@blamejs/core 0.7.75 → 0.7.77

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.77** (2026-05-06) — Argon2 switched from vendored prebuilds to Node's built-in `crypto.argon2*` (Node 24+). The framework's `lib/vendor/argon2/` directory (with the `argon2.cjs` bundle and the `prebuilds/` tree of platform-specific `.glibc.node` / `.musl.node` artifacts for darwin-arm64 / darwin-x64 / freebsd-arm64 / freebsd-x64 / linux-arm / linux-arm64 / linux-x64 / win32-x64) is **deleted**. New `lib/argon2-builtin.js` is a thin wrapper over `crypto.argon2Sync` that produces and parses the PHC string format (`$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>`). Wire-format compatibility preserved: existing rows in operator databases continue to verify. Behavior preserved: `b.auth.password.hash` / `.verify` / `.needsRehash` retain their async signatures and return shapes; `b.vault.wrap` and `b.backupCrypto.deriveKey` use the same `raw: true` path for raw-bytes output. Operators wanting to supply their own argon2 implementation (pinned upstream, hardware-accelerated, etc.) override at the call site via `opts.argon2` — the supplied object MUST expose the same `hash` / `verify` / `needsRehash` shape. Drops ~440 KB of platform-specific native prebuilds from the repository and shipped npm tarball; eliminates a supply-chain hop. The vendor manifest's `argon2` entry is removed; `scripts/vendor-update.sh argon2` now refuses with a pointer to `lib/argon2-builtin.js`.
+
+- **0.7.76** (2026-05-06) — CVE-class web hardening sweep — Trojan Source (CVE-2021-42574) log defense + drive-by-MIME attachment opt for `staticServe`. **Trojan Source defense** in `b.log` output: every log line now post-processes Unicode bidi / format-control characters (U+061C / U+200E-200F / U+202A-202E / U+2066-2069) into their `\uXXXX` literal escape on the wire so a hostile log message can't re-order the visible line in a TTY / syslog / file reader. JSON.stringify alone does NOT escape these codepoints, so a captured-error message containing `U+202E` (RIGHT-TO-LEFT OVERRIDE) survives into the log surface and silently flips visible field/key associations. The escape applies to the entire serialized JSON line including any extras / bound-context fields. **`staticServe.create({ safeAttachmentForRiskyMimes: true })`** — opt-in flag that adds `Content-Disposition: attachment` to responses whose Content-Type is in the risky-inline-MIME set (`text/html`, `text/xml`, `application/xml`, `application/xhtml+xml`, `image/svg+xml`, `application/javascript`, `text/javascript`, `application/x-javascript`). Defends against drive-by execution of user-uploaded HTML / JS / SVG (CVE-2017-15012 SVG XSS / CVE-2009-1312 HTML drive-by class). Default `false` — operators serving framework asset bundles continue to render inline; operators serving user-content directories opt in. Filename is RFC 5987-encoded (ASCII filename + `filename*=UTF-8''...`) so non-ASCII filenames survive without allowing CR/LF header injection.
+
 - **0.7.75** (2026-05-06) — Audit-emit redaction pipeline. `b.audit.safeEmit` now scrubs the `actor` / `reason` / `metadata` fields through `b.redact.redact()` before they hit the audit handler. Operators who pass `metadata: { reason: e.message }` from a caught error could land DB connection strings, bearer tokens, JWT compact-serialization fixtures, AWS access keys, PEM private keys, SSH keys, credit cards, and SSNs in audit rows; the redact pipeline catches the common shapes (sensitive field names + value-shape detectors) and replaces them with markers (`[REDACTED]`, `[REDACTED-CONN-STRING]`, `[REDACTED-JWT]`, `[REDACTED-PEM]`, `[REDACTED-AWS-KEY]`, `[REDACTED-CC]`, `[REDACTED-SSN]`, `[REDACTED-SEALED]`, `[REDACTED-SSH-KEY]`). The `b.redact` primitive existed in lib/ since v0.4.x but was dead code — `audit.safeEmit` previously passed metadata through unchanged. New connection-string detector matches `protocol://user:pass@host` shapes that surface in error messages from external-DB / SMTP / HTTP drivers (RFC 3986 generic syntax). Drop-silent on redact failure — the pipeline never breaks the caller's audit attempt.
 
 - **0.7.74** (2026-05-06) — Email receive-side parity: DMARC aggregate (RUA) report parser + ARC trust evaluation + Authentication-Results header builder + TLS-RPT receive-side report parser. Closes the "framework can send mail compliantly but can't receive compliantly" gap. **`b.mail.dmarc.parseAggregateReport(xmlBytes, { contentType? })`** parses RFC 7489 §7.2 aggregate XML reports through the framework's existing `lib/parsers/safe-xml.js` (the existing security-focused XML parser handles XXE / DOCTYPE / entity-expansion defenses by default). Auto-detects gzip via magic bytes (`0x1f 0x8b`) or `Content-Type: application/gzip`. Returns `{ reportMetadata, policyPublished, records, totals }` with per-record source-IP / count / policy-evaluated dispositions / identifiers / DKIM + SPF auth results, plus aggregated `messages` / `aligned` / `notAligned` totals operators want for dashboards. Caps report size at 8 MiB and records-per-report at 10 000. **`b.mail.arc.evaluate(rfc822, { trustedSealers })`** wraps the existing `arc.verify` cryptographic chain check with the operator-side trust decision: given a passing chain, did any hop in the chain belong to a sealer the operator trusts? Returns `{ chainStatus, trusted, trustedHop, trustedDomain }` walking hops most-recent-first so the deepest trusted sealer wins. **`b.mail.authResults.emit({ authservId, results, fold? })`** builds the RFC 8601 Authentication-Results header value — operators consume per-method results from `b.mail.spf.verify` / `b.mail.dmarc.evaluate` / `b.mail.arc.verify`, hand them to `.emit`, and the framework formats the conformant header string with method-specific properties (`smtp.mailfrom`, `header.d`, `header.from`, `policy.iprev`, `policy.ip`, `policy.tls`). Refuses unknown methods / results at config-mistake time. **`b.network.smtp.tlsRpt.parseReport(body, { contentType? })`** is the receive-side counterpart to `tlsRpt.recordShape` / `tlsRpt.submit` — accepts a Buffer or string, auto-detects gzip, parses JSON, validates the RFC 8460 §4.4 required-fields shape (`organization-name`, `date-range`, `report-id`, `policies`), aggregates `total-successful-session-count` / `total-failure-session-count` across policies. Caps report size at 8 MiB and policies-per-report at 1024.

