@blamejs/core 0.16.7 → 0.16.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/lib/a2a.js +4 -4
- package/lib/cache-status.js +3 -7
- package/lib/cloud-events.js +2 -2
- package/lib/http-message-signature.js +1 -1
- package/lib/link-header.js +2 -1
- package/lib/mail-auth.js +1 -1
- package/lib/mail-server-imap.js +3 -4
- package/lib/mail-server-managesieve.js +7 -11
- package/lib/metrics.js +219 -60
- package/lib/pqc-software.js +3 -3
- package/lib/safe-buffer.js +36 -0
- package/lib/server-timing.js +2 -4
- package/lib/tls-exporter.js +3 -3
- package/lib/vendor/MANIFEST.json +10 -10
- package/lib/vendor/public-suffix-list.dat +12 -6
- package/lib/vendor/public-suffix-list.data.js +1389 -1387
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/lib/safe-buffer.js
CHANGED
|
@@ -872,6 +872,41 @@ function assertHeaderSafe(value, label, ErrorClass, code) {
|
|
|
872
872
|
return value;
|
|
873
873
|
}
|
|
874
874
|
|
|
875
|
+
/**
|
|
876
|
+
* @primitive b.safeBuffer.quoteString
|
|
877
|
+
* @signature b.safeBuffer.quoteString(s)
|
|
878
|
+
* @since 0.16.9
|
|
879
|
+
* @status stable
|
|
880
|
+
* @related b.safeBuffer.assertHeaderSafe, b.safeBuffer.foldHeaderText
|
|
881
|
+
*
|
|
882
|
+
* Serialize a value as an RFC quoted-string: coerce to string, escape
|
|
883
|
+
* every backslash and DQUOTE with a leading backslash, and wrap the
|
|
884
|
+
* result in DQUOTEs. One serializer for the quoted-string grammars the
|
|
885
|
+
* framework emits — RFC 8941 §3.3.3 Structured Fields sf-string
|
|
886
|
+
* (Cache-Status, Signature-Input, Server-Timing desc), RFC 8288 Link
|
|
887
|
+
* header parameters, RFC 8601 §2.2 Authentication-Results reason,
|
|
888
|
+
* RFC 3501 §4.3 IMAP quoted strings, and RFC 5804 §1.2 ManageSieve
|
|
889
|
+
* strings — so an unescaped quote can never terminate the string early
|
|
890
|
+
* and smuggle extra parameters into the protocol line.
|
|
891
|
+
*
|
|
892
|
+
* Escaping only — it does not validate a grammar's character range. A
|
|
893
|
+
* grammar that forbids bytes a quoted-string cannot carry (sf-string is
|
|
894
|
+
* printable-ASCII only; IMAP quoted strings cannot carry CR / LF)
|
|
895
|
+
* enforces its range check before calling this.
|
|
896
|
+
*
|
|
897
|
+
* @example
|
|
898
|
+
* var b = require("blamejs");
|
|
899
|
+
* b.safeBuffer.quoteString("cache miss");
|
|
900
|
+
* // → "\"cache miss\""
|
|
901
|
+
*
|
|
902
|
+
* // A quote or backslash in the value cannot break out of the string.
|
|
903
|
+
* b.safeBuffer.quoteString('say "hi"');
|
|
904
|
+
* // → "\"say \\\"hi\\\"\""
|
|
905
|
+
*/
|
|
906
|
+
function quoteString(s) {
|
|
907
|
+
return "\"" + String(s).replace(/\\/g, "\\\\").replace(/"/g, "\\\"") + "\""; // allow:regex-no-length-cap — fixed-char-set escape on caller-bounded input
|
|
908
|
+
}
|
|
909
|
+
|
|
875
910
|
module.exports = {
|
|
876
911
|
normalizeText: normalizeText,
|
|
877
912
|
toBuffer: toBuffer,
|
|
@@ -885,6 +920,7 @@ module.exports = {
|
|
|
885
920
|
stripCrlf: stripCrlf,
|
|
886
921
|
foldHeaderText: foldHeaderText,
|
|
887
922
|
assertHeaderSafe: assertHeaderSafe,
|
|
923
|
+
quoteString: quoteString,
|
|
888
924
|
stripTrailingHspace: stripTrailingHspace,
|
|
889
925
|
indexAfterOpenTag: indexAfterOpenTag,
|
|
890
926
|
HEX_RE: HEX_RE,
|
package/lib/server-timing.js
CHANGED
|
@@ -37,6 +37,7 @@
|
|
|
37
37
|
* W3C Server-Timing response header builder — per-request timing-metric collector that surfaces server-side latency in the browser's Performance API.
