@blamejs/core 0.7.50 → 0.7.51

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.51** (2026-05-05) — `b.guardOauth` — OAuth flow-shape safety primitive (KIND="oauth-flow"). Validates user-supplied OAuth 2.x / OIDC authorization-code-flow parameter bundles before the framework's `b.auth.oauth` client exchanges them. Threat catalog: PKCE missing or non-S256 (RFC 7636 / OAuth 2.1 mandate; `plain` is the downgrade-attack class); state missing (RFC 6749 §10.12 CSRF); redirect_uri not in operator allowlist (exact-match per OAuth 2.1 — no prefix / wildcard / scheme drift); response_type allowlist drift (refuse implicit `token` deprecated in OAuth 2.1, require operator-allowed types); scope-token shape per RFC 6749 §3.3 (refuse non-printable / control / whitespace-other-than-space); issuer missing on callback (RFC 9207 IdP-mix-up defense — set `flow._isCallback = true` to enforce); authorization-code reuse via operator-supplied `seenCodeStore.hasSeen(code)` (RFC 6749 §10.5 replay class); excessive parameter / total bytes; BIDI / null / control / zero-width universal refuse. Profiles: `strict` (PKCE S256, state required, redirect_uri exact-match, RFC 9207 iss required), `balanced` (PKCE any method, state + redirect_uri allowlist required, iss audited), `permissive` (universal-refuse class still refused; rest audit). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Adaptive integration harness gains a KIND="oauth-flow" dispatcher reading `ctx.oauthFlow`. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
+
 - **0.7.50** (2026-05-05) — `b.guardJwt` — JWT identifier-safety primitive (KIND="identifier"). Validates user-supplied JWT compact-serialization strings against the canonical CVE-class refuse list before hand-off to a verifier — `b.guardJwt` never replaces signature verification, it reduces the input space the verifier sees. Threat catalog: shape malformation; `alg=none` (CVE-2015-9235 jsonwebtoken / CVE-2018-0114 java-jwt) — universally refused at every profile; alg-allowlist drift (PQC-first default: ML-DSA / SLH-DSA / EdDSA / ES* / RS* / PS*); `kid` path-traversal (operator `keyResolver` path-injection class — e.g. `kid: "../etc/passwd"` would escape a key-directory `fs.readFile(keyDir + kid)` resolver); `typ` confusion (non-JWT-shape media-type tokens coerced into the slot); oversized header / payload / signature segment defense (decompression bomb + parser DoS); `exp` / `nbf` / `iat` sanity (past `exp` = replay; far-future `nbf` / `iat` = clock-skew / attacker-shaped); required-claims enforcement (default `iss` / `exp` / `iat` at strict); unknown `crit` field refuse (RFC 7515 §4.1.11 — operator MUST refuse crit values it doesn't understand); BIDI / null / control / zero-width universal refuse. **`b.guardJwt.kidSafe(kid)`** is the documented contract for operator `keyResolver` implementations: throws on traversal indicators or control bytes, returns the validated kid on success. Profiles: `strict` (refuse everything), `balanced` (refuse alg=none / kid-traversal / unknown-crit; audit the rest), `permissive` (universal-refuse class still refused). Postures: `hipaa` / `pci-dss` / `soc2` strict overlay; `gdpr` balanced overlay. Auto-registers into `b.guardAll` as a STANDALONE_GUARD.
 
 - **0.7.49** (2026-05-05) — `b.middleware.headers(opts)` — inbound HTTP header threat-detection middleware. Sits at the top of the request lifecycle. Threat catalog: `header-name-shape` (header name not a valid RFC 9110 §5.1 token); `header-value-control-byte` (CR / LF / NUL inside any header value — header-injection defense in depth on top of Node's rejection); `header-count-cap` (default 100 inbound headers max); `header-value-cap` (default 8 KiB per value); `smuggling-cl-te` (RFC 9112 §6.1 — both Content-Length and Transfer-Encoding present, the canonical CL.TE / TE.CL request-smuggling vector); `smuggling-cl-multi` / `smuggling-te-multi` (multiple values for either header — proxy-desync class); `deprecated-trust-header` (X-Forwarded-For / -Proto / -Host / -Port / X-Real-IP present without operator-supplied `trustProxy: true` opt — operators should adopt RFC 7239 `Forwarded`). On `mode: "enforce"` + `refuseOnHigh` (default), refuses with HTTP 400 + JSON body listing detected high-severity issues; emits one audit row per issue regardless of mode. Complements the existing per-route smuggling defense in `b.middleware.bodyParser` by running the same check at the top of the chain (covers GET / HEAD requests that don't body-parse).

