npm - @blamejs/core - Versions diffs - 0.9.15 → 0.9.17 - Mend

@blamejs/core 0.9.15 → 0.9.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

package/CHANGELOG.md +2 -0
package/lib/a2a-tasks.js +2 -2
package/lib/acme.js +2 -2
package/lib/api-snapshot.js +1 -1
package/lib/app-shutdown.js +2 -2
package/lib/app.js +2 -2
package/lib/argon2-builtin.js +1 -1
package/lib/atomic-file.js +8 -8
package/lib/audit-sign.js +3 -3
package/lib/audit-tools.js +2 -2
package/lib/auth/dpop.js +1 -1
package/lib/auth/elevation-grant.js +4 -4
package/lib/auth/fido-mds3.js +6 -6
package/lib/auth/jwt-external.js +3 -3
package/lib/auth/jwt.js +1 -1
package/lib/auth/oauth.js +1 -1
package/lib/auth/status-list.js +1 -1
package/lib/backup/bundle.js +2 -2
package/lib/backup/index.js +7 -7
package/lib/bundler.js +4 -4
package/lib/cli.js +1 -1
package/lib/cloud-events.js +1 -1
package/lib/compliance-sanctions.js +1 -1
package/lib/compliance.js +6 -7
package/lib/config.js +6 -6
package/lib/credential-hash.js +4 -4
package/lib/crypto-field.js +9 -9
package/lib/crypto-hpke.js +1 -1
package/lib/crypto.js +3 -3
package/lib/daemon.js +2 -2
package/lib/db-file-lifecycle.js +5 -5
package/lib/db-schema.js +1 -1
package/lib/db.js +3 -3
package/lib/dev.js +5 -5
package/lib/dr-runbook.js +2 -2
package/lib/external-db-migrate.js +16 -16
package/lib/flag-evaluation-context.js +3 -3
package/lib/flag-providers.js +1 -1
package/lib/http-client.js +11 -11
package/lib/http-message-signature.js +1 -1
package/lib/keychain.js +6 -6
package/lib/local-db-thin.js +2 -2
package/lib/log-stream-local.js +3 -3
package/lib/log-stream-syslog.js +4 -4
package/lib/log.js +2 -2
package/lib/mail-arc-sign.js +1 -1
package/lib/mail-dkim.js +1 -1
package/lib/mail.js +7 -7
package/lib/mcp-tool-registry.js +6 -6
package/lib/middleware/asyncapi-serve.js +1 -1
package/lib/middleware/body-parser.js +6 -6
package/lib/middleware/openapi-serve.js +1 -1
package/lib/middleware/require-bound-key.js +4 -4
package/lib/middleware/require-mtls.js +4 -4
package/lib/middleware/tus-upload.js +1 -1
package/lib/migrations.js +3 -3
package/lib/mtls-ca.js +4 -4
package/lib/network-byte-quota.js +2 -2
package/lib/network-smtp-policy.js +1 -1
package/lib/network.js +12 -12
package/lib/notify.js +8 -8
package/lib/ntp-check.js +1 -1
package/lib/object-store/azure-blob.js +3 -3
package/lib/object-store/gcs.js +3 -3
package/lib/object-store/http-put.js +1 -1
package/lib/object-store/local.js +3 -3
package/lib/object-store/sigv4-bucket-ops.js +1 -1
package/lib/object-store/sigv4.js +3 -3
package/lib/observability.js +1 -1
package/lib/parsers/safe-env.js +3 -3
package/lib/process-spawn.js +2 -2
package/lib/restore-bundle.js +3 -3
package/lib/restore-rollback.js +4 -4
package/lib/restore.js +3 -3
package/lib/retry.js +1 -1
package/lib/router.js +16 -16
package/lib/safe-url.js +2 -2
package/lib/sandbox.js +1 -1
package/lib/security-assert.js +1 -1
package/lib/seeders.js +4 -4
package/lib/self-update-standalone-verifier.js +2 -2
package/lib/self-update.js +5 -5
package/lib/session-device-binding.js +1 -1
package/lib/storage.js +1 -1
package/lib/template.js +2 -2
package/lib/testing.js +2 -2
package/lib/totp.js +1 -1
package/lib/vault/index.js +2 -2
package/lib/vault/passphrase-ops.js +2 -2
package/lib/vault/passphrase-source.js +2 -2
package/lib/vault/rotate.js +7 -7
package/lib/vault/seal-pem-file.js +8 -8
package/lib/vault-aad.js +5 -5
package/lib/vendor-data.js +1 -1
package/lib/watcher.js +5 -5
package/lib/webhook.js +1 -1
package/lib/websocket.js +3 -3
package/lib/ws-client.js +8 -8
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/seeders.js CHANGED Viewed

