@blamejs/core 0.8.89 → 0.8.90

package/CHANGELOG.md

@@ -8,7 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.8.x
 
-- v0.8.89 (2026-05-11) — **Hotfix: `b.earlyHints.send()` case-variant link bypass + new `b.mail.srs` Sender Rewriting Scheme**. **Hotfix (PRIMARY)**: pre-v0.8.89, supplying both `link` (lowercase) AND `Link` (capital, or any other case variant) to `b.earlyHints.send()` bypassed the validator. `opts.link` got the dedicated `_validateLink` pass and was assigned to `headers.link`; the trailing header loop then iterated `Object.keys(opts)`, skipped only the exact-match `"link"` key, and for `"Link"` lowercased the name and wrote `headers.link = opts.Link` — overwriting the validated value with unvalidated content. Malformed Link headers (missing `rel=`, unknown relation, oversized) reached `writeEarlyHints()` despite the API contract. The fix collapses all opt keys to a single canonical lowercase map up front; duplicate case-variants of any header (not just `link`) now refuse with `early-hints/duplicate-header` so operators see the collision instead of getting silent winner-take-all behavior. Capital `Link` alone (no lowercase variant) still works — it goes through the same validator. Tests added: case-variant-collision refuse, capital-Link-alone validates, capital-Link with malformed value still throws `bad-link`. **New**: `b.mail.srs.create({ secret, forwarderDomain, expiryDays? })` — Sender Rewriting Scheme (SRS0) implementation for forwarder envelope-from rewriting so the next-hop SPF check passes and bounces route correctly back to the original sender. Returns `{ rewrite, reverse }`. `rewrite(addr)` produces an SRS-encoded `SRS0=HHHH=TT=domain=local@forwarder.example` form; `reverse(srs)` decodes back to the original sender, verifying the HMAC-SHA-256 short-tag (operator-supplied secret), the day-stamp expiry window (default 30 days), and the canonical 4-field SRS0 grammar. Refuses tampered tags via `srs/bad-tag`, expired rewrites via `srs/expired`, double-SRS-encoding via `srs/already-rewritten` (SRS1 wrapping deferred; operator demand TBD), and bad address shapes via `srs/bad-address`. HMAC uses `b.crypto.timingSafeEqual` for tag comparison so the verification side stays constant-time against operator-controlled tag inputs.
+- v0.8.90 (2026-05-11) — **RFC 8689 REQUIRETLS support** (`b.mail.requireTls`). Per-message TLS-requirement signaling between sender and receiver MTAs. Complements MTA-STS / DANE (policy-side, domain-scoped) with a per-message knob that overrides policy when the operator wants stricter-than-policy delivery — message bounces instead of falling back to cleartext if no downstream MTA can deliver under TLS. **`peerSupports(ehloLines)`**: walks a parsed EHLO response and returns `true` when the peer advertised the `REQUIRETLS` keyword; case-insensitive per RFC 5321 §2.4; refuses substring matches (`FOO-REQUIRETLS-BAR` does NOT match); empty / non-array input returns `false`. **`mailFromExtension({ requireTls })`**: builds the trailing `" REQUIRETLS"` token to append to a MAIL FROM line; refuses non-boolean flag value (a truthy-but-wrong-shape value like `"yes"` throws instead of silently succeeding). **`parseTlsRequiredHeader(headerValue)`**: parses the RFC 8689 §5 `TLS-Required` header — returns `"no"` only when the value is the literal token `no` (case-insensitive, ignoring whitespace) per spec; any other non-empty value returns `"yes"` (RFC 8689 §5: "any value other than 'No' MUST be treated as if the field had been absent" — conservative strict path); returns `null` for absent / empty / non-string input; refuses control characters on the **raw** header value before `trim()` runs so a leading `\n` / trailing `\r` / NUL / DEL byte can no longer slip past as the literal token `no` (ASCII HT remains permitted as structural folding whitespace).
