@blamejs/core 0.8.64 → 0.8.67

package/CHANGELOG.md

@@ -8,6 +8,9 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.67 (2026-05-10) — SAML XMLDSig Reference Transforms (`enveloped-signature` + per-Reference c14n) + full IdP-emitted SAML round-trip in the federation-auth integration test. Pre-v0.8.67 `b.auth.saml.sp.verifyResponse` only honored the SignedInfo's `CanonicalizationMethod`; it didn't process the `<ds:Transforms>` block on the Reference. Real-world IdP-signed responses (Keycloak, ADFS, Okta) attach `http://www.w3.org/2000/09/xmldsig#enveloped-signature` (strip the `<Signature>` child of the referenced element before c14n) and a per-Reference `xml-exc-c14n#` Transform — without them, the digest computed over the assertion-including-signature never matches the signed-then-signature-injected reality and verifyResponse rejected legitimate IdP responses. `_verifyXmldsig` now reads the Transforms list, applies enveloped-signature by filtering the parsed-tree's `<Signature>` element children before canonicalization, and honors the per-Reference c14n choice (with vs without comments). The single-match-by-ID invariant + signature-wrapping defense moves into the saml.js path directly so the modified subtree (signature stripped) is the one that gets canonicalized + digested. `test/integration/federation-auth.test.js` now drives Keycloak's HTML login form via cookie-jar curl-equivalent (no headless browser needed), captures the IdP-signed SAMLResponse, fetches the IdP signing certificate from `/protocol/saml/descriptor`, hands the response to `sp.verifyResponse(b64, { expectedInResponseTo })`, and asserts the extracted `nameId` / `issuer` / `audience` / `inResponseTo` match the realm's signed claims. Verified end-to-end: Keycloak alice user → SAML AuthnRequest → login form POST → signed Response → `sp.verifyResponse()` → `{ nameId: "alice", issuer: <realm>, audience: <SP entityID>, attributes: { Role: "default-roles-..." } }`. Unsupported Transform algorithms refuse loudly via `auth-saml/unsupported-transform`. No primitive surface change versus v0.8.66 (the Transforms processing is internal to `_verifyXmldsig`).
+- v0.8.66 (2026-05-10) — `b.session.updateData(token, data, opts?)`. Update the sealed `data` payload on a session WITHOUT rotating the sid. Pre-v0.8.66 the only path to mutate session data was `b.session.rotate(token, { data })` which forces an sid rotation — appropriate for security-boundary transitions (login, MFA, role escalation) but heavyweight for cart-state writes / preference flips / step-up-completion flags. Default semantics: full payload replace, `lastActivity` bumped (idle-timeout reset), reserved `__bj_fingerprint` binding preserved automatically so verify() still surfaces drift correctly. `opts.merge: true` does a one-level deep merge into the existing payload; `opts.touchLastActivity: false` skips the idle-timeout bump. Returns `false` for unknown / expired / pre-v0.8.61-raw-format tokens (no throw). Anonymous-session userIds work the same as named userIds. Leader-only. New Layer 0 tests: 13 checks covering replace / merge / null-clear / fingerprint preservation / unknown-token returns / array refusal.