@@ -15,7 +15,7 @@
  *
  *   module.exports = {
  *     description: "Create default admin user for local dev",
- *     // Optional — when omitted, the env is inferred from the nodePath.
+ *     // Optional — when omitted, the env is inferred from the path.
  *     // When present, this seed only applies under one of these envs.
  *     envs:        ["dev", "test"],
  *     // Default false — applied once and recorded in registry.
@@ -54,7 +54,7 @@
  *     applied state)
  */
-var nodePath = require("path");
+var nodePath = require("node:path");
 var atomicFile = require("./atomic-file");
 var C = require("./constants");
 var dbSchema = require("./db-schema");
@@ -67,7 +67,7 @@ var { SeederError } = require("./framework-error");
 var log = boot("seeders");
-var dbModule = lazyRequire(function () { return require("./db"); });
+var db = lazyRequire(function () { return require("./db"); });
 var observability = lazyRequire(function () { return require("./observability"); });
 var _err = SeederError.factory;
@@ -151,7 +151,7 @@ function _validateCreateOpts(opts) {
 function _resolveDb(opts) {
   if (opts && opts.db && typeof opts.db.prepare === "function") return opts.db;
-  var d = dbModule();
+  var d = db();
   if (typeof d.prepare !== "function") {
     throw _err("NO_DB", "seeders: no db handle: pass opts.db or initialize b.db before create()");
   }

package/lib/self-update-standalone-verifier.js CHANGED Viewed

@@ -83,8 +83,8 @@
  *   or systemd `install.sh`. node:crypto + node:fs only.
  */
-var nodeCrypto = require("crypto");
-var nodeFs     = require("fs");
+var nodeCrypto = require("node:crypto");
+var nodeFs     = require("node:fs");
 // _streamHashAndVerify — read the asset in 64 KiB chunks, feed each
 // chunk into sha256, sha3-512, AND the signature verifier in parallel.

package/lib/self-update.js CHANGED Viewed

@@ -47,16 +47,16 @@
  *   Framework / vendored-deps integrity check plus version pinning — refuses to install a new build when the asset's detached signature does not verify against the operator-supplied public key, or when the vendored SHA the new build would ship does not match the manifest the opera...
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
-var nodeCrypto = require("crypto");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
+var nodeCrypto = require("node:crypto");
 var numericBounds = require("./numeric-bounds");
 var atomicFile = require("./atomic-file");
 var validateOpts = require("./validate-opts");
 var bCrypto = require("./crypto");
 var httpClient = require("./http-client");
 var safeJson = require("./safe-json");
-var { URL: NodeUrl } = require("url");
+var { URL: NodeUrl } = require("node:url");
 var lazyRequire = require("./lazy-require");
 var C = require("./constants");
 var standaloneVerifier = require("./self-update-standalone-verifier");
@@ -178,7 +178,7 @@ function _matchAsset(name, pattern, fallback) {
  * Fetch a releases feed and report whether a newer tag is available.
  * Tags are compared semver-style with a leading `v` stripped. When
  * `opts.etag` is supplied an `If-None-Match` header makes a 304 a fast
- * "no update" nodePath. The match against asset and signature URLs uses
+ * "no update" path. The match against asset and signature URLs uses
  * `opts.assetPattern` and `opts.signaturePattern` (RegExp or substring)
  * with conservative fallbacks. Throws SelfUpdateError on a non-2xx
  * upstream, malformed JSON, or unexpected shape.