package/index.js

@@ -116,6 +116,7 @@ var guardCidr = require("./lib/guard-cidr");
 var guardTime = require("./lib/guard-time");
 var guardMime = require("./lib/guard-mime");
 var guardJwt = require("./lib/guard-jwt");
+var guardOauth = require("./lib/guard-oauth");
 var guardAll = require("./lib/guard-all");
 var ssrfGuard = require("./lib/ssrf-guard");
 var authHeader = require("./lib/auth-header");
@@ -263,6 +264,7 @@ module.exports = {
   guardTime:        guardTime,
   guardMime:        guardMime,
   guardJwt:         guardJwt,
+  guardOauth:       guardOauth,
   guardAll:         guardAll,
   ssrfGuard:        ssrfGuard,
   authHeader:       authHeader,

package/lib/framework-error.js

@@ -297,6 +297,15 @@ var GuardMimeError        = defineClass("GuardMimeError",        { alwaysPermane
 // fields (RFC 7515 §4.1.11), BIDI / null / control / zero-width
 // universal refuse. alwaysPermanent.
 var GuardJwtError         = defineClass("GuardJwtError",         { alwaysPermanent: true });
+// GuardOauthError covers OAuth flow-shape violations: PKCE missing /
+// non-S256 (downgrade-attack class), state missing (RFC 6749 §10.12
+// CSRF class), redirect_uri not in operator allowlist (exact-match
+// per OAuth 2.1), response_type allowlist drift, scope-token shape
+// (RFC 6749 §3.3), issuer missing on callback (RFC 9207 IdP-mix-up),
+// authorization-code reuse (RFC 6749 §10.5), oversized parameter,
+// BIDI / null / control / zero-width universal refuse.
+// alwaysPermanent.
+var GuardOauthError       = defineClass("GuardOauthError",       { alwaysPermanent: true });
 // DoraError covers DORA Article 17 incident-reporting workflow errors
 // (classification refusal, report-shape validation, ESA-template
 // generation, audit-chain integration). Permanent — these are
@@ -362,6 +371,7 @@ module.exports = {
   GuardTimeError:         GuardTimeError,
   GuardMimeError:         GuardMimeError,
   GuardJwtError:          GuardJwtError,
+  GuardOauthError:        GuardOauthError,
   DoraError:              DoraError,
   ComplianceError:        ComplianceError,
   SmtpPolicyError:        SmtpPolicyError,

package/lib/guard-all.js

@@ -95,6 +95,7 @@ var STANDALONE_GUARDS = [
   require("./guard-time"),
   require("./guard-mime"),
   require("./guard-jwt"),
+  require("./guard-oauth"),
 ];
 
