@blamejs/core 0.7.77 → 0.7.79

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.79** (2026-05-06) — PQC TLS handshake key shares + DB hardening sweep (3 items). **`b.network.tls.pqc`** — operator-facing TLS 1.3 key-share configuration. The framework's app-layer envelope has been PQC-first since v0.7.28 (ML-KEM-1024 + X25519 hybrid for sealed records); this slice extends PQC posture down to the **TLS handshake itself**. `b.network.tls.pqc.setKeyShares(["X25519MLKEM768", "X25519", "secp256r1"])` configures the TLS 1.3 key-share groups the framework's `https.Server` / `https.Agent` advertises. The first listed group is the operator priority; the peer picks the first mutually supported entry. **`X25519MLKEM768`** is the IETF draft-kwiatkowski-tls-ecdhe-mlkem-02 hybrid KEM that negotiates post-quantum + classical in one handshake — forward-secrecy survives both classical-CRQC and future quantum cryptanalysis. Default list is `["X25519MLKEM768", "X25519", "secp256r1"]` so the framework attempts hybrid first, falls back to classical X25519 with peers that don't support the hybrid (most of the public web today), and to `secp256r1` for legacy peers. **`b.network.tls.applyToContext({ base })`** now threads the configured key-share list through as the `groups` option to Node's TLS context (operators who explicitly set `groups` in their `base` config keep the override). Operators wanting classical-only call `b.network.tls.pqc.setKeyShares(["X25519"])`; calling `.resetKeyShares()` restores the default. Requires Node 24+ with OpenSSL 3.5+ for the X25519MLKEM768 group; older Node falls back silently to the classical entries. **DB hardening: PRAGMA integrity_check at boot** — `b.db.init` now runs `PRAGMA integrity_check` after the existing PRAGMA block and refuses boot if SQLite reports anything other than `"ok"`. Catches B-tree corruption at boot rather than letting it surface mid-query when the engine stumbles on a bad page. Skip via `opts.skipIntegrityCheck: true` for tmpfs-only fixtures (audited reason). **DB hardening: migration-lock holder ID boot token** — `lib/external-db-migrate.js:_lockHolderId()` now appends a per-process random 8-byte boot token, so a recycled PID-on-hostname slot after a container restart can't be misattributed back to the new boot when reading stale lock rows. Closes the PID-reuse-across-container-restart concurrent-ownership window flagged in the v0.7.67 audit batch.
+
+- **0.7.78** (2026-05-06) — `b.cloudEvents.wrap` / `.parse` — CloudEvents 1.0 envelope (cloudevents.io/spec/v1.0). Vendor-neutral event-format spec adopted by AWS EventBridge, Knative, Azure Event Grid, Google Eventarc, Datadog, and the broader CNCF event ecosystem; operators wrap outbound events from webhook / pubsub / queue boundaries to interop with these consumers without each consumer learning a bespoke shape. **`b.cloudEvents.wrap({ source, type, data?, subject?, time?, id?, datacontenttype?, dataschema?, extensions? })`** produces a CloudEvents 1.0 envelope: required attributes (`id` auto-minted as RFC 4122 v4 UUID when omitted, `source`, `specversion="1.0"`, `type`, `time` auto-set to `new Date().toISOString()`), optional attributes (`subject`, `datacontenttype` auto-set to `"application/json"` when `data` is JSON-serializable or `"application/octet-stream"` when `data` is a `Buffer` — base64-encoded into `data_base64`, `dataschema`), plus operator-defined extension attributes that conform to the §3.1 naming rules (lowercase ASCII alnum, 1-20 chars). **`b.cloudEvents.parse(envelope)`** validates the envelope shape and returns a structured form with `extensions` surfaced as a separate object so consumers can route on operator-defined fields without grepping the envelope. Refuses `data` + `data_base64` together (CloudEvents §3.1.1), unsupported specversion, missing required attributes, malformed extension names. **Test cleanup**: the `testAuditSafeEmitRedacts` smoke fixture from v0.7.75 now registers the `test` audit namespace before emitting so the audit handler's noise log line ("namespace 'test' is not registered") doesn't appear in CI smoke output.
+
 - **0.7.77** (2026-05-06) — Argon2 switched from vendored prebuilds to Node's built-in `crypto.argon2*` (Node 24+). The framework's `lib/vendor/argon2/` directory (with the `argon2.cjs` bundle and the `prebuilds/` tree of platform-specific `.glibc.node` / `.musl.node` artifacts for darwin-arm64 / darwin-x64 / freebsd-arm64 / freebsd-x64 / linux-arm / linux-arm64 / linux-x64 / win32-x64) is **deleted**. New `lib/argon2-builtin.js` is a thin wrapper over `crypto.argon2Sync` that produces and parses the PHC string format (`$argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>`). Wire-format compatibility preserved: existing rows in operator databases continue to verify. Behavior preserved: `b.auth.password.hash` / `.verify` / `.needsRehash` retain their async signatures and return shapes; `b.vault.wrap` and `b.backupCrypto.deriveKey` use the same `raw: true` path for raw-bytes output. Operators wanting to supply their own argon2 implementation (pinned upstream, hardware-accelerated, etc.) override at the call site via `opts.argon2` — the supplied object MUST expose the same `hash` / `verify` / `needsRehash` shape. Drops ~440 KB of platform-specific native prebuilds from the repository and shipped npm tarball; eliminates a supply-chain hop. The vendor manifest's `argon2` entry is removed; `scripts/vendor-update.sh argon2` now refuses with a pointer to `lib/argon2-builtin.js`.
 
