@fedify/vocab-runtime 2.0.0-dev.1908 → 2.0.0-dev.206

package/dist/request-CHSKwWMf.cjs

@@ -0,0 +1,138 @@
+const require_chunk = require('./chunk-DWy1uDak.cjs');
+const node_process = require_chunk.__toESM(require("node:process"));
+
+//#region deno.json
+var name = "@fedify/vocab-runtime";
+var version = "2.0.0-dev.206+fa815928";
+var license = "MIT";
+var exports$1 = { ".": "./src/mod.ts" };
+var description = "Runtime library for @fedify/vocab";
+var author = {
+	"name": "Hong Minhee",
+	"email": "hong@minhee.org",
+	"url": "https://hongminhee.org/"
+};
+var imports = {
+	"@multiformats/base-x": "npm:@multiformats/base-x@^4.0.1",
+	"asn1js": "npm:asn1js@^3.0.6",
+	"byte-encodings": "npm:byte-encodings@^1.0.11",
+	"fetch-mock": "npm:fetch-mock@^12.5.4",
+	"multicodec": "npm:multicodec@^3.2.1",
+	"pkijs": "npm:pkijs@^3.2.5"
+};
+var exclude = ["dist", "node_modules"];
+var publish = { "exclude": ["**/*.test.ts"] };
+var tasks = {
+	"check": "deno fmt --check && deno lint && deno check src/*.ts",
+	"test": "deno test"
+};
+var deno_default = {
+	name,
+	version,
+	license,
+	exports: exports$1,
+	description,
+	author,
+	imports,
+	exclude,
+	publish,
+	tasks
+};
+
+//#endregion
+//#region src/request.ts
+/**
+* Error thrown when fetching a JSON-LD document failed.
+*/
+var FetchError = class extends Error {
+	/**
+	* The URL that failed to fetch.
+	*/
+	url;
+	/**
+	* Constructs a new `FetchError`.
+	*
+	* @param url The URL that failed to fetch.
+	* @param message Error message.
+	*/
+	constructor(url, message) {
+		super(message == null ? url.toString() : `${url}: ${message}`);
+		this.name = "FetchError";
+		this.url = typeof url === "string" ? new URL(url) : url;
+	}
+};
+/**
+* Creates a request for the given URL.
+* @param url The URL to create the request for.
+* @param options The options for the request.
+* @returns The created request.
+* @internal
+*/
+function createActivityPubRequest(url, options = {}) {
+	return new Request(url, {
+		headers: {
+			Accept: "application/activity+json, application/ld+json",
+			"User-Agent": typeof options.userAgent === "string" ? options.userAgent : getUserAgent(options.userAgent)
+		},
+		redirect: "manual"
+	});
+}
+/**
+* Gets the user agent string for the given application and URL.
+* @param options The options for making the user agent string.
+* @returns The user agent string.
+* @since 1.3.0
+*/
+function getUserAgent({ software, url } = {}) {
+	const fedify = `Fedify/${deno_default.version}`;
+	const runtime = globalThis.Deno?.version?.deno != null ? `Deno/${Deno.version.deno}` : globalThis.process?.versions?.bun != null ? `Bun/${node_process.default.versions.bun}` : "navigator" in globalThis && navigator.userAgent === "Cloudflare-Workers" ? navigator.userAgent : globalThis.process?.versions?.node != null ? `Node.js/${node_process.default.versions.node}` : null;
+	const userAgent = software == null ? [fedify] : [software, fedify];
+	if (runtime != null) userAgent.push(runtime);
+	if (url != null) userAgent.push(`+${url.toString()}`);
+	const first = userAgent.shift();
+	return `${first} (${userAgent.join("; ")})`;
+}
+/**
+* Logs the request.
+* @param request The request to log.
+* @internal
+*/
+function logRequest(logger, request) {
+	logger.debug("Fetching document: {method} {url} {headers}", {
+		method: request.method,
+		url: request.url,
+		headers: Object.fromEntries(request.headers.entries())
+	});
+}
+
+//#endregion
+Object.defineProperty(exports, 'FetchError', {
+  enumerable: true,
+  get: function () {
+    return FetchError;
+  }
+});
+Object.defineProperty(exports, 'createActivityPubRequest', {
+  enumerable: true,
+  get: function () {
+    return createActivityPubRequest;
+  }
+});
+Object.defineProperty(exports, 'deno_default', {
+  enumerable: true,
+  get: function () {
+    return deno_default;
+  }
+});
+Object.defineProperty(exports, 'getUserAgent', {
+  enumerable: true,
+  get: function () {
+    return getUserAgent;
+  }
+});
+Object.defineProperty(exports, 'logRequest', {
+  enumerable: true,
+  get: function () {
+    return logRequest;
+  }
+});