package/lib/session-device-binding.js CHANGED Viewed

@@ -70,7 +70,7 @@
 var C            = require("./constants");
 var bCrypto = require("./crypto");
-var nodeCrypto   = require("crypto");
+var nodeCrypto   = require("node:crypto");
 var lazyRequire  = require("./lazy-require");
 var requestHelpers = require("./request-helpers");
 var validateOpts = require("./validate-opts");

package/lib/storage.js CHANGED Viewed

@@ -399,7 +399,7 @@ async function getFileStream(key, sealedKey, opts) {
   // to the consumer. Chunked-encryption with per-chunk AEAD would let us
   // stream end-to-end, but at the cost of finer-grained tampering windows.
   var buf = await getFileBuffer(key, sealedKey, opts);
-  return require("stream").Readable.from(buf);
+  return require("node:stream").Readable.from(buf);
 }
 /**

package/lib/template.js CHANGED Viewed

@@ -89,8 +89,8 @@
  * is the second line: even if a template loaded, it can't execute
  * arbitrary JS — only the limited expression grammar above.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");

package/lib/testing.js CHANGED Viewed

@@ -62,7 +62,7 @@ var { TestingError } = require("./framework-error");
 // metrics is the only place that exposes the global `tap` slot the
 // captureMetricsTap helper swaps; pulling it lazily keeps testing.js
 // safe to require at any framework load order.
-var metricsModule = lazyRequire(function () { return require("./metrics"); });
+var metrics = lazyRequire(function () { return require("./metrics"); });
 var _err = TestingError.factory;
@@ -563,7 +563,7 @@ function captureObservability() {
  *   }
  */
 function captureMetricsTap() {
-  var m = metricsModule();
+  var m = metrics();
   var original = m.tap;
   var captured = [];
   m.tap = function (name, value, labels) {

package/lib/totp.js CHANGED Viewed

@@ -59,7 +59,7 @@
  * operators should choose an authenticator that does (Authy,
  * 1Password, Bitwarden, Aegis, Microsoft Authenticator all do).
  */
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var C = require("./constants");
 var { generateBytes, generateToken, timingSafeEqual } = require("./crypto");
 var { AuthError } = require("./framework-error");

package/lib/vault/index.js CHANGED Viewed

@@ -62,8 +62,8 @@
  * @card
  *   Sealed keystore that anchors every other framework subsystem holding secrets at rest: db field encryption, encrypted session storage, audit-log signing keys, OAuth refresh tokens, anything that flows through `b.vault.seal` / `b.vault.unseal`.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
 var C = require("../constants");
 var { generateEncryptionKeyPair, encrypt, decrypt } = require("../crypto");

package/lib/vault/passphrase-ops.js CHANGED Viewed

@@ -35,8 +35,8 @@
  * with the original file untouched.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
 var vaultWrap = require("./wrap");
 var { defineClass } = require("../framework-error");

package/lib/vault/passphrase-source.js CHANGED Viewed

@@ -23,8 +23,8 @@
  * exposure to later env-dump surfaces. This doesn't zero the memory
  * (JavaScript can't) but does remove the env-object reference.
  */
-var nodeFs = require("fs");
-var readline = require("readline");
+var nodeFs = require("node:fs");
+var readline = require("node:readline");
 var safeEnv = require("../parsers/safe-env");
 var safeBuffer = require("../safe-buffer");