+- v0.8.89 (2026-05-11) — **Hotfix: `b.earlyHints.send()` case-variant link bypass + new `b.mail.srs` Sender Rewriting Scheme**. **Hotfix (PRIMARY)**: pre-v0.8.89, supplying both `link` (lowercase) AND `Link` (capital, or any other case variant) to `b.earlyHints.send()` bypassed the validator. `opts.link` got the dedicated `_validateLink` pass and was assigned to `headers.link`; the trailing header loop then iterated `Object.keys(opts)`, skipped only the exact-match `"link"` key, and for `"Link"` lowercased the name and wrote `headers.link = opts.Link` — overwriting the validated value with unvalidated content. Malformed Link headers (missing `rel=`, unknown relation, oversized) reached `writeEarlyHints()` despite the API contract. The fix collapses all opt keys to a single canonical lowercase map up front; duplicate case-variants of any header (not just `link`) now refuse with `early-hints/duplicate-header` so operators see the collision instead of getting silent winner-take-all behavior. Capital `Link` alone (no lowercase variant) still works — it goes through the same validator. Tests added: case-variant-collision refuse, capital-Link-alone validates, capital-Link with malformed value still throws `bad-link`. **New**: `b.mail.srs.create({ secret, forwarderDomain, expiryDays? })` — Sender Rewriting Scheme (SRS0) implementation for forwarder envelope-from rewriting so the next-hop SPF check passes and bounces route correctly back to the original sender. Returns `{ rewrite, reverse }`. `rewrite(addr)` produces an SRS-encoded `SRS0=HHHH=TT=domain=local@forwarder.example` form; `reverse(srs)` decodes back to the original sender, verifying the HMAC-SHA-256 short-tag (operator-supplied secret), the day-stamp expiry window (default 30 days), and the canonical 4-field SRS0 grammar. Domain-binding check: `reverse(srs)` refuses with `srs/wrong-forwarder` when the SRS0 address's `@domain` part doesn't match the rewriter's `forwarderDomain` (case-insensitive per RFC 5321 §2.3.5) so a tag signed with the same secret but addressed to a different forwarder domain can no longer be accepted. Refuses tampered tags via `srs/bad-tag`, expired rewrites via `srs/expired`, double-SRS-encoding via `srs/already-rewritten`, and bad address shapes via `srs/bad-address`. HMAC uses `b.crypto.timingSafeEqual` for tag comparison so the verification side stays constant-time against operator-controlled tag inputs.
 - v0.8.88 (2026-05-11) — **Hotfix: `b.auth.fal.meets()` authorization-correctness bug + new `b.earlyHints` RFC 8297 helper**. **Hotfix (PRIMARY)**: `b.auth.fal.meets(actualBand, requiredBand)` previously compared raw ranks (`_bandRank(actual) >= _bandRank(required)`) without validating either input. Unknown bands mapped to rank `0`, so `meets("FAL1", "FALX")` returned `true` (because `1 >= 0`) and `meets("bad", "bad")` returned `true` (because `0 >= 0`) — both contradicting the documented contract that invalid bands MUST return `false`. Operators calling `meets()` directly for authorization decisions could grant access on malformed input pairs. The new implementation validates both bands via `isValidBand()` first; any invalid band on either side returns `false`. The `requireFal()` guard was already correct (it used `meets()` after a separate `isValidBand(actualBand)` check, but a defense-in-depth pass into `meets()` itself now catches direct callers too). Tests added: 7 invalid-input shapes (`FALX` actual, `FALX` required, `bad`/`bad`, `FALX`/`FALX`, null on either side, both null). **New**: `b.earlyHints.send(res, { link })` — RFC 8297 103 Early Hints interim-response helper. Wraps Node 18.11+'s built-in `res.writeEarlyHints()` with: link-header validation (RFC 8288 form with one of `preload` / `preconnect` / `prefetch` / `dns-prefetch` / `modulepreload` / `prerender` / `next` / `prev`); silent no-op when the response object lacks `writeEarlyHints` (HTTP/1.0, mocks, older Node); refusal of per-request-state headers per RFC 8297 §3 (`set-cookie`, `authorization`, `content-length`, `content-type`, etc.). Operators use it to start browser-side preload of CSS / JS / fonts / preconnect origins in parallel with the server-side composition of the final response.