|
|
38
38
|
*/
|
|
39
39
|
|
|
40
|
+
var safeBuffer = require("./safe-buffer");
|
|
40
41
|
var validateOpts = require("./validate-opts");
|
|
41
42
|
var { defineClass } = require("./framework-error");
|
|
42
43
|
|
|
@@ -46,9 +47,6 @@ var ServerTimingError = defineClass("ServerTimingError", { alwaysPermanent: true
|
|
|
46
47
|
// at 128 chars for sanity; operator-supplied desc is sf-string.
|
|
47
48
|
var METRIC_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]{1,128}$/; // RFC 7230 token shape + length cap
|
|
48
49
|
|
|
49
|
-
function _quoteDesc(s) {
|
|
50
|
-
return "\"" + String(s).replace(/\\/g, "\\\\").replace(/"/g, "\\\"") + "\"";
|
|
51
|
-
}
|
|
52
50
|
|
|
53
51
|
/**
|
|
54
52
|
* @primitive b.serverTiming.create
|
|
@@ -120,7 +118,7 @@ function create() {
|
|
|
120
118
|
return entries.map(function (e) {
|
|
121
119
|
var parts = [e.name];
|
|
122
120
|
if (e.dur !== null) parts.push("dur=" + _formatDur(e.dur));
|
|
123
|
-
if (e.desc !== null) parts.push("desc=" +
|
|
121
|
+
if (e.desc !== null) parts.push("desc=" + safeBuffer.quoteString(e.desc));
|
|
124
122
|
return parts.join("; ");
|
|
125
123
|
}).join(", ");
|
|
126
124
|
}
|
package/lib/tls-exporter.js
CHANGED
|
@@ -106,7 +106,7 @@ function _resolveTlsSocket(socketOrReq) {
|
|
|
106
106
|
* }
|
|
107
107
|
*
|
|
108
108
|
* @example
|
|
109
|
-
* var b = require("blamejs")
|
|
109
|
+
* var b = require("blamejs");
|
|
110
110
|
* var server = b.https.createServer({ key: KEY, cert: CERT }, function (req, res) {
|
|
111
111
|
* var exporter = b.tlsExporter.fromSocket(req, { length: 32 });
|
|
112
112
|
* res.end("exporter bytes: " + exporter.length);
|
|
@@ -175,7 +175,7 @@ function fromSocket(socketOrReq, opts) {
|
|
|
175
175
|
* compare via `verifyTokenBinding` on the next request.
|
|
176
176
|
*
|
|
177
177
|
* @example
|
|
178
|
-
* var b = require("blamejs")
|
|
178
|
+
* var b = require("blamejs");
|
|
179
179
|
* b.https.createServer({ key: KEY, cert: CERT }, function (req, res) {
|
|
180
180
|
* var binding = b.tlsExporter.bindToken(req, "session-token-abc123");
|
|
181
181
|
* binding.length;
|
|
@@ -214,7 +214,7 @@ function bindToken(socketOrReq, token) {
|
|
|
214
214
|
* the input shape is wrong.
