@blamejs/core 0.8.15 → 0.8.16

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- **0.8.16** (2026-05-08) — Email auth + transport spec-conformance fixes (DKIM / SPF / MTA-STS / OCSP). Ten RFC-cited gaps closed against shipped primitives. **DKIM (`b.mail.dkim`)** — verifier now refuses any signature whose `h=` tag does not include `from` (RFC 6376 §3.5 cornerstone bypass — without From-coverage the signature does not bind to the visible sender; receivers were treating these as valid); refuses unrecognized `v=` tag values per RFC 6376 §3.5 (only `v=1` accepted); enforces empty `p=` as explicit key revocation per RFC 6376 §3.6.1 (verdict `fail`, not `permerror` — well-formed signature against a withdrawn key); enforces `k=` algorithm-family tag agreement with the signature's `a=` family (e.g. `k=rsa` paired with `a=ed25519-sha256` permerrors per RFC 6376 §3.6.1); selector validator now accepts multi-label selectors per RFC 6376 §3.1 ABNF (`sub-domain *("." sub-domain)` — common for time-rotated keys like `2024.s1`). **SPF (`b.mail.spf`)** — refuses domains that publish multiple `v=spf1` TXT records with `permerror` per RFC 7208 §4.5 (most operators don't realize multi-record SPF was always invalid; this surfaces the misconfig instead of silently picking the first); `include:` mechanism now permerrors when the included domain has no SPF record per RFC 7208 §5.2 (closes the silent-authorization class where `include:gone-domain.example` followed by `+all` would silently allow). **MTA-STS (`b.smtpPolicy.mtaSts.fetch`)** — now requires the `_mta-sts.<domain>` TXT precondition record per RFC 8461 §3.1 before fetching the HTTPS policy (closes the silent-escalation class where the framework would fetch policies for domains that never opted in, AND defeats operator-side rotation when the `id=` in the TXT changes); cache TTL is now bounded by the policy's `max_age` value per RFC 8461 §3.2 (clamped between 1 hour floor and 1 year ceiling) instead of the framework's hardcoded 60-min default. **OCSP (`b.network.tls.ocsp.evaluate`)** — `evaluateOcspResponse` now enforces the `thisUpdate` / `nextUpdate` time window per RFC 6960 §4.2.2.1, rejecting responses whose validity window has expired or hasn't started yet (with operator-tunable `clockSkewMs`, default 5 min). Pre-v0.8.16 a captured "good" response could replay forever even after the cert was revoked; this defeats `requireGood` posture. Bug fix only — no new operator-facing primitives, no surface change beyond the additional refusals.
+
 - **0.8.15** (2026-05-08) — Transport-layer CVE absorption + AI-protocol primitives. **`b.sse`** — Server-Sent Events transport with newline-injection refusal in `event:` / `id:` / `data:` fields and the `Last-Event-ID` reconnect header (CVE-2026-33128 h3, CVE-2026-29085 Hono, CVE-2026-44217 sse-channel — three CVEs published in the same vulnerability class). Channel API: `channel.send({event,id,data,retry})` validates each field, refuses LF/CR/NUL, splits multi-line `data` into per-spec multiple `data:` lines, drives a `:keepalive` heartbeat with operator-tunable interval. `b.sse.serializeEvent({...})` exposes the encoder for buffered pipelines. **`b.mcp.serverGuard`** — Model Context Protocol server-side hardening. Bearer auth required by default (CVE-2026-33032 nginx-ui auth-bypass class), `redirect_uri` exact-match allowlist enforced per OAuth 2.1 / RFC 9700 §4.1.1 (CVE-2025-6514 mcp-remote OAuth RCE class), dynamic client-registration refused unless `allowDynamicRegister: true` with operator-supplied registration allowlist (confused-deputy class), tool/resource name allowlists at the guard layer. JSON-RPC 2.0 envelope validator. **`b.graphqlFederation.guardSdl`** — refuses `_service.sdl` / `_entities` probes without a router-token Bearer + optional single-use nonce; closes the schema-leak class where operators disable introspection thinking the schema is hidden. **`b.ai.input.classify`** — pattern-based prompt-injection classifier covering OWASP LLM01:2025 + NIST COSAIS RFI shapes: instruction-override / persona-jailbreak / role-reset markers / OpenAI system-tag templates / tool-call injection / exfil-callback / encoded-bypass (base64/rot13) / markdown+HTML smuggling / BIDI/zero-width/control char density. Severity-3 hits → `verdict: "malicious"`; 2+ severity-2 hits → `"suspicious"`; otherwise `"clean"`. Inline-on-every-request perf cost — no LLM, no network. **`b.a2a`** — A2A (Linux Foundation Agentic AI Foundation) v1.x signed agent-card primitive. `signCard` produces an envelope with a detached ML-DSA-87 signature over the SHA3-512 of the canonical-JSON serialization (RFC 8785-aligned); `verifyCard` validates signature + expiry + issuer match. Endpoints HTTPS-only (or localhost) at validation time. **`b.darkPatterns`** — FTC Negative Option Rule click-to-cancel UX-parity attestation primitive. `recordSignupFlow` / `recordCancelFlow` capture operator-attested click counts, CTA contrast / font weight, channel, confirmation steps; `assertParity` returns `{ ok, breaches }` against `ftc-2024` / `ca-sb942` / `strict` postures. `middleware({lookupAttestation, resourceIdFromReq})` refuses cancel-endpoint requests with HTTP 451 if no parity attestation is on file. **WebSocket control-frame size cap** — `lib/websocket.js` `_handleFrame` refuses any control frame (opcodes ≥ 0x8: CLOSE/PING/PONG) with payload length > 125 or `fin = false` (RFC 6455 §5.5). Closes the 2× outbound-bandwidth amplification class where a 1 MiB PING was echoed verbatim as PONG. **`b.requestHelpers.safeHeadersDistinct(req)`** — defensive accessor for `req.headersDistinct` that bypasses Node's faulty getter (Node CVE-2026-21710 — reading `__proto__` on the underlying header bag throws synchronously inside the getter, escaping handler-level try/catch). Computes the same null-prototype shape directly from `req.rawHeaders`. **TLS / SNI hardening** — `router.listen()` now wraps any operator-supplied `tlsOptions.SNICallback` so synchronous throws (Node CVE-2026-21637) become a clean async `(err, null)` callback rather than crashing the listener. Inbound TLS now defaults to `minVersion: "TLSv1.3"` when the operator's `tlsOptions` doesn't pin one (closes the gap where bare `{key, cert}` inherited Node's TLSv1.2 default). **httpClient identity decoding** — `b.httpClient` now sends `Accept-Encoding: identity` by default (h1 + h2 paths) — refuses compressed responses unless the operator explicitly opts in. Closes the undici unbounded-decompression amplification class (CVE-2026-22036). Operators that need compressed responses pass an explicit `Accept-Encoding` header. **Engine pin** — `engines.node` raised from `>=24.0.0` to `>=24.4.0` to ensure the undici fix is bundled.
 