package/NOTICE

@@ -24,16 +24,6 @@ Copyright:   Copyright (c) 2023 Paul Miller (https://paulmillr.com)
 Used for:    XChaCha20-Poly1305 authenticated encryption (lib/crypto.js,
              lib/vault-wrap.js, via lib/vendor/noble-ciphers.cjs)
 --------------------------------------------------------------------------------
-Component:   argon2 (node-argon2)
-Version:     0.44.0
-Source:      https://github.com/ranisalt/node-argon2
-License:     MIT
-Copyright:   Copyright (c) 2017 Ranieri Althoff
-Used for:    Argon2id passphrase-derived key derivation in the vault wrap
-             format (lib/vault-wrap.js, via lib/vendor/argon2/). Native
-             prebuilds shipped for darwin-{arm64,x64}, freebsd-{arm64,x64},
-             linux-{arm,arm64,x64}, win32-x64.
---------------------------------------------------------------------------------
 Component:   @simplewebauthn/server
 Version:     13.3.0
 Source:      https://github.com/MasterKale/SimpleWebAuthn

package/README.md

@@ -114,7 +114,6 @@ All runtime dependencies are committed to the repo — no transitive npm install
 |---|---|---|---|
 | [`@noble/ciphers`](https://github.com/paulmillr/noble-ciphers) | 2.2.0 | [Paul Miller](https://github.com/paulmillr) | XChaCha20-Poly1305 AEAD |
 | [`@simplewebauthn/server`](https://github.com/MasterKale/SimpleWebAuthn) | 13.3.0 | [Matthew Miller](https://github.com/MasterKale) | WebAuthn / passkey verification |
-| [`argon2`](https://github.com/ranisalt/node-argon2) | 0.44.0 | [Ranieri Althoff](https://github.com/ranisalt) | Password hashing (native prebuilds, 8 platforms) |
 | [`@peculiar/x509`](https://github.com/PeculiarVentures/x509) + [`pkijs`](https://github.com/PeculiarVentures/PKI.js) | 2.0.0 + 3.4.0 | [Peculiar Ventures](https://github.com/PeculiarVentures) | Pure-JS mTLS CA — ECDSA P-384 cert signing, PKCS#12 packaging (no openssl CLI) |
 | [`SecLists` 10k-most-common.txt](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10k-most-common.txt) | master snapshot | [Daniel Miessler / SecLists contributors](https://github.com/danielmiessler/SecLists) (CC-BY-3.0) | Top-10000 common-password dictionary read by `b.auth.password.policy()` for the NIST 800-63B §5.1.1.2 "previously breached" check |
 | [`prismjs`](https://prismjs.com/) | 1.30.0 | [Lea Verou + contributors](https://github.com/PrismJS/prism) | Syntax highlighting in the example wiki's code blocks (browser-side) |