+- v0.8.65 (2026-05-10) — federated-authentication integration test fixture (Keycloak as OIDC OP + SAML IdP). Adds `quay.io/keycloak/keycloak:26.0` to `docker-compose.test.yml` running with realm-import on port `:18080` (HTTP) + `:18081` (Quarkus health). Realm `blamejs-test` boots with one OIDC client (`blamejs-rp-oidc`, secret `blamejs-test-rp-secret`, frontchannel + backchannel logout enabled), one SAML SP client (entityID `https://sp.blamejs-test.example`, RSA-SHA256 assertion signature), and a test user (`alice` / `blamejs-test-password`). New `test/integration/federation-auth.test.js` exercises end-to-end against the live Keycloak: OIDC discovery, `b.auth.oauth.authorizationUrl` (state + nonce + PKCE), password-grant token retrieval, `verifyIdToken` against the realm JWKS, `fetchUserInfo` with `idTokenSub` cross-check, RP-Initiated Logout URL build, `parseFrontchannelLogoutRequest` iss-mismatch refusal, `verifyBackchannelLogoutToken` JWKS-lookup + signature + typ-check failure paths, SAML `buildAuthnRequest` POST to the IdP's `/protocol/saml` endpoint, SP `metadata()` XML emit, and CIBA `startAuthentication` wire-format check (Keycloak's `backchannel_authentication_endpoint` is at `/protocol/openid-connect/ext/ciba/auth`). `b.auth.ciba._postForm` now sets `responseMode: "always-resolve"` so deterministic OAuth-shape error JSON (`{ error, error_description }`) reaches the AuthError-mapping path instead of being rejected as a generic HTTP error. `b.auth.ciba._postForm` URL validation switched from a non-existent `safeUrl.assertHttpUrl` to `safeUrl.parse({ allowedProtocols })`. `scripts/check-services.js` registers `keycloak` + `keycloak-health` (both v4 + v6); `test/helpers/services.js` exposes `URLS.keycloak`. CLAUDE.md release-workflow §6 documents the federation-auth integration test path. OID4VCI / OID4VP / OpenID Federation deferred — Keycloak's `oid4vc-issuer` SPI is preview-only and there's no entity-statement publisher in the base image.
 - v0.8.64 (2026-05-10) — CI green-up for v0.8.63 (wiki source-comment validator). The v0.8.62 push missed `examples/wiki/test/validate-source-comment-blocks.js` — a wiki-side validator that enforces every `@primitive` block has `@signature` starting with `b.`, matching function arity, an `@opts` declaration when the function takes opts, an `@example` block, and resolvable `@related` cross-refs. 50 findings across the new federation/VC primitives. Fixed: every nested-namespace `@signature` (`b.auth.ciba.client.X`, `b.auth.oid4vci.issuer.X`, `b.auth.oid4vp.verifier.X`, `b.auth.saml.sp.X`) re-qualified with the full `b.*` prefix instead of the bare `client.X` shorthand; arity collapsed to `(opts)` where the function takes a single opts arg; `@example` block added to every primitive; `@opts` block added to ciba.client.startAuthentication / parseNotification + openidFederation.resolveLeaf; `@primitive` block added to xmlC14n.parse; `@related` cross-refs scrubbed of dangling references to undocumented primitives (oauth.create / sdJwtVc.issuer aren't @primitive-documented yet); the parse-as-JS check on oid4vci's @example caught a `{...}` literal with no target — replaced with a concrete object spread. No primitive surface change versus v0.8.63.
 - v0.8.63 (2026-05-10) — CI green-up for v0.8.62. The v0.8.62 npm-publish workflow's lint gate flagged ten ESLint findings the local pre-ship audit missed (eslint not run before commit): unused vars (`openTag` in xml-c14n; `cache` + unused `C` import + `DEFAULT_CHAIN_TTL_MS` in openid-federation; `safeJson` in oid4vp; `sdJwtVcCore` + `SUPPORTED_PROOF_TYPES` in oid4vci), an unnecessary `\-` escape in xml-c14n's name-character regex, and a control-character regex in ciba's binding_message validator (eslint's `no-control-regex` refuses control-char ranges in regex literals regardless of `\u` escaping). Fixed by removing the dead vars + dead escape, and replacing the regex with an explicit codepoint scan in `_validateBindingMessage` that walks `msg.charCodeAt(i)` and refuses C0 / DEL+C1 / zero-width / bidi-mark / bidi-isolate / BOM ranges. No primitive surface change versus v0.8.62.
