@blamejs/core 0.7.86 → 0.7.88

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.88** (2026-05-06) — `b.middleware.webAppManifest` + `b.middleware.assetlinks` — two static-content middlewares for PWA + Trusted Web Activity support. **`b.middleware.webAppManifest({ name, start_url, icons, ... })`** serves the W3C Web App Manifest at `/manifest.webmanifest` (and `/manifest.json` when `alsoAtJsonPath: true`). The framework JSON-serializes once at create() and serves with `Content-Type: application/manifest+json` per the W3C spec + `Cache-Control: public, max-age=86400` + `X-Content-Type-Options: nosniff`. The W3C-spec attribute set is allowlisted (name / short_name / description / start_url / scope / display / display_override / orientation / theme_color / background_color / icons / screenshots / shortcuts / categories / lang / dir / id / prefer_related_applications / related_applications) — typos throw at create. `name`, `start_url`, and at least one icon are required (W3C — installability minimum). HEAD + GET only. **`b.middleware.assetlinks({ statements })`** serves Digital Asset Links at `/.well-known/assetlinks.json` per Google's spec — used by Trusted Web Activity, Android App Links, Smart Lock for Passwords, WebAuthn for Android. Validates each statement carries `relation` (non-empty array) and `target` (object). Same Content-Type / Cache-Control / X-Content-Type-Options posture as the security.txt + manifest emitters.
+
+- **0.7.87** (2026-05-06) — Two route-guard middlewares for API hardening: `b.middleware.requireMethods` + `b.middleware.requireContentType`. **`b.middleware.requireMethods(["GET", "POST"])`** refuses any HTTP method outside the allowlist with `405 Method Not Allowed` + `Allow:` header listing the allowed methods (per RFC 9110 §15.5.6). Defends against unexpected verb routing — many CVE-class bugs trace to a route handler wired for GET that accidentally accepts arbitrary verbs (PROPFIND, OPTIONS, custom). **`b.middleware.requireContentType(["application/json"])`** refuses requests with a body (POST/PUT/PATCH by default) whose `Content-Type` isn't in the allowlist with `415 Unsupported Media Type` + `Accept:` header listing the allowed types (RFC 9110 §15.5.16). Defends against MIME-type confusion — a route that processes JSON shouldn't accept `application/x-www-form-urlencoded` even if the body parses. Both middlewares emit observability events (`middleware.requireMethods.denied` / `middleware.requireContentType.denied`) on every refusal for triage. Operators wanting to enforce content-type on idempotent verbs that DO carry bodies (rare DELETE-with-body shapes) override the default body-method list via `requireContentType(types, { methods })`.
+
 - **0.7.86** (2026-05-06) — `b.middleware.csrfProtect({ requireJsonContentType: true })` — strict-fetch mode for JSON-only API surfaces. State-changing requests (POST/PUT/PATCH/DELETE) without `Content-Type: application/json` are refused before the token check with `CSRF: state-changing requests require Content-Type: application/json.` and audit emission `csrf.denied` with `reason: "non-JSON content-type: ..."`. The browser's form-encoded POST shape is the canonical CSRF vector — a malicious page can `<form action="/transfer" method=POST>` a victim into a state-changing request without a preflight. An `application/json` body forces a CORS preflight (the browser refuses to skip it for non-simple Content-Type values), so an attacker without an operator-allowlisted CORS origin can't reach the route at all. Default `false` — operators with HTML form submissions on the same routes (mixed SPA + classic form pages) keep current behavior; pure-fetch API operators opt in.
 