 - **0.8.14** (2026-05-07) — `b.vault.sealPemFile` — auto-resealing wrapper for at-rest PEM files. Operators with ACME / Let's Encrypt renewals get fresh certs every 30-60 days; the renewal writes plaintext PEM to disk, signals the application to reload, and leaves the cleartext file unencrypted between the renewal write and the next manual re-seal. `b.vault.sealPemFile({ source, destination })` closes that window: the framework reads the source, vault-seals it, atomically writes `<destination>` (`.tmp` + `fsync` + `rename` + `fsyncDir`), and registers an `fs.watchFile` poll on the source. Every mtime change triggers an automatic re-seal — the operator-visible `<destination>.rewriting` marker is created before the rename and removed after, giving crash recovery a signal: when `sealPemFile()` starts and the marker is present, it re-seals from source idempotently. Returns `{ stop, generation, lastResealedAt, lastError, watching, forceReseal }` so operators can wire the watcher into existing lifecycle hooks (`b.appShutdown.addPhase({ name: "pem-watcher", run: () => watcher.stop() })`). `pollInterval` defaults to 2s — ACME renewal cadence is days, so polling latency is irrelevant against the renewal interval; operators with sub-second requirements override. `fs.watchFile` (the polling backend) is used instead of `fs.watch` (inotify / kqueue) because watchFile is consistent across platforms — Linux fires multiple change events per rename, macOS doesn't fire on renamed-into files, and the polling cadence is acceptable here.

