@blamejs/core 0.8.82 → 0.8.83

package/CHANGELOG.md

@@ -8,6 +8,7 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
+- v0.8.83 (2026-05-11) — **ACME 47-day-cert readiness**: certificate profiles + dns-account-01 challenge + ARI renewal-window jitter. **draft-aaron-acme-profiles** lands as `acme.listProfiles()` (reads `directory.meta.profiles` and returns the CA-advertised `{ name: description }` map) + `acme.newOrder({ profile })` (passes the chosen profile name through the order payload; refuses non-string + caps length at 64 bytes). As CA/B Forum SC-081v3 phases in the 47-day mandate, profile-name vocabulary becomes the operator-facing handle for "long-lived" vs "47-day" vs "short-lived" cert selection. **draft-ietf-acme-dns-account-label** lands as `acme.dnsAccount01ChallengeRecord(token, { identifier, ttl? })` which builds the per-account-scoped TXT record (`_<accountLabel>._acme-challenge.<host>`) where `accountLabel` is the lowercase base32 of the first 80 bits of `SHA-256(accountUrl)`. Refuses pre-newAccount (label needs accountUrl as seed); caps identifier at 255 bytes; refuses negative / huge TTL. **RFC 9773 §4.2 fleet-scheduling jitter**: `acme.renewIfDue({ jitter: true })` now returns a `renewAt` ISO timestamp picked uniformly across the CA-suggested window so operator fleets running on the same poll cadence stop clustering their renewal storms at the window-start instant. Default behavior (`jitter` off or absent) preserves pre-0.8.83 "renew now" semantics. The `acme.cert.renew.scheduled` audit row carries the chosen `renewAt` when jitter is on.
 - v0.8.82 (2026-05-11) — **Privacy 2026 posture sweep**. 27 new postures land in `b.compliance.KNOWN_POSTURES` (with matching `REGIME_MAP` + `POSTURE_DEFAULTS` cascade entries) closing the privacy gap surfaced by the 2026-05-11 multi-agent compliance audit. **US federal**: `coppa` + `coppa-2025` (FTC final rule 2025-04-22, effective 2026-06-23 — biometric expansion + knowing-collection-13-and-under disclosure; cascade adds backupEncryptionRequired:true + vacuum-after-erase), `glba-safeguards` (GLBA Safeguards Rule 2024 Amendment, effective 2024-05-13; cascade matches pci-dss + nydfs-500 financial tier), `gina` (Genetic Information Nondiscrimination Act), `vppa` (Video Privacy Protection Act), `can-spam`, `il-gipa` (Illinois Genetic Information Privacy Act with post-2024 private right of action), `hhs-repro-24` (HHS Reproductive Health HIPAA Amendment 2024-12-23), `nist-pf-1.1` (NIST Privacy Framework 1.1, final 2025-04-14). **UK**: `uk-duaa` (Data (Use and Access) Act 2025 — Royal Assent 2025-06-19; replaces the abandoned DPDI Bill; cascade matches GDPR floor with vacuum-after-erase). **Latin America**: `cl-pdpa` (Chile Ley 21.719, enacted 2024-12-13, effective 2026-12-01; cascade mirrors gdpr), `mx-lfpdppp` (Mexico 2025 secondary reform), `ar-pdpa` (Argentina Ley 25.326). **APAC**: `pipa-kr` (Korea PIPA 2023 major amendment, phased 2023-09-15 / 2024-03-15), `au-privacy` (Australia Privacy Act + 2024 Amendment Act — statutory tort effective 2025-06-10), `th-pdpa`, `vn-pdp` (Vietnam PDP Law effective 2026-01-01), `id-pdp` (Indonesia PDP Law effective 2024-10-17), `my-pdpa` (Malaysia 2024 amendments effective 2025-04-30). **US state child-privacy**: `ny-safe-kids` + `ny-saffe` (NY Child Data Protection Act + Stop Addictive Feeds Exploitation, both effective 2025-06-20), `md-kids-code` (Maryland Age-Appropriate Design Code), `vt-aadc` (Vermont AADC). **EU non-personal-data + adjacent**: `dsa` (Digital Services Act, fully applicable 2024-02-17), `dga` (Data Governance Act, applicable 2023-09-24), `eu-cer` (Critical Entities Resilience Directive 2022/2557, transposition 2024-10-17), `eu-cyber-sol` (Cyber Solidarity Act 2025/38, effective 2025-02-04), `eidas-2` (eIDAS 2 / EUDI Wallet, rollout 2026-2027). New REGIME_MAP `domain` values introduced: `child-privacy`, `financial-privacy`, `consumer-privacy`, `genetic-privacy`, `platform-governance`, `identity` — operators rendering compliance dashboards grouped by domain pick up the new buckets via `b.compliance.posturesByDomain(domain)` without code changes.