 - v0.8.87 (2026-05-11) — **NIST 800-63-4 FAL classifier + RFC 7505 Null-MX helper + Gmail FBL Feedback-ID builder + vendor-update.sh stale-entry cleanup**. **`b.auth.fal`** lands as the federation-side counterpart to the existing `b.auth.aal` band classifier. `fromAssertion({ channel, encrypted?, replayProtected?, hokBinding? })` classifies an incoming federation assertion as `"FAL1"` / `"FAL2"` / `"FAL3"` per NIST 800-63C-4: Holder-of-Key (mTLS / DPoP / SAML HoK) with replay-protection → FAL3; back-channel OR encrypted front-channel with replay-protection → FAL2; bare bearer front-channel → FAL1. Conservative: missing replay-protection on a back-channel assertion downgrades to FAL1 because §5.2 requires nonce / jti binding before back-channel can claim FAL2. `requireFal(minimumBand)` builds a band-check guard that throws `auth/fal-insufficient` for stale-band requests; compose with the request-scope auth state to gate sensitive operations. **`b.network.dns.isNullMx(records)`** lands as the RFC 7505 Null-MX classifier: returns `true` when an operator-supplied MX-record array signals "this domain does not accept email" (single record, priority 0, exchange `.` per RFC 7505 §3). Operators send-side check this before delivery to skip domains that have explicitly opted out — `node:dns.resolveMx` returns `exchange: ""` for the same RDATA, so the classifier accepts both shapes. **`b.mail.feedbackId({ campaignId, customerId, mailType, senderId })`** builds a Gmail Feedback-Loop (FBL) Feedback-ID header value as the canonical 4-tuple `CampaignID:CustomerID:MailType:SenderID`. Refuses missing / empty fields, fields containing `:` (would corrupt the field separator), fields >64 chars (Gmail FBL truncation threshold), and control-char content (CR/LF header-injection defense). Setting Feedback-ID on outbound mail lets Gmail Postmaster Tools surface per-campaign abuse-rate metrics keyed by the operator's vocabulary instead of by SMTP envelope-sender alone. **vendor-update.sh cleanup**: `scripts/vendor-update.sh --check` removed the stale `argon2` entry from `VENDORED_PACKAGES`. argon2 was removed from `lib/vendor/` back in v0.4.x when Node 24's built-in `crypto.argon2*` API replaced the third-party prebuilds (per `lib/argon2-builtin.js`); the script still listed it in the check array, producing a false "UPDATE AVAILABLE" line for an unvendored package. The case-block error path that still says "argon2 is no longer vendored" stays so anyone running `./scripts/vendor-update.sh argon2` gets the operator-friendly explanation.
 - v0.8.86 (2026-05-11) — **Sectoral + cybersecurity posture sweep + HTTP-hygiene primitives + npm-publish hotfix**. **npm-publish hotfix**: the v0.8.85 `npm audit signatures` step failed with `npm error found no installed dependencies to audit` because the framework's zero-runtime-deps posture produces an empty install tree; the gate now treats that specific message as success while keeping every other failure mode loud (v0.8.85 npm tarball never published — operators upgrade `0.8.83 → 0.8.86` to pick up the carried v0.8.84 + v0.8.85 surface plus the new v0.8.86 primitives). **10 new compliance postures**: `cmmc-2.0` (DoD Cybersecurity Maturity Model Certification 2.0), `cjis-v6` (FBI CJIS Security Policy v6.0), `iso-27001-2022` + `iso-27002-2022` + `iso-27017` + `iso-27018` + `iso-27701` (ISO/IEC 27001 family), `nist-800-66-r2` (HIPAA Security Rule implementation guidance), `ehds` (European Health Data Space), `circia` (US Cyber Incident Reporting for Critical Infrastructure Act). Cascade defaults set encrypted-backup + signed-audit-chain + TLS 1.3 + vacuum-after-erase for the data-tier postures; `iso-27002-2022` + `circia` defer the data-tier mandate to operator choice. **`b.cacheStatus`** — RFC 9211 Cache-Status response-header builder + parser. `append(prev, entry)` chains the operator's current cache decision onto whatever upstream caches wrote; `entry({...})` formats a single entry; `parse(headerValue)` returns the parsed chain as `[{ cache, params }]` records with `hit`/`stored`/`collapsed` as booleans, `ttl`/`fwdStatus` as numbers, `fwd` as the RFC 9211 §2 enum string, `key`/`detail` as unquoted sf-strings. Operators diagnose CDN/reverse-proxy/app-cache decision chains by reading the header instead of guessing from elapsed-time metrics. **`b.serverTiming`** — W3C Server-Timing response-header builder. `create()` returns a per-request collector with `mark(name, durationMs?, description?)` / `measure(name, fn)` async-timing wrapper / `toHeader()` serializer. Surfaces server-side latency in the browser's Performance API. **`b.middleware.noCache`** — RFC 9111 §5.2.2.5 `Cache-Control: no-store` middleware for auth-gated / individualized response paths. Sets `Cache-Control: no-store`, `Pragma: no-cache` (HTTP/1.0 compatibility), `Vary: Cookie, Authorization` so intermediate caches don't store personalized responses keyed by URL alone. Optional `opts.when(req)` predicate for conditional application; `opts.skipExisting:true` skips when `Cache-Control` is already set.