 - **0.7.76** (2026-05-06) — CVE-class web hardening sweep — Trojan Source (CVE-2021-42574) log defense + drive-by-MIME attachment opt for `staticServe`. **Trojan Source defense** in `b.log` output: every log line now post-processes Unicode bidi / format-control characters (U+061C / U+200E-200F / U+202A-202E / U+2066-2069) into their `\uXXXX` literal escape on the wire so a hostile log message can't re-order the visible line in a TTY / syslog / file reader. JSON.stringify alone does NOT escape these codepoints, so a captured-error message containing `U+202E` (RIGHT-TO-LEFT OVERRIDE) survives into the log surface and silently flips visible field/key associations. The escape applies to the entire serialized JSON line including any extras / bound-context fields. **`staticServe.create({ safeAttachmentForRiskyMimes: true })`** — opt-in flag that adds `Content-Disposition: attachment` to responses whose Content-Type is in the risky-inline-MIME set (`text/html`, `text/xml`, `application/xml`, `application/xhtml+xml`, `image/svg+xml`, `application/javascript`, `text/javascript`, `application/x-javascript`). Defends against drive-by execution of user-uploaded HTML / JS / SVG (CVE-2017-15012 SVG XSS / CVE-2009-1312 HTML drive-by class). Default `false` — operators serving framework asset bundles continue to render inline; operators serving user-content directories opt in. Filename is RFC 5987-encoded (ASCII filename + `filename*=UTF-8''...`) so non-ASCII filenames survive without allowing CR/LF header injection.

package/index.js

@@ -211,6 +211,7 @@ var fileUpload = require("./lib/file-upload");
 var dualControl = require("./lib/dual-control");
 var retention = require("./lib/retention");
 var network = require("./lib/network");
+var cloudEvents = require("./lib/cloud-events");
 
 module.exports = {
   crypto:           crypto,
@@ -357,6 +358,7 @@ module.exports = {
   dualControl:      dualControl,
   retention:        retention,
   network:          network,
+  cloudEvents:      cloudEvents,
   ntpCheck:         ntpCheck,
   version:          constants.version,
 };