 - v0.8.81 (2026-05-11) — **AI-governance compliance postures + ISO 42001/23894 cross-walk + privacy catalog drift fixes**. 18 new postures register in `b.compliance.KNOWN_POSTURES` (and the matching `REGIME_MAP` + `POSTURE_DEFAULTS` cascade): state AI governance (`co-ai`, `il-hb3773`, `tx-traiga`, `ut-aipa`, `nyc-ll144`, `ca-tfaia` — frontier AI critical-incident records cascade to `backupEncryptionRequired:true`), international AI (`kr-ai-basic`, `cn-ai-label`), AI management standards (`iso-42001`, `iso-23894`), California gen-AI content credentials (`ca-sb942`, `ca-ab853`), substrate-to-posture cleanup so existing primitives gain catalog entries (`eaa` for EU Accessibility Act + `b.compliance-eaa`, `wcag-2-2` for `b.guardHtml.wcag`, `eu-data-act` for `b.dataAct`, `hitech` extending HIPAA-tier, `ferpa` for student records), plus `fl-fdbr` (Florida Digital Bill of Rights) and the long-missing `dpdp` (India DPDP Act 2023 — was in `POSTURE_DEFAULTS` cascade table but not in `KNOWN_POSTURES`, so `b.compliance.set("dpdp")` threw `compliance/unknown-posture`). **ISO 42001 + 23894 cross-walk**: new `b.compliance.aiAct.crossWalkIso42001([aiActCitation])` and `crossWalkIso23894()` return a 15-row mapping table linking EU AI Act articles (Art. 9 risk management → Art. 73 incident reporting) to ISO/IEC 42001:2023 Annex A controls and ISO/IEC 23894:2023 risk-management clauses. Operators chasing ISO 42001 certification under AI Act high-risk scope use the table to produce one cross-walk artifact instead of hand-rolling two separate audits; the table is read-only metadata, defensive copies returned, no behavior change at deploy time. **DSR drift fix**: `b.dsr.stateRules("fl-fdbr")` / `stateRules("FL")` now resolve (45-day response window, 15-day extension, 30-day cure, profiling opt-out enabled, minor opt-in 13). **Citation drift fix**: four state-privacy posture citations corrected from "(effective 2026-MM-DD)" to "(effective 2025-MM-DD)" — `modpa`, `nh-nhpa`, `nj-njdpa`, `mn-mncdpa` all took effect during 2025; the year-late citations would have surfaced as audit-trail discrepancies under operator review.
 - v0.8.80 (2026-05-10) — **Bug fix — `b.config.loadDbBacked` overlapping-tick race**. `cfg.refresh()` calls `_tick()` directly and the periodic poller also invokes `_tick()` independently. When two ticks overlap (two `refresh()`es back-to-back, or `refresh()` racing a poll), the older read could resolve LAST and overwrite a newer config write — so `admin-save → await cfg.refresh()` was not guaranteed to leave the latest value active when `fetchRows` latency varied across calls. Reproducible by serving a 200ms read followed by a 20ms read; without the fix, the slower (older) result clobbered the faster (newer) one. Fix: every tick claims a monotonic sequence number at start; at apply-time, ticks whose sequence is older than the last-applied sequence drop with a `config.reload.skipped` audit emission (phase `stale-tick`). The high-water mark advances ONLY after `cfg.reload` succeeds — a newer tick whose validation fails must not suppress an older in-flight tick that still has valid data (otherwise `refresh(valid)` followed by `refresh(invalid)` could silently keep stale config active even though the valid update was about to land). Fetch / transform failures short-circuit before the apply path and likewise do NOT advance the watermark.