 // Framework-wide profile + posture vocabulary that every guard MUST

package/lib/guard-oauth.js

@@ -0,0 +1,401 @@
+"use strict";
+/**
+ * guard-oauth — OAuth flow-shape safety primitive (b.guardOauth).
+ *
+ * Validates user-supplied OAuth 2.x / OIDC authorization-code-flow
+ * parameter bundles before the framework's b.auth.oauth client
+ * exchanges them. KIND="oauth-flow" — consumes ctx.oauthFlow.
+ *
+ * Threat catalog:
+ *   - PKCE missing or non-S256 — RFC 7636 mandates code_verifier;
+ *     OAuth 2.1 mandates S256 (no plain). The plaintext "plain"
+ *     method is downgrade-attack class.
+ *   - state missing / replayed — RFC 6749 §10.12 + §10.14; without
+ *     state-binding the flow is open to CSRF.
+ *   - redirect_uri not in allowlist — RFC 6749 §3.1.2 + OAuth 2.1
+ *     mandate exact-match (no prefix / wildcard / scheme drift).
+ *   - response_type not in allowlist — refuse "token" implicit flow
+ *     (deprecated in OAuth 2.1) and "id_token" outside OIDC; require
+ *     operator-allowed types.
+ *   - scope tampering — refuse scope values containing whitespace
+ *     other than space (RFC 6749 §3.3) or non-printable bytes.
+ *   - issuer (iss) missing on callback — RFC 9207 mandates iss
+ *     parameter on authorization response to defeat the IdP-mix-up
+ *     attack.
+ *   - code reuse — operator-supplied seenCodeStore detects
+ *     authorization-code replay (RFC 6749 §10.5).
+ *   - excessive parameter / value length — defense against parser
+ *     DoS and decompression-bomb-shaped clients.
+ *   - BIDI / null / control / zero-width universal refuse.
+ *
+ *   var rv = b.guardOauth.validate({ redirect_uri, state, ... },
+ *                                  { profile: "strict" });
+ *   var g  = b.guardOauth.gate({ profile: "strict" });
+ */
+
+var codepointClass = require("./codepoint-class");
+var lazyRequire = require("./lazy-require");
+var gateContract = require("./gate-contract");
+var C = require("./constants");
+var numericBounds = require("./numeric-bounds");
+var { GuardOauthError } = require("./framework-error");
+
+var observability = lazyRequire(function () { return require("./observability"); });
+void observability;
+
+var _err = GuardOauthError.factory;
+
+var SCOPE_TOKEN_RE = /^[\x21\x23-\x5b\x5d-\x7e]+$/;                              // allow:raw-byte-literal — RFC 6749 §3.3 scope-token charset
+var DEFAULT_RESPONSE_TYPES = Object.freeze(["code"]);
+
+// ---- Profile presets ----
+
+var PROFILES = Object.freeze({
+  "strict": {
+    bidiPolicy:               "reject",
+    controlPolicy:             "reject",
+    nullBytePolicy:            "reject",
+    zeroWidthPolicy:           "reject",
+    pkcePolicy:                "require-s256",
+    statePolicy:               "require",
+    redirectUriPolicy:         "require-exact-allowlist",
+    responseTypePolicy:        "require-allowlist",
+    scopeTamperingPolicy:      "reject",
+    issuerOnCallbackPolicy:    "require",                                        // RFC 9207
+    codeReusePolicy:           "reject",
+    allowedResponseTypes:      DEFAULT_RESPONSE_TYPES,
+    maxParamBytes:             C.BYTES.kib(2),
+    maxBytes:                  C.BYTES.kib(8),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+  "balanced": {
+    bidiPolicy:               "reject",
+    controlPolicy:             "reject",
+    nullBytePolicy:            "reject",
+    zeroWidthPolicy:           "reject",
+    pkcePolicy:                "require-any",                                    // S256 or plain
+    statePolicy:               "require",
+    redirectUriPolicy:         "require-exact-allowlist",
+    responseTypePolicy:        "require-allowlist",
+    scopeTamperingPolicy:      "reject",
+    issuerOnCallbackPolicy:    "audit",
+    codeReusePolicy:           "reject",
+    allowedResponseTypes:      Object.freeze(["code", "code id_token"]),
+    maxParamBytes:             C.BYTES.kib(2),
+    maxBytes:                  C.BYTES.kib(8),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+  "permissive": {
+    bidiPolicy:               "reject",                                          // BIDI refused at every profile