 - **0.7.85** (2026-05-06) — `b.auth.statusList` — OAuth Token Status List (draft-ietf-oauth-status-list-20). The canonical credential-revocation mechanism for SD-JWT VC and OpenID for Verifiable Credentials. An issuer publishes a JWT-wrapped bitstring at a URL; relying parties fetch + check the bit at index N to determine if the credential whose `status_list` claim points at that URL+index is valid / invalid / suspended / application-specific. **`b.auth.statusList.create({ size, bits?, fill? })`** allocates a bit-packed buffer (`bits` ∈ {1, 2, 4, 8} per draft §6.1.1, default 1). The returned object exposes `.set(idx, status)` / `.get(idx)` / `.snapshot()` / `.toJwt({ issuer, subject, privateKey, algorithm, expiresInSec?, ... })`. **`b.auth.statusList.fromJwt(token, { publicKey | keyResolver, algorithms?, expectedIssuer?, ... })`** verifies the JWT through `b.auth.jwt.verify` and returns `{ list, claims }` — the list exposes `.get(idx)` to check status of an individual credential without decompressing into a separate Buffer. The bitstring is zlib-deflated (RFC 1951 raw deflate per draft §6.1.4) before base64url encoding so a million-entry list collapses to ~125 KB on the wire when most bits are zero. Caps the compressed payload at 1 MiB; operators publishing larger lists shard. Status constants exported as `b.auth.statusList.STATUS_{VALID,INVALID,SUSPENDED,APPLICATION_SPECIFIC}`. Foundational for the v0.7.58 EU AI Act + eIDAS 2.0 wallet slice.

package/lib/middleware/assetlinks.js

@@ -0,0 +1,97 @@
+"use strict";
+/**
+ * assetlinks middleware — emits Digital Asset Links at
+ * `/.well-known/assetlinks.json` per Google's Digital Asset Links
+ * spec (used by Trusted Web Activity / Android App Links / Smart
+ * Lock for Passwords / Web Authentication for Android, etc.).
+ *
+ *   var al = b.middleware.assetlinks({
+ *     statements: [
+ *       {
+ *         relation: ["delegate_permission/common.handle_all_urls"],
+ *         target: {
+ *           namespace:        "android_app",
+ *           package_name:     "com.example.app",
+ *           sha256_cert_fingerprints: ["AB:CD:..."],
+ *         },
+ *       },
+ *     ],
+ *   });
+ *   router.use(al);
+ *
+ * The framework JSON-serializes the statements array once at
+ * create() and serves with `Content-Type: application/json` per
+ * Google's spec. Operators with multiple linked apps include
+ * multiple statement entries.
+ */
+
+var lazyRequire = require("../lazy-require");
+var safeJson = require("../safe-json");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+var AssetlinksError = defineClass("AssetlinksError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.assetlinks", AssetlinksError);
+  validateOpts(opts, ["statements", "audit"], "middleware.assetlinks");
+
+  if (!Array.isArray(opts.statements) || opts.statements.length === 0) {
+    throw new AssetlinksError("assetlinks/no-statements",
+      "middleware.assetlinks: opts.statements must be a non-empty array of statement objects");
+  }
+  for (var i = 0; i < opts.statements.length; i += 1) {
+    var stmt = opts.statements[i];
+    if (!stmt || typeof stmt !== "object" || Array.isArray(stmt)) {
+      throw new AssetlinksError("assetlinks/bad-statement",
+        "middleware.assetlinks: statements[" + i + "] must be a plain object");
+    }
+    if (!Array.isArray(stmt.relation) || stmt.relation.length === 0) {
+      throw new AssetlinksError("assetlinks/bad-statement",
+        "middleware.assetlinks: statements[" + i + "].relation must be a non-empty array");
+    }
+    if (!stmt.target || typeof stmt.target !== "object") {
+      throw new AssetlinksError("assetlinks/bad-statement",
+        "middleware.assetlinks: statements[" + i + "].target must be an object");
+    }
+  }
+
+  var body = safeJson.stringify(opts.statements, { space: 2 });
+  var bodyBuf = Buffer.from(body, "utf8");
+  var auditOn = opts.audit !== false;
+
+  return function assetlinksMiddleware(req, res, next) {
+    var url = req.url || "";
+    var qIdx = url.indexOf("?");
+    var path = qIdx === -1 ? url : url.slice(0, qIdx);
+    if (path !== "/.well-known/assetlinks.json") return next();
+    if (req.method !== "GET" && req.method !== "HEAD") {
+      var bodyMsg = "Method Not Allowed";
+      res.writeHead(405, {                                                       // allow:raw-byte-literal — HTTP 405 status
+        "Allow":          "GET, HEAD",
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(bodyMsg),
+      });
+      res.end(bodyMsg);
+      return;
+    }
+    res.writeHead(200, {                                                         // allow:raw-byte-literal — HTTP 200 status
+      "Content-Type":     "application/json; charset=utf-8",
+      "Content-Length":   bodyBuf.length,
+      "Cache-Control":    "public, max-age=86400",
+      "X-Content-Type-Options": "nosniff",
+    });
+    if (req.method === "HEAD") { res.end(); return; }
+    res.end(bodyBuf);
+    if (auditOn) {
+      try { observability().safeEvent("middleware.assetlinks.served", 1, {}); }
+      catch (_e) { /* obs best-effort */ }
+    }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/middleware/index.js