package/lib/argon2-builtin.js

@@ -0,0 +1,166 @@
+"use strict";
+/**
+ * Thin wrapper over Node's built-in `crypto.argon2` that produces and
+ * parses the PHC string format
+ * (`$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>`).
+ *
+ * Replaces the vendored `lib/vendor/argon2/` prebuilds (which the
+ * framework carried since v0.4.x). Node 24+ ships a stable
+ * `crypto.argon2*` API; vendoring the third-party native module is no
+ * longer necessary, eliminates the supply-chain weight of platform-
+ * specific prebuilds, and keeps the framework's "zero npm runtime
+ * deps" posture intact without dragging argon2 prebuild artifacts
+ * across every install.
+ *
+ * Operators wanting to supply their own argon2 implementation (e.g.
+ * pinned to a specific upstream commit, or routed through a hardware-
+ * backed accelerator) override at the call site by passing `argon2:`
+ * in opts to `b.auth.password.hash` / `.verify` / `.needsRehash`. The
+ * supplied object MUST expose the same `hash` / `verify` /
+ * `needsRehash` shape this wrapper exposes.
+ */
+
+var nodeCrypto = require("crypto");
+var blamejsCrypto = require("./crypto");
+var C = require("./constants");
+
+var ARGON2ID = "argon2id";
+
+// Argon2 v1.3 — the only version current implementations emit.
+var ARGON2_VERSION = 0x13;                                                       // allow:raw-byte-literal — argon2 algorithm version
+
+var DEFAULT_HASH_LENGTH = C.BYTES.bytes(32);
+var DEFAULT_SALT_LENGTH = C.BYTES.bytes(16);
+
+// Standard PHC base64 — no padding, alphabet [A-Za-z0-9+/].
+function _b64NoPad(buf) {
+  return buf.toString("base64").replace(/=+$/g, "");
+}
+
+function _fromB64NoPad(s) {
+  // Node tolerates missing padding in `Buffer.from(s, "base64")` so we
+  // pass straight through; the no-pad form is what PHC strings emit
+  // on the wire.
+  return Buffer.from(s, "base64");
+}
+
+function _phcEncode(salt, hash, params) {
+  return "$argon2id$v=" + ARGON2_VERSION +
+         "$m=" + params.memoryCost +
+         ",t=" + params.timeCost +
+         ",p=" + params.parallelism +
+         "$" + _b64NoPad(salt) +
+         "$" + _b64NoPad(hash);
+}
+
+// Parse a PHC string into structured form. Accepts only argon2id
+// shapes — argon2i / argon2d are intentionally not supported by the
+// framework wrapper.
+function _phcDecode(stored) {
+  if (typeof stored !== "string" || stored.length === 0) return null;
+  var parts = stored.split("$");
+  if (parts.length !== 6) return null;
+  if (parts[0] !== "" || parts[1] !== ARGON2ID) return null;
+  var ver = /^v=(\d+)$/.exec(parts[2]);
+  if (!ver) return null;
+  var version = parseInt(ver[1], 10);
+  if (!isFinite(version) || version <= 0) return null;
+  var paramTokens = parts[3].split(",");
+  var p = { memoryCost: NaN, timeCost: NaN, parallelism: NaN };
+  for (var i = 0; i < paramTokens.length; i += 1) {
+    var t = paramTokens[i];
+    var eq = t.indexOf("=");
+    if (eq === -1) return null;
+    var k = t.slice(0, eq);
+    var v = parseInt(t.slice(eq + 1), 10);
+    if (!isFinite(v)) return null;
+    if (k === "m") p.memoryCost = v;
+    else if (k === "t") p.timeCost = v;
+    else if (k === "p") p.parallelism = v;
+  }
+  if (!isFinite(p.memoryCost) || !isFinite(p.timeCost) || !isFinite(p.parallelism)) return null;
+  var salt;
+  var hash;
+  try { salt = _fromB64NoPad(parts[4]); }
+  catch (_e) { return null; }
+  try { hash = _fromB64NoPad(parts[5]); }
+  catch (_e) { return null; }
+  return { version: version, params: p, salt: salt, hash: hash };
+}
+
+function _runArgon2(message, salt, params, hashLength) {
+  // Use the async variant so the call queues onto the libuv threadpool
+  // instead of blocking the main event loop. argon2 with framework
+  // defaults (64 MiB / 3 passes / 1 lane) takes ~100ms per call;
+  // blocking the loop that long stalls every concurrent timer the
+  // test suite is also running and trips spurious flakes in
+  // safe-async-loops fixtures.
+  return new Promise(function (resolve, reject) {
+    nodeCrypto.argon2(ARGON2ID, {
+      message:     message,
+      nonce:       salt,
+      memory:      params.memoryCost,
+      passes:      params.timeCost,
+      parallelism: params.parallelism,
+      tagLength:   hashLength,
+    }, function (err, result) {
+      if (err) reject(err);
+      else resolve(result);
+    });
+  });
+}
+
+// ---- public surface ----
+
+async function hash(plain, opts) {
+  opts = opts || {};
+  var params = {
+    memoryCost:  opts.memoryCost  || C.BYTES.kib(64),                            // 64 MiB
+    timeCost:    opts.timeCost    || 3,
+    parallelism: opts.parallelism || 1,
+  };
+  var hashLength = opts.hashLength || DEFAULT_HASH_LENGTH;
+  var salt = opts.salt || nodeCrypto.randomBytes(DEFAULT_SALT_LENGTH);
+  var message = Buffer.isBuffer(plain) ? plain : Buffer.from(String(plain), "utf8");
+  var raw = await _runArgon2(message, salt, params, hashLength);
+  // raw: true — return the unwrapped Buffer (used by vault key
+  // derivation + backup KDF where the bytes feed directly into
+  // XChaCha20). Default produces a PHC-string-encoded password hash.
+  if (opts.raw === true) return raw;
+  return _phcEncode(salt, raw, params);
+}
+
+async function verify(stored, plain) {
+  var dec = _phcDecode(stored);
+  if (!dec) return false;
+  var message = Buffer.isBuffer(plain) ? plain : Buffer.from(String(plain), "utf8");
+  var actual;
+  try { actual = await _runArgon2(message, dec.salt, dec.params, dec.hash.length); }
+  catch (_e) { return false; }
+  return blamejsCrypto.timingSafeEqual(actual, dec.hash);
+}
+
+function needsRehash(stored, opts) {
+  opts = opts || {};
+  var dec = _phcDecode(stored);
+  if (!dec) return true;
+  if (dec.version !== ARGON2_VERSION) return true;
+  var memoryCost  = opts.memoryCost  || C.BYTES.kib(64);                         // same defaults as hash()
+  var timeCost    = opts.timeCost    || 3;
+  var parallelism = opts.parallelism || 1;
+  if (dec.params.memoryCost  < memoryCost)  return true;
+  if (dec.params.timeCost    < timeCost)    return true;
+  if (dec.params.parallelism < parallelism) return true;
+  return false;
+}
+
+module.exports = {
+  argon2id:    ARGON2ID,
+  hash:        hash,
+  verify:      verify,
+  needsRehash: needsRehash,
+  // Test-only — let the test harness exercise the PHC encode/decode
+  // round trip without re-running actual hashing.
+  _phcEncode:  _phcEncode,
+  _phcDecode:  _phcDecode,
+};

package/lib/auth/password.js

@@ -46,7 +46,7 @@
  * verify is NOT an error — it returns false. Errors are reserved for
  * "the call shape was wrong" (empty plain, oversize plain).
  */
-var argon2 = require("../vendor/argon2");
+var argon2 = require("../argon2-builtin");
 var C = require("../constants");
 var httpClient = require("../http-client");
 var hibpSha1 = require("../framework-sha1-hibp");

package/lib/backup/crypto.js

@@ -45,7 +45,7 @@ var nodeCrypto = require("node:crypto");
 var C = require("../constants");
 var safeBuffer = require("../safe-buffer");
 var { xchacha20poly1305 } = require("../vendor/noble-ciphers.cjs");
-var argon2 = require("../vendor/argon2");
+var argon2 = require("../argon2-builtin");
 var { FrameworkError } = require("../framework-error");
 
 class BackupCryptoError extends FrameworkError {

package/lib/log.js

@@ -279,6 +279,14 @@ function create(opts) {
         _logError: "extras not serializable",
       }) + "\n";
     }
+    // Trojan-Source defense (CVE-2021-42574). JSON.stringify does NOT
+    // escape Unicode bidi / format controls, so a hostile log message
+    // containing U+202E (RIGHT-TO-LEFT OVERRIDE) survives into TTY /
+    // syslog / file sinks where it can re-order the visible line —
+    // forging which fields appear under which keys when the operator
+    // reads the log. Escape the entire bidi/format-control set to
+    // `\uXXXX` literals on the wire.
+    line = _escapeBidiControls(line);
 
     var lvlNum = LEVELS[levelName];
     for (var s = 0; s < sinks.length; s++) {
@@ -479,6 +487,25 @@ function makeViaOrFallback(operatorLog, fallbackLog) {
 