package/lib/mail-auth.js

@@ -109,8 +109,12 @@ function _parseSpfRecord(text) {
   return mechanisms;
 }
 
-// Fetch the SPF TXT record for a domain. Returns the joined record
-// text or null if no v=spf1 record found.
+// Fetch the SPF TXT record for a domain. Returns:
+//   { kind: "found",    record: "<text>" }  — exactly one v=spf1 record
+//   { kind: "none" }                          — zero v=spf1 records
+//   { kind: "permerror", reason: "<msg>" }    — multiple v=spf1 records
+//                                              (RFC 7208 §4.5 — domain
+//                                              MUST publish at most one)
 async function _fetchSpfRecord(domain, dnsLookup) {
   var records;
   try {
@@ -118,17 +122,24 @@ async function _fetchSpfRecord(domain, dnsLookup) {
       ? await dnsLookup(domain, "TXT")
       : await dnsPromises.resolveTxt(domain);
   } catch (e) {
-    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return null;
+    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return { kind: "none" };
     throw new MailAuthError("mail-auth/spf-lookup-failed",
       "SPF TXT lookup for " + domain + " failed: " +
       ((e && e.message) || String(e)));
   }
-  if (!Array.isArray(records)) return null;
+  if (!Array.isArray(records)) return { kind: "none" };
+  var matches = [];
   for (var i = 0; i < records.length; i += 1) {
     var rec = Array.isArray(records[i]) ? records[i].join("") : records[i];
-    if (typeof rec === "string" && rec.indexOf("v=spf1") === 0) return rec;
+    if (typeof rec === "string" && rec.indexOf("v=spf1") === 0) matches.push(rec);
   }
-  return null;
+  if (matches.length === 0) return { kind: "none" };
+  if (matches.length > 1) {
+    return { kind: "permerror",
+             reason: "domain " + domain + " publishes " + matches.length +
+                     " v=spf1 records; RFC 7208 §4.5 requires at most one" };
+  }
+  return { kind: "found", record: matches[0] };
 }
 
 // SPF verify — recursive include resolution + ip4/ip6/all/+a/+mx
@@ -166,17 +177,20 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups) {
   }
   lookups.count += 1;
 
-  var record;
-  try { record = await _fetchSpfRecord(domain, dnsLookup); }
+  var fetched;
+  try { fetched = await _fetchSpfRecord(domain, dnsLookup); }
   catch (e) {
     return { verdict: "temperror", explanation: e.message };
   }
-  if (!record) {
+  if (fetched.kind === "permerror") {
+    return { verdict: "permerror", explanation: fetched.reason };
+  }
+  if (fetched.kind === "none") {
     return { verdict: "none", explanation: "no SPF record at " + domain };
   }
 
   var mechanisms;
-  try { mechanisms = _parseSpfRecord(record); }
+  try { mechanisms = _parseSpfRecord(fetched.record); }
   catch (e) {
     return { verdict: "permerror", explanation: e.message };
   }
@@ -201,6 +215,15 @@ async function _spfEvaluateDomain(domain, ip, dnsLookup, lookups) {
       else if (inner.verdict === "permerror" || inner.verdict === "temperror") {
         return inner;
       }
+      // RFC 7208 §5.2 — when the included domain has no SPF record at
+      // all, the include itself MUST permerror (the included policy is
+      // missing, the operator's intent is unverifiable). Without this
+      // check `include:gone-domain.example` silently authorizes whatever
+      // mechanism follows, including `+all`.
+      else if (inner.verdict === "none") {
+        return { verdict: "permerror",
+                 explanation: "include:" + m.arg + " has no SPF record (RFC 7208 §5.2)" };
+      }
     } else if (m.mechanism === "a" || m.mechanism === "mx" ||
                m.mechanism === "exists" || m.mechanism === "ptr" ||
                m.mechanism === "redirect") {

