npm - @blamejs/core - Versions diffs - 0.9.16 → 0.9.18 - Mend

@blamejs/core 0.9.16 → 0.9.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

package/CHANGELOG.md +2 -0
package/MIGRATING.md +23 -1
package/lib/acme.js +2 -2
package/lib/api-snapshot.js +1 -1
package/lib/app-shutdown.js +2 -2
package/lib/app.js +2 -2
package/lib/argon2-builtin.js +1 -1
package/lib/atomic-file.js +8 -8
package/lib/audit-sign.js +3 -3
package/lib/audit-tools.js +2 -2
package/lib/auth/dpop.js +1 -1
package/lib/auth/elevation-grant.js +1 -1
package/lib/auth/jwt-external.js +1 -1
package/lib/auth/jwt.js +1 -1
package/lib/auth/oauth.js +1 -1
package/lib/auth/status-list.js +1 -1
package/lib/backup/bundle.js +2 -2
package/lib/backup/index.js +7 -7
package/lib/bundler.js +4 -4
package/lib/cli.js +1 -1
package/lib/cloud-events.js +1 -1
package/lib/compliance-sanctions.js +1 -1
package/lib/crypto-hpke.js +1 -1
package/lib/crypto.js +3 -3
package/lib/daemon.js +2 -2
package/lib/db-file-lifecycle.js +5 -5
package/lib/db-schema.js +1 -1
package/lib/db.js +2 -2
package/lib/dev.js +5 -5
package/lib/dr-runbook.js +2 -2
package/lib/external-db-migrate.js +1 -1
package/lib/flag-evaluation-context.js +1 -1
package/lib/flag-providers.js +1 -1
package/lib/http-client.js +11 -11
package/lib/http-message-signature.js +1 -1
package/lib/keychain.js +2 -2
package/lib/local-db-thin.js +2 -2
package/lib/log-stream-local.js +3 -3
package/lib/log-stream-syslog.js +4 -4
package/lib/mail-arc-sign.js +1 -1
package/lib/mail-dkim.js +1 -1
package/lib/mail.js +5 -5
package/lib/middleware/asyncapi-serve.js +1 -1
package/lib/middleware/body-parser.js +4 -4
package/lib/middleware/openapi-serve.js +1 -1
package/lib/middleware/tus-upload.js +1 -1
package/lib/migrations.js +1 -1
package/lib/mtls-ca.js +4 -4
package/lib/network-smtp-policy.js +1 -1
package/lib/ntp-check.js +1 -1
package/lib/object-store/azure-blob.js +3 -3
package/lib/object-store/gcs.js +3 -3
package/lib/object-store/http-put.js +1 -1
package/lib/object-store/local.js +3 -3
package/lib/object-store/sigv4-bucket-ops.js +1 -1
package/lib/object-store/sigv4.js +3 -3
package/lib/observability.js +1 -1
package/lib/process-spawn.js +2 -2
package/lib/restore-bundle.js +2 -2
package/lib/restore-rollback.js +4 -4
package/lib/restore.js +3 -3
package/lib/retry.js +1 -1
package/lib/router.js +4 -4
package/lib/safe-url.js +2 -2
package/lib/sandbox.js +1 -1
package/lib/security-assert.js +1 -1
package/lib/seeders.js +2 -2
package/lib/self-update-standalone-verifier.js +2 -2
package/lib/self-update.js +5 -5
package/lib/session-device-binding.js +1 -1
package/lib/storage.js +1 -1
package/lib/template.js +2 -2
package/lib/totp.js +1 -1
package/lib/vault/index.js +2 -2
package/lib/vault/passphrase-ops.js +2 -2
package/lib/vault/passphrase-source.js +2 -2
package/lib/vault/rotate.js +7 -7
package/lib/vault/seal-pem-file.js +8 -8
package/lib/vendor-data.js +1 -1
package/lib/watcher.js +4 -4
package/lib/webhook.js +1 -1
package/lib/websocket.js +3 -3
package/lib/ws-client.js +6 -6
package/package.json +1 -1
package/sbom.cdx.json +6 -6