+    controlPolicy:             "reject",                                          // controls refused at every profile
+    nullBytePolicy:            "reject",                                          // null refused at every profile
+    zeroWidthPolicy:           "reject",                                          // zero-width refused at every profile
+    pkcePolicy:                "audit",
+    statePolicy:               "audit",
+    redirectUriPolicy:         "audit",
+    responseTypePolicy:        "audit",
+    scopeTamperingPolicy:      "reject",                                          // scope tampering refused at every profile
+    issuerOnCallbackPolicy:    "audit",
+    codeReusePolicy:           "reject",                                          // code reuse refused at every profile
+    allowedResponseTypes:      null,
+    maxParamBytes:             C.BYTES.kib(4),
+    maxBytes:                  C.BYTES.kib(16),
+    maxRuntimeMs:              C.TIME.seconds(2),
+  },
+});
+
+var DEFAULTS = Object.freeze(Object.assign({}, PROFILES["strict"], {
+  mode: "enforce",
+}));
+
+var COMPLIANCE_POSTURES = Object.freeze({
+  "hipaa":   Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(256),
+  }),
+  "pci-dss": Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(256),
+  }),
+  "gdpr":    Object.assign({}, PROFILES["balanced"], {
+    forensicSnippetBytes: C.BYTES.bytes(128),
+  }),
+  "soc2":    Object.assign({}, PROFILES["strict"], {
+    forensicSnippetBytes: C.BYTES.bytes(512),
+  }),
+});
+
+function _resolveOpts(opts) {
+  return gateContract.resolveProfileAndPosture(opts, {
+    profiles:           PROFILES,
+    compliancePostures: COMPLIANCE_POSTURES,
+    defaults:           DEFAULTS,
+    errorClass:         GuardOauthError,
+    errCodePrefix:      "oauth",
+  });
+}
+
+function _detectIssues(flow, opts) {
+  var issues = [];
+  if (!flow || typeof flow !== "object") {
+    return [{ kind: "bad-input", severity: "high",
+              ruleId: "oauth.bad-input",
+              snippet: "oauth flow is not an object" }];
+  }
+
+  // Total-bytes cap — JSON-stringify proxy for input size.
+  try {
+    var serialized = JSON.stringify(flow);
+    if (Buffer.byteLength(serialized, "utf8") > opts.maxBytes) {
+      return [{ kind: "flow-cap", severity: "high",
+                ruleId: "oauth.flow-cap",
+                snippet: "oauth flow exceeds maxBytes " + opts.maxBytes }];
+    }
+  } catch (_e) { /* unstringifiable — flagged below */ }
+
+  // Codepoint-class threats applied to every string value at the
+  // top-level (operator nests via `flow` so this catches the canonical
+  // OAuth params).
+  var keys = Object.keys(flow);
+  for (var ki = 0; ki < keys.length; ki += 1) {
+    var v = flow[keys[ki]];
+    if (typeof v !== "string") continue;
+    if (Buffer.byteLength(v, "utf8") > opts.maxParamBytes) {
+      issues.push({
+        kind: "param-cap", severity: "high",
+        ruleId: "oauth.param-cap",
+        snippet: "oauth param `" + keys[ki] + "` exceeds maxParamBytes " +
+                 opts.maxParamBytes,
+      });
+      continue;
+    }
+    var charThreats = codepointClass.detectCharThreats(v, opts, "oauth");
+    for (var ci = 0; ci < charThreats.length; ci += 1) {
+      issues.push(Object.assign({}, charThreats[ci], {
+        snippet: "oauth.param `" + keys[ki] + "`: " + charThreats[ci].snippet,
+      }));
+    }
+  }
+
+  // PKCE.
+  if (opts.pkcePolicy !== "audit" && opts.pkcePolicy !== "allow") {
+    var hasVerifier  = typeof flow.code_verifier === "string" && flow.code_verifier.length > 0;
+    var hasChallenge = typeof flow.code_challenge === "string" && flow.code_challenge.length > 0;
+    if (!hasVerifier && !hasChallenge) {
+      issues.push({
+        kind: "pkce-missing", severity: "high",
+        ruleId: "oauth.pkce-missing",
+        snippet: "neither code_verifier nor code_challenge present " +
+                 "(RFC 7636 / OAuth 2.1 require PKCE for every client)",
+      });
+    }
+    if (hasChallenge && opts.pkcePolicy === "require-s256") {
+      var method = flow.code_challenge_method || "plain";
+      if (method !== "S256") {
+        issues.push({
+          kind: "pkce-method", severity: "high",
+          ruleId: "oauth.pkce-method",