package/lib/cloud-events.js

@@ -0,0 +1,210 @@
+"use strict";
+/**
+ * CloudEvents 1.0 envelope (cloudevents.io/spec/v1.0).
+ *
+ * A vendor-neutral event-format spec adopted by AWS EventBridge,
+ * Knative, Azure Event Grid, Google Eventarc, Datadog, and the
+ * CNCF event ecosystem. Operators wrap outbound events from
+ * webhook / pubsub / queue boundaries to interop with these
+ * consumers without each consumer having to learn a bespoke shape.
+ *
+ *   var ce = b.cloudEvents.wrap({
+ *     source: "/services/orders",
+ *     type:   "com.example.order.created",
+ *     subject: "order/o-1234",
+ *     data:    { id: "o-1234", total: 4250 },
+ *   });
+ *   // → {
+ *   //     specversion: "1.0",
+ *   //     id:          "<auto-uuid-v4>",
+ *   //     source:      "/services/orders",
+ *   //     type:        "com.example.order.created",
+ *   //     time:        "2026-05-06T...",
+ *   //     subject:     "order/o-1234",
+ *   //     datacontenttype: "application/json",
+ *   //     data:        { id: "o-1234", total: 4250 },
+ *   //   }
+ *
+ *   var ce = b.cloudEvents.parse(envelope);   // throws on shape violation
+ *
+ * Spec compliance — REQUIRED attributes (CloudEvents §3.1):
+ *   id, source, specversion, type
+ *
+ * OPTIONAL attributes:
+ *   datacontenttype, dataschema, subject, time, data, data_base64
+ *
+ * Operator-defined extension attributes are passed through unchanged
+ * if they conform to the spec's naming rules (lowercase ASCII letters
+ * + digits, length 1–20).
+ */
+
+var nodeCrypto = require("crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var CloudEventsError = defineClass("CloudEventsError", { alwaysPermanent: true });
+
+var SPECVERSION = "1.0";
+
+// CloudEvents §3.1 — required string attributes.
+var REQUIRED_ATTRS = ["id", "source", "specversion", "type"];
+
+// CloudEvents §3.1 — known optional attributes (other strings get
+// passed through as extension attributes if they conform to the
+// naming rules).
+var KNOWN_OPTIONAL_ATTRS = {
+  datacontenttype: 1,
+  dataschema:      1,
+  subject:         1,
+  time:            1,
+  data:            1,
+  data_base64:     1,
+};
+
+// CloudEvents §3.1 attribute naming — lowercase letters + digits,
+// length 1-20.
+var EXT_ATTR_NAME_RE = /^[a-z0-9]{1,20}$/;
+
+function _isoNow() { return new Date().toISOString(); }
+
+function _genId() {
+  // RFC 4122 v4 UUID — 16 random bytes with version + variant bits.
+  return nodeCrypto.randomUUID();
+}
+
+// ---- wrap ----
+
+function wrap(opts) {
+  validateOpts.requireObject(opts, "cloudEvents.wrap", CloudEventsError);
+  validateOpts.requireNonEmptyString(opts.source,
+    "cloudEvents.wrap: source", CloudEventsError, "cloud-events/bad-source");
+  validateOpts.requireNonEmptyString(opts.type,
+    "cloudEvents.wrap: type", CloudEventsError, "cloud-events/bad-type");
+  validateOpts.optionalNonEmptyString(opts.id,
+    "cloudEvents.wrap: id", CloudEventsError, "cloud-events/bad-id");
+  validateOpts.optionalNonEmptyString(opts.subject,
+    "cloudEvents.wrap: subject", CloudEventsError, "cloud-events/bad-subject");
+  validateOpts.optionalNonEmptyString(opts.time,
+    "cloudEvents.wrap: time", CloudEventsError, "cloud-events/bad-time");
+  validateOpts.optionalNonEmptyString(opts.datacontenttype,
+    "cloudEvents.wrap: datacontenttype", CloudEventsError, "cloud-events/bad-datacontenttype");
+  validateOpts.optionalNonEmptyString(opts.dataschema,
+    "cloudEvents.wrap: dataschema", CloudEventsError, "cloud-events/bad-dataschema");
+
+  var out = {
+    specversion: SPECVERSION,
+    id:          opts.id || _genId(),
+    source:      opts.source,
+    type:        opts.type,
+    time:        opts.time || _isoNow(),
+  };
+  if (opts.subject !== undefined && opts.subject !== null) out.subject = opts.subject;
+  if (opts.dataschema !== undefined && opts.dataschema !== null) out.dataschema = opts.dataschema;
+
+  // data — choose JSON vs binary based on Buffer-ness; auto-set
+  // datacontenttype when caller doesn't supply one.
+  if (opts.data !== undefined) {
+    if (Buffer.isBuffer(opts.data)) {
+      out.data_base64 = opts.data.toString("base64");