package/lib/mail-require-tls.js

@@ -0,0 +1,209 @@
+"use strict";
+/**
+ * @module     b.mail.requireTls
+ * @nav        Mail
+ * @title      REQUIRETLS — RFC 8689
+ * @order      460
+ *
+ * @intro
+ *   RFC 8689 SMTP REQUIRETLS — per-message TLS-requirement signaling
+ *   between sender and receiver MTAs. The sender advertises that the
+ *   message MUST NOT be relayed over a cleartext (non-TLS) hop; if
+ *   no downstream MTA can deliver under TLS, the message bounces
+ *   instead of falling back to cleartext. Complements MTA-STS / DANE
+ *   (which are policy-side, domain-scoped) with a per-message
+ *   knob that overrides the policy when the operator wants
+ *   stricter-than-policy delivery.
+ *
+ *   Wire surface (RFC 8689 §3):
+ *
+ *     EHLO peer advertises:  250 REQUIRETLS
+ *     Client sends:          MAIL FROM:<sender> REQUIRETLS
+ *     Server replies:        250 OK             (or 550 if it can't honor)
+ *
+ *   Header surface (RFC 8689 §5):
+ *
+ *     TLS-Required: No       Explicit operator override; sender
+ *                            requests REQUIRETLS-style behavior be
+ *                            DISABLED for this message even if the
+ *                            policy infrastructure (MTA-STS / DANE)
+ *                            says otherwise. Use sparingly — primary
+ *                            use case is delivery to legacy peers
+ *                            during a controlled migration.
+ *
+ *   This module ships:
+ *
+ *     b.mail.requireTls.peerSupports(ehloLines) → boolean
+ *       Walks EHLO response lines and returns true when the peer
+ *       advertised the REQUIRETLS keyword.
+ *
+ *     b.mail.requireTls.mailFromExtension({ requireTls }) → string
+ *       Returns the trailing " REQUIRETLS" token (or empty string)
+ *       to append to a MAIL FROM line.
+ *
+ *     b.mail.requireTls.parseTlsRequiredHeader(headerValue) → "yes" | "no" | null
+ *       Parses the TLS-Required header field per §5. Returns "no"
+ *       only when the value is the literal token "no" (case-
+ *       insensitive); any other value returns "yes" (the conservative
+ *       default — operators must opt OUT explicitly, never default to
+ *       fall-back-to-cleartext). null when the header is absent.
+ *
+ * @card
+ *   RFC 8689 REQUIRETLS — per-message TLS-requirement signaling between MTAs (EHLO keyword + MAIL FROM extension + TLS-Required header parser).
+ */
+
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var RequireTlsError = defineClass("RequireTlsError", { alwaysPermanent: true });
+
+var REQUIRETLS_TOKEN = "REQUIRETLS";
+
+/**
+ * @primitive b.mail.requireTls.peerSupports
+ * @signature b.mail.requireTls.peerSupports(ehloLines)
+ * @since     0.8.90
+ * @status    stable
+ *
+ * Walk a parsed EHLO response and return `true` when the peer
+ * advertised the `REQUIRETLS` keyword. `ehloLines` is the array of
+ * post-greeting capability lines returned by the SMTP transport
+ * (each entry is the capability token, e.g. `"SIZE 10485760"`,
+ * `"PIPELINING"`, `"REQUIRETLS"`). Case-insensitive match per RFC
+ * 5321 §2.4 (EHLO keywords are uppercase by convention but
+ * comparison is case-insensitive).