 // Boot-time minimum level (debug suppressed unless explicitly enabled).
 // Uses raw process.env per the documented load-cycle exception: log.js
+// Trojan-Source defense (CVE-2021-42574). Replace Unicode bidi /
+// format-control characters with their `\uXXXX` literal escape so a
+// hostile log message can't re-order the visible line in a TTY /
+// syslog reader. Set covers:
+//   U+061C — Arabic Letter Mark
+//   U+200E/U+200F — LRM/RLM
+//   U+202A-U+202E — LRE/RLE/PDF/LRO/RLO
+//   U+2066-U+2069 — LRI/RLI/FSI/PDI
+var _BIDI_CONTROL_RE = /[؜‎‏‪‫‬‭‮⁦⁧⁨⁩]/g;
+
+function _escapeBidiControls(s) {
+  if (typeof s !== "string" || s.length === 0) return s;
+  return s.replace(_BIDI_CONTROL_RE, function (ch) {
+    var code = ch.charCodeAt(0).toString(16);                                      // allow:raw-byte-literal — Unicode hex radix
+    while (code.length < 4) code = "0" + code;
+    return "\\u" + code;
+  });
+}
+
 // runs before safeEnv on the boot path; safeEnv requires log, so log
 // can't go through safeEnv to read its own level.
 function _bootMinLevel() {

package/lib/static.js

@@ -208,6 +208,46 @@ function _contentTypeFor(filePath, table) {
   return (table && table[ext]) || DEFAULT_CONTENT_TYPES[ext] || "application/octet-stream";
 }
 
+// Risky MIMEs that the browser executes inline. When safeAttachment is
+// on, the framework forces Content-Disposition: attachment so
+// drive-by uploads can't be executed in the user's browser. Operators
+// serving trusted assets (CSS / JS bundle / SVG icon) opt out by NOT
+// setting safeAttachmentForRiskyMimes — leaving the existing inline
+// default. The defense is per-CVE-2017-15012 (SVG XSS) /
+// CVE-2009-1312 (HTML drive-by) class.
+var RISKY_INLINE_MIMES = {
+  "text/html":              true,
+  "text/xml":               true,
+  "application/xml":        true,
+  "application/xhtml+xml":  true,
+  "image/svg+xml":          true,
+  "application/javascript": true,
+  "text/javascript":        true,
+  "application/x-javascript": true,
+};
+
+function _isRiskyInlineMime(contentType) {
+  if (typeof contentType !== "string" || contentType.length === 0) return false;
+  // Strip parameters like "; charset=utf-8".
+  var semi = contentType.indexOf(";");
+  var bare = (semi === -1 ? contentType : contentType.slice(0, semi)).trim().toLowerCase();
+  return RISKY_INLINE_MIMES[bare] === true;
+}
+
+// Build a safe Content-Disposition value for an attachment. The
+// filename is RFC 5987-encoded so non-ASCII characters survive without
+// allowing CR/LF header injection.
+function _attachmentDisposition(filePath) {
+  var name = path.basename(filePath);
+  // Refuse CR/LF/NUL outright — they're already filtered upstream by
+  // the path-traversal guard, but defense-in-depth here.
+  if (/[\r\n\0]/.test(name)) name = "download";
+  // ASCII-safe filename (replace non-ASCII with _) plus filename* = UTF-8 form.
+  var asciiName = name.replace(/[^\x20-\x7e]/g, "_").replace(/["\\]/g, "_");
+  var encName = encodeURIComponent(name);
+  return 'attachment; filename="' + asciiName + '"; filename*=UTF-8\'\'' + encName;
+}
+
 // _parseRangeHeader — RFC 7233 single-range parser. Returns null when:
 //   - header absent
 //   - syntactically malformed (not `bytes=`, multi-range, suffix syntax
@@ -331,6 +371,8 @@ function _validateCreateOpts(opts) {
   validateOpts.optionalBoolean(opts.acceptRanges, "staticServe.create: acceptRanges", StaticServeError);
   validateOpts.optionalBoolean(opts.auditSuccess, "staticServe.create: auditSuccess", StaticServeError);
   validateOpts.optionalBoolean(opts.auditFailures, "staticServe.create: auditFailures", StaticServeError);
+  validateOpts.optionalBoolean(opts.safeAttachmentForRiskyMimes,
+    "staticServe.create: safeAttachmentForRiskyMimes", StaticServeError);
   numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxBytesPerActorPerWindowMs,
     "staticServe.create: maxBytesPerActorPerWindowMs", StaticServeError, "BAD_OPT");
   numericBounds.requireNonNegativeFiniteIntIfPresent(opts.maxBytesAllActorsPerWindowMs,
@@ -507,6 +549,7 @@ function create(opts) {
   var auditSuccess    = cfg.auditSuccess;
   var auditFailures   = cfg.auditFailures;
   var acceptRanges    = cfg.acceptRanges;
+  var safeAttachment  = !!cfg.safeAttachmentForRiskyMimes;
   var perActorCap     = cfg.maxBytesPerActorPerWindowMs;
   var globalCap       = cfg.maxBytesAllActorsPerWindowMs;
   var bandwidthWindowMs = cfg.bandwidthWindowMs;
@@ -851,6 +894,13 @@ function create(opts) {
       "Last-Modified":  meta.lastModified,
       "X-Integrity":    meta.integrity,
     };
+    // Drive-by-execution defense — when safeAttachmentForRiskyMimes is
+    // on, force Content-Disposition: attachment for HTML / JS / SVG /
+    // XML so the browser downloads instead of rendering. Operator's
+    // onServe hook can override.
+    if (safeAttachment && _isRiskyInlineMime(headers["Content-Type"])) {
+      headers["Content-Disposition"] = _attachmentDisposition(absPath);
+    }
     if (acceptRanges) headers["Accept-Ranges"] = "bytes";
     if (range) headers["Content-Range"] = "bytes " + range.start + "-" + range.end + "/" + meta.size;
 