 - v0.8.62 (2026-05-10) — federation / VC primitive family + standalone DB-file lifecycle + anonymous-session ergonomics. **OpenID Connect Front-Channel + Back-Channel Logout 1.0** on `b.auth.oauth`: `parseFrontchannelLogoutRequest(req)` validates iss + sid query params; `verifyBackchannelLogoutToken(jwt, vopts)` verifies the JWS (typ=logout+jwt), validates the events claim per OIDC §2.6, refuses logout-tokens carrying nonce, requires sub OR sid, and runs an operator-supplied `seen({jti,iss,iat})` callback for jti-replay defense. Discovery surface extended to `check_session_iframe` + `backchannel_authentication_endpoint`. **CIBA Core 1.0** at `b.auth.ciba.client.create({ deliveryMode: "poll"|"ping"|"push", ... })` with `startAuthentication` / `pollToken` / `parseNotification`; supports JWT-bearer / mTLS / shared-secret client auth, binding_message + acr_values + requested_expiry, ping/push notification token (timing-safe compared via sha3 hash), and the urn:openid:params:grant-type:ciba grant. **OpenID4VCI 1.0** at `b.auth.oid4vci.issuer.create({ sdJwtIssuer, supportedCredentials, ... })` — issuer-initiated credential_offer with pre-authorized_code + tx_code, /token grant exchange, /credential endpoint with proof-JWT verification (typ=openid4vci-proof+jwt, iat freshness, nonce-replay defense, holder-key binding via header.jwk + JWS verify), c_nonce rotation per request, /.well-known/openid-credential-issuer metadata. Composes `b.auth.sdJwtVc.issuer` for SD-JWT VC minting. **OpenID4VP 1.0 + DCQL** at `b.auth.oid4vp.verifier.create({ ... })` — `createRequest` builds a vp_token authz request with a DCQL query; `verifyResponse` parses the wallet's vp_token, runs each presentation through `b.auth.sdJwtVc.verify` (audience + nonce + KB-JWT bound, optional key_attestation verifier), then runs the DCQL matcher. DCQL implementation covers credentials[] (id / format / meta vct_values / meta issuer_values / claims with path + values) and credential_sets[] (options + required) per OID4VP §6. **OpenID Federation 1.0** at `b.auth.openidFederation.{parseEntityStatement, verifyEntityStatement, buildTrustChain, applyMetadataPolicy, resolveLeaf}` — fetches entity configs from `<entity>/.well-known/openid-federation`, walks `authority_hints` up to a trust anchor (operator-pinned JWKS), verifies each subordinate-statement JWS, and applies the federation's metadata_policy (value / default / add / one_of / subset_of / superset_of / essential — unknown operators refuse). **SAML 2.0 SP** at `b.auth.saml.sp.create({ entityId, idpEntityId, idpCertPem, ... })` — AuthnRequest builder for HTTP-Redirect/POST bindings, Response parser that verifies XMLDSig (Response-level OR Assertion-level signature), defends against signature-wrapping via `b.xmlC14n.canonicalizeElementById`'s single-match invariant, validates SubjectConfirmation Bearer (NotOnOrAfter / NotBefore / Recipient / InResponseTo) + Conditions audience + Status. Plus `b.auth.saml.fetchMdq({ baseUrl, entityId, trustCertPem? })` for MDQ-style metadata fetch with optional XMLDSig verification. **`b.xmlC14n`** — RFC 3741 Exclusive XML Canonicalization 1.0 (SAML/XMLDSig subset): `canonicalize(input, opts?)` and `canonicalizeElementById(xml, id, opts?)`. The `canonicalizeElementById` single-match invariant is the core defense against XML signature-wrapping attacks (refuses ID collisions + zero-match references). Doctype + ENTITY refused at parse time. **SD-JWT VC `key_attestation` extension** — `b.auth.sdJwtVc.holder.store({..., keyAttestation })` persists a holder-side attestation JWT alongside the credential; `b.auth.sdJwtVc.present({..., keyAttestation })` embeds it in the KB-JWT header; `b.auth.sdJwtVc.verify(presentation, { keyAttestationVerifier, requireKeyAttestation })` surfaces the attestation token to an operator-supplied verifier so trust-anchor decisions (TEE / FIDO MDS3 / App Attest / Play Integrity) stay operator-side. **`b.db.fileLifecycle({ dataDir, vault, ... })`** — standalone encrypted-DB-file lifecycle for consumers that own their own SQLite handle (own schema, own migrations, own connection). Decrypts `<dataDir>/db.enc` to a tmpfs path (`/dev/shm` on Linux), exposes `dbPath` for the operator to open, runs a periodic re-encrypt flush via `startFlushTimer(db)`, returns an in-memory snapshot via `snapshot(db)`, and runs a graceful flush + cleanup via `flushAndCleanup(db, opts)`. Same envelope shape as `b.db`; no schema / audit-chain coupling. **`b.session.create({ anonymous: true })`** auto-mints `userId = "anon:" + crypto.randomUUID()` so operators running pre-login flows keep the full sealed-cookie + sealed-userId + sidHash + idle/absolute-timeout posture without rolling their own opaque-id pattern. `b.session.isAnonymous(userId)` helper for post-auth gates. `destroyAllForUser` refuses anon-prefix ids (per-session, not portable). **`validateOpts.makeNamespacedEmitters(prefix, { audit, observability })`** — collapses the recurring per-primitive `_emitAudit / _emitMetric` boilerplate into one call; new federation/VC primitives consume it. Wiki e2e regex updated for the v0.8.61 sealed-cookie format (`vault:<base64>` instead of pre-v0.8.61 hex).