package/dist/request-CXamqU2m.js

@@ -0,0 +1,108 @@
+import process from "node:process";
+
+//#region deno.json
+var name = "@fedify/vocab-runtime";
+var version = "2.0.0-dev.206+fa815928";
+var license = "MIT";
+var exports = { ".": "./src/mod.ts" };
+var description = "Runtime library for @fedify/vocab";
+var author = {
+	"name": "Hong Minhee",
+	"email": "hong@minhee.org",
+	"url": "https://hongminhee.org/"
+};
+var imports = {
+	"@multiformats/base-x": "npm:@multiformats/base-x@^4.0.1",
+	"asn1js": "npm:asn1js@^3.0.6",
+	"byte-encodings": "npm:byte-encodings@^1.0.11",
+	"fetch-mock": "npm:fetch-mock@^12.5.4",
+	"multicodec": "npm:multicodec@^3.2.1",
+	"pkijs": "npm:pkijs@^3.2.5"
+};
+var exclude = ["dist", "node_modules"];
+var publish = { "exclude": ["**/*.test.ts"] };
+var tasks = {
+	"check": "deno fmt --check && deno lint && deno check src/*.ts",
+	"test": "deno test"
+};
+var deno_default = {
+	name,
+	version,
+	license,
+	exports,
+	description,
+	author,
+	imports,
+	exclude,
+	publish,
+	tasks
+};
+
+//#endregion
+//#region src/request.ts
+/**
+* Error thrown when fetching a JSON-LD document failed.
+*/
+var FetchError = class extends Error {
+	/**
+	* The URL that failed to fetch.
+	*/
+	url;
+	/**
+	* Constructs a new `FetchError`.
+	*
+	* @param url The URL that failed to fetch.
+	* @param message Error message.
+	*/
+	constructor(url, message) {
+		super(message == null ? url.toString() : `${url}: ${message}`);
+		this.name = "FetchError";
+		this.url = typeof url === "string" ? new URL(url) : url;
+	}
+};
+/**
+* Creates a request for the given URL.
+* @param url The URL to create the request for.
+* @param options The options for the request.
+* @returns The created request.
+* @internal
+*/
+function createActivityPubRequest(url, options = {}) {
+	return new Request(url, {
+		headers: {
+			Accept: "application/activity+json, application/ld+json",
+			"User-Agent": typeof options.userAgent === "string" ? options.userAgent : getUserAgent(options.userAgent)
+		},
+		redirect: "manual"
+	});
+}
+/**
+* Gets the user agent string for the given application and URL.
+* @param options The options for making the user agent string.
+* @returns The user agent string.
+* @since 1.3.0
+*/
+function getUserAgent({ software, url } = {}) {
+	const fedify = `Fedify/${deno_default.version}`;
+	const runtime = globalThis.Deno?.version?.deno != null ? `Deno/${Deno.version.deno}` : globalThis.process?.versions?.bun != null ? `Bun/${process.versions.bun}` : "navigator" in globalThis && navigator.userAgent === "Cloudflare-Workers" ? navigator.userAgent : globalThis.process?.versions?.node != null ? `Node.js/${process.versions.node}` : null;
+	const userAgent = software == null ? [fedify] : [software, fedify];
+	if (runtime != null) userAgent.push(runtime);
+	if (url != null) userAgent.push(`+${url.toString()}`);
+	const first = userAgent.shift();
+	return `${first} (${userAgent.join("; ")})`;
+}
+/**
+* Logs the request.
+* @param request The request to log.
+* @internal
+*/
+function logRequest(logger, request) {
+	logger.debug("Fetching document: {method} {url} {headers}", {
+		method: request.method,
+		url: request.url,
+		headers: Object.fromEntries(request.headers.entries())
+	});
+}
+
+//#endregion
+export { FetchError, createActivityPubRequest, deno_default, getUserAgent, logRequest };