package/lib/vault/wrap.js

@@ -25,7 +25,7 @@
  * This module is PURE — no filesystem I/O. Callers handle reading/writing.
  * wrap() and unwrap() are async because Argon2 is async via its native binding.
  */
-var argon2 = require("../vendor/argon2");
+var argon2 = require("../argon2-builtin");
 var C = require("../constants");
 var { xchacha20poly1305 } = require("../vendor/noble-ciphers.cjs");
 var { generateBytes } = require("../crypto");

package/lib/vendor/MANIFEST.json

@@ -18,36 +18,6 @@
         "server": "sha256:5d539dfc9ef47121d4c09bd7256d76448a1f5ac47ee09ac44c78ff6a062af9ab"
       }
     },
-    "argon2": {
-      "version": "0.44.0",
-      "license": "MIT",
-      "author": "Ranieri Althoff",
-      "source": "https://github.com/ranisalt/node-argon2",
-      "exports": [
-        "hash",
-        "verify"
-      ],
-      "files": {
-        "server": "lib/vendor/argon2/argon2.cjs",
-        "prebuilds": "lib/vendor/argon2/prebuilds/"
-      },
-      "platforms": [
-        "darwin-arm64",
-        "darwin-x64",
-        "freebsd-arm64",
-        "freebsd-x64",
-        "linux-arm",
-        "linux-arm64",
-        "linux-x64",
-        "win32-x64"
-      ],
-      "bundler": "esbuild --format=cjs --platform=node (inlines @phc/format + node-gyp-build)",
-      "bundledAt": "2026-04-25",
-      "hashes": {
-        "server": "sha256:93b8d2fb7f24dc1b3304dc9420844d5e1afc199c41ab1f9a90c8de48cc7c2359",
-        "prebuilds": "sha256-tree:65921b7cf331e0a9430a1b52440da8f26cdf9d215a4cd490edbc4804dd713df3"
-      }
-    },
     "@simplewebauthn/server": {
       "version": "13.3.0",
       "license": "MIT",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.75",
+  "version": "0.7.77",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:029bc278-cc4e-40cb-9b56-3102289527e4",
+  "serialNumber": "urn:uuid:3d6aa43b-6da6-44c8-a687-434e93ef3b07",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T04:13:02.729Z",
+    "timestamp": "2026-05-06T04:48:07.561Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.75",
+      "bom-ref": "@blamejs/core@0.7.77",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.75",
+      "version": "0.7.77",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.75",
+      "purl": "pkg:npm/%40blamejs/core@0.7.77",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.75",
+      "ref": "@blamejs/core@0.7.77",
       "dependsOn": []
     }
   ]