+          snippet: "code_challenge_method `" + method + "` not S256 " +
+                   "(OAuth 2.1 forbids `plain` — downgrade-attack class)",
+        });
+      }
+    }
+  }
+
+  // state.
+  if (opts.statePolicy === "require") {
+    if (typeof flow.state !== "string" || flow.state.length === 0) {
+      issues.push({
+        kind: "state-missing", severity: "high",
+        ruleId: "oauth.state-missing",
+        snippet: "state parameter missing — required for CSRF defense " +
+                 "(RFC 6749 §10.12)",
+      });
+    }
+  }
+
+  // redirect_uri.
+  if (typeof flow.redirect_uri === "string" &&
+      opts.redirectUriPolicy === "require-exact-allowlist") {
+    var allowlist = opts.allowedRedirectUris;
+    // When the operator hasn't configured an allowlist, the gate can't
+    // enforce exact-match; skip the check entirely. Operator-side
+    // configuration warnings live in the operator's startup audit, not
+    // in per-request issue lists.
+    if (Array.isArray(allowlist) && allowlist.length > 0 &&
+        allowlist.indexOf(flow.redirect_uri) === -1) {
+      issues.push({
+        kind: "redirect-uri-not-allowed", severity: "high",
+        ruleId: "oauth.redirect-uri-not-allowed",
+        snippet: "redirect_uri `" + flow.redirect_uri + "` not in " +
+                 "operator allowlist (RFC 6749 §3.1.2 / OAuth 2.1 " +
+                 "mandate exact-match)",
+      });
+    }
+  }
+
+  // response_type.
+  if (typeof flow.response_type === "string" &&
+      opts.responseTypePolicy === "require-allowlist" &&
+      Array.isArray(opts.allowedResponseTypes)) {
+    if (opts.allowedResponseTypes.indexOf(flow.response_type) === -1) {
+      issues.push({
+        kind: "response-type-not-allowed", severity: "high",
+        ruleId: "oauth.response-type-not-allowed",
+        snippet: "response_type `" + flow.response_type + "` not in " +
+                 "operator allowedResponseTypes",
+      });
+    }
+  }
+
+  // scope tampering.
+  if (typeof flow.scope === "string" &&
+      opts.scopeTamperingPolicy !== "allow") {
+    var scopes = flow.scope.split(" ");
+    for (var si = 0; si < scopes.length; si += 1) {
+      var s = scopes[si];
+      if (s.length === 0) continue;
+      if (!SCOPE_TOKEN_RE.test(s)) {                                             // allow:regex-no-length-cap — scope value bounded by maxParamBytes
+        issues.push({
+          kind: "scope-token-shape",
+          severity: opts.scopeTamperingPolicy === "reject" ? "high" : "warn",
+          ruleId: "oauth.scope-token-shape",
+          snippet: "scope token `" + s + "` violates RFC 6749 §3.3 " +
+                   "scope-token charset (whitespace / control / non-printable)",
+        });
+      }
+    }
+  }
+
+  // RFC 9207 issuer on callback.
+  if (opts.issuerOnCallbackPolicy === "require" &&
+      flow._isCallback === true) {
+    if (typeof flow.iss !== "string" || flow.iss.length === 0) {
+      issues.push({
+        kind: "issuer-missing", severity: "high",
+        ruleId: "oauth.issuer-missing",
+        snippet: "iss parameter missing on callback — RFC 9207 mandates " +
+                 "issuer identification to defeat IdP-mix-up attack",
+      });
+    }
+  }
+
+  // code reuse — operator supplies seenCodeStore + reportSeen() / hasSeen().
+  if (typeof flow.code === "string" &&
+      opts.codeReusePolicy !== "allow" &&
+      opts.seenCodeStore && typeof opts.seenCodeStore.hasSeen === "function") {
+    try {
+      if (opts.seenCodeStore.hasSeen(flow.code)) {
+        issues.push({
+          kind: "code-reused", severity: "critical",
+          ruleId: "oauth.code-reused",
+          snippet: "authorization code already exchanged — replay class " +
+                   "(RFC 6749 §10.5)",
+        });
+      }
+    } catch (_e) { /* drop-silent — operator-supplied store */ }
+  }
+
+  return issues;
+}
+
+function validate(input, opts) {
+  opts = _resolveOpts(opts);
+  numericBounds.requireAllPositiveFiniteIntIfPresent(opts,
+    ["maxBytes", "maxParamBytes"],
+    "guardOauth.validate", GuardOauthError, "oauth.bad-opt");
+  return gateContract.aggregateIssues(_detectIssues(input, opts));
+}
+