+      out.datacontenttype = opts.datacontenttype || "application/octet-stream";
+    } else {
+      out.data = opts.data;
+      out.datacontenttype = opts.datacontenttype || "application/json";
+    }
+  } else if (opts.datacontenttype) {
+    out.datacontenttype = opts.datacontenttype;
+  }
+
+  // Extension attributes — operator-defined, must conform to the
+  // §3.1 naming rules (lowercase ASCII alnum, 1-20 chars).
+  if (opts.extensions !== undefined && opts.extensions !== null) {
+    validateOpts.optionalPlainObject(opts.extensions,
+      "cloudEvents.wrap: extensions", CloudEventsError, "cloud-events/bad-extensions");
+    var extKeys = Object.keys(opts.extensions);
+    for (var i = 0; i < extKeys.length; i += 1) {
+      var k = extKeys[i];
+      // bound BEFORE regex test — k.length > 0 && k.length <= 20
+      if (typeof k !== "string" || k.length === 0 || k.length > 20 || !EXT_ATTR_NAME_RE.test(k)) {
+        throw new CloudEventsError("cloud-events/bad-extension-name",
+          "cloudEvents.wrap: extension '" + k + "' must match [a-z0-9]{1,20}");
+      }
+      if (REQUIRED_ATTRS.indexOf(k) !== -1 || KNOWN_OPTIONAL_ATTRS[k]) {
+        throw new CloudEventsError("cloud-events/extension-conflicts-with-spec",
+          "cloudEvents.wrap: extension '" + k + "' conflicts with a spec attribute");
+      }
+      out[k] = opts.extensions[k];
+    }
+  }
+  return out;
+}
+
+// ---- parse ----
+
+function parse(envelope) {
+  if (!envelope || typeof envelope !== "object" || Array.isArray(envelope)) {
+    throw new CloudEventsError("cloud-events/bad-envelope",
+      "cloudEvents.parse: envelope must be a plain object");
+  }
+  for (var i = 0; i < REQUIRED_ATTRS.length; i += 1) {
+    var k = REQUIRED_ATTRS[i];
+    if (typeof envelope[k] !== "string" || envelope[k].length === 0) {
+      throw new CloudEventsError("cloud-events/missing-required",
+        "cloudEvents.parse: required attribute '" + k + "' missing or empty (CloudEvents §3.1)");
+    }
+  }
+  if (envelope.specversion !== SPECVERSION) {
+    throw new CloudEventsError("cloud-events/unsupported-specversion",
+      "cloudEvents.parse: specversion='" + envelope.specversion +
+      "' is not supported (this primitive implements CloudEvents 1.0)");
+  }
+  if (envelope.data !== undefined && envelope.data_base64 !== undefined) {
+    throw new CloudEventsError("cloud-events/data-conflict",
+      "cloudEvents.parse: envelope has both 'data' and 'data_base64' (CloudEvents §3.1.1)");
+  }
+
+  // Decode binary data if the envelope used base64 mode.
+  var decodedData = envelope.data;
+  if (envelope.data_base64 !== undefined) {
+    if (typeof envelope.data_base64 !== "string") {
+      throw new CloudEventsError("cloud-events/bad-data-base64",
+        "cloudEvents.parse: data_base64 must be a string");
+    }
+    try { decodedData = Buffer.from(envelope.data_base64, "base64"); }
+    catch (e) {
+      throw new CloudEventsError("cloud-events/bad-data-base64",
+        "cloudEvents.parse: data_base64 decode failed: " + ((e && e.message) || String(e)));
+    }
+  }
+
+  // Surface extension attributes separately so consumers can route on
+  // operator-defined fields without grepping the envelope.
+  var extensions = {};
+  var keys = Object.keys(envelope);
+  for (var j = 0; j < keys.length; j += 1) {
+    var key = keys[j];
+    if (REQUIRED_ATTRS.indexOf(key) !== -1) continue;
+    if (KNOWN_OPTIONAL_ATTRS[key]) continue;
+    extensions[key] = envelope[key];
+  }
+
+  return {
+    specversion:     envelope.specversion,
+    id:              envelope.id,
+    source:          envelope.source,
+    type:            envelope.type,
+    time:            envelope.time || null,
+    subject:         envelope.subject || null,
+    datacontenttype: envelope.datacontenttype || null,
+    dataschema:      envelope.dataschema || null,
+    data:            decodedData,
+    extensions:      extensions,
+  };
+}
+
+module.exports = {
+  wrap:             wrap,
+  parse:            parse,
+  SPECVERSION:      SPECVERSION,
+  REQUIRED_ATTRS:   REQUIRED_ATTRS,
+  CloudEventsError: CloudEventsError,
+};