package/lib/vendor/argon2/argon2.cjs

@@ -1,466 +0,0 @@
-// argon2 v0.44.0 — MIT License (c) Ranieri Althoff — https://github.com/ranisalt/node-argon2
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __commonJS = (cb, mod) => function __require() {
-  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
-};
-
-// node_modules/@phc/format/index.js
-var require_format = __commonJS({
-  "node_modules/@phc/format/index.js"(exports2, module2) {
-    var idRegex = /^[a-z0-9-]{1,32}$/;
-    var nameRegex = /^[a-z0-9-]{1,32}$/;
-    var valueRegex = /^[a-zA-Z0-9/+.-]+$/;
-    var b64Regex = /^([a-zA-Z0-9/+.-]+|)$/;
-    var decimalRegex = /^((-)?[1-9]\d*|0)$/;
-    var versionRegex = /^v=(\d+)$/;
-    function objToKeyVal(obj) {
-      return objectKeys(obj).map((k) => [k, obj[k]].join("=")).join(",");
-    }
-    function keyValtoObj(str) {
-      const obj = {};
-      str.split(",").forEach((ps) => {
-        const pss = ps.split("=");
-        if (pss.length < 2) {
-          throw new TypeError(`params must be in the format name=value`);
-        }
-        obj[pss.shift()] = pss.join("=");
-      });
-      return obj;
-    }
-    function objectKeys(object) {
-      return Object.keys(object);
-    }
-    function objectValues(object) {
-      if (typeof Object.values === "function") return Object.values(object);
-      return objectKeys(object).map((k) => object[k]);
-    }
-    function serialize(opts) {
-      const fields = [""];
-      if (typeof opts !== "object" || opts === null) {
-        throw new TypeError("opts must be an object");
-      }
-      if (typeof opts.id !== "string") {
-        throw new TypeError("id must be a string");
-      }
-      if (!idRegex.test(opts.id)) {
-        throw new TypeError(`id must satisfy ${idRegex}`);
-      }
-      fields.push(opts.id);
-      if (typeof opts.version !== "undefined") {
-        if (typeof opts.version !== "number" || opts.version < 0 || !Number.isInteger(opts.version)) {
-          throw new TypeError("version must be a positive integer number");
-        }
-        fields.push(`v=${opts.version}`);
-      }
-      if (typeof opts.params !== "undefined") {
-        if (typeof opts.params !== "object" || opts.params === null) {
-          throw new TypeError("params must be an object");
-        }
-        const pk = objectKeys(opts.params);
-        if (!pk.every((p) => nameRegex.test(p))) {
-          throw new TypeError(`params names must satisfy ${nameRegex}`);
-        }
-        pk.forEach((k) => {
-          if (typeof opts.params[k] === "number") {
-            opts.params[k] = opts.params[k].toString();
-          } else if (Buffer.isBuffer(opts.params[k])) {
-            opts.params[k] = opts.params[k].toString("base64").split("=")[0];
-          }
-        });
-        const pv = objectValues(opts.params);
-        if (!pv.every((v) => typeof v === "string")) {
-          throw new TypeError("params values must be strings");
-        }
-        if (!pv.every((v) => valueRegex.test(v))) {
-          throw new TypeError(`params values must satisfy ${valueRegex}`);
-        }
-        const strpar = objToKeyVal(opts.params);
-        fields.push(strpar);
-      }
-      if (typeof opts.salt !== "undefined") {
-        if (!Buffer.isBuffer(opts.salt)) {
-          throw new TypeError("salt must be a Buffer");
-        }
-        fields.push(opts.salt.toString("base64").split("=")[0]);
-        if (typeof opts.hash !== "undefined") {
-          if (!Buffer.isBuffer(opts.hash)) {
-            throw new TypeError("hash must be a Buffer");
-          }
-          fields.push(opts.hash.toString("base64").split("=")[0]);
-        }
-      }
-      const phcstr = fields.join("$");
-      return phcstr;
-    }
-    function deserialize(phcstr) {
-      if (typeof phcstr !== "string" || phcstr === "") {
-        throw new TypeError("pchstr must be a non-empty string");
-      }
-      if (phcstr[0] !== "$") {
-        throw new TypeError("pchstr must contain a $ as first char");
-      }
-      const fields = phcstr.split("$");
-      fields.shift();
-      let maxf = 5;
-      if (!versionRegex.test(fields[1])) maxf--;
-      if (fields.length > maxf) {
-        throw new TypeError(
-          `pchstr contains too many fileds: ${fields.length}/${maxf}`
-        );
-      }
-      const id = fields.shift();
-      if (!idRegex.test(id)) {
-        throw new TypeError(`id must satisfy ${idRegex}`);
-      }
-      let version;
-      if (versionRegex.test(fields[0])) {
-        version = parseInt(fields.shift().match(versionRegex)[1], 10);
-      }
-      let hash;
-      let salt;
-      if (b64Regex.test(fields[fields.length - 1])) {
-        if (fields.length > 1 && b64Regex.test(fields[fields.length - 2])) {
-          hash = Buffer.from(fields.pop(), "base64");
-          salt = Buffer.from(fields.pop(), "base64");
-        } else {
-          salt = Buffer.from(fields.pop(), "base64");
-        }
-      }
-      let params;
-      if (fields.length > 0) {
-        const parstr = fields.pop();
-        params = keyValtoObj(parstr);
-        if (!objectKeys(params).every((p) => nameRegex.test(p))) {
-          throw new TypeError(`params names must satisfy ${nameRegex}`);
-        }
-        const pv = objectValues(params);
-        if (!pv.every((v) => valueRegex.test(v))) {
-          throw new TypeError(`params values must satisfy ${valueRegex}`);
-        }
-        const pk = objectKeys(params);
-        pk.forEach((k) => {
-          params[k] = decimalRegex.test(params[k]) ? parseInt(params[k], 10) : params[k];
-        });
-      }
-      if (fields.length > 0) {
-        throw new TypeError(`pchstr contains unrecognized fileds: ${fields}`);
-      }
-      const phcobj = { id };
-      if (version) phcobj.version = version;
-      if (params) phcobj.params = params;
-      if (salt) phcobj.salt = salt;
-      if (hash) phcobj.hash = hash;
-      return phcobj;
-    }
-    module2.exports = {
-      serialize,
-      deserialize
-    };
-  }
-});
-
-// node_modules/node-gyp-build/node-gyp-build.js
-var require_node_gyp_build = __commonJS({
-  "node_modules/node-gyp-build/node-gyp-build.js"(exports2, module2) {
-    var fs = require("fs");
-    var path = require("path");
-    var os = require("os");
-    var runtimeRequire = typeof __webpack_require__ === "function" ? __non_webpack_require__ : require;
-    var vars = process.config && process.config.variables || {};
-    var prebuildsOnly = !!process.env.PREBUILDS_ONLY;
-    var abi = process.versions.modules;
-    var runtime = isElectron() ? "electron" : isNwjs() ? "node-webkit" : "node";
-    var arch = process.env.npm_config_arch || os.arch();
-    var platform = process.env.npm_config_platform || os.platform();
-    var libc = process.env.LIBC || (isAlpine(platform) ? "musl" : "glibc");
-    var armv = process.env.ARM_VERSION || (arch === "arm64" ? "8" : vars.arm_version) || "";
-    var uv = (process.versions.uv || "").split(".")[0];
-    module2.exports = load;
-    function load(dir) {
-      return runtimeRequire(load.resolve(dir));
-    }
-    load.resolve = load.path = function(dir) {
-      dir = path.resolve(dir || ".");
-      try {
-        var name = runtimeRequire(path.join(dir, "package.json")).name.toUpperCase().replace(/-/g, "_");
-        if (process.env[name + "_PREBUILD"]) dir = process.env[name + "_PREBUILD"];
-      } catch (err) {
-      }
-      if (!prebuildsOnly) {
-        var release = getFirst(path.join(dir, "build/Release"), matchBuild);
-        if (release) return release;
-        var debug = getFirst(path.join(dir, "build/Debug"), matchBuild);
-        if (debug) return debug;
-      }
-      var prebuild = resolve(dir);
-      if (prebuild) return prebuild;
-      var nearby = resolve(path.dirname(process.execPath));
-      if (nearby) return nearby;
-      var target = [
-        "platform=" + platform,
-        "arch=" + arch,
-        "runtime=" + runtime,
-        "abi=" + abi,
-        "uv=" + uv,
-        armv ? "armv=" + armv : "",
-        "libc=" + libc,
-        "node=" + process.versions.node,
-        process.versions.electron ? "electron=" + process.versions.electron : "",
-        typeof __webpack_require__ === "function" ? "webpack=true" : ""
-        // eslint-disable-line
-      ].filter(Boolean).join(" ");