package/lib/auth/ciba.js

@@ -237,7 +237,9 @@ function create(opts) {
   }
 
   async function _postForm(url, body, headers) {
-    safeUrl.assertHttpUrl(url, opts.allowHttp === true);
+    safeUrl.parse(url, {
+      allowedProtocols: opts.allowHttp === true ? safeUrl.ALLOW_HTTP_ALL : safeUrl.ALLOW_HTTP_TLS,
+    });
     var hc = httpClient();
     var basic = _basicAuthHeader();
     var hdrs = Object.assign({
@@ -246,10 +248,16 @@ function create(opts) {
     }, headers || {});
     if (basic) hdrs["Authorization"] = basic;
     var req = {
-      url:    url,
-      method: "POST",
-      headers: hdrs,
-      body:    body.toString(),
+      url:          url,
+      method:       "POST",
+      headers:      hdrs,
+      body:         body.toString(),
+      // OAuth / CIBA 4xx responses carry structured error JSON
+      // (`{ error, error_description }`) the framework inspects to
+      // raise the right `auth-ciba/<code>` AuthError below. Default
+      // http-client behavior throws on >=400 — opt into resolve-and-
+      // surface so the body reaches us.
+      responseMode: "always-resolve",
     };
     Object.assign(req, opts.httpClientOpts || {});
     if (opts.allowHttp === true) req.allowedProtocols = safeUrl.ALLOW_HTTP_ALL;

package/lib/auth/saml.js

@@ -191,10 +191,75 @@ function _verifyXmldsig(envelope, signatureNode, certPem) {
     throw new AuthError("auth-saml/no-digest-value", "Reference missing DigestValue");
   }
   var withComments = canonAlgo.indexOf("#WithComments") !== -1;
-  // Single-match invariant — anti-wrapping defense
-  var canonical = xmlC14n().canonicalizeElementById(envelope, refId, {
-    withComments: withComments,
-  });
+
+  // XMLDSig Reference Transforms — applied in order before the digest.
+  // SAML responses commonly use:
+  //   1. http://www.w3.org/2000/09/xmldsig#enveloped-signature  (strip
+  //      the <Signature> child of the referenced element)
+  //   2. http://www.w3.org/2001/10/xml-exc-c14n#                (canonicalize)
+  // Without the enveloped-signature transform, the digest is computed
+  // over the assertion-including-signature, which never matches the
+  // signed-then-signature-injected reality.
+  var transformsNode = _findChild(refNode, "Transforms");
+  var transformList = transformsNode ? _findAllChildren(transformsNode, "Transform") : [];
+  var stripSignature = false;
+  var refC14nWithComments = withComments;
+  for (var ti = 0; ti < transformList.length; ti++) {
+    var algo = _attr(transformList[ti], "Algorithm");
+    switch (algo) {
+      case "http://www.w3.org/2000/09/xmldsig#enveloped-signature":
+        stripSignature = true;
+        break;
+      case "http://www.w3.org/2001/10/xml-exc-c14n#":
+        refC14nWithComments = false;
+        break;
+      case "http://www.w3.org/2001/10/xml-exc-c14n#WithComments":
+        refC14nWithComments = true;
+        break;
+      default:
+        throw new AuthError("auth-saml/unsupported-transform",
+          "Unsupported Transform: " + algo + " (supported: enveloped-signature, xml-exc-c14n)");
+    }
+  }
+
+  // Locate the referenced element with the single-match invariant
+  // (anti-wrapping defense) — if zero or duplicate IDs match, refuse.
+  // We then optionally strip its <Signature> child(ren) per the
+  // enveloped-signature transform and canonicalize the result.