@@ -17,6 +17,7 @@
  *   7. errorHandler     — must be LAST so it catches everything that throws
  */
 var apiEncrypt = require("./api-encrypt");
+var assetlinks = require("./assetlinks");
 var attachUser = require("./attach-user");
 var bearerAuth = require("./bearer-auth");
 var bodyParser = require("./body-parser");
@@ -40,9 +41,12 @@ var requestId = require("./request-id");
 var requestLog = require("./request-log");
 var requireAal = require("./require-aal");
 var requireAuth = require("./require-auth");
+var requireContentType = require("./require-content-type");
+var requireMethods = require("./require-methods");
 var securityHeaders = require("./security-headers");
 var securityTxt = require("./security-txt");
 var sse = require("./sse");
+var webAppManifest = require("./web-app-manifest");
 
 module.exports = {
   requestId:        requestId.create,
@@ -55,6 +59,8 @@ module.exports = {
   bearerAuth:       bearerAuth.create,
   requireAal:       requireAal.create,
   requireAuth:      requireAuth.create,
+  requireContentType: requireContentType.create,
+  requireMethods:   requireMethods.create,
   csrfProtect:      csrfProtect.create,
   fetchMetadata:    fetchMetadata.create,
   gpc:              gpc.create,
@@ -68,10 +74,12 @@ module.exports = {
   sse:              sse.create,
   requestLog:       requestLog.create,
   apiEncrypt:       apiEncrypt,
+  assetlinks:       assetlinks.create,
   dbRoleFor:        dbRoleFor.create,
   dpop:             dpop.create,
   hostAllowlist:    hostAllowlist.create,
   networkAllowlist: networkAllowlist.create,
+  webAppManifest:   webAppManifest.create,
 
   // Module exports for advanced use (constants, raw factory access)
   _modules: {
@@ -85,6 +93,8 @@ module.exports = {
     bearerAuth:       bearerAuth,
     requireAal:       requireAal,
     requireAuth:      requireAuth,
+    requireContentType: requireContentType,
+    requireMethods:   requireMethods,
     csrfProtect:      csrfProtect,
     fetchMetadata:    fetchMetadata,
     bodyParser:       bodyParser,
@@ -95,9 +105,11 @@ module.exports = {
     sse:              sse,
     requestLog:       requestLog,
     apiEncrypt:       apiEncrypt,
+    assetlinks:       assetlinks,
     dbRoleFor:        dbRoleFor,
     dpop:             dpop,
     hostAllowlist:    hostAllowlist,
     networkAllowlist: networkAllowlist,
+    webAppManifest:   webAppManifest,
   },
 };