-      throw new Error("No native build was found for " + target + "\n    loaded from: " + dir + "\n");
-      function resolve(dir2) {
-        var tuples = readdirSync(path.join(dir2, "prebuilds")).map(parseTuple);
-        var tuple = tuples.filter(matchTuple(platform, arch)).sort(compareTuples)[0];
-        if (!tuple) return;
-        var prebuilds = path.join(dir2, "prebuilds", tuple.name);
-        var parsed = readdirSync(prebuilds).map(parseTags);
-        var candidates = parsed.filter(matchTags(runtime, abi));
-        var winner = candidates.sort(compareTags(runtime))[0];
-        if (winner) return path.join(prebuilds, winner.file);
-      }
-    };
-    function readdirSync(dir) {
-      try {
-        return fs.readdirSync(dir);
-      } catch (err) {
-        return [];
-      }
-    }
-    function getFirst(dir, filter) {
-      var files = readdirSync(dir).filter(filter);
-      return files[0] && path.join(dir, files[0]);
-    }
-    function matchBuild(name) {
-      return /\.node$/.test(name);
-    }
-    function parseTuple(name) {
-      var arr = name.split("-");
-      if (arr.length !== 2) return;
-      var platform2 = arr[0];
-      var architectures = arr[1].split("+");
-      if (!platform2) return;
-      if (!architectures.length) return;
-      if (!architectures.every(Boolean)) return;
-      return { name, platform: platform2, architectures };
-    }
-    function matchTuple(platform2, arch2) {
-      return function(tuple) {
-        if (tuple == null) return false;
-        if (tuple.platform !== platform2) return false;
-        return tuple.architectures.includes(arch2);
-      };
-    }
-    function compareTuples(a, b) {
-      return a.architectures.length - b.architectures.length;
-    }
-    function parseTags(file) {
-      var arr = file.split(".");
-      var extension = arr.pop();
-      var tags = { file, specificity: 0 };
-      if (extension !== "node") return;
-      for (var i = 0; i < arr.length; i++) {
-        var tag = arr[i];
-        if (tag === "node" || tag === "electron" || tag === "node-webkit") {
-          tags.runtime = tag;
-        } else if (tag === "napi") {
-          tags.napi = true;
-        } else if (tag.slice(0, 3) === "abi") {
-          tags.abi = tag.slice(3);
-        } else if (tag.slice(0, 2) === "uv") {
-          tags.uv = tag.slice(2);
-        } else if (tag.slice(0, 4) === "armv") {
-          tags.armv = tag.slice(4);
-        } else if (tag === "glibc" || tag === "musl") {
-          tags.libc = tag;
-        } else {
-          continue;
-        }
-        tags.specificity++;
-      }
-      return tags;
-    }
-    function matchTags(runtime2, abi2) {
-      return function(tags) {
-        if (tags == null) return false;
-        if (tags.runtime && tags.runtime !== runtime2 && !runtimeAgnostic(tags)) return false;
-        if (tags.abi && tags.abi !== abi2 && !tags.napi) return false;
-        if (tags.uv && tags.uv !== uv) return false;
-        if (tags.armv && tags.armv !== armv) return false;
-        if (tags.libc && tags.libc !== libc) return false;
-        return true;
-      };
-    }
-    function runtimeAgnostic(tags) {
-      return tags.runtime === "node" && tags.napi;
-    }
-    function compareTags(runtime2) {
-      return function(a, b) {
-        if (a.runtime !== b.runtime) {
-          return a.runtime === runtime2 ? -1 : 1;
-        } else if (a.abi !== b.abi) {
-          return a.abi ? -1 : 1;
-        } else if (a.specificity !== b.specificity) {
-          return a.specificity > b.specificity ? -1 : 1;
-        } else {
-          return 0;
-        }
-      };
-    }
-    function isNwjs() {
-      return !!(process.versions && process.versions.nw);
-    }
-    function isElectron() {
-      if (process.versions && process.versions.electron) return true;
-      if (process.env.ELECTRON_RUN_AS_NODE) return true;
-      return typeof window !== "undefined" && window.process && window.process.type === "renderer";
-    }
-    function isAlpine(platform2) {
-      return platform2 === "linux" && fs.existsSync("/etc/alpine-release");
-    }
-    load.parseTags = parseTags;
-    load.matchTags = matchTags;
-    load.compareTags = compareTags;
-    load.parseTuple = parseTuple;
-    load.matchTuple = matchTuple;
-    load.compareTuples = compareTuples;
-  }
-});
-
-// node_modules/node-gyp-build/index.js
-var require_node_gyp_build2 = __commonJS({
-  "node_modules/node-gyp-build/index.js"(exports2, module2) {
-    var runtimeRequire = typeof __webpack_require__ === "function" ? __non_webpack_require__ : require;
-    if (typeof runtimeRequire.addon === "function") {
-      module2.exports = runtimeRequire.addon.bind(runtimeRequire);
-    } else {
-      module2.exports = require_node_gyp_build();
-    }
-  }
-});
-
-// node_modules/argon2/argon2.cjs
-var require_argon2 = __commonJS({
-  "node_modules/argon2/argon2.cjs"(exports2, module2) {
-    var { randomBytes, timingSafeEqual } = require("node:crypto");
-    var { promisify } = require("node:util");
-    var { deserialize, serialize } = require_format();
-    var gypBuild = require_node_gyp_build2();
-    var { hash: bindingsHash } = gypBuild(__dirname);
-    var generateSalt = promisify(randomBytes);
-    var argon2d = 0;
-    var argon2i = 1;
-    var argon2id = 2;
-    module2.exports.argon2d = argon2d;
-    module2.exports.argon2i = argon2i;
-    module2.exports.argon2id = argon2id;
-    var types = Object.freeze({ argon2d, argon2i, argon2id });
-    var names = Object.freeze({
-      [types.argon2d]: "argon2d",
-      [types.argon2i]: "argon2i",
-      [types.argon2id]: "argon2id"
-    });
-    var defaults = {
-      hashLength: 32,
-      timeCost: 3,
-      memoryCost: 1 << 16,
-      parallelism: 4,
-      type: argon2id,
-      version: 19
-    };
-    async function hash(password, options) {
-      let { raw, salt, ...rest } = { ...defaults, ...options };
-      if (rest.hashLength > 2 ** 32 - 1) {
-        throw new RangeError("Hash length is too large");
-      }
-      if (rest.memoryCost > 2 ** 32 - 1) {
-        throw new RangeError("Memory cost is too large");
-      }
-      if (rest.timeCost > 2 ** 32 - 1) {
-        throw new RangeError("Time cost is too large");
-      }
-      if (rest.parallelism > 2 ** 24 - 1) {
-        throw new RangeError("Parallelism is too large");
-      }
-      salt = salt ?? await generateSalt(16);
-      const {
-        hashLength,
-        secret = Buffer.alloc(0),
-        type,
-        version,
-        memoryCost: m,
-        timeCost: t,
-        parallelism: p,
-        associatedData: data = Buffer.alloc(0)
-      } = rest;
-      const hash2 = await bindingsHash({
-        password: Buffer.from(password),
-        salt,
-        secret,
-        data,
-        hashLength,
-        m,
-        t,
-        p,
-        version,
-        type
-      });
-      if (raw) {
-        return hash2;
-      }
-      return serialize({
-        id: names[type],
-        version,
-        params: { m, t, p, ...data.byteLength > 0 ? { data } : {} },
-        salt,
-        hash: hash2
-      });
-    }
-    module2.exports.hash = hash;
-    function needsRehash(digest, options = {}) {
-      const { memoryCost, timeCost, parallelism, version } = {
-        ...defaults,
-        ...options
-      };
-      const {
-        version: v,
-        params: { m, t, p }
-      } = deserialize(digest);
-      return +v !== +version || +m !== +memoryCost || +t !== +timeCost || +p !== +parallelism;
-    }
-    module2.exports.needsRehash = needsRehash;
-    async function verify(digest, password, options = {}) {
-      const { id, ...rest } = deserialize(digest);
-      if (!(id in types)) {
-        return false;
-      }
-      const {
-        version = 16,
-        params: { m, t, p, data = "" },
-        salt,
-        hash: hash2
-      } = rest;
-      const { secret = Buffer.alloc(0) } = options;
-      return timingSafeEqual(
-        await bindingsHash({
-          password: Buffer.from(password),
-          salt,
-          secret,
-          data: Buffer.from(data, "base64"),
-          hashLength: hash2.byteLength,
-          m: +m,
-          t: +t,
-          p: +p,
-          version: +version,
-          type: types[id]
-        }),
-        hash2
-      );
-    }
-    module2.exports.verify = verify;
-  }
-});
-
-// _bundle-argon2.cjs
-module.exports = require_argon2();