package/dist/request.test.cjs

@@ -0,0 +1,44 @@
+const require_chunk = require('./chunk-DWy1uDak.cjs');
+const require_request = require('./request-CHSKwWMf.cjs');
+const node_assert = require_chunk.__toESM(require("node:assert"));
+const node_test = require_chunk.__toESM(require("node:test"));
+const node_process = require_chunk.__toESM(require("node:process"));
+
+//#region src/request.test.ts
+(0, node_test.test)("getUserAgent()", () => {
+	if ("Deno" in globalThis) {
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent(), `Fedify/${require_request.deno_default.version} (Deno/${Deno.version.deno})`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${require_request.deno_default.version}; Deno/${Deno.version.deno})`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({ url: "https://example.com/" }), `Fedify/${require_request.deno_default.version} (Deno/${Deno.version.deno}; +https://example.com/)`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({
+			software: "MyApp/1.0.0",
+			url: new URL("https://example.com/")
+		}), `MyApp/1.0.0 (Fedify/${require_request.deno_default.version}; Deno/${Deno.version.deno}; +https://example.com/)`);
+	} else if ("Bun" in globalThis) {
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent(), `Fedify/${require_request.deno_default.version} (Bun/${Bun.version})`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${require_request.deno_default.version}; Bun/${Bun.version})`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({ url: "https://example.com/" }), `Fedify/${require_request.deno_default.version} (Bun/${Bun.version}; +https://example.com/)`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({
+			software: "MyApp/1.0.0",
+			url: new URL("https://example.com/")
+		}), `MyApp/1.0.0 (Fedify/${require_request.deno_default.version}; Bun/${Bun.version}; +https://example.com/)`);
+	} else if (navigator.userAgent === "Cloudflare-Workers") {
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent(), `Fedify/${require_request.deno_default.version} (Cloudflare-Workers)`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${require_request.deno_default.version}; Cloudflare-Workers)`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({ url: "https://example.com/" }), `Fedify/${require_request.deno_default.version} (Cloudflare-Workers; +https://example.com/)`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({
+			software: "MyApp/1.0.0",
+			url: new URL("https://example.com/")
+		}), `MyApp/1.0.0 (Fedify/${require_request.deno_default.version}; Cloudflare-Workers; +https://example.com/)`);
+	} else {
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent(), `Fedify/${require_request.deno_default.version} (Node.js/${node_process.default.versions.node})`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${require_request.deno_default.version}; Node.js/${node_process.default.versions.node})`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({ url: "https://example.com/" }), `Fedify/${require_request.deno_default.version} (Node.js/${node_process.default.versions.node}; +https://example.com/)`);
+		(0, node_assert.deepStrictEqual)(require_request.getUserAgent({
+			software: "MyApp/1.0.0",
+			url: new URL("https://example.com/")
+		}), `MyApp/1.0.0 (Fedify/${require_request.deno_default.version}; Node.js/${node_process.default.versions.node}; +https://example.com/)`);
+	}
+});
+
+//#endregion

package/dist/request.test.d.cts

@@ -0,0 +1 @@
+export { };

package/dist/request.test.d.ts

@@ -0,0 +1 @@
+export { };

package/dist/request.test.js

@@ -0,0 +1,43 @@
+import { deno_default, getUserAgent } from "./request-CXamqU2m.js";
+import { deepStrictEqual } from "node:assert";
+import { test } from "node:test";
+import process from "node:process";
+
+//#region src/request.test.ts
+test("getUserAgent()", () => {
+	if ("Deno" in globalThis) {
+		deepStrictEqual(getUserAgent(), `Fedify/${deno_default.version} (Deno/${Deno.version.deno})`);
+		deepStrictEqual(getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${deno_default.version}; Deno/${Deno.version.deno})`);
+		deepStrictEqual(getUserAgent({ url: "https://example.com/" }), `Fedify/${deno_default.version} (Deno/${Deno.version.deno}; +https://example.com/)`);
+		deepStrictEqual(getUserAgent({
+			software: "MyApp/1.0.0",
+			url: new URL("https://example.com/")
+		}), `MyApp/1.0.0 (Fedify/${deno_default.version}; Deno/${Deno.version.deno}; +https://example.com/)`);
+	} else if ("Bun" in globalThis) {
+		deepStrictEqual(getUserAgent(), `Fedify/${deno_default.version} (Bun/${Bun.version})`);
+		deepStrictEqual(getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${deno_default.version}; Bun/${Bun.version})`);
+		deepStrictEqual(getUserAgent({ url: "https://example.com/" }), `Fedify/${deno_default.version} (Bun/${Bun.version}; +https://example.com/)`);
+		deepStrictEqual(getUserAgent({
+			software: "MyApp/1.0.0",
+			url: new URL("https://example.com/")
+		}), `MyApp/1.0.0 (Fedify/${deno_default.version}; Bun/${Bun.version}; +https://example.com/)`);
+	} else if (navigator.userAgent === "Cloudflare-Workers") {
+		deepStrictEqual(getUserAgent(), `Fedify/${deno_default.version} (Cloudflare-Workers)`);
+		deepStrictEqual(getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${deno_default.version}; Cloudflare-Workers)`);
+		deepStrictEqual(getUserAgent({ url: "https://example.com/" }), `Fedify/${deno_default.version} (Cloudflare-Workers; +https://example.com/)`);
+		deepStrictEqual(getUserAgent({
+			software: "MyApp/1.0.0",
+			url: new URL("https://example.com/")
+		}), `MyApp/1.0.0 (Fedify/${deno_default.version}; Cloudflare-Workers; +https://example.com/)`);
+	} else {
+		deepStrictEqual(getUserAgent(), `Fedify/${deno_default.version} (Node.js/${process.versions.node})`);
+		deepStrictEqual(getUserAgent({ software: "MyApp/1.0.0" }), `MyApp/1.0.0 (Fedify/${deno_default.version}; Node.js/${process.versions.node})`);
+		deepStrictEqual(getUserAgent({ url: "https://example.com/" }), `Fedify/${deno_default.version} (Node.js/${process.versions.node}; +https://example.com/)`);
+		deepStrictEqual(getUserAgent({
+			software: "MyApp/1.0.0",
+			url: new URL("https://example.com/")
+		}), `MyApp/1.0.0 (Fedify/${deno_default.version}; Node.js/${process.versions.node}; +https://example.com/)`);
+	}
+});
+
+//#endregion