package/lib/middleware/require-content-type.js

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * require-content-type middleware — refuses requests with a body
+ * (POST/PUT/PATCH) whose `Content-Type` header isn't in the
+ * operator-supplied allowlist.
+ *
+ * Defense against MIME-type confusion: a route that processes JSON
+ * shouldn't accept `application/x-www-form-urlencoded` even if the
+ * body parses (and vice versa). The middleware refuses with 415
+ * before the body parser runs, per RFC 9110 §15.5.16.
+ *
+ *   router.use(b.middleware.requireContentType(["application/json"]));
+ *
+ * GET / HEAD / DELETE / OPTIONS without a body bypass the check by
+ * default. Operators wanting to enforce content-type on idempotent
+ * verbs that DO carry bodies (rare DELETE-with-body shapes) pass
+ * `methods` to override.
+ */
+
+var lazyRequire = require("../lazy-require");
+var { defineClass } = require("../framework-error");
+
+var RequireContentTypeError = defineClass("RequireContentTypeError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+var DEFAULT_BODY_METHODS = ["POST", "PUT", "PATCH"];
+
+function _normalizeAllowed(types) {
+  if (!Array.isArray(types) || types.length === 0) return null;
+  var out = [];
+  for (var i = 0; i < types.length; i += 1) {
+    var t = types[i];
+    if (typeof t !== "string" || t.length === 0) return null;
+    var bare = t.split(";")[0].trim().toLowerCase();
+    if (bare.length === 0) return null;
+    out.push(bare);
+  }
+  return out;
+}
+
+function create(allowed, opts) {
+  var normalized = _normalizeAllowed(allowed);
+  if (!normalized) {
+    throw new RequireContentTypeError("require-content-type/no-allowlist",
+      "middleware.requireContentType: first argument must be a non-empty array of content-type strings");
+  }
+  opts = opts || {};
+  var methods = Array.isArray(opts.methods) && opts.methods.length > 0
+                  ? opts.methods.map(function (m) { return m.toUpperCase(); })
+                  : DEFAULT_BODY_METHODS.slice();
+  var auditOn = opts.audit !== false;
+
+  return function requireContentTypeMiddleware(req, res, next) {
+    var m = (req.method || "").toUpperCase();
+    if (methods.indexOf(m) === -1) return next();
+    var ct = req.headers && req.headers["content-type"];
+    var bare = (typeof ct === "string" ? ct.split(";")[0].trim().toLowerCase() : "");
+    if (bare.length > 0 && normalized.indexOf(bare) !== -1) return next();
+    if (!res.headersSent) {
+      var body = "Unsupported Media Type";
+      res.writeHead(415, {                                                       // allow:raw-byte-literal — HTTP 415 status
+        "Accept":         normalized.join(", "),
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(body),
+      });
+      res.end(body);
+    }
+    if (auditOn) {
+      try {
+        observability().safeEvent("middleware.requireContentType.denied", 1, {
+          method: m, contentType: bare || "<absent>", route: req.url,
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/middleware/require-methods.js

@@ -0,0 +1,70 @@
+"use strict";
+/**
+ * require-methods middleware — refuses HTTP methods outside an
+ * operator-supplied allowlist.
+ *
+ * Defense against unexpected verb routing. Many CVE-class bugs trace
+ * to a route handler that was wired for GET but accidentally also
+ * accepts arbitrary verbs (PROPFIND, OPTIONS, custom). Mounting
+ * `requireMethods(["GET", "POST"])` on the route blocks anything
+ * outside the allowlist before the handler sees the request.
+ *
+ *   router.use(b.middleware.requireMethods(["GET", "POST"]));
+ *
+ * Refusal returns 405 with `Allow:` listing the allowed methods, per
+ * RFC 9110 §15.5.6.
+ */
+
+var lazyRequire = require("../lazy-require");
+var { defineClass } = require("../framework-error");
+
+var RequireMethodsError = defineClass("RequireMethodsError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function create(allowed, opts) {
+  if (!Array.isArray(allowed) || allowed.length === 0) {
+    throw new RequireMethodsError("require-methods/no-allowlist",
+      "middleware.requireMethods: first argument must be a non-empty array of HTTP methods");
+  }
+  var normalized = [];
+  for (var i = 0; i < allowed.length; i += 1) {
+    if (typeof allowed[i] !== "string" || allowed[i].length === 0) {
+      throw new RequireMethodsError("require-methods/bad-method",
+        "middleware.requireMethods: method[" + i + "] must be a non-empty string");
+    }
+    if (/[\r\n\0\s,;]/.test(allowed[i])) {
+      throw new RequireMethodsError("require-methods/bad-method",
+        "middleware.requireMethods: method[" + i + "] contains forbidden whitespace / separator characters");
+    }
+    normalized.push(allowed[i].toUpperCase());
+  }
+  var allowHeader = normalized.join(", ");
+  opts = opts || {};
+  var auditOn = opts.audit !== false;
+
+  return function requireMethodsMiddleware(req, res, next) {
+    var m = (req.method || "").toUpperCase();
+    if (normalized.indexOf(m) !== -1) return next();
+    if (!res.headersSent) {
+      var body = "Method Not Allowed";
+      res.writeHead(405, {                                                       // allow:raw-byte-literal — HTTP 405 status
+        "Allow":          allowHeader,
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(body),
+      });
+      res.end(body);
+    }
+    if (auditOn) {
+      try {
+        observability().safeEvent("middleware.requireMethods.denied", 1, {
+          method: m, route: req.url,
+        });
+      } catch (_e) { /* drop-silent */ }
+    }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/middleware/web-app-manifest.js