package/lib/vendor/argon2/argon2.d.cts

@@ -1,62 +0,0 @@
-export type Options = {
-    hashLength?: number | undefined;
-    timeCost?: number | undefined;
-    memoryCost?: number | undefined;
-    parallelism?: number | undefined;
-    type?: 0 | 1 | 2 | undefined;
-    version?: number | undefined;
-    salt?: Buffer | undefined;
-    associatedData?: Buffer | undefined;
-    secret?: Buffer | undefined;
-};
-export const argon2d: 0;
-export const argon2i: 1;
-export const argon2id: 2;
-/**
- * Hashes a password with Argon2, producing a raw hash
- *
- * @overload
- * @param {Buffer | string} password The plaintext password to be hashed
- * @param {Options & { raw: true }} options The parameters for Argon2
- * @returns {Promise<Buffer>} The raw hash generated from `password`
- */
-export function hash(password: Buffer | string, options: Options & {
-    raw: true;
-}): Promise<Buffer>;
-/**
- * Hashes a password with Argon2, producing an encoded hash
- *
- * @overload
- * @param {Buffer | string} password The plaintext password to be hashed
- * @param {Options & { raw?: boolean }} [options] The parameters for Argon2
- * @returns {Promise<string>} The encoded hash generated from `password`
- */
-export function hash(password: Buffer | string, options?: (Options & {
-    raw?: boolean;
-}) | undefined): Promise<string>;
-/**
- * @param {string} digest The digest to be checked
- * @param {Object} [options] The current parameters for Argon2
- * @param {number} [options.timeCost=3]
- * @param {number} [options.memoryCost=65536]
- * @param {number} [options.parallelism=4]
- * @param {number} [options.version=0x13]
- * @returns {boolean} `true` if the digest parameters do not match the parameters in `options`, otherwise `false`
- */
-export function needsRehash(digest: string, options?: {
-    timeCost?: number | undefined;
-    memoryCost?: number | undefined;
-    parallelism?: number | undefined;
-    version?: number | undefined;
-} | undefined): boolean;
-/**
- * @param {string} digest The digest to be checked
- * @param {Buffer | string} password The plaintext password to be verified
- * @param {Object} [options] The current parameters for Argon2
- * @param {Buffer} [options.secret]
- * @returns {Promise<boolean>} `true` if the digest parameters matches the hash generated from `password`, otherwise `false`
- */
-export function verify(digest: string, password: Buffer | string, options?: {
-    secret?: Buffer | undefined;
-} | undefined): Promise<boolean>;
-//# sourceMappingURL=argon2.d.cts.map

package/lib/vendor/argon2/package.json

@@ -1 +0,0 @@
-{"name":"argon2","version":"0.44.0","main":"argon2.cjs"}