package/README.md

@@ -95,7 +95,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **AAD-bound sealed columns** — AEAD tag tied to `(table, rowId, column, schemaVersion)`; copy-paste between rows or schema-version replay surfaces as refused decrypt (`b.vault.aad`)
 - **Signed webhooks + API encryption** — SLH-DSA-SHAKE-256f default; ML-DSA-65 opt-in; ECIES API encryption (`b.webhook`, `b.crypto`)
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`)
-- **TLS / channel binding** — RFC 9266 TLS-Exporter token-to-session pinning (`b.tlsExporter`); RFC 9162 CT v2 inclusion-proof verification (`b.network.tls.ct.verifyInclusion`); RFC 8555 ACME + RFC 9773 ARI for 47-day certs (`b.acme`); RFC 8470 0-RTT inbound posture refuse / replay-cache (`b.router.create({tls0Rtt})`); RFC 9794 SecP256r1MLKEM768 in preferred-group order (`b.network.tls.preferredGroups`)
+- **TLS / channel binding** — RFC 9266 TLS-Exporter token-to-session pinning (`b.tlsExporter`); RFC 9162 CT v2 inclusion-proof verification (`b.network.tls.ct.verifyInclusion`); RFC 8555 ACME + RFC 9773 ARI for 47-day certs with `{ jitter: true }` fleet-scheduling (`b.acme.renewIfDue`); draft-aaron-acme-profiles (`acme.listProfiles()` + `newOrder({ profile })`); draft-ietf-acme-dns-account-label (`acme.dnsAccount01ChallengeRecord(token, { identifier })`); RFC 8470 0-RTT inbound posture refuse / replay-cache (`b.router.create({tls0Rtt})`); RFC 9794 SecP256r1MLKEM768 in preferred-group order (`b.network.tls.preferredGroups`)
 - **mTLS CA** — pure-JS, issues clientAuth / serverAuth / dual-EKU certs with SAN; auto-detects highest-PQC signature alg (today ECDSA-P384-SHA384; self-upgrades to SLH-DSA / ML-DSA when X.509 ecosystem catches up); PQC TLS gates inbound + outbound (`b.mtlsCa`, `b.pqcGate`, `b.pqcAgent`)
 ### HTTP
 

package/lib/acme.js

@@ -565,6 +565,23 @@ function create(opts) {
     var payload = { identifiers: orderOpts.identifiers.slice() };
     if (typeof orderOpts.notBefore === "string") payload.notBefore = orderOpts.notBefore;
     if (typeof orderOpts.notAfter === "string") payload.notAfter = orderOpts.notAfter;
+    // draft-aaron-acme-profiles — operator-selected certificate profile.
+    // The CA advertises profile names + descriptions via
+    // `directory.meta.profiles`; operator passes the chosen name through
+    // newOrder. CAs honoring the draft return 400 when the name isn't
+    // in the advertised set; ones that haven't adopted the draft ignore
+    // the field. v1-defensible scope: refuse non-string + cap length so
+    // attacker-supplied profile values can't bloat the JSON payload.