package/lib/vault/rotate.js CHANGED Viewed

@@ -48,8 +48,8 @@
  * sampler skips them.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var { DatabaseSync } = require("node:sqlite");
 var atomicFile = require("../atomic-file");
 var safeSql = require("../safe-sql");
@@ -709,9 +709,9 @@ async function rotate(opts) {
     // one for this run); log at debug so the cleanup attempt isn't
     // silently swallowed when something genuinely unexpected fails.
     try { nodeFs.unlinkSync(tmpDbPath + "-wal"); }
-    catch (e) { rotateLog.debug("cleanup-failed", { op: "nodeFs.unlinkSync", path: tmpDbPath + "-wal", error: e.message }); }
+    catch (e) { rotateLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: tmpDbPath + "-wal", error: e.message }); }
     try { nodeFs.unlinkSync(tmpDbPath + "-shm"); }
-    catch (e) { rotateLog.debug("cleanup-failed", { op: "nodeFs.unlinkSync", path: tmpDbPath + "-shm", error: e.message }); }
+    catch (e) { rotateLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: tmpDbPath + "-shm", error: e.message }); }
     var rotatedBytes = nodeFs.readFileSync(tmpDbPath);
     nodeFs.writeFileSync(nodePath.join(stagingDir, paths.encryptedDb),
@@ -729,11 +729,11 @@ async function rotate(opts) {
     } finally {
       vdb.close();
       try { nodeFs.unlinkSync(verifyTmp); }
-      catch (e) { rotateLog.debug("cleanup-failed", { op: "nodeFs.unlinkSync", path: verifyTmp, error: e.message }); }
+      catch (e) { rotateLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: verifyTmp, error: e.message }); }
       try { nodeFs.unlinkSync(verifyTmp + "-wal"); }
-      catch (e) { rotateLog.debug("cleanup-failed", { op: "nodeFs.unlinkSync", path: verifyTmp + "-wal", error: e.message }); }
+      catch (e) { rotateLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: verifyTmp + "-wal", error: e.message }); }
       try { nodeFs.unlinkSync(verifyTmp + "-shm"); }
-      catch (e) { rotateLog.debug("cleanup-failed", { op: "nodeFs.unlinkSync", path: verifyTmp + "-shm", error: e.message }); }
+      catch (e) { rotateLog.debug("cleanup-failed", { op: "fs.unlinkSync", path: verifyTmp + "-shm", error: e.message }); }
     }
     if (!verifyResult.ok) {
       throw new VaultRotateError("vault-rotate/verify-failed",

package/lib/vault/seal-pem-file.js CHANGED Viewed

@@ -19,7 +19,7 @@
  *     source:       "/etc/letsencrypt/live/example.com/privkey.pem",
  *     destination:  "/var/lib/blamejs/server.key.sealed",
  *     audit:        true,                 // default
- *     pollInterval: b.constants.TIME.seconds(2),  // nodeFs.watchFile cadence
+ *     pollInterval: b.constants.TIME.seconds(2),  // fs.watchFile cadence
  *     onResealed:   function (info) { ... }, // { srcPath, destPath, bytes,
  *                                                resealedAt, generation }
  *     onError:      function (err)  { ... }, // sealing failed
@@ -42,10 +42,10 @@
  * (rename did not happen). The recovery routine re-runs the seal from
  * source — idempotent because the source PEM is the source of truth.
  *
- * nodeFs.watchFile semantics:
+ * fs.watchFile semantics:
  *
- * Node's nodeFs.watchFile is a polling stat() loop with the configured
- * pollInterval. It fires on mtime / size change. nodeFs.watch (the
+ * Node's fs.watchFile is a polling stat() loop with the configured
+ * pollInterval. It fires on mtime / size change. fs.watch (the
  * inotify / kqueue backend) is more efficient but inconsistent across
  * platforms — single rename events surface as multiple change events
  * on Linux (events fire on the directory entry, the file, and the
@@ -54,8 +54,8 @@
  * pollInterval) is acceptable for renewal cadences measured in days.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
 var C = require("../constants");
 var lazyRequire = require("../lazy-require");
@@ -76,7 +76,7 @@ var SealPemFileError = defineClass("SealPemFileError", { alwaysPermanent: true }
 // 2-second worst-case re-seal latency — negligible against the
 // renewal cadence. Operators with sub-second-sensitive use cases
 // override via opts.pollInterval.
-// H6 #6 — nodeFs.watchFile default cadence reduced from 2s to 500ms so a
+// H6 #6 — fs.watchFile default cadence reduced from 2s to 500ms so a
 // fast renewal-then-revert (mtime bump then second bump within ~2s)
 // doesn't sneak past the watcher. Operators with extremely-quiet
 // renewal cycles can override via opts.pollInterval; the cost of
@@ -126,7 +126,7 @@ var DEFAULT_MAX_SOURCE_BYTES = C.BYTES.mib(1);
  *     source:         string,    // plaintext PEM path (required)
  *     destination:    string,    // sealed-output path (required, must differ from source)
  *     audit:          boolean,   // emit b.audit events on every reseal (default true)
- *     pollInterval:   number,    // nodeFs.watchFile cadence in ms (default 500)
+ *     pollInterval:   number,    // fs.watchFile cadence in ms (default 500)
  *     onResealed:     function,  // (info) => void — { srcPath, destPath, bytes, resealedAt, generation }
  *     onError:        function,  // (err)  => void — sealing failed
  *     maxSourceBytes: number,    // refuse source larger than this (default 1 MiB)