|
|
215
215
|
*
|
|
216
216
|
* @example
|
|
217
|
-
* var b = require("blamejs")
|
|
217
|
+
* var b = require("blamejs");
|
|
218
218
|
* b.https.createServer({ key: KEY, cert: CERT }, function (req, res) {
|
|
219
219
|
* var stored = b.tlsExporter.bindToken(req, "session-token-abc123");
|
|
220
220
|
* var ok = b.tlsExporter.verifyTokenBinding(req, "session-token-abc123", stored);
|
package/lib/vendor/MANIFEST.json
CHANGED
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
"hashes": {
|
|
19
19
|
"server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
|
|
20
20
|
},
|
|
21
|
-
"refreshedAt": "2026-07-
|
|
21
|
+
"refreshedAt": "2026-07-10T14:22:17.414Z"
|
|
22
22
|
},
|
|
23
23
|
"@noble/curves": {
|
|
24
24
|
"version": "2.2.0",
|
|
@@ -40,7 +40,7 @@
|
|
|
40
40
|
"hashes": {
|
|
41
41
|
"server": "sha256:ebf254d5eb56aef8705a1c4af9603f47987b4870a9bb5e657e06907b701e2731"
|
|
42
42
|
},
|
|
43
|
-
"refreshedAt": "2026-07-
|
|
43
|
+
"refreshedAt": "2026-07-10T14:22:17.414Z"
|
|
44
44
|
},
|
|
45
45
|
"@noble/post-quantum": {
|
|
46
46
|
"version": "0.6.1",
|
|
@@ -71,7 +71,7 @@
|
|
|
71
71
|
"hashes": {
|
|
72
72
|
"server": "sha256:f9190309daadca4c2e2cc2b76beaa6b96e463429cc3c390bd9f0ceaf7b588c68"
|
|
73
73
|
},
|
|
74
|
-
"refreshedAt": "2026-07-
|
|
74
|
+
"refreshedAt": "2026-07-10T14:22:17.414Z"
|
|
75
75
|
},
|
|
76
76
|
"@simplewebauthn/server": {
|
|
77
77
|
"version": "13.3.2",
|
|
@@ -94,7 +94,7 @@
|
|
|
94
94
|
"hashes": {
|
|
95
95
|
"server": "sha256:49411d893f5e9b0e2fcaa564b4ec7921f73a9a06229b5e53d49c1453ea1a365c"
|
|
96
96
|
},
|
|
97
|
-
"refreshedAt": "2026-07-
|
|
97
|
+
"refreshedAt": "2026-07-10T14:22:17.414Z"
|
|
98
98
|
},
|
|
99
99
|
"SecLists-common-passwords-top-10000": {
|
|
100
100
|
"version": "10k-most-common (master)",
|
|
@@ -114,7 +114,7 @@
|
|
|
114
114
|
},
|
|
115
115
|
"runtime_artifact": "lib/vendor/common-passwords-top-10000.data.js",
|
|
116
116
|
"integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
|
|
117
|
-
"refreshedAt": "2026-07-
|
|
117
|
+
"refreshedAt": "2026-07-10T14:22:17.414Z"
|
|
118
118
|
},
|
|
119
119
|
"bimi-trust-anchors": {
|
|
120
120
|
"version": "operator-managed",
|
|
@@ -139,7 +139,7 @@
|
|
|
139
139
|
},
|
|
140
140
|
"runtime_artifact": "lib/vendor/bimi-trust-anchors.data.js",
|
|
141
141
|
"integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
|
|
142
|
-
"refreshedAt": "2026-07-
|
|
142
|
+
"refreshedAt": "2026-07-10T14:22:17.414Z"
|
|
143
143
|
},
|
|
144
144
|
"publicsuffix-list": {
|
|
145
145
|
"version": "master",
|
|
@@ -154,12 +154,12 @@
|
|
|
154
154
|
"bundler": "curl https://publicsuffix.org/list/public_suffix_list.dat",
|
|
155
155
|
"bundledAt": "2026-06-24T00:00:00Z",
|
|
156
156
|
"hashes": {
|
|
157
|
-
"server": "sha256:
|
|
158
|
-
"data_js": "sha256:
|
|
157
|
+