+    if (typeof orderOpts.profile === "string") {
+      if (orderOpts.profile.length === 0 || orderOpts.profile.length > C.BYTES.bytes(64)) {
+        throw _err("acme/bad-profile",
+          "newOrder: profile name must be a non-empty string <= 64 bytes", true);
+      }
+      payload.profile = orderOpts.profile;
+    } else if (orderOpts.profile !== undefined) {
+      throw _err("acme/bad-profile",
+        "newOrder: profile must be a string when provided", true);
+    }
     var rsp = await _signedPost(state.directory.newOrder, payload);
     if (rsp.statusCode !== 201) {
       _emitAudit(audit, "acme.order.created", "failure",
@@ -710,7 +727,31 @@ function create(opts) {
   async function renewIfDue(opts2) {
     var ari = await fetchAri(opts2);
     var nowMs = Date.now();
-    if (nowMs < ari.suggestedWindow.startMs) {
+    // RFC 9773 §4.2 — when called inside the suggested window, return
+    // a renewAt timestamp picked uniformly across the remaining window
+    // so a fleet of operators running on the same poll cadence don't
+    // cluster their renewal storms at the window-start instant. Operators
+    // opt in via `{ jitter: true }`; default behavior preserves the
+    // pre-0.8.83 "renew now" semantics.
+    var jitter   = opts2 && opts2.jitter === true;
+    var beforeWindow = nowMs < ari.suggestedWindow.startMs;
+    var pastWindow   = nowMs > ari.suggestedWindow.endMs;
+    var renewAtMs    = null;
+    if (jitter) {
+      // Uniform random point in [max(now, start), end].
+      var jLo = beforeWindow ? ari.suggestedWindow.startMs : nowMs;
+      var jHi = ari.suggestedWindow.endMs;
+      if (jHi >= jLo) {
+        // Non-crypto: RFC 9773 §4.2 fleet-scheduling jitter inside the
+        // CA-suggested renewal window. Predictability is not a threat
+        // here; uniform distribution across the window is the goal.
+        renewAtMs = jLo + Math.floor(Math.random() * (jHi - jLo + 1));   // allow:math-random-noncrypto — RFC 9773 fleet jitter, predictability not a threat
+      } else {
+        // Past-window — renew immediately, no jitter.
+        renewAtMs = nowMs;
+      }
+    }
+    if (beforeWindow) {
       _emitAudit(audit, "acme.cert.renew.skipped", "success", {
         certId:         ari.certId,
         windowStart:    ari.suggestedWindow.start,
@@ -718,24 +759,31 @@ function create(opts) {
         nowIso:         new Date(nowMs).toISOString(),
       });
       _emitObs("acme.cert.renew.skipped", { reason: "before-window" });
-      return { shouldRenew: false, reason: "before-window", ari: ari };
+      var ret = { shouldRenew: false, reason: "before-window", ari: ari };
+      if (jitter) ret.renewAt = new Date(renewAtMs).toISOString();
+      return ret;
     }
-    if (nowMs > ari.suggestedWindow.endMs) {
+    if (pastWindow) {
       _emitAudit(audit, "acme.cert.renew.scheduled", "warning", {
         certId:         ari.certId,
         reason:         "past-window",
         windowEnd:      ari.suggestedWindow.end,
       });
       _emitObs("acme.cert.renew.scheduled", { reason: "past-window" });
-      return { shouldRenew: true, reason: "past-window", ari: ari };
+      var rp = { shouldRenew: true, reason: "past-window", ari: ari };
+      if (jitter) rp.renewAt = new Date(renewAtMs).toISOString();
+      return rp;
     }
     _emitAudit(audit, "acme.cert.renew.scheduled", "success", {
       certId:         ari.certId,
       windowStart:    ari.suggestedWindow.start,
       windowEnd:      ari.suggestedWindow.end,
+      renewAt:        jitter ? new Date(renewAtMs).toISOString() : null,
     });
     _emitObs("acme.cert.renew.scheduled", { reason: "in-window" });
-    return { shouldRenew: true, reason: "in-window", ari: ari };
+    var ri = { shouldRenew: true, reason: "in-window", ari: ari };
+    if (jitter) ri.renewAt = new Date(renewAtMs).toISOString();
+    return ri;
   }
 
   /**
@@ -896,6 +944,118 @@ function create(opts) {
     return crypto.createHash("sha256").update(keyAuth, "utf8").digest();
   }
 
+  /**
+   * @primitive b.acme.create.listProfiles
+   * @signature b.acme.create.listProfiles()
+   * @since     0.8.83
+   * @status    experimental
+   *
+   * Returns the CA-advertised certificate profile catalog as
+   * `{ name: description }` per draft-aaron-acme-profiles. Operators
+   * pass the chosen name through `newOrder({ profile: name })`; CAs
+   * use the profile to select certificate lifetime + key-usage +
+   * validation rigor. As CA/B Forum 47-day cert TTLs phase in (Mar
+   * 2026 ballot SC-081v3), profile-name vocabulary becomes the
+   * operator-facing handle for "long-lived" vs "47-day" vs "short-
+   * lived". Returns an empty object when the directory has no
+   * `meta.profiles` map (CA hasn't adopted the draft). Refreshes the
+   * directory cache when none has been fetched yet.