package/lib/vault/seal-pem-file.js CHANGED Viewed

@@ -19,7 +19,7 @@
  *     source:       "/etc/letsencrypt/live/example.com/privkey.pem",
  *     destination:  "/var/lib/blamejs/server.key.sealed",
  *     audit:        true,                 // default
- *     pollInterval: b.constants.TIME.seconds(2),  // nodeFs.watchFile cadence
+ *     pollInterval: b.constants.TIME.seconds(2),  // fs.watchFile cadence
  *     onResealed:   function (info) { ... }, // { srcPath, destPath, bytes,
  *                                                resealedAt, generation }
  *     onError:      function (err)  { ... }, // sealing failed
@@ -42,10 +42,10 @@
  * (rename did not happen). The recovery routine re-runs the seal from
  * source — idempotent because the source PEM is the source of truth.
  *
- * nodeFs.watchFile semantics:
+ * fs.watchFile semantics:
  *
- * Node's nodeFs.watchFile is a polling stat() loop with the configured
- * pollInterval. It fires on mtime / size change. nodeFs.watch (the
+ * Node's fs.watchFile is a polling stat() loop with the configured
+ * pollInterval. It fires on mtime / size change. fs.watch (the
  * inotify / kqueue backend) is more efficient but inconsistent across
  * platforms — single rename events surface as multiple change events
  * on Linux (events fire on the directory entry, the file, and the
@@ -54,8 +54,8 @@
  * pollInterval) is acceptable for renewal cadences measured in days.
  */
-var nodeFs = require("fs");
-var nodePath = require("path");
+var nodeFs = require("node:fs");
+var nodePath = require("node:path");
 var atomicFile = require("../atomic-file");
 var C = require("../constants");
 var lazyRequire = require("../lazy-require");
@@ -76,7 +76,7 @@ var SealPemFileError = defineClass("SealPemFileError", { alwaysPermanent: true }
 // 2-second worst-case re-seal latency — negligible against the
 // renewal cadence. Operators with sub-second-sensitive use cases
 // override via opts.pollInterval.
-// H6 #6 — nodeFs.watchFile default cadence reduced from 2s to 500ms so a
+// H6 #6 — fs.watchFile default cadence reduced from 2s to 500ms so a
 // fast renewal-then-revert (mtime bump then second bump within ~2s)
 // doesn't sneak past the watcher. Operators with extremely-quiet
 // renewal cycles can override via opts.pollInterval; the cost of
@@ -126,7 +126,7 @@ var DEFAULT_MAX_SOURCE_BYTES = C.BYTES.mib(1);
  *     source:         string,    // plaintext PEM path (required)
  *     destination:    string,    // sealed-output path (required, must differ from source)
  *     audit:          boolean,   // emit b.audit events on every reseal (default true)
- *     pollInterval:   number,    // nodeFs.watchFile cadence in ms (default 500)
+ *     pollInterval:   number,    // fs.watchFile cadence in ms (default 500)
  *     onResealed:     function,  // (info) => void — { srcPath, destPath, bytes, resealedAt, generation }
  *     onError:        function,  // (err)  => void — sealing failed
  *     maxSourceBytes: number,    // refuse source larger than this (default 1 MiB)

package/lib/vendor-data.js CHANGED Viewed

@@ -36,7 +36,7 @@
  *   not `fs.readFileSync`-loaded.
  */
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var safeEnv = require("./parsers/safe-env");
 var { defineClass } = require("./framework-error");
 var pqcSoftware = require("./pqc-software");

package/lib/watcher.js CHANGED Viewed

@@ -3,7 +3,7 @@
  * b.watcher — recursive filesystem-watch primitive with cross-platform
  * event normalization.
  *
- * Wraps `nodeFs.watch(root, { recursive: true })` and turns the per-platform
+ * Wraps `fs.watch(root, { recursive: true })` and turns the per-platform
  * event soup (Linux inotify "rename" + "change", macOS FSEvents
  * coalesced "rename", Windows ReadDirectoryChangesW pure "rename" /
  * "change") into a single shape:
@@ -15,7 +15,7 @@
  * `type` is one of "file" or "dir". The watcher is build-tool-shaped:
  * use it to drive incremental rebuilds, hot-reload-on-change,
  * config-file watching, or content-store cache busts. It is NOT a
- * security primitive — nodeFs.watch is best-effort across kernels and the
+ * security primitive — fs.watch is best-effort across kernels and the
  * caller must not rely on it for audit-grade change detection.
  *
  * Cross-platform notes baked in:
@@ -45,8 +45,8 @@
  *   watcher.WatcherError
  */
-var nodeFs   = require("fs");
-var nodePath = require("path");
+var nodeFs   = require("node:fs");
+var nodePath = require("node:path");
 var lazyRequire = require("./lazy-require");
 var validateOpts = require("./validate-opts");
 var { WatcherError } = require("./framework-error");