@@ -0,0 +1,111 @@
+"use strict";
+/**
+ * web-app-manifest middleware — emits the W3C Web App Manifest at
+ * `/manifest.webmanifest` (and `/manifest.json` when `alsoAtJsonPath`
+ * is true) per the W3C Web App Manifest specification.
+ *
+ *   var mf = b.middleware.webAppManifest({
+ *     name:        "Example App",
+ *     short_name:  "Example",
+ *     start_url:   "/",
+ *     display:     "standalone",
+ *     theme_color: "#1976d2",
+ *     background_color: "#ffffff",
+ *     icons: [
+ *       { src: "/icons/192.png", sizes: "192x192", type: "image/png" },
+ *       { src: "/icons/512.png", sizes: "512x512", type: "image/png" },
+ *     ],
+ *   });
+ *   router.use(mf);
+ *
+ * The manifest is JSON-serialized once at create() and served with
+ * `Content-Type: application/manifest+json` per the W3C spec.
+ *
+ * Per W3C — `name`, `start_url`, and at least one icon are required
+ * for an installable PWA. The framework throws at create() when any
+ * of those are missing.
+ */
+
+var lazyRequire = require("../lazy-require");
+var safeJson = require("../safe-json");
+var validateOpts = require("../validate-opts");
+var { defineClass } = require("../framework-error");
+
+var WebAppManifestError = defineClass("WebAppManifestError", { alwaysPermanent: true });
+
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function _isPlainArray(x) { return Array.isArray(x); }
+
+function create(opts) {
+  validateOpts.requireObject(opts, "middleware.webAppManifest", WebAppManifestError);
+  // Allowlist subset of W3C-spec attributes operators commonly set.
+  // Anything outside the list throws at create — typos surface at boot.
+  validateOpts(opts, [
+    "name", "short_name", "description", "start_url", "scope",
+    "display", "display_override", "orientation",
+    "theme_color", "background_color",
+    "icons", "screenshots", "shortcuts",
+    "categories", "lang", "dir", "id",
+    "prefer_related_applications", "related_applications",
+    "alsoAtJsonPath", "audit",
+  ], "middleware.webAppManifest");
+
+  validateOpts.requireNonEmptyString(opts.name,
+    "middleware.webAppManifest: name", WebAppManifestError, "manifest/no-name");
+  validateOpts.requireNonEmptyString(opts.start_url,
+    "middleware.webAppManifest: start_url", WebAppManifestError, "manifest/no-start-url");
+  if (!_isPlainArray(opts.icons) || opts.icons.length === 0) {
+    throw new WebAppManifestError("manifest/no-icons",
+      "middleware.webAppManifest: icons array is required (W3C spec — at least one icon for installability)");
+  }
+
+  // Build the JSON body once at create.
+  var manifest = {};
+  var keys = Object.keys(opts).filter(function (k) {
+    return k !== "alsoAtJsonPath" && k !== "audit";
+  });
+  for (var i = 0; i < keys.length; i += 1) {
+    var k = keys[i];
+    if (opts[k] !== undefined && opts[k] !== null) manifest[k] = opts[k];
+  }
+  var body = safeJson.stringify(manifest, { space: 2 });
+  var bodyBuf = Buffer.from(body, "utf8");
+  var alsoAtJsonPath = opts.alsoAtJsonPath === true;
+  var auditOn = opts.audit !== false;
+
+  return function webAppManifestMiddleware(req, res, next) {
+    var url = req.url || "";
+    var qIdx = url.indexOf("?");
+    var path = qIdx === -1 ? url : url.slice(0, qIdx);
+    var matches = (path === "/manifest.webmanifest") ||
+                  (alsoAtJsonPath && path === "/manifest.json");
+    if (!matches) return next();
+    if (req.method !== "GET" && req.method !== "HEAD") {
+      var bodyMsg = "Method Not Allowed";
+      res.writeHead(405, {                                                       // allow:raw-byte-literal — HTTP 405 status
+        "Allow":          "GET, HEAD",
+        "Content-Type":   "text/plain; charset=utf-8",
+        "Content-Length": Buffer.byteLength(bodyMsg),
+      });
+      res.end(bodyMsg);
+      return;
+    }
+    res.writeHead(200, {                                                         // allow:raw-byte-literal — HTTP 200 status
+      "Content-Type":     "application/manifest+json",
+      "Content-Length":   bodyBuf.length,
+      "Cache-Control":    "public, max-age=86400",
+      "X-Content-Type-Options": "nosniff",
+    });
+    if (req.method === "HEAD") { res.end(); return; }
+    res.end(bodyBuf);
+    if (auditOn) {
+      try { observability().safeEvent("middleware.webAppManifest.served", 1, { path: path }); }
+      catch (_e) { /* obs best-effort */ }
+    }
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/ntp-check.js