+ *
+ * Returns `false` for empty / non-array input — operators who can't
+ * parse the EHLO get a definitive "not supported" verdict rather
+ * than a throw, matching the "defensive request-shape reader"
+ * convention used elsewhere.
+ *
+ * @example
+ *   var ehlo = ["mail.example.com", "PIPELINING", "SIZE 10485760", "REQUIRETLS", "STARTTLS"];
+ *   b.mail.requireTls.peerSupports(ehlo);  // → true
+ *
+ *   b.mail.requireTls.peerSupports(["PIPELINING", "SIZE 10485760"]);  // → false
+ */
+function peerSupports(ehloLines) {
+  if (!Array.isArray(ehloLines)) return false;
+  for (var i = 0; i < ehloLines.length; i += 1) {
+    var line = ehloLines[i];
+    if (typeof line !== "string") continue;
+    // Keyword is everything up to the first space (RFC 5321 §4.1.1.1).
+    var sp = line.indexOf(" ");
+    var keyword = sp === -1 ? line : line.slice(0, sp);
+    if (keyword.toUpperCase() === REQUIRETLS_TOKEN) return true;
+  }
+  return false;
+}
+
+/**
+ * @primitive b.mail.requireTls.mailFromExtension
+ * @signature b.mail.requireTls.mailFromExtension(opts)
+ * @since     0.8.90
+ * @status    stable
+ *
+ * Build the trailing SMTP MAIL FROM extension token for REQUIRETLS.
+ * Returns `" REQUIRETLS"` (with a leading space, ready to append)
+ * when `opts.requireTls === true`; empty string otherwise. The
+ * primitive does NOT validate the operator's address — that's the
+ * SMTP transport's job. This only emits the standard-defined token
+ * suffix.
+ *
+ * Refuses non-object opts. `requireTls` must be a boolean when
+ * provided (any other type throws `mail-require-tls/bad-flag`) so
+ * a truthy-but-wrong-shape value (e.g. `"yes"`) doesn't silently
+ * succeed.
+ *
+ * @opts
+ *   requireTls: boolean,   // true to emit " REQUIRETLS"; falsy/absent → ""
+ *
+ * @example
+ *   var line = "MAIL FROM:<alice@example.com>" +
+ *              b.mail.requireTls.mailFromExtension({ requireTls: true });
+ *   // → "MAIL FROM:<alice@example.com> REQUIRETLS"
+ */
+function mailFromExtension(opts) {
+  if (!opts || typeof opts !== "object" || Array.isArray(opts)) {
+    throw new RequireTlsError("mail-require-tls/bad-opts",
+      "mailFromExtension: opts must be a non-null object", true);
+  }
+  if (opts.requireTls === undefined || opts.requireTls === false) return "";
+  if (opts.requireTls !== true) {
+    throw new RequireTlsError("mail-require-tls/bad-flag",
+      "mailFromExtension: requireTls must be a boolean (got " + typeof opts.requireTls + ")");
+  }
+  return " " + REQUIRETLS_TOKEN;
+}
+
+/**
+ * @primitive b.mail.requireTls.parseTlsRequiredHeader
+ * @signature b.mail.requireTls.parseTlsRequiredHeader(headerValue)
+ * @since     0.8.90
+ * @status    stable
+ *
+ * Parse the RFC 8689 §5 `TLS-Required` header field. Returns:
+ *
+ *   - `"no"` when the value is the literal token `no` (case-
+ *     insensitive, ignoring surrounding whitespace) — the sender
+ *     EXPLICITLY opts out of REQUIRETLS-style behavior for this
+ *     message.
+ *   - `"yes"` for any other non-empty value — conservative default
+ *     so an operator who set a typo / malformed value still gets
+ *     the strict path (RFC 8689 §5: "if a recipient receives a
+ *     message containing a TLS-Required field with any value other
+ *     than 'No', it MUST be treated as if the field had been
+ *     absent").