package/lib/vault-aad.js CHANGED Viewed

@@ -52,7 +52,7 @@ var C               = require("./constants");
 var { defineClass } = require("./framework-error");
 var VaultAadError = defineClass("VaultAadError", { alwaysPermanent: true });
-var crypto = lazyRequire(function () { return require("./crypto"); });
+var bCrypto = lazyRequire(function () { return require("./crypto"); });
 var vault  = lazyRequire(function () { return require("./vault"); });
 var audit  = lazyRequire(function () { return require("./audit"); });
@@ -154,11 +154,11 @@ function _deriveKey(aadBytes) {
   // this is a deterministic derivation; rotating vault keys produces
   // a different root and breaks all prior AAD-sealed values (operator
   // intent: rotation = re-seal).
-  var rootHash = crypto().sha3Hash(keysJson);
+  var rootHash = bCrypto().sha3Hash(keysJson);
   var prefix   = Buffer.from("vault.aad/v1/", "utf8");
   var rootBuf  = Buffer.from(rootHash, "hex");
   var input    = Buffer.concat([prefix, rootBuf, aadBytes]);
-  return crypto().kdf(input, C.BYTES.bytes(32));
+  return bCrypto().kdf(input, C.BYTES.bytes(32));
 }
 function seal(plaintext, aadParts) {
@@ -178,7 +178,7 @@ function seal(plaintext, aadParts) {
   var aadBytes = _canonicalize(aadParts);
   var key = _deriveKey(aadBytes);
   var ptBuf = Buffer.from(plaintext, "utf8");
-  var packed = crypto().encryptPacked(ptBuf, key, aadBytes);
+  var packed = bCrypto().encryptPacked(ptBuf, key, aadBytes);
   try {
     audit().safeEmit({
@@ -213,7 +213,7 @@ function unseal(value, aadParts) {
       "unseal: base64 decode failed - " + e.message);
   }
   var pt;
-  try { pt = crypto().decryptPacked(packed, key, aadBytes); }
+  try { pt = bCrypto().decryptPacked(packed, key, aadBytes); }
   catch (e) {
     try {
       audit().safeEmit({

package/lib/vendor-data.js CHANGED Viewed

@@ -36,7 +36,7 @@
  *   not `fs.readFileSync`-loaded.
  */
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var safeEnv = require("./parsers/safe-env");
 var { defineClass } = require("./framework-error");
 var pqcSoftware = require("./pqc-software");

package/lib/watcher.js CHANGED Viewed

@@ -3,7 +3,7 @@
  * b.watcher — recursive filesystem-watch primitive with cross-platform
  * event normalization.
  *
- * Wraps `nodeFs.watch(root, { recursive: true })` and turns the per-platform
+ * Wraps `fs.watch(root, { recursive: true })` and turns the per-platform
  * event soup (Linux inotify "rename" + "change", macOS FSEvents
  * coalesced "rename", Windows ReadDirectoryChangesW pure "rename" /
  * "change") into a single shape:
@@ -15,7 +15,7 @@
  * `type` is one of "file" or "dir". The watcher is build-tool-shaped:
  * use it to drive incremental rebuilds, hot-reload-on-change,
  * config-file watching, or content-store cache busts. It is NOT a
- * security primitive — nodeFs.watch is best-effort across kernels and the
+ * security primitive — fs.watch is best-effort across kernels and the
  * caller must not rely on it for audit-grade change detection.
  *
  * Cross-platform notes baked in:
@@ -45,8 +45,8 @@
  *   watcher.WatcherError
  */
-var nodeFs   = require("fs");
-var nodePath = require("path");
+var nodeFs   = require("node:fs");
+var nodePath = require("node:path");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var { WatcherError } = require("./framework-error");
@@ -434,7 +434,7 @@ function create(opts) {
           ((e && e.message) || String(e)) + " — pass mode: \"poll\" to fall back to interval polling");
       }
       throw new WatcherError("watcher/start-failed",
-        "watcher.create: nodeFs.watch failed: " + ((e && e.message) || String(e)));
+        "watcher.create: fs.watch failed: " + ((e && e.message) || String(e)));
     }
   }