+   *
+   * @example
+   *   await acme.fetchDirectory();
+   *   var profiles = acme.listProfiles();
+   *   // → { "default": "Standard 90-day certificate",
+   *   //     "shortlived": "47-day certificate (CA/B Forum SC-081v3)",
+   *   //     "tlsserver":  "TLS server profile with Must-Staple" }
+   *
+   *   await acme.newOrder({ identifiers: [{ type: "dns", value: "example.com" }],
+   *                          profile: "shortlived" });
+   */
+  function listProfiles() {
+    if (!state.directory) return {};
+    var meta = state.directory.meta;
+    if (!meta || typeof meta !== "object") return {};
+    var profiles = meta.profiles;
+    if (!profiles || typeof profiles !== "object") return {};
+    var out = {};
+    var keys = Object.keys(profiles);
+    for (var i = 0; i < keys.length; i += 1) {
+      var k = keys[i];
+      var v = profiles[k];
+      out[k] = typeof v === "string" ? v : "";
+    }
+    return out;
+  }
+
+  /**
+   * @primitive b.acme.create.dnsAccount01ChallengeRecord
+   * @signature b.acme.create.dnsAccount01ChallengeRecord(token, opts?)
+   * @since     0.8.83
+   * @status    experimental
+   * @related   b.acme.create.tlsAlpn01KeyAuthorization
+   *
+   * Build the DNS TXT record an operator publishes to satisfy a
+   * `dns-account-01` challenge per draft-ietf-acme-dns-account-label.
+   * Unlike `dns-01` (record at `_acme-challenge.<host>`),
+   * `dns-account-01` scopes the record by account so the same domain
+   * can be validated from multiple ACME accounts without record-name
+   * collisions; the record name becomes
+   * `_<accountLabel>._acme-challenge.<identifier>` where
+   * `accountLabel` is the SHA-256 truncated-base32 of the account URL.
+   *
+   * Returns `{ name, value, ttl }` where `name` is the FQDN to publish
+   * the TXT record at (with operator-supplied `identifier` substituted
+   * in) and `value` is the SHA-256 of the key authorization in
+   * unpadded base64url (same as `dns-01`). Refuses when `newAccount`
+   * has not run (no accountUrl yet); refuses non-string token /
+   * identifier.
+   *
+   * @opts
+   *   identifier: string,   // host being validated (required)
+   *   ttl:        number,   // suggested DNS TTL in seconds; default: 60
+   *
+   * @example
+   *   await acme.newAccount({ contact: ["mailto:ops@example.com"] });
+   *   var rec = acme.dnsAccount01ChallengeRecord("token123", {
+   *     identifier: "example.com",
+   *   });
+   *   // rec.name  → "_<accountLabel>._acme-challenge.example.com"
+   *   // rec.value → "<base64url-of-sha256(token123.<thumbprint>)>"
+   *   // rec.ttl   → 60
+   */
+  function dnsAccount01ChallengeRecord(token, opts2) {
+    if (typeof token !== "string" || token.length === 0) {
+      throw _err("acme/bad-token", "dnsAccount01ChallengeRecord: token must be a non-empty string", true);
+    }
+    if (!opts2 || typeof opts2 !== "object" || typeof opts2.identifier !== "string" || opts2.identifier.length === 0) {
+      throw _err("acme/bad-identifier", "dnsAccount01ChallengeRecord: opts.identifier (host) is required", true);
+    }
+    if (opts2.identifier.length > C.BYTES.bytes(255)) {
+      throw _err("acme/bad-identifier", "dnsAccount01ChallengeRecord: identifier exceeds 255 bytes", true);
+    }
+    if (!state.accountUrl) {
+      throw _err("acme/no-account",
+        "dnsAccount01ChallengeRecord: newAccount() must run first (account URL is the label seed)", true);
+    }
+    if (opts2.ttl !== undefined && (typeof opts2.ttl !== "number" || !isFinite(opts2.ttl) || opts2.ttl < 1 || opts2.ttl > C.TIME.hours(24) / C.TIME.seconds(1))) {
+      throw _err("acme/bad-ttl",
+        "dnsAccount01ChallengeRecord: ttl must be a positive integer <= 86400 seconds", true);
+    }
+    var crypto = require("node:crypto");
+    // Account label: lowercase base32 of first 10 bytes of SHA-256(accountUrl)
+    // (per draft-ietf-acme-dns-account-label §3.1 — 80-bit truncated label).