+function sanitize(input, opts) {
+  opts = _resolveOpts(opts);
+  // OAuth flows can't be repaired — sanitize either passes through
+  // valid input or throws.
+  var issues = _detectIssues(input, opts);
+  for (var i = 0; i < issues.length; i += 1) {
+    if (issues[i].severity === "critical" || issues[i].severity === "high") {
+      throw _err(issues[i].ruleId || "oauth.refused",
+        "guardOauth.sanitize: " + issues[i].snippet);
+    }
+  }
+  return input;
+}
+
+function gate(opts) {
+  opts = _resolveOpts(opts);
+  return gateContract.buildGuardGate(
+    opts.name || "guardOauth:" + (opts.profile || "default"),
+    opts,
+    async function (ctx) {
+      var flow = ctx && (ctx.oauthFlow || ctx.flow);
+      if (!flow) return { ok: true, action: "serve" };
+      var rv = validate(flow, opts);
+      if (rv.issues.length === 0) return { ok: true, action: "serve" };
+      var hasCritical = rv.issues.some(function (i) {
+        return i.severity === "critical";
+      });
+      var hasHigh = rv.issues.some(function (i) {
+        return i.severity === "high";
+      });
+      if (!hasCritical && !hasHigh) {
+        return { ok: true, action: "audit-only", issues: rv.issues };
+      }
+      return { ok: false, action: "refuse", issues: rv.issues };
+    });
+}
+
+var buildProfile = gateContract.makeProfileBuilder(PROFILES);
+
+function compliancePosture(name) {
+  return gateContract.lookupCompliancePosture(name, COMPLIANCE_POSTURES,
+    _err, "oauth");
+}
+
+var _oauthRulePacks = gateContract.makeRulePackLoader(GuardOauthError, "oauth");
+var loadRulePack = _oauthRulePacks.load;
+
+module.exports = {
+  // ---- guard-* family registry exports ----
+  NAME:                "oauth",
+  KIND:                "oauth-flow",
+  INTEGRATION_FIXTURES: Object.freeze({
+    kind:              "oauth-flow",
+    benignBytes:       Buffer.from(JSON.stringify({
+      response_type: "code",
+      redirect_uri:  "https://app.example.com/callback",
+      state:         "csrf-rand-1",
+      scope:         "openid profile",
+      code_challenge: "abc123def456ghi789jkl012mno345pqr678",                   // allow:raw-byte-literal — base64url-shaped fixture
+      code_challenge_method: "S256",
+    }), "utf8"),
+    hostileBytes:      Buffer.from(JSON.stringify({
+      response_type: "code",
+      redirect_uri:  "https://attacker.example/callback",
+      // state missing — CSRF class
+      scope:         "openid",
+    }), "utf8"),
+    benignOauthFlow: {
+      response_type: "code",
+      redirect_uri:  "https://app.example.com/callback",
+      state:         "csrf-rand-1",
+      scope:         "openid profile",
+      code_challenge: "abc123def456ghi789jkl012mno345pqr678",                   // allow:raw-byte-literal — base64url-shaped fixture
+      code_challenge_method: "S256",
+    },
+    hostileOauthFlow: {
+      response_type: "code",
+      redirect_uri:  "https://attacker.example/callback",
+      // state missing → state-missing refuse
+      scope:         "openid",
+    },
+  }),
+  // ---- primitive surface ----
+  validate:            validate,
+  sanitize:            sanitize,
+  gate:                gate,
+  buildProfile:        buildProfile,
+  compliancePosture:   compliancePosture,
+  loadRulePack:        loadRulePack,
+  PROFILES:            PROFILES,
+  DEFAULTS:            DEFAULTS,
+  COMPLIANCE_POSTURES: COMPLIANCE_POSTURES,
+  GuardOauthError:     GuardOauthError,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.50",
+  "version": "0.7.51",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:fd92fe0b-46b7-4794-836b-2b5e010a0fd5",
+  "serialNumber": "urn:uuid:dab55eee-319c-4677-a33f-e9950e36d7d8",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-05T22:18:17.867Z",
+    "timestamp": "2026-05-05T22:37:56.695Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.50",
+      "bom-ref": "@blamejs/core@0.7.51",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.50",
+      "version": "0.7.51",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.50",
+      "purl": "pkg:npm/%40blamejs/core@0.7.51",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.50",
+      "ref": "@blamejs/core@0.7.51",
       "dependsOn": []
     }
   ]