literal suppressions that remain are on genuine 1024-scale byte arithmetic. No change to any exported API, error code, wire format, or runtime behavior.
|
|
12
|
+
|
|
13
|
+
- v0.14.4 (2026-05-30) — **Removed three pieces of dead code from the SAML, TLS, and JMAP surfaces; no API or behavior changes.** Cleanup of unreachable code. A reverse signature-algorithm lookup in the SAML verifier was never called — the actual verification path resolves the algorithm through the supported-signature table — so it is removed and a stale comment that referenced it is corrected. A leftover no-op placeholder in the TLS certificate re-encode path (a zero-length slice that was assigned and discarded) is removed, leaving the verbatim extension re-encode it sat next to. An unused JMAP well-known-path constant that existed only to be discarded is removed. None of this changes any exported API, error code, wire format, or runtime behavior. **Removed:** *Unreachable code in SAML, TLS, and JMAP* — Removed `_sigAlgFromUri` from the SAML module (a reverse alg lookup that was never called — the embedded XML-DSig verifier resolves the algorithm via the supported-signature table, and the redirect-binding path uses the forward `_sigAlgUrn`), a discarded zero-length-slice placeholder in the TLS certificate extension re-encode path, and an unused well-known-path constant in the JMAP server. Internal cleanup only — no change to any exported API, error code, wire format, or runtime behavior.
|
|
14
|
+
|
|
11
15
|
- v0.14.3 (2026-05-30) — **A codebase check now ensures every lint-suppression marker names a real check, so a typo can't silently disable a guard.** Source files suppress an individual lint with an `// allow:<class>` comment. If the class is mistyped or stale, the comment suppresses nothing — the check it names does not exist — so the issue it was meant to explain ships unflagged. A new codebase check now verifies every `// allow:<class>` marker names a registered check class and fails if it does not, with the full set of valid classes maintained as an explicit registry. Two markers that named a non-kebab class were corrected as part of this. No runtime, API, or wire-format changes. **Detectors:** *Lint-suppression markers must name a registered check* — A new check flags any `// allow:<class>` suppression comment whose class is not one of the registered check classes — catching typos and stale markers (for example a marker that named a check which was later renamed) that would otherwise silently disable the guard they appear to explain. The valid classes are kept as an explicit registry, so adding a check with a new allow-class is a one-line registration. Source-comment hygiene only — no change to any exported API, error code, wire format, or runtime behavior.
|
|
12
16
|
|
|
13
17
|
- v0.14.2 (2026-05-29) — **Internal lint hygiene: the byte-literal check now flags only genuine byte-scale arithmetic, with no API or behavior changes.** A no-behavior-change cleanup of the source tree's internal lint markers. The byte-literal lint previously flagged every integer that was a multiple of 8 — which is most numbers — so the source carried a large number of suppression comments on values that were not byte sizes at all (status codes, counts, lengths, radixes, opcodes). The lint now flags only 1024-scale byte arithmetic (the case the C.BYTES.kib/mib/gib helpers exist to replace), and the now-unnecessary suppression comments have been removed while keeping their explanatory text. Several lint-suppression markers that named a check that does not exist were also corrected. None of this changes any API, wire format, or runtime behavior. **Changed:** *Source-tree lint markers cleaned up* — The internal byte-literal lint was tightened to flag only genuine byte-scale (`* 1024`) arithmetic, and the suppression comments it previously required on non-byte integers were removed (their explanatory text is retained as plain comments). A handful of suppression markers that referenced a non-existent check were pointed at the correct one or removed. This is source-comment hygiene only — there is no change to any exported API, error code, wire format, or runtime behavior.
|
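Review bot: the v0.14.5 and v0.14.3 entries refer to `// allow:<class>` markers and "registered check classes" without naming a single class or pointing at the registry file v0.14.3 introduced, while the source hunks below rewrite markers to classes such as `raw-time-literal`, `bare-json-parse` and `raw-new-url`; a one-line pointer to where the valid classes live would let a reader verify the claim that every remaining byte-literal suppression sits on genuine 1024-scale arithmetic. Also, both the v0.14.5 and v0.14.4 entries state their no-behavior-change promise twice (once in the summary, once in the Changed/Removed bullet); stating it once keeps the entries readable.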
package/lib/a2a-tasks.js
CHANGED
|
@@ -62,17 +62,17 @@ var A2aTasksError = defineClass("A2aTasksError", { alwaysPermanent: true });
|
|
|
62
62
|
var JSONRPC_VERSION = "2.0";
|
|
63
63
|
|
|
64
64
|
// JSON-RPC 2.0 fixed error codes — A2A inherits these.
|
|
65
|
-
var JSONRPC_PARSE_ERROR = -32700; // allow:raw-
|
|
66
|
-
var JSONRPC_INVALID_REQUEST = -32600; // allow:raw-
|
|
67
|
-
var JSONRPC_METHOD_NOT_FOUND = -32601; // allow:raw-
|
|
68
|
-
var JSONRPC_INVALID_PARAMS = -32602; // allow:raw-
|
|
69
|
-
var JSONRPC_INTERNAL_ERROR = -32603; // allow:raw-
|
|
65
|
+
var JSONRPC_PARSE_ERROR = -32700; // allow:raw-time-literal — not seconds
|
|
66
|
+
var JSONRPC_INVALID_REQUEST = -32600; // allow:raw-time-literal — not seconds
|
|
67
|
+
var JSONRPC_METHOD_NOT_FOUND = -32601; // allow:raw-time-literal — not seconds
|
|
68
|
+
var JSONRPC_INVALID_PARAMS = -32602; // allow:raw-time-literal — not seconds
|
|
69
|
+
var JSONRPC_INTERNAL_ERROR = -32603; // allow:raw-time-literal — not seconds
|
|
70
70
|
|
|
71
71
|
// A2A-specific error codes per the spec's task-error vocabulary.
|
|
72
72
|
// A2A_TASK_NOT_FOUND (-32002) + A2A_TASK_NOT_CANCELABLE (-32003) are
|
|
73
73
|
// raised by operator handlers — they're reserved here for documentation
|
|
74
74
|
// purposes only.
|
|
75
|
-
var A2A_SCOPE_DENIED = -32001; // allow:raw-
|
|
75
|
+
var A2A_SCOPE_DENIED = -32001; // allow:raw-time-literal — not seconds
|
|
76
76
|
|
|
77
77
|
var ALLOWED_METHODS = Object.freeze(["tasks/send", "tasks/get", "tasks/cancel"]);
|
|
78
78
|
|
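Review bot: the retained `allow:raw-time-literal — not seconds` on all five `JSONRPC_*` constants and on `A2A_SCOPE_DENIED` shows the time-literal check fires on negative JSON-RPC codes such as -32700, the same over-breadth the byte-literal check had before v0.14.2 narrowed it; tightening the check (for example to arithmetic against 60 or 1000) would remove these six identical suppressions outright, and until then one block comment above the group explaining that these are spec-fixed error codes reads better than repeating "not seconds" on every line.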
package/lib/ai-input.js
CHANGED
|
@@ -26,7 +26,7 @@ var audit = require("./audit");
|
|
|
26
26
|
var { AiInputError } = require("./framework-error");
|
|
27
27
|
|
|
28
28
|
var SAMPLE_TRUNC = 80; // sample truncation length, not bytes
|
|
29
|
-
var CONFIDENCE_BASE = 60; // allow:raw-
|
|
29
|
+
var CONFIDENCE_BASE = 60; // allow:raw-time-literal — not seconds
|
|
30
30
|
|
|
31
31
|
var PATTERNS = [
|
|
32
32
|
{ id: "ignore-prior-instructions", severity: 3, re:
|
package/lib/auth/saml.js
CHANGED
|
@@ -1726,8 +1726,8 @@ function _decryptEncryptedAssertion(encAssertion, spPrivateKeyPem) {
|
|
|
1726
1726
|
|
|
1727
1727
|
// PQC SignatureMethod URIs used by the embedded XMLDSig signatures.
|
|
1728
1728
|
// Standard XMLDSig vocabulary classical signing URIs (W3C XMLDSig
|
|
1729
|
-
// Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn
|
|
1730
|
-
//
|
|
1729
|
+
// Core 1.1 + RFC 9231 for Ed25519) are dispatched via _sigAlgUrn (sign
|
|
1730
|
+
// side) and the SUPPORTED_SIG table (verify side). The framework adds two non-standard URNs for
|
|
1731
1731
|
// ML-DSA because no W3C/IETF XMLDSig URI registration exists for
|
|
1732
1732
|
// post-quantum signers yet (LAMPS WG has open drafts but none final).
|
|
1733
1733
|
// Operators integrating with PQC-aware IdPs that exchange those URNs
|
|
@@ -2027,22 +2027,6 @@ function _sigAlgUrn(alg) {
|
|
|
2027
2027
|
return null;
|
|
2028
2028
|
}
|
|
2029
2029
|
|
|
2030
|
-
// Reverse lookup — SignatureMethod URI on the inbound wire → alg
|
|
2031
|
-
// shorthand for _sigAlgUrn dispatch. Used by _verifyEmbeddedXmlDsig
|
|
2032
|
-
// to pick the right verifier when an IdP signs with a classical alg.
|
|
2033
|
-
function _sigAlgFromUri(uri) {
|
|
2034
|
-
if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-65") return "ml-dsa-65";
|
|
2035
|
-
if (uri === "urn:blamejs:experimental:saml-sig-alg:ml-dsa-87") return "ml-dsa-87";
|
|
2036
|
-
if (uri === "http://www.w3.org/2021/04/xmldsig-more#ed25519") return "ed25519";
|
|
2037
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256") return "rsa-sha256";
|
|
2038
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384") return "rsa-sha384";
|
|
2039
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512") return "rsa-sha512";
|
|
2040
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256") return "ecdsa-sha256";
|
|
2041
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384") return "ecdsa-sha384";
|
|
2042
|
-
if (uri === "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512") return "ecdsa-sha512";
|
|
2043
|
-
return null;
|
|
2044
|
-
}
|
|
2045
|
-
|
|
2046
2030
|
/**
|
|
2047
2031
|
* @primitive b.auth.saml.fetchMdq
|
|
2048
2032
|
* @signature b.auth.saml.fetchMdq(opts)
|
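Review bot: deleting `_sigAlgFromUri` also deletes the only in-file enumeration of the accepted SignatureMethod URIs, including the two framework-private `urn:blamejs:experimental:saml-sig-alg:ml-dsa-65` / `ml-dsa-87` URNs and the RFC 9231 Ed25519 URI `http://www.w3.org/2021/04/xmldsig-more#ed25519`; the hunk does not show `SUPPORTED_SIG`, so the commit message should confirm that each of the nine URIs listed in the removed function is present in that table, otherwise an IdP signing with ML-DSA or Ed25519 would start failing verification while the updated comment in the first hunk still advertises them.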
package/lib/auth/sd-jwt-vc.js
CHANGED
|
@@ -597,7 +597,7 @@ async function verify(presentation, opts) {
|
|
|
597
597
|
}
|
|
598
598
|
// Verify KB-JWT signature
|
|
599
599
|
var kbHeaderObj;
|
|
600
|
-
try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); } // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies
|
|
600
|
+
try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); } // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies
|
|
601
601
|
catch (e) {
|
|
602
602
|
throw new AuthError("auth-sd-jwt-vc/bad-kb-header",
|
|
603
603
|
"verify: malformed KB-JWT header: " + e.message);
|
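Review bot: the removed and added lines render identically here (the same is true of the `86400000` lines in calendar.js, the `31557600` line in mail-deploy.js and the `new URL(url)` line in safe-url.js), so the change is invisible in review and is presumably a trailing-whitespace or dash-character normalisation of the `allow:` comment; the commit message should say so explicitly, because the v0.14.3 registry check keys on the exact marker text and a reviewer otherwise cannot tell whether `allow:bare-json-parse` still matches its registered class.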
package/lib/calendar.js
CHANGED
|
@@ -99,7 +99,7 @@ var JSCAL_NOTE_STATUS = Object.freeze({
|
|
|
99
99
|
// Recurrence-expansion caps. Mirror b.safeIcal's RRULE limits so the
|
|
100
100
|
// expand path can't outpace what the parser already permitted.
|
|
101
101
|
var MAX_EXPAND_INSTANCES = 4096; // instance count cap, not bytes
|
|
102
|
-
var MAX_EXPAND_SPAN_MS = 10 * 365 * 24 * 60 * 60 * 1000; // allow:raw-
|
|
102
|
+
var MAX_EXPAND_SPAN_MS = 10 * 365 * 24 * 60 * 60 * 1000; // allow:raw-time-literal — 10 year max expansion span
|
|
103
103
|
|
|
104
104
|
/**
|
|
105
105
|
* @primitive b.calendar.validate
|
|
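Review bot: `MAX_EXPAND_SPAN_MS = 10 * 365 * 24 * 60 * 60 * 1000` is exactly the hand-written time arithmetic that the `C.TIME` helpers used elsewhere in this diff (`C.TIME.hours(24)` in http-client-cache.js, `C.TIME.seconds(2)` in websocket.js) exist to replace; expressing it through a days helper, if `C.TIME` provides one, would make the suppression unnecessary and also avoid the 365-day year (ten calendar years span up to 3653 days, so the cap is slightly shorter than the comment's "10 year" claim).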
@@ -697,7 +697,7 @@ function _expandSingleRule(rule, startMs, ctx) {
|
|
|
697
697
|
}
|
|
698
698
|
var byHourSet = _bySet(rule.byHour, 0, 23); // RFC 5545 hour range
|
|
699
699
|
var byMinuteSet = _bySet(rule.byMinute, 0, 59); // RFC 5545 minute range
|
|
700
|
-
var bySecondSet = _bySet(rule.bySecond, 0, 60); // allow:raw-
|
|
700
|
+
var bySecondSet = _bySet(rule.bySecond, 0, 60); // allow:raw-time-literal — second-of-minute bound, not a duration
|
|
701
701
|
|
|
702
702
|
function _isoWeekParts(d) {
|
|
703
703
|
// ISO 8601 week-of-year + week-year. The week-YEAR can differ
|
|
@@ -709,7 +709,7 @@ function _expandSingleRule(rule, startMs, ctx) {
|
|
|
709
709
|
tmp.setUTCDate(tmp.getUTCDate() + 4 - dayOfWeek); // ISO week-year anchor (Thursday)
|
|
710
710
|
var weekYear = tmp.getUTCFullYear();
|
|
711
711
|
var yearStart = new Date(Date.UTC(weekYear, 0, 1));
|
|
712
|
-
var week = Math.ceil((((tmp - yearStart) / 86400000) + 1) / 7); // allow:raw-time-literal — 86400000 ms/day, 7 days/week
|
|
712
|
+
var week = Math.ceil((((tmp - yearStart) / 86400000) + 1) / 7); // allow:raw-time-literal — 86400000 ms/day, 7 days/week
|
|
713
713
|
return { week: week, year: weekYear };
|
|
714
714
|
}
|
|
715
715
|
function _isoWeekOf(d) {
|
|
@@ -717,7 +717,7 @@ function _expandSingleRule(rule, startMs, ctx) {
|
|
|
717
717
|
}
|
|
718
718
|
function _yearDayOf(d) {
|
|
719
719
|
var startOfYear = new Date(Date.UTC(d.getUTCFullYear(), 0, 1));
|
|
720
|
-
return Math.floor((d - startOfYear) / 86400000) + 1; // allow:raw-time-literal — 86400000 ms/day
|
|
720
|
+
return Math.floor((d - startOfYear) / 86400000) + 1; // allow:raw-time-literal — 86400000 ms/day
|
|
721
721
|
}
|
|
722
722
|
function _daysInYear(year) {
|
|
723
723
|
return ((year % 4 === 0 && year % 100 !== 0) || year % 400 === 0) ? 366 : 365; // Gregorian leap-year rule
|
|
@@ -869,7 +869,7 @@ function _expandWithBysetpos(ctx) {
|
|
|
869
869
|
stepBudgetRef.remaining -= 1;
|
|
870
870
|
var candidate = _withTimeOfDay(dayMs, hh, mm, ss, ms);
|
|
871
871
|
if (matchesBy(candidate)) candidates.push(candidate);
|
|
872
|
-
dayMs += 86400000; // allow:raw-time-literal — 86400000 ms/day step
|
|
872
|
+
dayMs += 86400000; // allow:raw-time-literal — 86400000 ms/day step
|
|
873
873
|
}
|
|
874
874
|
|
|
875
875
|
// Sort + apply BYSETPOS. Positive index 1-based from start;
|
|
@@ -930,7 +930,7 @@ function _periodForIndex(freq, startDate, offset) {
|
|
|
930
930
|
var dow = anchor.getUTCDay() || 7;
|
|
931
931
|
anchor.setUTCDate(anchor.getUTCDate() - (dow - 1) + offset * 7); // days/week
|
|
932
932
|
var ws = anchor.getTime();
|
|
933
|
-
var we = ws + 7 * 86400000 - 1; // allow:raw-
|
|
933
|
+
var we = ws + 7 * 86400000 - 1; // allow:raw-time-literal — 7-day window
|
|
934
934
|
return { startMs: ws, endMs: we };
|
|
935
935
|
}
|
|
936
936
|
|
|
package/lib/content-credentials.js
CHANGED
|
@@ -590,7 +590,7 @@ var CAC_KIND_ENUM = Object.freeze({
|
|
|
590
590
|
text: true, image: true, audio: true, video: true,
|
|
591
591
|
"virtual-scene": true, other: true,
|
|
592
592
|
});
|
|
593
|
-
var CAC_USCC_RE = /^[0-9A-HJ-NPQRTUWXY]{18}$/; // allow:raw-
|
|
593
|
+
var CAC_USCC_RE = /^[0-9A-HJ-NPQRTUWXY]{18}$/; // allow:raw-time-literal — 18 is char-count of the credit code, not seconds
|
|
594
594
|
var ISO8601_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$/;
|
|
595
595
|
|
|
596
596
|
function cacImplicitLabel(opts) {
|
|
@@ -605,7 +605,7 @@ function cacImplicitLabel(opts) {
|
|
|
605
605
|
throw new ContentCredentialsError("cac-implicit-label/oversize-provider-name",
|
|
606
606
|
"cacImplicitLabel: providerName exceeds " + STR_LEN_MAX + " bytes (UTF-8)");
|
|
607
607
|
}
|
|
608
|
-
if (typeof opts.providerCode !== "string" || opts.providerCode.length !== 18 || // allow:raw-
|
|
608
|
+
if (typeof opts.providerCode !== "string" || opts.providerCode.length !== 18 || // allow:raw-time-literal — string length, not seconds
|
|
609
609
|
!CAC_USCC_RE.test(opts.providerCode)) { // allow:regex-no-length-cap — length-bounded immediately above
|
|
610
610
|
throw new ContentCredentialsError("cac-implicit-label/bad-provider-code",
|
|
611
611
|
"cacImplicitLabel: providerCode must be an 18-char unified social credit code " +
|
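Review bot: the literal 18 now appears three times in this region, in the `{18}` quantifier of `CAC_USCC_RE`, in `opts.providerCode.length !== 18`, and in the error message text; a single `CAC_USCC_LEN` constant referenced by all three would drop the `allow:raw-time-literal` marker and keep the regex, the length test and the message from drifting apart. The explicit length test ahead of the anchored regex is still worth keeping, since it is the cheap bound the `allow:regex-no-length-cap` comment on the next line relies on.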
package/lib/guard-cidr.js
CHANGED
|
@@ -73,7 +73,7 @@ var IPV4_RESERVED = Object.freeze([
|
|
|
73
73
|
{ net: _ipv4ToUint32([127, 0, 0, 0]), prefix: 8, label: "loopback" }, // IPv4 octets
|
|
74
74
|
{ net: _ipv4ToUint32([169, 254, 0, 0]), prefix: 16, label: "link-local" }, // IPv4 octets
|
|
75
75
|
{ net: _ipv4ToUint32([224, 0, 0, 0]), prefix: 4, label: "multicast" }, // IPv4 octets
|
|
76
|
-
{ net: _ipv4ToUint32([240, 0, 0, 0]), prefix: 4, label: "reserved-class-e" }, // allow:raw-
|
|
76
|
+
{ net: _ipv4ToUint32([240, 0, 0, 0]), prefix: 4, label: "reserved-class-e" }, // allow:raw-time-literal — 240 is an IPv4 octet not seconds
|
|
77
77
|
{ net: _ipv4ToUint32([192, 0, 2, 0]), prefix: 24, label: "documentation-test-net-1" }, // IPv4 octets
|
|
78
78
|
{ net: _ipv4ToUint32([198, 51, 100, 0]), prefix: 24, label: "documentation-test-net-2" }, // IPv4 octets
|
|
79
79
|
{ net: _ipv4ToUint32([203, 0, 113, 0]), prefix: 24, label: "documentation-test-net-3" }, // IPv4 octets
|
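Review bot: only the 240.0.0.0/4 entry carries a suppression while the neighbouring entries get a plain `// IPv4 octets` comment, which suggests the time-literal heuristic keys on 240 as a multiple of 60; building this table from dotted-quad strings (for example through a `_parseIpv4("240.0.0.0")` helper, assuming the module has or can add one) would remove the per-entry special case. The label is right: 240.0.0.0/4 is the reserved "Class E" block (RFC 1112, RFC 6890).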
package/lib/http-client-cache.js
CHANGED
|
@@ -66,7 +66,7 @@ var HEURISTIC_MAX_AGE_MS = C.TIME.hours(24);
|
|
|
66
66
|
// Statuses RFC 9110 designates as heuristically cacheable. (Plus 200/206
|
|
67
67
|
// which are universally cacheable when a freshness lifetime is given.)
|
|
68
68
|
var CACHEABLE_STATUSES = new Set([
|
|
69
|
-
200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501, // allow:raw-
|
|
69
|
+
200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501, // allow:raw-time-literal — same line, status codes not seconds
|
|
70
70
|
]);
|
|
71
71
|
|
|
72
72
|
// Headers that MUST not be forwarded when serving a 304-updated entry.
|
package/lib/mail-auth.js
CHANGED
|
@@ -1476,7 +1476,7 @@ async function _verifyAmsViaDkim(rfc822, hop, sigValue, tags, dkim, dnsLookup) {
|
|
|
1476
1476
|
|
|
1477
1477
|
function _parseArcTagList(value) {
|
|
1478
1478
|
var tags = {};
|
|
1479
|
-
var parts = String(value).split(";"); // allow:bare-split-on-quoted-header —
|
|
1479
|
+
var parts = String(value).split(";"); // allow:bare-split-on-quoted-header — RFC 8617 §4 ARC tag-list grammar (same as the DKIM RFC's): `tag-spec *( ";" tag-spec )`, tag-value contains no DQUOTE
|
|
1480
1480
|
|
|
1481
1481
|
for (var i = 0; i < parts.length; i += 1) {
|
|
1482
1482
|
var p = parts[i].trim();
|
package/lib/mail-crypto-smime.js
CHANGED
|
@@ -754,7 +754,7 @@ function checkCert(opts) {
|
|
|
754
754
|
if (pub && pub.asymmetricKeyType === "rsa") {
|
|
755
755
|
var jwk = pub.export({ format: "jwk" });
|
|
756
756
|
var nBytes = Buffer.from(jwk.n, "base64url");
|
|
757
|
-
var bits = nBytes.length * 8; // allow:raw-
|
|
757
|
+
var bits = nBytes.length * 8; // allow:raw-time-literal — RFC 5280 in comment, not seconds
|
|
758
758
|
if (bits < RSA_MIN_BITS) {
|
|
759
759
|
throw new MailCryptoError("mail-crypto/smime/rsa-too-small",
|
|
760
760
|
"cert public key is " + bits + " RSA bits; minimum is " + RSA_MIN_BITS +
|
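Review bot: the justification `RFC 5280 in comment, not seconds` is self-referential: the only "5280" on the line is inside the suppression comment itself, and `nBytes.length * 8` is bit arithmetic, so the time-literal check is evidently matching numerals inside comment text. That is the defect to fix in the lint (skip comments when scanning), after which this line needs no marker; in the meantime the comment should say what the code does (`* 8` converts modulus bytes to bits) rather than what the linter thought it saw.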
package/lib/mail-deploy.js
CHANGED
|
@@ -155,7 +155,7 @@ function mtaStsPublish(opts) {
|
|
|
155
155
|
throw new MailDeployError("mail-deploy/bad-max-age",
|
|
156
156
|
"mtaStsPublish: opts.maxAgeSec must be a positive integer");
|
|
157
157
|
}
|
|
158
|
-
if (opts.maxAgeSec > 31557600) { // allow:raw-time-literal — 1 year in seconds (RFC 8461 §3.2 max_age unit)
|
|
158
|
+
if (opts.maxAgeSec > 31557600) { // allow:raw-time-literal — 1 year in seconds (RFC 8461 §3.2 max_age unit)
|
|
159
159
|
throw new MailDeployError("mail-deploy/bad-max-age",
|
|
160
160
|
"mtaStsPublish: opts.maxAgeSec exceeds 1 year (RFC 8461 §3.2 SHOULD ≤ 31557600)");
|
|
161
161
|
}
|
package/lib/mail-dkim.js
CHANGED
|
@@ -950,7 +950,7 @@ async function verify(rfc822, opts) {
|
|
|
950
950
|
// Allow up to 24h future-skew; beyond that, refuse — neither
|
|
951
951
|
// operator clock drift nor delivery latency explains a future-
|
|
952
952
|
// dated signing time of more than a day.
|
|
953
|
-
if (isFinite(tSec) && tSec - (24 * 60 * 60) > nowSec) { // allow:raw-
|
|
953
|
+
if (isFinite(tSec) && tSec - (24 * 60 * 60) > nowSec) { // allow:raw-time-literal — 24h future-date sanity ceiling
|
|
954
954
|
results.push({ d: d || null, s: s || null, alg: alg || null,
|
|
955
955
|
result: "permerror",
|
|
956
956
|
errors: ["DKIM-Signature t=" + tSec + " is more than 24h in the future (RFC 6376 §3.5 sanity)"] });
|
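Review bot: `24 * 60 * 60` is suppressed rather than named, while the same 24h figure is repeated in the prose comment above and in the `permerror` message below; a `MAX_FUTURE_SKEW_SEC` constant (or a seconds helper, if `C.TIME` offers one beside the millisecond helpers seen elsewhere in this diff) would keep the three in sync and drop the marker. The behaviour itself is fine: RFC 6376 §3.5 lets verifiers ignore signatures whose `t=` lies in the future.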
package/lib/mail-server-jmap.js
CHANGED
|
@@ -133,9 +133,7 @@ var audit = lazyRequire(function () { return require("./audit"); });
|
|
|
133
133
|
var MailServerJmapError = defineClass("MailServerJmapError", { alwaysPermanent: true });
|
|
134
134
|
|
|
135
135
|
var DEFAULT_PROFILE = "strict";
|
|
136
|
-
var WELL_KNOWN_PATH = "/.well-known/jmap";
|
|
137
136
|
void C; // reserved for future cap constants
|
|
138
|
-
void WELL_KNOWN_PATH;
|
|
139
137
|
|
|
140
138
|
/**
|
|
141
139
|
* @primitive b.mail.server.jmap.create
|
|
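Review bot: `void C; // reserved for future cap constants` is the same discard-an-unused-binding pattern this hunk removes for `WELL_KNOWN_PATH`; applying the v0.14.4 dead-code rationale consistently means either using `C` for the 900-second ping cap in the next hunk or dropping the import until a cap constant actually exists.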
@@ -597,7 +595,7 @@ function create(opts) {
|
|
|
597
595
|
} else {
|
|
598
596
|
pingN = parseInt(params.ping, 10);
|
|
599
597
|
if (!isFinite(pingN) || pingN < 5) pingN = 30; // RFC 8620 §7.3 default ping seconds
|
|
600
|
-
if (pingN > 900) pingN = 900; // allow:raw-
|
|
598
|
+
if (pingN > 900) pingN = 900; // allow:raw-time-literal — explicit max-ping cap (15 minutes)
|
|
601
599
|
}
|
|
602
600
|
|
|
603
601
|
// SSE wire headers per the HTML5 spec § "Server-sent events"
|
|
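Review bot: `pingN < 5`, the `30` default and the `900` cap are three unnamed bounds on the same value; `PING_MIN_SEC`, `PING_DEFAULT_SEC` and `PING_MAX_SEC` constants would document the policy in one place and remove the `allow:raw-time-literal` marker, and the later `pingN * 1000` conversion could then go through a `C.TIME.seconds` helper (seen elsewhere in this diff) instead of carrying its own suppression.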
@@ -678,7 +676,7 @@ function create(opts) {
|
|
|
678
676
|
}
|
|
679
677
|
unsubscribe = typeof unsub === "function" ? unsub : null;
|
|
680
678
|
if (!pingDisabled) {
|
|
681
|
-
pingTimer = setInterval(_pingTick, pingN * 1000); // allow:raw-time-literal — seconds → ms conversion
|
|
679
|
+
pingTimer = setInterval(_pingTick, pingN * 1000); // allow:raw-time-literal — seconds → ms conversion
|
|
682
680
|
if (pingTimer && typeof pingTimer.unref === "function") pingTimer.unref();
|
|
683
681
|
}
|
|
684
682
|
})
|
package/lib/mcp.js
CHANGED
|
@@ -45,12 +45,12 @@ var METHOD_NAME_MAX = 256;
|
|
|
45
45
|
// JSON-RPC 2.0 error codes (https://www.jsonrpc.org/specification#error_object).
|
|
46
46
|
// Negative numerics by spec; mapped to HTTP status for the framework's
|
|
47
47
|
// HTTP-shaped reply envelope.
|
|
48
|
-
var JSONRPC_PARSE_ERROR = -32700; // allow:raw-
|
|
49
|
-
var JSONRPC_INVALID_REQUEST = -32600; // allow:raw-
|
|
50
|
-
var JSONRPC_METHOD_NOT_FOUND= -32601; // allow:raw-
|
|
51
|
-
var JSONRPC_INVALID_PARAMS = -32602; // allow:raw-
|
|
52
|
-
var JSONRPC_INTERNAL_ERROR = -32603; // allow:raw-
|
|
53
|
-
var JSONRPC_AUTH_REQUIRED = -32001; // allow:raw-
|
|
48
|
+
var JSONRPC_PARSE_ERROR = -32700; // allow:raw-time-literal — not seconds
|
|
49
|
+
var JSONRPC_INVALID_REQUEST = -32600; // allow:raw-time-literal — not seconds
|
|
50
|
+
var JSONRPC_METHOD_NOT_FOUND= -32601; // allow:raw-time-literal — not seconds
|
|
51
|
+
var JSONRPC_INVALID_PARAMS = -32602; // allow:raw-time-literal — not seconds
|
|
52
|
+
var JSONRPC_INTERNAL_ERROR = -32603; // allow:raw-time-literal — not seconds
|
|
53
|
+
var JSONRPC_AUTH_REQUIRED = -32001; // allow:raw-time-literal — not seconds
|
|
54
54
|
var TOOL_NAME_RE = /^[a-zA-Z][a-zA-Z0-9._-]{0,63}$/;
|
|
55
55
|
var RESOURCE_NAME_RE = /^[a-zA-Z][a-zA-Z0-9._/-]{0,255}$/;
|
|
56
56
|
|
|
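Review bot: the six `JSONRPC_*` constants here duplicate the five in a2a-tasks.js byte for byte, plus `-32001`, which a2a-tasks.js names `A2A_SCOPE_DENIED` and this file names `JSONRPC_AUTH_REQUIRED`; hoisting the spec-fixed codes into one shared module would remove a dozen identical suppression comments and stop the two meanings of -32001 from diverging silently. Style nit in the same hunk: `JSONRPC_METHOD_NOT_FOUND= -32601` is missing the space before `=` in both the old and the new line.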
@@ -97,7 +97,7 @@ var CANONICAL_POSITIONS = Object.freeze({
|
|
|
97
97
|
botGuard: 42, // canonical position bucket
|
|
98
98
|
requireAuth: 50, // canonical position bucket
|
|
99
99
|
attachUser: 52, // canonical position bucket
|
|
100
|
-
handler: 60, // allow:raw-
|
|
100
|
+
handler: 60, // allow:raw-time-literal — pipeline position int, not seconds
|
|
101
101
|
errorHandler: 90, // canonical position bucket
|
|
102
102
|
});
|
|
103
103
|
|
package/lib/network-tls.js
CHANGED
|
@@ -1797,11 +1797,8 @@ function _stripSctExtensionFromCert(certDer) {
|
|
|
1797
1797
|
if (oid === OID_CT_SCT_LIST) continue; // drop the SCT extension
|
|
1798
1798
|
} catch (_e) { /* not an OID — keep the extension as-is */ }
|
|
1799
1799
|
}
|
|
1800
|
-
// Re-encode this extension verbatim
|
|
1801
|
-
var origExt = certDer.slice(0, 0); // placeholder; we rebuild from the parsed node below
|
|
1802
|
-
void origExt;
|
|
1800
|
+
// Re-encode this extension verbatim from its parsed bytes.
|
|
1803
1801
|
keptExtBytes.push(_encodeAsn1(asn1.TAG.SEQUENCE, true, extBytes));
|
|
1804
|
-
void extBytes;
|
|
1805
1802
|
}
|
|
1806
1803
|
var newExtSeq = _encodeAsn1(asn1.TAG.SEQUENCE, true, Buffer.concat(keptExtBytes));
|
|
1807
1804
|
var newExplicit3 = _encodeContextExplicit(3, newExtSeq);
|
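Review bot: dropping `void extBytes` is correct since `extBytes` is consumed by `_encodeAsn1` on the following line, and removing the zero-length `origExt` slice is the right call. The new comment says "verbatim", but the extension is rebuilt with `_encodeAsn1(asn1.TAG.SEQUENCE, true, extBytes)` from parsed content rather than copied from the source bytes; for DER input the result is byte-identical, so the comment holds only as long as the parser guarantees DER (minimal lengths), which is worth stating, because the SCT-stripped certificate is presumably matched against signed bytes where a single re-encoded length byte would break the comparison.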
package/lib/safe-decompress.js
CHANGED
|
@@ -105,7 +105,7 @@ var _algorithms = {
|
|
|
105
105
|
// classic bomb shapes (1000:1) while leaving headroom for legitimate
|
|
106
106
|
// text / JSON / XML payloads (which compress 20-50:1 commonly). Per
|
|
107
107
|
// RFC 8460 §5.2 community guidance for TLS-RPT report decompression.
|
|
108
|
-
var DEFAULT_MAX_RATIO = 50; // allow:raw-
|
|
108
|
+
var DEFAULT_MAX_RATIO = 50; // allow:raw-time-literal — RFC number not seconds
|
|
109
109
|
|
|
110
110
|
// Default input cap when operator omits opts.maxCompressedBytes —
|
|
111
111
|
// 4 MiB matches the TLS-RPT receive surface and is a reasonable
|
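Review bot: the justification `RFC number not seconds` refers to "8460" in the comment two lines above, not to the `50` on this line, so it is unclear which line the check actually flagged and whether a line-scoped marker here covers it; whichever it is, the fix belongs in the lint (numerals inside comments should not be scanned), and the 50:1 ratio can then keep a plain comment tying it to the RFC 8460 §5.2 guidance already quoted above.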
package/lib/safe-url.js
CHANGED
|
@@ -407,7 +407,7 @@ function format(url) {
|
|
|
407
407
|
}
|
|
408
408
|
// Constructing URL() is the path that surfaces the IDN-crash on
|
|
409
409
|
// older Node — wrap so the listener never crashes.
|
|
410
|
-
var u = new URL(url); // allow:raw-new-url — safeUrl.format wraps URL ctor for CVE-2026-21712; this IS the safe wrapper.
|
|
410
|
+
var u = new URL(url); // allow:raw-new-url — safeUrl.format wraps URL ctor for CVE-2026-21712; this IS the safe wrapper.
|
|
411
411
|
return u.href;
|
|
412
412
|
} catch (e) {
|
|
413
413
|
if (e && e.isSafeUrlError) throw e;
|
package/lib/stream-throttle.js
CHANGED
|
@@ -71,9 +71,9 @@ var StreamThrottleError = defineClass("StreamThrottleError", { alwaysPermanent:
|
|
|
71
71
|
// (bytes/sec ↔ wait-ms). This is a unit-conversion constant, not a
|
|
72
72
|
// memory cap or protocol-byte literal; the framework's C.TIME / C.BYTES
|
|
73
73
|
// helpers don't apply.
|
|
74
|
-
var MS_PER_SECOND = 1000; // allow:raw-
|
|
74
|
+
var MS_PER_SECOND = 1000; // allow:raw-time-literal — ms/sec unit conversion
|
|
75
75
|
var NS_PER_MS = 1e6; // ns/ms unit conversion
|
|
76
|
-
var MS_PER_SECOND_HRTIME = 1000; // allow:raw-
|
|
76
|
+
var MS_PER_SECOND_HRTIME = 1000; // allow:raw-time-literal — hrtime seconds→ms
|
|
77
77
|
|
|
78
78
|
/**
|
|
79
79
|
* @primitive b.streamThrottle.create
|
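Review bot: `MS_PER_SECOND` and `MS_PER_SECOND_HRTIME` are two constants with the same value and the same meaning, each with its own suppression; defining one (or deriving the hrtime one from the other) means a future edit cannot update one and miss the other. Note also that `NS_PER_MS = 1e6` on the line between them carries no marker, so the time-literal check evidently skips exponent-form literals, an easy way around it that the check should close.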
package/lib/websocket.js
CHANGED
|
@@ -190,8 +190,8 @@ var CLOSE_GRACE_MS = C.TIME.seconds(2);
|
|
|
190
190
|
// invalid.
|
|
191
191
|
function _isValidCloseCode(code) {
|
|
192
192
|
if (code === 1004 || code === 1005 || code === 1006 || code === 1015) return false; // RFC 6455 §7.4.2 reserved codes
|
|
193
|
-
if (code >= 1000 && code <= 1011) return true; // allow:raw-
|
|
194
|
-
if (code >= 3000 && code <= 4999) return true; // allow:raw-
|
|
193
|
+
if (code >= 1000 && code <= 1011) return true; // allow:raw-time-literal — code is a numeric, not seconds
|
|
194
|
+
if (code >= 3000 && code <= 4999) return true; // allow:raw-time-literal — code is a numeric, not seconds
|
|
195
195
|
return false;
|
|
196
196
|
}
|
|
197
197
|
|
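Review bot: the accepted ranges `1000..1011` and `3000..4999` reject 1012, 1013 and 1014, which are IANA-registered close codes (Service Restart, Try Again Later, Bad Gateway) and, unlike the 1004/1005/1006/1015 set excluded on the line above, are legitimately sent on the wire; if the intent is to accept every registered code, extend the first range to 1014, and either way a named constant per bound would replace the two "code is a numeric, not seconds" markers.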
package/package.json
CHANGED
package/sbom.cdx.json
CHANGED
|
@@ -2,10 +2,10 @@
|
|
|
2
2
|
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
|
|
3
3
|
"bomFormat": "CycloneDX",
|
|
4
4
|
"specVersion": "1.5",
|
|
5
|
-
"serialNumber": "urn:uuid:
|
|
5
|
+
"serialNumber": "urn:uuid:5c0853e1-1ea7-4fb1-8fb6-58b2ae51671f",
|
|
6
6
|
"version": 1,
|
|
7
7
|
"metadata": {
|
|
8
|
-
"timestamp": "2026-05-
|
|
8
|
+
"timestamp": "2026-05-30T15:10:40.322Z",
|
|
9
9
|
"lifecycles": [
|
|
10
10
|
{
|
|
11
11
|
"phase": "build"
|
|
@@ -19,14 +19,14 @@
|
|
|
19
19
|
}
|
|
20
20
|
],
|
|
21
21
|
"component": {
|
|
22
|
-
"bom-ref": "@blamejs/core@0.14.
|
|
22
|
+
"bom-ref": "@blamejs/core@0.14.5",
|
|
23
23
|
"type": "application",
|
|
24
24
|
"name": "blamejs",
|
|
25
|
-
"version": "0.14.
|
|
25
|
+
"version": "0.14.5",
|
|
26
26
|
"scope": "required",
|
|
27
27
|
"author": "blamejs contributors",
|
|
28
28
|
"description": "The Node framework that owns its stack.",
|
|
29
|
-
"purl": "pkg:npm/%40blamejs/core@0.14.
|
|
29
|
+
"purl": "pkg:npm/%40blamejs/core@0.14.5",
|
|
30
30
|
"properties": [],
|
|
31
31
|
"externalReferences": [
|
|
32
32
|
{
|
|
@@ -54,7 +54,7 @@
|
|
|
54
54
|
"components": [],
|
|
55
55
|
"dependencies": [
|
|
56
56
|
{
|
|
57
|
-
"ref": "@blamejs/core@0.14.
|
|
57
|
+
"ref": "@blamejs/core@0.14.5",
|
|
58
58
|
"dependsOn": []
|
|
59
59
|
}
|
|
60
60
|
]
|