package/lib/mail-dkim.js

@@ -216,9 +216,15 @@ function create(opts) {
     throw new DkimError("dkim/bad-domain",
       "domain must be a valid DNS name (e.g. 'example.com')");
   }
-  if (typeof opts.selector !== "string" || !/^[a-z0-9_-]+$/i.test(opts.selector)) {
+  // RFC 6376 §3.1 ABNF: selector = sub-domain *("." sub-domain). Multi-
+  // label selectors like "2024.s1" are valid (and common for time-rotated
+  // keys). Each label is the LDH set; refuse leading/trailing dots and
+  // empty labels.
+  if (typeof opts.selector !== "string" ||
+      opts.selector.length === 0 || opts.selector.length > 253 ||                            // allow:raw-byte-literal — DNS label length cap (RFC 1035)
+      !/^[a-z0-9_-]+(?:\.[a-z0-9_-]+)*$/i.test(opts.selector)) {
     throw new DkimError("dkim/bad-selector",
-      "selector must be a non-empty token of [A-Za-z0-9_-]");
+      "selector must be a non-empty LDH token, optionally dot-separated (e.g. 's1', '2024.s1') (RFC 6376 §3.1)");
   }
   if (!opts.privateKey || (typeof opts.privateKey !== "string" &&
       typeof opts.privateKey !== "object")) {
@@ -566,6 +572,14 @@ function _verifySingleSignature(rfc822, parsedHeaders, sigHeader, keyTags, sigTa
   var headerNames = (sigTags.h || "").split(":").map(function (s) {
     return s.trim().toLowerCase();
   });
+  // RFC 6376 §3.5 — "from" MUST be in h=. Without From-coverage the
+  // signature does not bind to the visible sender, and the receiver's
+  // "this domain signed for that From" claim is meaningless. Cornerstone
+  // bypass class — refuse the signature outright.
+  if (headerNames.indexOf("from") === -1) {
+    return { result: "permerror",
+             errors: ["DKIM-Signature h= tag does not include 'from' (RFC 6376 §3.5)"] };
+  }
   var lcNames = parsedHeaders.map(function (h) { return h.name.toLowerCase(); });
   var canonicalizedHeaders = "";
   for (var j = 0; j < headerNames.length; j += 1) {
@@ -659,6 +673,13 @@ async function verify(rfc822, opts) {
     var d = sigTags.d;
     var s = sigTags.s;
     var alg = sigTags.a;
+    // RFC 6376 §3.5 — v= tag is REQUIRED and MUST be "1". Unrecognized
+    // version → permerror per spec; refuse rather than guess at intent.
+    if (sigTags.v !== undefined && sigTags.v !== "1") {
+      results.push({ d: d || null, s: s || null, alg: alg || null,
+        result: "permerror", errors: ["DKIM-Signature v=" + sigTags.v + " unsupported (RFC 6376 §3.5 — only v=1)"] });
+      continue;
+    }
     if (!d || !s) {
       results.push({ d: d || null, s: s || null, alg: alg || null,
         result: "permerror", errors: ["DKIM-Signature missing d= or s="] });
@@ -671,11 +692,32 @@ async function verify(rfc822, opts) {
       results.push({ d: d, s: s, alg: alg, result: verdict, errors: [e.message] });
       continue;
     }
+    if (keyTags.p === "") {
+      // RFC 6376 §3.6.1 — empty p= explicitly revokes the key. Verdict
+      // is "fail" (not "permerror") — the signature is well-formed but
+      // the key authority intentionally withdrew it.
+      results.push({ d: d, s: s, alg: alg, result: "fail",
+        errors: ["DKIM key revoked (empty p= per RFC 6376 §3.6.1)"] });
+      continue;
+    }
     if (!keyTags.p) {
       results.push({ d: d, s: s, alg: alg, result: "permerror",
         errors: ["DKIM key record missing p="] });
       continue;
     }
+    // RFC 6376 §3.6.1 — k= tag declares the key's algorithm family.
+    // Default is "rsa" when absent. If the key's k= disagrees with the
+    // signature's a= family, the operator who published the key intends
+    // a different algorithm; refuse rather than guess.
+    if (keyTags.k !== undefined) {
+      var kFamily   = String(keyTags.k).toLowerCase();
+      var sigFamily = String(alg || "").toLowerCase().split("-")[0];
+      if (kFamily !== sigFamily) {
+        results.push({ d: d, s: s, alg: alg, result: "permerror",
+          errors: ["DKIM key k=" + kFamily + " does not match signature a=" + alg + " (RFC 6376 §3.6.1)"] });
+        continue;
+      }
+    }
     var rv = _verifySingleSignature(rfc822, parsedHeaders, sigHeaders[i], keyTags, sigTags);
     results.push(Object.assign({ d: d, s: s, alg: alg }, rv));
   }