package/dist/url-C5Vs9nYh.cjs

@@ -0,0 +1,93 @@
+const require_chunk = require('./chunk-DWy1uDak.cjs');
+const node_dns_promises = require_chunk.__toESM(require("node:dns/promises"));
+const node_net = require_chunk.__toESM(require("node:net"));
+
+//#region src/url.ts
+var UrlError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "UrlError";
+	}
+};
+/**
+* Validates a URL to prevent SSRF attacks.
+*/
+async function validatePublicUrl(url) {
+	const parsed = new URL(url);
+	if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new UrlError(`Unsupported protocol: ${parsed.protocol}`);
+	let hostname = parsed.hostname;
+	if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.substring(1, hostname.length - 2);
+	if (hostname === "localhost") throw new UrlError("Localhost is not allowed");
+	if ("Deno" in globalThis && !(0, node_net.isIP)(hostname)) {
+		const netPermission = await Deno.permissions.query({ name: "net" });
+		if (netPermission.state !== "granted") return;
+	}
+	if ("Bun" in globalThis) {
+		if (hostname === "example.com" || hostname.endsWith(".example.com")) return;
+		else if (hostname === "fedify-test.internal") throw new UrlError("Invalid or private address: fedify-test.internal");
+	}
+	let addresses;
+	try {
+		addresses = await (0, node_dns_promises.lookup)(hostname, { all: true });
+	} catch {
+		addresses = [];
+	}
+	for (const { address, family } of addresses) if (family === 4 && !isValidPublicIPv4Address(address) || family === 6 && !isValidPublicIPv6Address(address) || family < 4 || family === 5 || family > 6) throw new UrlError(`Invalid or private address: ${address}`);
+}
+function isValidPublicIPv4Address(address) {
+	const parts = address.split(".");
+	const first = parseInt(parts[0]);
+	if (first === 0 || first === 10 || first === 127) return false;
+	const second = parseInt(parts[1]);
+	if (first === 169 && second === 254) return false;
+	if (first === 172 && second >= 16 && second <= 31) return false;
+	if (first === 192 && second === 168) return false;
+	return true;
+}
+function isValidPublicIPv6Address(address) {
+	address = expandIPv6Address(address);
+	if (address.at(4) !== ":") return false;
+	const firstWord = parseInt(address.substring(0, 4), 16);
+	return !(firstWord >= 64512 && firstWord <= 65023 || firstWord >= 65152 && firstWord <= 65215 || firstWord === 0 || firstWord >= 65280);
+}
+function expandIPv6Address(address) {
+	address = address.toLowerCase();
+	if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
+	if (address.startsWith("::")) address = "0000" + address;
+	if (address.endsWith("::")) address = address + "0000";
+	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
+	const parts = address.split(":");
+	return parts.map((part) => part.padStart(4, "0")).join(":");
+}
+
+//#endregion
+Object.defineProperty(exports, 'UrlError', {
+  enumerable: true,
+  get: function () {
+    return UrlError;
+  }
+});
+Object.defineProperty(exports, 'expandIPv6Address', {
+  enumerable: true,
+  get: function () {
+    return expandIPv6Address;
+  }
+});
+Object.defineProperty(exports, 'isValidPublicIPv4Address', {
+  enumerable: true,
+  get: function () {
+    return isValidPublicIPv4Address;
+  }
+});
+Object.defineProperty(exports, 'isValidPublicIPv6Address', {
+  enumerable: true,
+  get: function () {
+    return isValidPublicIPv6Address;
+  }
+});
+Object.defineProperty(exports, 'validatePublicUrl', {
+  enumerable: true,
+  get: function () {
+    return validatePublicUrl;
+  }
+});

