@blamejs/core 0.8.42 → 0.8.43
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +1 -0
- package/package.json +1 -1
- package/sbom.cyclonedx.json +6 -6
package/CHANGELOG.md
CHANGED
@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.43 (2026-05-07) — `examples/wiki/Dockerfile` declares an explicit `USER 65532:65532` directive in the runtime stage. Chainguard's `cgr.dev/chainguard/node:latest` already runs as `nonroot` (UID 65532) by default, but Trivy's static Dockerfile checker (DS-0002) flags any image without a literal `USER` line regardless of base-image default. Behavior unchanged.
 - v0.8.42 (2026-05-07) — DB hardening + H6 vault-PEM sub-issues + OWASP-1: `b.cryptoField.derivedHashes` now binds a per-deployment 32-byte salt (persisted at `<dataDir>/vault.derived-hash-salt`) so the same plaintext produces different hashes across deployments (D-H1, HIPAA Safe Harbor §164.514(b)(2)(i) defense). `_blamejs_break_glass_grants.kwGrantHalf` is now sealed under the vault key (D-H8). `b.externalDb.transaction({statementTimeoutMs, idleInTransactionTimeoutMs, deadlockRetries})` enforces SET-LOCAL Postgres timeouts and auto-retries 40P01/40001 with jittered backoff (D-H4 / D-M7 / D-M8). Boot-time warning when SQLite tmpfs path doesn't resolve under /dev/shm /run/shm /run/user /tmp (D-H7). `b.db.prepare` now caches Statement handles (LRU 256, cleared on init/close) so long-running daemons don't leak fds (D-M6). New: `b.db.vacuumAfterErase({mode, pages})` runs `VACUUM` / `PRAGMA incremental_vacuum` after large erasures (F-RTBF-1). `__erasedAt` now coarse-bucketed to 1-day floor (F-RTBF-4) to remove the sub-day forensic timing fingerprint. `b.auditTools.withRecordedAtIso(row)` surfaces ISO-8601 alongside Unix-ms (F-AUD-4) without disturbing the chain-hash canonical form. New `b.processSpawn.spawn(command, args, {allowEnv})` strips `DATABASE_URL` / `PG*` / `AWS_*` / `*_API_KEY` / `*_SECRET` / `*_TOKEN` etc. from the child env by default (OWASP-1). H6 sub-issues #4-#6: vault.sealPemFile asserts parent-dir mode 0o755 or stricter, fsyncs the destination directory after rename, and reduced fs.watchFile cadence from 2s to 500ms.
 - v0.8.41 (2026-05-07) — **breaking envelope wire-format bump**: `b.crypto.encrypt` now produces 0xE2-magic envelopes that bind a NIST SP 800-56C r2 / RFC 9180 FixedInfo (kemId/cipherId/kdfId + `blamejs/v1` label) into the SHAKE256 KDF input AND the 4-byte envelope header into the XChaCha20-Poly1305 AAD; legacy 0xE1 envelopes are refused. Operators with framework-sealed data must regenerate it. Adds `b.canonicalJson.stringifyJcs` (RFC 8785 strict mode), `b.auth.password.gate(n)` (process-global Argon2id concurrency semaphore), `b.pqcSoftware.runKnownAnswerTest` (boot-time KAT), `b.resourceAccessLock` (three-mode lock for non-HTTP resources), `b.config.loadDbBacked` (DB-row-backed hot-reload), `b.backup.runInWorker` (worker_threads dispatch), `b.config.create({...}).reload/subscribe`. Tightens ARC hop-instance regex (RFC 8617 §4.2.1 — bounded), Authentication-Results pvalue ABNF (RFC 8601 §2.3), MTA-STS HTTPS cert validation against `mta-sts.<domain>` (RFC 8461 §3.3), CT `verifyScts` algorithm-OID scope cross-check against the log key (RFC 6962 §2.1.4). New release-named test-file detector at `codebase-patterns.test.js` + `smoke.js` entry refuses release-bucket and slot-bucket test filenames.
 - v0.8.40 (2026-05-07) — operator enhancements (2/2): `b.honeytoken.create({audit})` issues canary api-key / session / URL / row-id values that emit `honeytoken.tripped` audit on any positive lookup; `b.middleware.cspReport.create({onReport})` is a Reporting-API endpoint that ingests CSP / COEP / COOP violations as `csp.violation` audit rows; `b.auditTools.forensicSnapshot({out, since, passphrase, reason})` composes an audit-export slice + IR context manifest into one tamper-evident bundle for legal / regulator handover; `b.network.tls.pinsetDriftMonitor({intervalMs})` periodically compares the trust-store fingerprint set to the captured baseline and emits `network.tls.pinset.drifted` when CAs are added or removed. Adds the OpenSSF Scorecard CI workflow at `.github/workflows/scorecard.yml`. Defers items 11 (operator-supplied transform sandbox), 14 (chaos / fault-injection drills), and 15 (exploit replay corpus harness) with re-open conditions: surface when (a) operator demand surfaces OR (b) a CVE replay needs a vendored harness.
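Review bot: the added v0.8.43 entry describes a change to `examples/wiki/Dockerfile`, but the file list for this release (CHANGELOG.md, package.json, sbom.cyclonedx.json) does not include that Dockerfile, so the example is either not shipped in the npm tarball or its change is not visible here; the entry should say where the Dockerfile lives so a consumer knows the claim cannot be checked from the published package. Two points on the entry text itself: `cgr.dev/chainguard/node:latest` is a mutable tag, so "already runs as `nonroot` (UID 65532) by default" holds only for whatever that tag resolves to at build time, and a digest pin would make the statement stable; and the numeric `USER 65532:65532` form is the right choice for a reason beyond satisfying Trivy DS-0002, since Kubernetes `runAsNonRoot` can only verify a numeric UID from the image config and rejects a named user it cannot resolve.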
package/package.json
CHANGED
package/sbom.cyclonedx.json
CHANGED
@@ -2,10 +2,10 @@
 "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
 "bomFormat": "CycloneDX",
 "specVersion": "1.5",
-"serialNumber": "urn:uuid:
+"serialNumber": "urn:uuid:ee1628bb-0575-4a66-b601-38962996ca75",
 "version": 1,
 "metadata": {
-"timestamp": "2026-05-
+"timestamp": "2026-05-07T20:54:17.715Z",
 "lifecycles": [
 {
 "phase": "build"
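Review bot: the removed `serialNumber` and `timestamp` lines are shown truncated at their common prefix (`urn:uuid:`, `2026-05-`), so this view cannot confirm what 0.8.42's SBOM identifiers were; anyone tying the 0.8.43 SBOM to its tarball should fetch the previous version's `sbom.cyclonedx.json` directly rather than rely on this diff. A fresh `serialNumber` with `"version": 1` is the correct CycloneDX pattern for a newly issued BOM (the `version` field only increments when a BOM with the same serial number is re-issued). What is worth checking is that the `timestamp` `2026-05-07T20:54:17.715Z` matches the publish time of the 0.8.43 tarball, since the `build` lifecycle phase asserts the BOM was produced from that build rather than regenerated afterwards.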
@@ -19,14 +19,14 @@
 }
 ],
 "component": {
-"bom-ref": "@blamejs/core@0.8.
+"bom-ref": "@blamejs/core@0.8.43",
 "type": "library",
 "name": "blamejs",
-"version": "0.8.
+"version": "0.8.43",
 "scope": "required",
 "author": "blamejs contributors",
 "description": "The Node framework that owns its stack.",
-"purl": "pkg:npm/%40blamejs/core@0.8.
+"purl": "pkg:npm/%40blamejs/core@0.8.43",
 "properties": [],
 "externalReferences": [
 {
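Review bot: `"name": "blamejs"` does not match the package identity the same object declares in `bom-ref` and `purl` (`@blamejs/core`); for a scoped npm package CycloneDX expects `"group": "@blamejs"` and `"name": "core"`, and tooling that matches components by group/name/version rather than by purl will not associate this entry with the published package. The three bumps in this hunk are consistent with each other (`bom-ref`, `version` and `purl` all read 0.8.43) and `"scope": "required"` is right for the root component. Consider also carrying the tarball hash on the component (CycloneDX supports a `hashes` array on components), since with `"properties": []` the SBOM currently gives no way to bind itself to the exact published artifact.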
@@ -54,7 +54,7 @@
 "components": [],
 "dependencies": [
 {
-"ref": "@blamejs/core@0.8.
+"ref": "@blamejs/core@0.8.43",
 "dependsOn": []
 }
 ]
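Review bot: `"components": []` together with `"dependsOn": []` on the root ref asserts that `@blamejs/core` has no dependencies at all, runtime or otherwise. That may be true for a framework that "owns its stack", but `package/package.json` is listed as changed in this release with no hunk shown, so a consumer cannot confirm from this page that the manifest's `dependencies` is genuinely empty; the SBOM is only meaningful if the generator reads the lockfile rather than emitting a fixed skeleton with the version substituted. A changelog that cites Argon2id, XChaCha20-Poly1305 and SHAKE256 also raises the question of whether those are implemented in-tree or vendored, and a vendored implementation belongs in `components` even when it is not an npm dependency.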