package/lib/webhook.js CHANGED Viewed

@@ -47,7 +47,7 @@
  *   Outbound webhook delivery with cryptographic signing in a single `Webhook-Signature` header, retry + dead-letter via `b.retry`, and idempotency keys baked into the signed string so a captured signature cannot be replayed with a fresh id.
  */
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var bCrypto = require("./crypto");
 var httpClient = require("./http-client");
 var safeBuffer = require("./safe-buffer");

package/lib/websocket.js CHANGED Viewed

@@ -74,9 +74,9 @@
  *   RFC 6455 WebSocket server on top of Node's `'upgrade'` event, plus RFC 8441 Extended CONNECT for HTTP/2.
  */
-var nodeCrypto = require("crypto");
-var zlib = require("zlib");
-var { EventEmitter } = require("events");
+var nodeCrypto = require("node:crypto");
+var zlib = require("node:zlib");
+var { EventEmitter } = require("node:events");
 var C                = require("./constants");
 var requestHelpers   = require("./request-helpers");
 var safeAsync        = require("./safe-async");

package/lib/ws-client.js CHANGED Viewed

@@ -45,16 +45,16 @@
  * (operator opts in to mTLS via tlsOpts). HSTS-style, no soft-fail.
  */
-var net          = require("net");
-var nodeUrl      = require("url");
-var nodeCrypto   = require("crypto");
-var EventEmitter = require("events");
+var net          = require("node:net");
+var nodeUrl      = require("node:url");
+var nodeCrypto   = require("node:crypto");
+var { EventEmitter } = require("node:events");
 var lazyRequire    = require("./lazy-require");
 var validateOpts   = require("./validate-opts");
 var safeAsync      = require("./safe-async");
 var safeBuffer     = require("./safe-buffer");
-var fwCrypto       = lazyRequire(function () { return require("./crypto"); });
+var bCrypto        = lazyRequire(function () { return require("./crypto"); });
 var websocket      = lazyRequire(function () { return require("./websocket"); });
 var audit          = lazyRequire(function () { return require("./audit"); });
 var networkTls     = lazyRequire(function () { return require("./network-tls"); });
@@ -137,7 +137,7 @@ function _inflateRawCappedSync(zlib, compressed, maxBytes, windowBits) {
 }
 function _generateKey() {
-  return fwCrypto().generateBytes(C.BYTES.bytes(16)).toString("base64");
+  return bCrypto().generateBytes(C.BYTES.bytes(16)).toString("base64");
 }
 function _expectedAccept(secKey, handshakeGuid) {
@@ -389,7 +389,7 @@ class WsClient extends EventEmitter {
     var socket;
     if (parsed.protocol === "wss:") {
-      var tls = require("tls");                                                          // allow:inline-require — node:tls only on TLS path
+      var tls = require("node:tls");                                                          // allow:inline-require — node:tls only on TLS path
       var tlsOpts = Object.assign({
         host:         host,
         port:         port,
@@ -710,7 +710,7 @@ class WsClient extends EventEmitter {
       this._fragmentRsv1 = false;
       if (this._negotiatedDeflate && firstFrameRsv1) {
         try {
-          var zlib = require("zlib");                                                     // allow:inline-require — zlib only on deflate-negotiated path
+          var zlib = require("node:zlib");                                                     // allow:inline-require — zlib only on deflate-negotiated path
           var compressed = Buffer.concat([fullPayload, Buffer.from([0x00, 0x00, 0xff, 0xff])]); // allow:raw-byte-literal — RFC 7692 §7.2.2 deflate trailer
           // Decompression-bomb defense: zlib.inflateRawSync's
           // `maxOutputLength` aborts the inflate the moment the

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.15",
+  "version": "0.9.17",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:40df0b28-c547-4f48-9bbf-f005b59cbd1b",
+  "serialNumber": "urn:uuid:bfd9c116-6a09-4b5c-a673-96fa322cab83",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-14T00:04:25.956Z",
+    "timestamp": "2026-05-14T06:23:47.607Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.15",
+      "bom-ref": "@blamejs/core@0.9.17",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.15",
+      "version": "0.9.17",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.15",
+      "purl": "pkg:npm/%40blamejs/core@0.9.17",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.15",
+      "ref": "@blamejs/core@0.9.17",
       "dependsOn": []
     }
   ]