+  var c14n = xmlC14n();
+  var rootForRef = c14n.parse(envelope);
+  var matches = [];
+  (function _walk(node) {
+    if (node.type !== "element") return;
+    if (node.attrs) {
+      for (var ai = 0; ai < node.attrs.length; ai++) {
+        if (node.attrs[ai].name === "ID" && node.attrs[ai].value === refId) {
+          matches.push(node);
+          break;
+        }
+      }
+    }
+    for (var ci = 0; ci < node.children.length; ci++) _walk(node.children[ci]);
+  })(rootForRef);
+  if (matches.length === 0) {
+    throw new AuthError("auth-saml/no-id-match",
+      "Reference URI #" + refId + " resolves to no element");
+  }
+  if (matches.length > 1) {
+    throw new AuthError("auth-saml/duplicate-id",
+      "Reference URI #" + refId + " matches " + matches.length +
+      " elements — refused (signature-wrapping defense)");
+  }
+  var refTarget = matches[0];
+  if (stripSignature) {
+    refTarget.children = refTarget.children.filter(function (c) {
+      if (c.type !== "element") return true;
+      var colon = c.name.indexOf(":");
+      var local = colon !== -1 ? c.name.substring(colon + 1) : c.name;
+      return local !== "Signature";
+    });
+  }
+  var canonical = c14n.canonicalize(refTarget, { withComments: refC14nWithComments });
   var actualDigest = nodeCrypto.createHash(SUPPORTED_DIGEST[digestAlgo]).update(canonical).digest();
   if (Buffer.from(expectedDigestB64, "base64").compare(actualDigest) !== 0) {
     throw new AuthError("auth-saml/digest-mismatch",

package/lib/session.js

@@ -885,6 +885,135 @@ async function rotate(oldToken, opts) {
   return { token: _sealCookieToken(newSid), expiresAt: expiresAt };
 }
 
+/**
+ * @primitive b.session.updateData
+ * @signature b.session.updateData(token, data, opts?)
+ * @since     0.8.66
+ * @related   b.session.verify, b.session.rotate
+ *
+ * Update the sealed `data` payload on a session WITHOUT rotating the
+ * sid. Use cases: cart-state writes, user-preference flips, step-up-
+ * auth completion flags, fingerprint-anomaly score updates. Anything
+ * that doesn't change the security boundary (login transition, role
+ * escalation, multifactor verified) — those still go through
+ * `b.session.rotate({ data })` so the sid moves and any pre-login
+ * tokens an attacker may have planted become invalid.
+ *
+ * Default semantics:
+ *   - `data` REPLACES the existing payload (full overwrite). The
+ *     reserved `__bj_fingerprint` key is preserved automatically so
+ *     fingerprint-binding survives the update.
+ *   - `lastActivity` is bumped (idle-timeout reset) unless
+ *     `opts.touchLastActivity: false`.
+ *   - The session must be live (not expired) for the write to land;
+ *     returns `false` for unknown / expired tokens.
+ *
+ * Pass `opts.merge: true` to deep-merge top-level keys into the
+ * existing payload instead of replacing — useful for incremental
+ * writes where the operator doesn't want to round-trip read+merge
+ * themselves. Inner objects merge ONE LEVEL DEEP; arrays REPLACE.
+ *
+ * Leader-only.
+ *
+ * @opts
+ *   {
+ *     merge?:              boolean,   // default false (full replace)
+ *     touchLastActivity?:  boolean,   // default true
+ *   }
+ *
+ * @example
+ *   // Replace the data payload entirely.
+ *   await b.session.updateData(req.cookies.sid, { roles: ["admin"], theme: "dark" });
+ *
+ *   // Merge a single field without disturbing the rest of the payload.
+ *   await b.session.updateData(req.cookies.sid,
+ *     { stepUpAt: Date.now() }, { merge: true });
+ *   // → true
+ */
+async function updateData(token, data, opts) {
+  cluster.requireLeader();
+  opts = opts || {};
+  if (typeof token !== "string" || token.length === 0) return false;
+  if (data !== null && (typeof data !== "object" || Array.isArray(data))) {
+    throw _err("INVALID_ARG",
+      "session.updateData: data must be a plain object or null", true);
+  }
+  var sid = _unsealCookieToken(token);
+  if (sid === null) return false;
+  var sidHash = _hashSid(sid);
+  var nowMs = Date.now();
+
+  // Read the live row so we can preserve __bj_fingerprint and (in
+  // merge mode) carry forward existing keys. Single SELECT + UPDATE
+  // — racing concurrent updateData calls fall through to last-write-
+  // wins on the same sid, which is the right shape for cart-style
+  // writes; operators needing strict serialization wrap with
+  // b.resourceAccessLock.