@@ -124,10 +124,22 @@ function querySingle(server, opts) {
         return done({ code: "ntp/bad-reply", message: "reply too short (" + (msg && msg.length) + " bytes)" });
       }
       // Bytes 40-47 = Transmit Timestamp (NTP epoch seconds.fraction)
-      var ntpSeconds  = msg.readUInt32BE(40);
-      var ntpFraction = msg.readUInt32BE(44);
+      var ntpSeconds  = msg.readUInt32BE(40);                                    // allow:raw-byte-literal — NTP packet offset
+      var ntpFraction = msg.readUInt32BE(44);                                    // allow:raw-byte-literal — NTP packet offset
+      // Refuse a reply whose Transmit Timestamp is zero or earlier than
+      // the NTP epoch (1900-01-01). RFC 5905 §7.3 — a Stratum-16
+      // unsynchronized server emits 0 here; fed to the Unix-offset
+      // subtraction it produces a large-negative serverUnixSeconds
+      // that crashes downstream C.TIME helpers (which require non-
+      // negative finite). Treat as "unsynchronized peer — no drift
+      // measurement possible" rather than throw out of the dgram
+      // 'message' handler.
+      if (ntpSeconds < NTP_TO_UNIX_OFFSET_SECONDS) {
+        return done({ code: "ntp/unsynchronized",
+          message: "server returned NTP transmit timestamp < Unix epoch (likely Stratum-16 unsynchronized)" });
+      }
       var serverUnixSeconds = ntpSeconds - NTP_TO_UNIX_OFFSET_SECONDS;
-      var fracMs = Math.round(C.TIME.seconds(ntpFraction / 0x100000000));
+      var fracMs = Math.round(C.TIME.seconds(ntpFraction / 0x100000000));       // allow:raw-byte-literal — NTP fraction divisor (2^32)
       var serverTimeMs = C.TIME.seconds(serverUnixSeconds) + fracMs;
 
       // Round-trip-corrected drift: assume the server's reply transmit

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.86",
+  "version": "0.7.88",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:256e94d1-19a3-4626-8930-d068f5ff939f",
+  "serialNumber": "urn:uuid:5980b589-6ae2-43c3-88ad-31cb87e43594",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T06:31:01.232Z",
+    "timestamp": "2026-05-06T06:50:00.974Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.86",
+      "bom-ref": "@blamejs/core@0.7.88",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.86",
+      "version": "0.7.88",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.86",
+      "purl": "pkg:npm/%40blamejs/core@0.7.88",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.86",
+      "ref": "@blamejs/core@0.7.88",
       "dependsOn": []
     }
   ]