package/lib/network-smtp-policy.js

@@ -117,13 +117,51 @@ function _parseStsPolicy(text) {
   return policy;
 }
 
-async function mtaStsFetch(domain) {
+// RFC 8461 §3.1 precondition. The TXT record at _mta-sts.<domain> is
+// the rotation signal: receivers re-fetch the HTTPS policy when the
+// `id=` value changes. Without it the fetcher would re-pull the same
+// cached policy forever (defeating operator rotation), and would also
+// fetch policies from domains that don't publish one.
+async function _fetchStsTxt(domain, dnsLookup) {
+  var records;
+  try {
+    records = dnsLookup
+      ? await dnsLookup("_mta-sts." + domain, "TXT")
+      : await dnsPromises.resolveTxt("_mta-sts." + domain);
+  } catch (e) {
+    if (e && (e.code === "ENOTFOUND" || e.code === "ENODATA")) return null;
+    throw new SmtpPolicyError("smtp/mta-sts-txt-lookup-failed",
+      "_mta-sts." + domain + " TXT lookup failed: " +
+      ((e && e.message) || String(e)));
+  }
+  if (!Array.isArray(records)) return null;
+  for (var i = 0; i < records.length; i += 1) {
+    var rec = Array.isArray(records[i]) ? records[i].join("") : records[i];
+    if (typeof rec !== "string") continue;
+    if (rec.indexOf("v=STSv1") === -1) continue;
+    var idMatch = /\bid=([A-Za-z0-9]{1,32})/.exec(rec);
+    return { record: rec, id: idMatch ? idMatch[1] : null };
+  }
+  return null;
+}
+
+async function mtaStsFetch(domain, opts) {
   if (typeof domain !== "string" || domain.length === 0) {
     throw new SmtpPolicyError("smtp/bad-domain",
       "mtaSts.fetch: domain must be a non-empty string");
   }
+  opts = opts || {};
   var lcDomain = domain.toLowerCase();
-  return await _getStsCache().wrap(lcDomain, async function () {
+  // RFC 8461 §3.1 — refuse to fetch the HTTPS policy if the
+  // _mta-sts TXT record is absent. Closes the silent-escalation
+  // class.
+  var txt = await _fetchStsTxt(lcDomain, opts.dnsLookup);
+  if (!txt) return null;
+
+  // Cache key includes the policy id so operator-side rotations (id
+  // changes) invalidate the cached policy without operator action.
+  var cacheKey = lcDomain + "|" + (txt.id || "noid");
+  return await _getStsCache().wrap(cacheKey, async function () {
     var url = "https://mta-sts." + lcDomain + "/.well-known/mta-sts.txt";
     safeUrl.parse(url, { allowedProtocols: safeUrl.ALLOW_HTTP_TLS });
     var res;
@@ -135,8 +173,6 @@ async function mtaStsFetch(domain) {
         timeoutMs: C.TIME.seconds(10),
       });
     } catch (_e) {
-      // Domain doesn't publish MTA-STS — return null (not an error;
-      // operators decide policy via their own gate).
       return null;
     }
     if (res.statusCode === 404) return null;                                     // allow:raw-byte-literal — HTTP 404
@@ -144,7 +180,23 @@ async function mtaStsFetch(domain) {
       throw new SmtpPolicyError("smtp/mta-sts-fetch-failed",
         "MTA-STS fetch returned " + res.statusCode + " for " + url);
     }
-    return _parseStsPolicy(res.body.toString("utf8"));
+    var parsed = _parseStsPolicy(res.body.toString("utf8"));
+    parsed.id = txt.id || null;
+    parsed.fetchedAt = Date.now();
+    // RFC 8461 §3.2 — max_age caps the cache TTL. Bound between 1 hour
+    // (floor — operators using shorter values are below the spec
+    // recommended floor) and 31557600 seconds (RFC 8461 ceiling). When
+    // max_age is missing, fall back to the framework default.
+    var maxAgeSec = parsed.max_age;
+    if (typeof maxAgeSec === "number" && isFinite(maxAgeSec) && maxAgeSec > 0) {
+      var hourSec = C.TIME.hours(1) / C.TIME.seconds(1);
+      var ceilingSec = C.TIME.weeks(52) / C.TIME.seconds(1);                                   // RFC 8461 §3.2 — ~1 year ceiling
+      var clamped = Math.max(hourSec, Math.min(ceilingSec, maxAgeSec));
+      parsed._cacheTtlMs = clamped * C.TIME.seconds(1);
+    } else {
+      parsed._cacheTtlMs = DEFAULT_POLICY_CACHE_MS;
+    }
+    return parsed;
   });
 }
 