package/lib/db.js

@@ -681,6 +681,28 @@ async function init(opts) {
   // structured `foreignKeys` declarations actually constrain writes.
   runSql(database, "PRAGMA foreign_keys=ON");
 
+  // PRAGMA integrity_check — refuse boot on B-tree corruption (per
+  // audit-batch finding). SQLite returns "ok" for a healthy database;
+  // any other result means corruption. Catching it at boot beats
+  // stumbling on it later in a query that hits the bad page. Skip
+  // when opts.skipIntegrityCheck is set (e.g. tmpfs-only fixtures).
+  if (opts.skipIntegrityCheck !== true) {
+    var integrityRows = [];
+    try {
+      // .all-style read; runSql is for statements without rows.
+      integrityRows = database.prepare("PRAGMA integrity_check").all();
+    } catch (e) {
+      throw new DbError("db/integrity-check-failed",
+        "PRAGMA integrity_check failed at boot: " + ((e && e.message) || String(e)));
+    }
+    if (integrityRows.length !== 1 ||
+        !integrityRows[0] || integrityRows[0].integrity_check !== "ok") {
+      throw new DbError("db/integrity-check-failed",
+        "PRAGMA integrity_check reported corruption: " +
+        JSON.stringify(integrityRows));
+    }
+  }
+
   // Refuse app schema entries that collide with framework-reserved names
   for (var ri = 0; ri < opts.schema.length; ri++) {
     if (RESERVED_TABLE_NAMES.has(opts.schema[ri].name)) {

package/lib/external-db-migrate.js

@@ -86,8 +86,16 @@ function _err(code, message) {
   return new ExternalDbMigrateError(code, message);
 }
 
+// Boot-token suffix ensures _lockHolderId() is unique across container
+// restarts even if the OS recycles a PID into the same hostname slot —
+// without it, a stolen-and-released migration lock could be wrongly
+// attributed back to the new boot. The token is process-scoped so
+// every replica picks a fresh one at module load.
+var _BOOT_TOKEN = require("node:crypto").randomBytes(8).toString("hex");          // allow:raw-byte-literal — boot-id token entropy
+
 function _lockHolderId() {
-  return String(process.pid) + "@" + (require("node:os").hostname() || "unknown");
+  return String(process.pid) + "@" +
+    (require("node:os").hostname() || "unknown") + "@" + _BOOT_TOKEN;
 }
 
 async function _ensureTrackingTable(xdb) {

package/lib/network-tls.js

@@ -17,10 +17,15 @@ var observability = lazyRequire(function () { return require("./observability");
 var audit = lazyRequire(function () { return require("./audit"); });
 var asn1 = require("./asn1-der");
 
+// STATE.tlsKeyShares is initialized to the default PQC group list at
+// module load — operator setKeyShares() overrides; resetKeyShares()
+// restores the default. Empty array means "fall back to Node's TLS
+// default groups" (operator opt-out).
 var STATE = {
   cas:             [],
   systemTrust:     false,
   baselineFingerprints: null,
+  tlsKeyShares:    ["X25519MLKEM768", "X25519", "secp256r1"],
 };
 
 function _normalizePem(pem) {
@@ -267,9 +272,77 @@ function applyToContext(opts) {
     }
   }
   if (caStrings.length > 0) base.ca = caStrings;
+  // PQC TLS handshake — apply the operator-configured key-share groups
+  // (default ["X25519MLKEM768", "X25519"]) so https.Server / https.Agent
+  // negotiate the hybrid KEM with peers that support it and fall back
+  // to classical X25519 with peers that don't. Operators who explicitly
+  // pass `groups` in their base config keep the override.
+  if (base.groups === undefined && STATE.tlsKeyShares.length > 0) {
+    base.groups = STATE.tlsKeyShares.join(":");
+  }
   return base;
 }
 