+  var row = await _currentStore().executeOne(
+    'SELECT "userId", "userIdHash", "data", "createdAt", "expiresAt", "lastActivity" ' +
+    'FROM _blamejs_sessions WHERE sidHash = ? AND expiresAt >= ?',
+    [sidHash, nowMs]
+  );
+  if (!row) return false;
+
+  // Recover the existing data + reserved fingerprint key (vault-
+  // sealed at rest). Operators that want a fresh fingerprint also
+  // call b.session.rotate; updateData preserves the binding.
+  var unsealed = cryptoField.unsealRow("_blamejs_sessions", row);
+  var existing = null;
+  var storedFingerprint = null;
+  if (unsealed.data) {
+    try {
+      existing = safeJson.parse(unsealed.data);
+      if (existing && typeof existing === "object" &&
+          typeof existing.__bj_fingerprint === "string") {
+        storedFingerprint = existing.__bj_fingerprint;
+      }
+    } catch (_e) {
+      // Decrypt-then-parse failure mirrors verify() — drop existing
+      // and proceed with the new payload only. Operator gets the
+      // same auth.session.data_unparseable signal next verify().
+      existing = null;
+      storedFingerprint = null;
+    }
+  }
+
+  // Build the next payload. merge:true does a one-level deep merge
+  // into the existing object (arrays at the top level REPLACE);
+  // default replaces wholesale.
+  var next;
+  if (opts.merge === true && existing && typeof existing === "object") {
+    next = Object.assign({}, existing);
+    if (data && typeof data === "object") {
+      Object.keys(data).forEach(function (k) {
+        if (k === "__bj_fingerprint") return;       // reserved — only fingerprint binding writes this
+        next[k] = data[k];
+      });
+    }
+  } else {
+    next = (data && typeof data === "object") ? Object.assign({}, data) : null;
+    if (next) delete next.__bj_fingerprint;          // reserved — operator can't overwrite the binding
+  }
+  if (storedFingerprint && next) next.__bj_fingerprint = storedFingerprint;
+
+  // Re-seal the data column. cryptoField.sealRow handles the AAD
+  // binding + sealedFields registration automatically.
+  var sealedRow = cryptoField.sealRow("_blamejs_sessions", {
+    data: next ? JSON.stringify(next) : null,
+  });
+
+  var setParts = ['"data" = ?'];
+  var setParams = [sealedRow.data];
+  if (opts.touchLastActivity !== false) {
+    setParts.push('"lastActivity" = ?');
+    setParams.push(nowMs);
+  }
+  var sql = "UPDATE _blamejs_sessions SET " + setParts.join(", ") +
+            " WHERE sidHash = ? AND expiresAt >= ?";
+  var result = await _currentStore().execute(sql, setParams.concat([sidHash, nowMs]));
+  return (result.rowCount || 0) > 0;
+}
+
 /**
  * @primitive b.session.purgeExpired
  * @signature b.session.purgeExpired()
@@ -1021,6 +1150,7 @@ module.exports = {
   destroyAllForUser:    destroyAllForUser,
   touch:                touch,
   rotate:               rotate,
+  updateData:           updateData,
   purgeExpired:         purgeExpired,
   count:                count,
   useStore:             useStore,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.64",
+  "version": "0.8.67",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:23c254f3-eb31-48e9-84e5-285c0cd30ffe",
+  "serialNumber": "urn:uuid:7b747b8f-4f21-448f-a73e-50b8615f6937",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-10T06:15:43.727Z",
+    "timestamp": "2026-05-10T14:43:14.112Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.64",
+      "bom-ref": "@blamejs/core@0.8.67",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.64",
+      "version": "0.8.67",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.64",
+      "purl": "pkg:npm/%40blamejs/core@0.8.67",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.64",
+      "ref": "@blamejs/core@0.8.67",
       "dependsOn": []
     }
   ]