package/lib/webhook.js CHANGED Viewed

@@ -47,7 +47,7 @@
  *   Outbound webhook delivery with cryptographic signing in a single `Webhook-Signature` header, retry + dead-letter via `b.retry`, and idempotency keys baked into the signed string so a captured signature cannot be replayed with a fresh id.
  */
-var nodeCrypto = require("crypto");
+var nodeCrypto = require("node:crypto");
 var bCrypto = require("./crypto");
 var httpClient = require("./http-client");
 var safeBuffer = require("./safe-buffer");

package/lib/websocket.js CHANGED Viewed

@@ -74,9 +74,9 @@
  *   RFC 6455 WebSocket server on top of Node's `'upgrade'` event, plus RFC 8441 Extended CONNECT for HTTP/2.
  */
-var nodeCrypto = require("crypto");
-var zlib = require("zlib");
-var { EventEmitter } = require("events");
+var nodeCrypto = require("node:crypto");
+var zlib = require("node:zlib");
+var { EventEmitter } = require("node:events");
 var C                = require("./constants");
 var requestHelpers   = require("./request-helpers");
 var safeAsync        = require("./safe-async");

package/lib/ws-client.js CHANGED Viewed

@@ -45,10 +45,10 @@
  * (operator opts in to mTLS via tlsOpts). HSTS-style, no soft-fail.
  */
-var net          = require("net");
-var nodeUrl      = require("url");
-var nodeCrypto   = require("crypto");
-var EventEmitter = require("events");
+var net          = require("node:net");
+var nodeUrl      = require("node:url");
+var nodeCrypto   = require("node:crypto");
+var { EventEmitter } = require("node:events");
 var lazyRequire    = require("./lazy-require");
 var validateOpts   = require("./validate-opts");
@@ -389,7 +389,7 @@ class WsClient extends EventEmitter {
     var socket;
     if (parsed.protocol === "wss:") {
-      var tls = require("tls");                                                          // allow:inline-require — node:tls only on TLS path
+      var tls = require("node:tls");                                                          // allow:inline-require — node:tls only on TLS path
       var tlsOpts = Object.assign({
         host:         host,
         port:         port,
@@ -710,7 +710,7 @@ class WsClient extends EventEmitter {
       this._fragmentRsv1 = false;
       if (this._negotiatedDeflate && firstFrameRsv1) {
         try {
-          var zlib = require("zlib");                                                     // allow:inline-require — zlib only on deflate-negotiated path
+          var zlib = require("node:zlib");                                                     // allow:inline-require — zlib only on deflate-negotiated path
           var compressed = Buffer.concat([fullPayload, Buffer.from([0x00, 0x00, 0xff, 0xff])]); // allow:raw-byte-literal — RFC 7692 §7.2.2 deflate trailer
           // Decompression-bomb defense: zlib.inflateRawSync's
           // `maxOutputLength` aborts the inflate the moment the

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.9.16",
+  "version": "0.9.18",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json CHANGED Viewed

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:8e662af8-d254-46ec-8625-aa19174598d2",
+  "serialNumber": "urn:uuid:d20f1496-b984-415b-977d-5f669aa8e4da",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-14T04:47:34.904Z",
+    "timestamp": "2026-05-14T15:36:22.065Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.9.16",
+      "bom-ref": "@blamejs/core@0.9.18",
       "type": "library",
       "name": "blamejs",
-      "version": "0.9.16",
+      "version": "0.9.18",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.9.16",
+      "purl": "pkg:npm/%40blamejs/core@0.9.18",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.9.16",
+      "ref": "@blamejs/core@0.9.18",
       "dependsOn": []
     }
   ]