+// ---- PQC TLS key shares (RFC draft-ietf-tls-hybrid-design) ----
+//
+// b.network.tls.pqc.setKeyShares(["X25519MLKEM768", "X25519"]) — set the
+// TLS 1.3 key-share groups the framework's https.Server / https.Agent
+// will advertise. The first listed group is the priority; the peer
+// picks the first mutually supported entry. Hybrid groups
+// (X25519MLKEM768) negotiate post-quantum + classical in one
+// handshake so forward-secrecy survives both classical-CRQC and
+// future quantum cryptanalysis.
+//
+//   getKeyShares()                                    → string[] (current)
+//   setKeyShares(["X25519MLKEM768", "X25519"])        → string[] (after)
+//   resetKeyShares()                                  → restores default
+
+var DEFAULT_PQC_KEY_SHARES = Object.freeze([
+  "X25519MLKEM768",                                                              // hybrid KEM, draft-kwiatkowski-tls-ecdhe-mlkem-02
+  "X25519",                                                                      // classical fallback
+  "secp256r1",                                                                   // legacy peers
+]);
+
+function _validateKeyShare(name) {
+  if (typeof name !== "string" || name.length === 0 || name.length > C.BYTES.bytes(64)) {  // bound
+    throw new TlsTrustError("tls/bad-key-share",
+      "tls.pqc.setKeyShares: each entry must be a non-empty string up to 64 chars");
+  }
+  // RFC draft-ietf-tls-hybrid-design + IANA TLS Group Registry only
+  // emit alphanumeric + underscore identifiers. Refuse `:` (the join
+  // separator) outright so an operator can't smuggle a second entry
+  // through one slot.
+  if (!/^[A-Za-z0-9_]+$/.test(name)) {
+    throw new TlsTrustError("tls/bad-key-share",
+      "tls.pqc.setKeyShares: '" + name + "' has illegal characters " +
+      "(must match [A-Za-z0-9_]+)");
+  }
+}
+
+function setKeyShares(list) {
+  if (!Array.isArray(list) || list.length === 0) {
+    throw new TlsTrustError("tls/bad-key-shares",
+      "tls.pqc.setKeyShares: must be a non-empty array of group names");
+  }
+  for (var i = 0; i < list.length; i += 1) _validateKeyShare(list[i]);
+  STATE.tlsKeyShares = list.slice();
+  return getKeyShares();
+}
+
+function getKeyShares() { return STATE.tlsKeyShares.slice(); }
+
+function resetKeyShares() {
+  STATE.tlsKeyShares = DEFAULT_PQC_KEY_SHARES.slice();
+  return getKeyShares();
+}
+
+var pqc = Object.freeze({
+  setKeyShares:           setKeyShares,
+  getKeyShares:           getKeyShares,
+  resetKeyShares:         resetKeyShares,
+  DEFAULT_KEY_SHARES:     DEFAULT_PQC_KEY_SHARES,
+});
+
 function getCaPems() {
   return STATE.cas.map(function (e) { return e.pem; });
 }
@@ -307,6 +380,7 @@ function _resetForTest() {
   STATE.cas = [];
   STATE.systemTrust = false;
   STATE.baselineFingerprints = null;
+  STATE.tlsKeyShares = DEFAULT_PQC_KEY_SHARES.slice();
 }
 
 // ---- OCSP / OCSP-stapling wrappers around node:tls ----------------
@@ -1492,6 +1566,7 @@ module.exports = {
   getCaPems:           getCaPems,
   ocsp:                ocsp,
   ct:                  ct,
+  pqc:                 pqc,
   TlsTrustError:       TlsTrustError,
   _resetForTest:       _resetForTest,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.77",
+  "version": "0.7.79",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:3d6aa43b-6da6-44c8-a687-434e93ef3b07",
+  "serialNumber": "urn:uuid:70a3e68a-1a5d-4506-ae41-38e159762dfe",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T04:48:07.561Z",
+    "timestamp": "2026-05-06T05:26:16.435Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.77",
+      "bom-ref": "@blamejs/core@0.7.79",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.77",
+      "version": "0.7.79",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.77",
+      "purl": "pkg:npm/%40blamejs/core@0.7.79",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.77",
+      "ref": "@blamejs/core@0.7.79",
       "dependsOn": []
     }
   ]