npm - @blamejs/core - Versions diffs - 0.8.90 → 0.9.1 - Mend

@blamejs/core 0.8.90 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/CHANGELOG.md +848 -846
package/index.js +6 -0
package/lib/ai-pref.js +8 -2
package/lib/auth/oauth.js +36 -6
package/lib/auth/openid-federation.js +41 -10
package/lib/auth/saml.js +74 -19
package/lib/auth/sd-jwt-vc.js +76 -6
package/lib/auth/step-up.js +14 -5
package/lib/cdn-cache-control.js +473 -0
package/lib/client-hints.js +318 -0
package/lib/http-client-cache.js +15 -8
package/lib/http-client-cookie-jar.js +18 -7
package/lib/http-message-signature.js +18 -11
package/lib/log-stream.js +25 -1
package/lib/mail-auth.js +3 -2
package/lib/mail-require-tls.js +7 -18
package/lib/middleware/body-parser.js +24 -12
package/lib/middleware/scim-server.js +2 -2
package/lib/middleware/tus-upload.js +12 -7
package/lib/network-dns.js +178 -0
package/lib/network-smtp-policy.js +2 -2
package/lib/request-helpers.js +15 -0
package/lib/security-assert.js +23 -1
package/lib/structured-fields.js +244 -0
package/lib/websocket.js +15 -9
package/lib/xml-c14n.js +7 -0
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/websocket.js CHANGED Viewed

@@ -77,10 +77,11 @@
 var nodeCrypto = require("crypto");
 var zlib = require("zlib");
 var { EventEmitter } = require("events");
-var C = require("./constants");
-var requestHelpers = require("./request-helpers");
-var safeAsync = require("./safe-async");
-var safeBuffer = require("./safe-buffer");
+var C                = require("./constants");
+var requestHelpers   = require("./request-helpers");
+var safeAsync        = require("./safe-async");
+var safeBuffer       = require("./safe-buffer");
+var structuredFields = require("./structured-fields");
 var { FrameworkError } = require("./framework-error");
 var { boot } = require("./log");
@@ -517,11 +518,16 @@ var DEFLATE_TRAILING = Buffer.from([0x00, 0x00, 0xff, 0xff]);
 function _parseExtensionHeader(header) {
   // Sec-WebSocket-Extensions: foo; param=val; param2, bar; ...
   // Returns [{ name, params: { paramName: value | true } }]
+  // RFC 6455 §9.1 + RFC 7230 token-or-quoted-string — param values
+  // can technically be quoted-string. Current registered extensions
+  // (permessage-deflate) only use token values in practice, but the
+  // quote-aware split is defensive against any future extension
+  // shipping quoted parameter values.
   if (!header) return [];
-  var entries = String(header).split(",");
+  var entries = structuredFields.splitTopLevel(String(header), ",");
   var out = [];
   for (var i = 0; i < entries.length; i++) {
-    var parts = entries[i].split(";").map(function (s) { return s.trim(); });
+    var parts = structuredFields.splitTopLevel(entries[i], ";").map(function (s) { return s.trim(); });
     if (!parts[0]) continue;
     var ext = { name: parts[0].toLowerCase(), params: {} };
     for (var j = 1; j < parts.length; j++) {
@@ -530,9 +536,9 @@ function _parseExtensionHeader(header) {
       if (!k) continue;
       var v = kv.length > 1 ? kv.slice(1).join("=").trim() : true;
       // Strip surrounding quotes per the token-or-quoted-string grammar.
-      if (typeof v === "string" && v.length >= 2 &&
-          v.charAt(0) === '"' && v.charAt(v.length - 1) === '"') {
-        v = v.slice(1, -1);
+      if (typeof v === "string") {
+        var _unq = structuredFields.unquoteSfString(v);
+        if (_unq !== null) v = _unq;
       }
       ext.params[k] = v;
     }

package/lib/xml-c14n.js CHANGED Viewed

@@ -495,5 +495,12 @@ module.exports = {
   parse:                   parse,
   canonicalize:            canonicalize,
   canonicalizeElementById: canonicalizeElementById,
+  // Exported so SAML metadata / AuthnRequest builders can interpolate
+  // operator-supplied URLs and IDs without raw string concatenation.
+  // _escapeAttrValue handles double-quoted attribute-value escaping
+  // (`"`, `&`, `<`, CR/LF/HT); _escapeText handles element text-node
+  // escaping (`&`, `<`, `>`, CR). Both are RFC 3741 §1.3.x compliant.
+  escapeAttrValue:         _escapeAttrValue,
+  escapeText:              _escapeText,
   XmlC14nError:            XmlC14nError,
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.8.90",
+  "version": "0.9.1",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:860a5246-eb35-4113-adf2-886982273421",
+  "serialNumber": "urn:uuid:bffe9a17-1586-474d-aa8f-75dd58525185",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-11T19:04:39.738Z",
+    "timestamp": "2026-05-11T23:22:03.045Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.8.90",
+      "bom-ref": "@blamejs/core@0.9.1",
       "type": "library",
       "name": "blamejs",
-      "version": "0.8.90",
+      "version": "0.9.1",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.8.90",
+      "purl": "pkg:npm/%40blamejs/core@0.9.1",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.8.90",
+      "ref": "@blamejs/core@0.9.1",
       "dependsOn": []
     }
   ]