"server": "sha256:b86d21bda9c627f0fdbb0182a16a441992e53dc74eb3e866e7885660df863dbd",
|
|
158
|
+
"data_js": "sha256:72fb435e03a25bece67f744601e75e3fb7972f264336ddf7cfcb13ddccedb73e"
|
|
159
159
|
},
|
|
160
160
|
"runtime_artifact": "lib/vendor/public-suffix-list.data.js",
|
|
161
161
|
"integrity_layers": "sha256 + sha3-512 + SLH-DSA-SHAKE-256f signature + in-payload canary (where applicable)",
|
|
162
|
-
"refreshedAt": "2026-07-
|
|
162
|
+
"refreshedAt": "2026-07-10T14:22:17.414Z"
|
|
163
163
|
},
|
|
164
164
|
"peculiar-pki": {
|
|
165
165
|
"version": "2.0.0+pkijs-3.4.0",
|
|
@@ -190,7 +190,7 @@
|
|
|
190
190
|
"hashes": {
|
|
191
191
|
"server": "sha256:9bbc191afaaa2b1e5757f00480457c08134cdc2c55d541df18d9155bba9cbf77"
|
|
192
192
|
},
|
|
193
|
-
"refreshedAt": "2026-07-
|
|
193
|
+
"refreshedAt": "2026-07-10T14:22:17.414Z"
|
|
194
194
|
}
|
|
195
195
|
}
|
|
196
196
|
}
|
|
@@ -5,8 +5,8 @@
|
|
|
5
5
|
// Please pull this list from, and only from https://publicsuffix.org/list/public_suffix_list.dat,
|
|
6
6
|
// rather than any other VCS sites. Pulling from any other URL is not guaranteed to be supported.
|
|
7
7
|
|
|
8
|
-
// VERSION: 2026-07-
|
|
9
|
-
// COMMIT:
|
|
8
|
+
// VERSION: 2026-07-09_11-59-23_UTC
|
|
9
|
+
// COMMIT: b9a86cf0cd115f1e60b5815533f3fcfd2f9e8f4b
|
|
10
10
|
|
|
11
11
|
// Instructions on pulling and using this list can be found at https://publicsuffix.org/list/.
|
|
12
12
|
|
|
@@ -12751,6 +12751,12 @@ co.ca
|
|
|
12751
12751
|
// Submitted by Gavin Brown <gavin.brown@centralnic.com>
|
|
12752
12752
|
co.com
|
|
12753
12753
|
|
|
12754
|
+
// Code For Host Inc Ltd : https://codeforhost.com
|
|
12755
|
+
// Submitted by Mehedi Hasan <support@codeforhost.com>
|
|
12756
|
+
sch.ac
|
|
12757
|
+
dev.cv
|
|
12758
|
+
store.cv
|
|
12759
|
+
|
|
12754
12760
|
// Codeberg e. V. : https://codeberg.org
|
|
12755
12761
|
// Submitted by Moritz Marquardt <git@momar.de>
|
|
12756
12762
|
codeberg.page
|
|
@@ -14150,10 +14156,6 @@ in-vpn.org
|
|
|
14150
14156
|
// Submitted by Connor McFarlane <noc@inferno.co.uk>
|
|
14151
14157
|
oninferno.net
|
|
14152
14158
|
|
|
14153
|
-
// info.at : http://www.info.at/
|
|
14154
|
-
biz.at
|
|
14155
|
-
info.at
|
|
14156
|
-
|
|
14157
14159
|
// info.cx : http://info.cx
|
|
14158
14160
|
// Submitted by June Slater <whois@igloo.to>
|
|
14159
14161
|
info.cx
|
|
@@ -16328,6 +16330,10 @@ weeklylottery.org.uk
|
|
|
16328
16330
|
wpenginepowered.com
|
|
16329
16331
|
js.wpenginepowered.com
|
|
16330
16332
|
|
|
16333
|
+
// xAI : https://x.ai/
|
|
16334
|
+
// Submitted by Asim Shrestha <security@x.ai>
|
|
16335
|
+
grok.me
|
|
16336
|
+
|
|
16331
16337
|
// XenonCloud GbR : https://xenoncloud.net
|
|
16332
16338
|
// Submitted by Julian Uphoff <publicsuffixlist@xenoncloud.net>
|
|
16333
16339
|
*.xenonconnect.de
|