+    var hash = crypto.createHash("sha256").update(state.accountUrl, "utf8").digest();
+    var label = _base32lc(hash.subarray(0, 10));
+    // Record value: same key-authorization digest shape as dns-01.
+    var keyAuth = token + "." + _jwkThumbprint(publicJwk);
+    var digest  = crypto.createHash("sha256").update(keyAuth, "utf8").digest();
+    return {
+      name:  "_" + label + "._acme-challenge." + opts2.identifier,
+      value: _b64u(digest),
+      ttl:   typeof opts2.ttl === "number" ? Math.floor(opts2.ttl) : (C.TIME.minutes(1) / C.TIME.seconds(1)),
+    };
+  }
+
   return Object.freeze({
     fetchDirectory:  fetchDirectory,
     newAccount:      newAccount,
@@ -908,6 +1068,8 @@ function create(opts) {
     accountKeyRollover: accountKeyRollover,
     deactivateAccount:  deactivateAccount,
     tlsAlpn01KeyAuthorization: tlsAlpn01KeyAuthorization,
+    listProfiles:    listProfiles,
+    dnsAccount01ChallengeRecord: dnsAccount01ChallengeRecord,
     accountUrl:      function () { return state.accountUrl; },
     directory:       function () { return state.directory; },
     publicJwk:       function () { return Object.assign({}, publicJwk); },
@@ -955,6 +1117,28 @@ function _sleep(ms) {
   });
 }
 
+// RFC 4648 §6 base32 lowercase (no padding) — used by
+// draft-ietf-acme-dns-account-label to derive the 80-bit account label
+// from SHA-256(accountUrl). 5-bit groups MSB-first.
+function _base32lc(buf) {
+  var alphabet = "abcdefghijklmnopqrstuvwxyz234567";
+  var out = "";
+  var bits = 0;
+  var value = 0;
+  for (var i = 0; i < buf.length; i += 1) {
+    value = (value << 8) | buf[i];   // allow:raw-byte-literal — bit-shift count, byte boundary
+    bits += 8;                       // allow:raw-byte-literal — bits-per-byte constant
+    while (bits >= 5) {
+      out += alphabet[(value >>> (bits - 5)) & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    out += alphabet[(value << (5 - bits)) & 31];
+  }
+  return out;
+}
+
 module.exports = {
   create:    create,
   AcmeError: AcmeError,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.82",
+  "version": "0.8.83",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:309a8ed5-6be3-41c5-b29a-f23cdc9a41ca",
+  "serialNumber": "urn:uuid:eac2848d-d02f-43f8-9152-ffdf0f6a1cba",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-11T15:08:03.856Z",
+    "timestamp": "2026-05-11T15:13:25.519Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.82",
+      "bom-ref": "@blamejs/core@0.8.83",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.82",
+      "version": "0.8.83",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.82",
+      "purl": "pkg:npm/%40blamejs/core@0.8.83",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.82",
+      "ref": "@blamejs/core@0.8.83",
       "dependsOn": []
     }
   ]