+ *   - `null` when the header is absent / empty / not a string —
+ *     operator code branches on null vs "yes" / "no".
+ *
+ * Refuses CR / LF / NUL in the value (header-injection-shape inputs
+ * shouldn't reach a parser that's downstream of header splitters
+ * anyway, but a defensive check here catches operator-side mistakes).
+ *
+ * @example
+ *   b.mail.requireTls.parseTlsRequiredHeader("No");      // → "no"
+ *   b.mail.requireTls.parseTlsRequiredHeader("no");      // → "no"
+ *   b.mail.requireTls.parseTlsRequiredHeader("  no  ");  // → "no"
+ *   b.mail.requireTls.parseTlsRequiredHeader("yes");     // → "yes"
+ *   b.mail.requireTls.parseTlsRequiredHeader("anything"); // → "yes" (RFC 8689 §5 default)
+ *   b.mail.requireTls.parseTlsRequiredHeader("");        // → null
+ *   b.mail.requireTls.parseTlsRequiredHeader(undefined); // → null
+ */
+function parseTlsRequiredHeader(headerValue) {
+  if (typeof headerValue !== "string") return null;
+  // Refuse control characters defensively on the RAW value — scanning
+  // after trim() would strip leading/trailing \r\n\t etc. before the
+  // check ran, letting a header-injection-shape input like "\nno" or
+  // "no\r" slip past as the literal "no" token. Validate the original
+  // string so the contract ("control bytes are refused") holds for any
+  // position in the value.
+  for (var i = 0; i < headerValue.length; i += 1) {
+    var code = headerValue.charCodeAt(i);
+    // ASCII HT (0x09) is structural folding whitespace in HTTP/email
+    // headers — strip-equivalent at the parser layer, so the trim()
+    // below absorbs it. Everything else in C0 + DEL is rejected.
+    if (code === 9) continue;                                                                       // allow:raw-byte-literal — ASCII HT codepoint
+    if (code < 32 || code === 127) {                                                               // allow:raw-byte-literal — C0 + DEL codepoint range
+      throw new RequireTlsError("mail-require-tls/bad-header-value",
+        "parseTlsRequiredHeader: value contains control characters");
+    }
+  }
+  var trimmed = headerValue.trim();
+  if (trimmed.length === 0) return null;
+  if (trimmed.toLowerCase() === "no") return "no";
+  // RFC 8689 §5 — any other value treated as if absent (strict path).
+  return "yes";
+}
+
+module.exports = {
+  peerSupports:            peerSupports,
+  mailFromExtension:       mailFromExtension,
+  parseTlsRequiredHeader:  parseTlsRequiredHeader,
+  REQUIRETLS_TOKEN:        REQUIRETLS_TOKEN,
+  RequireTlsError:         RequireTlsError,
+};
+
+// Reserved for future field validation paths; kept in canonical
+// require ordering.
+void validateOpts;

package/lib/mail.js

@@ -1818,11 +1818,13 @@ function feedbackId(opts) {
   return parts.join(":");
 }
 
-var mailSrs = require("./mail-srs");
+var mailRequireTls = require("./mail-require-tls");
+var mailSrs        = require("./mail-srs");
 
 module.exports = {
   create:      create,
   feedbackId:  feedbackId,
+  requireTls:  mailRequireTls,
   srs:         mailSrs,
   MailError:   MailError,
   unsubscribe: mailUnsubscribe,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.89",
+  "version": "0.8.90",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:76b81036-9214-4a75-8cc8-d7f4aa841982",
+  "serialNumber": "urn:uuid:860a5246-eb35-4113-adf2-886982273421",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-11T18:49:35.055Z",
+    "timestamp": "2026-05-11T19:04:39.738Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.89",
+      "bom-ref": "@blamejs/core@0.8.90",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.89",
+      "version": "0.8.90",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.89",
+      "purl": "pkg:npm/%40blamejs/core@0.8.90",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.89",
+      "ref": "@blamejs/core@0.8.90",
       "dependsOn": []
     }
   ]