package/lib/network-tls.js

@@ -882,6 +882,39 @@ function evaluateOcspResponse(ocspDer, opts) {
   } else if (parsed.basic.nonce) {
     nonceCheck = "present-not-checked";
   }
+  // RFC 6960 §4.2.2.1 — time-window enforcement. A "good" response is
+  // valid only between thisUpdate and nextUpdate (with operator-tunable
+  // skew). Without this check a stapled response is replayable forever:
+  // an attacker captures a pre-revocation "good" reply, the cert later
+  // gets revoked, the attacker keeps presenting the cached "good" and
+  // the framework keeps accepting it. requireGood postures depend on
+  // freshness — reject expired or future-dated responses outright.
+  var clockSkewMs = typeof opts.clockSkewMs === "number" && opts.clockSkewMs >= 0           // allow:numeric-opt-Infinity — operator-supplied skew, default 5 min if absent or invalid
+    ? opts.clockSkewMs : C.TIME.minutes(5);
+  var now = typeof opts.now === "number" ? opts.now : Date.now();
+  var thisUpdateMs = match.thisUpdate ? Date.parse(match.thisUpdate) : NaN;
+  var nextUpdateMs = match.nextUpdate ? Date.parse(match.nextUpdate) : NaN;
+  if (!isFinite(thisUpdateMs)) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP response missing thisUpdate (RFC 6960 §4.2.2.1)"] };
+  }
+  if (thisUpdateMs - clockSkewMs > now) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP thisUpdate is in the future (RFC 6960 §4.2.2.1 — possible clock skew or response replay)"] };
+  }
+  if (isFinite(nextUpdateMs) && nextUpdateMs + clockSkewMs < now) {
+    return { ok: false, status: parsed.status, signatureValid: true,
+             certStatus: match.certStatus,
+             thisUpdate: match.thisUpdate, nextUpdate: match.nextUpdate,
+             nonce: nonceCheck,
+             errors: ["OCSP response is past nextUpdate (RFC 6960 §4.2.2.1 — stale response, possible replay)"] };
+  }
   return {
     ok:             match.certStatus === "good",
     status:         parsed.status,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.15",
+  "version": "0.8.16",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:4f393a0e-4209-4c8e-8e7b-be64de2e522f",
+  "serialNumber": "urn:uuid:9d91dfe3-4449-4315-ac6c-d78f5dd92d0c",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-07T07:06:37.437Z",
+    "timestamp": "2026-05-07T07:18:43.056Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.15",
+      "bom-ref": "@blamejs/core@0.8.16",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.15",
+      "version": "0.8.16",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.15",
+      "purl": "pkg:npm/%40blamejs/core@0.8.16",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.15",
+      "ref": "@blamejs/core@0.8.16",
       "dependsOn": []
     }
   ]