package/dist/url-fW_DHbih.js

@@ -0,0 +1,63 @@
+import { lookup } from "node:dns/promises";
+import { isIP } from "node:net";
+
+//#region src/url.ts
+var UrlError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "UrlError";
+	}
+};
+/**
+* Validates a URL to prevent SSRF attacks.
+*/
+async function validatePublicUrl(url) {
+	const parsed = new URL(url);
+	if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new UrlError(`Unsupported protocol: ${parsed.protocol}`);
+	let hostname = parsed.hostname;
+	if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.substring(1, hostname.length - 2);
+	if (hostname === "localhost") throw new UrlError("Localhost is not allowed");
+	if ("Deno" in globalThis && !isIP(hostname)) {
+		const netPermission = await Deno.permissions.query({ name: "net" });
+		if (netPermission.state !== "granted") return;
+	}
+	if ("Bun" in globalThis) {
+		if (hostname === "example.com" || hostname.endsWith(".example.com")) return;
+		else if (hostname === "fedify-test.internal") throw new UrlError("Invalid or private address: fedify-test.internal");
+	}
+	let addresses;
+	try {
+		addresses = await lookup(hostname, { all: true });
+	} catch {
+		addresses = [];
+	}
+	for (const { address, family } of addresses) if (family === 4 && !isValidPublicIPv4Address(address) || family === 6 && !isValidPublicIPv6Address(address) || family < 4 || family === 5 || family > 6) throw new UrlError(`Invalid or private address: ${address}`);
+}
+function isValidPublicIPv4Address(address) {
+	const parts = address.split(".");
+	const first = parseInt(parts[0]);
+	if (first === 0 || first === 10 || first === 127) return false;
+	const second = parseInt(parts[1]);
+	if (first === 169 && second === 254) return false;
+	if (first === 172 && second >= 16 && second <= 31) return false;
+	if (first === 192 && second === 168) return false;
+	return true;
+}
+function isValidPublicIPv6Address(address) {
+	address = expandIPv6Address(address);
+	if (address.at(4) !== ":") return false;
+	const firstWord = parseInt(address.substring(0, 4), 16);
+	return !(firstWord >= 64512 && firstWord <= 65023 || firstWord >= 65152 && firstWord <= 65215 || firstWord === 0 || firstWord >= 65280);
+}
+function expandIPv6Address(address) {
+	address = address.toLowerCase();
+	if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
+	if (address.startsWith("::")) address = "0000" + address;
+	if (address.endsWith("::")) address = address + "0000";
+	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
+	const parts = address.split(":");
+	return parts.map((part) => part.padStart(4, "0")).join(":");
+}
+
+//#endregion
+export { UrlError, expandIPv6Address, isValidPublicIPv4Address, isValidPublicIPv6Address, validatePublicUrl };

package/dist/url.test.cjs

@@ -0,0 +1,37 @@
+const require_chunk = require('./chunk-DWy1uDak.cjs');
+const require_url = require('./url-C5Vs9nYh.cjs');
+const node_assert = require_chunk.__toESM(require("node:assert"));
+const node_test = require_chunk.__toESM(require("node:test"));
+
+//#region src/url.test.ts
+(0, node_test.test)("validatePublicUrl()", async () => {
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("ftp://localhost"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("data:text/plain;base64,SGVsbG8sIFdvcmxkIQ=="), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://localhost"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://127.0.0.1"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://[::1]"), require_url.UrlError);
+});
+(0, node_test.test)("isValidPublicIPv4Address()", () => {
+	(0, node_assert.ok)(require_url.isValidPublicIPv4Address("8.8.8.8"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("192.168.1.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("127.0.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("10.0.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("127.16.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("169.254.0.1"));
+});
+(0, node_test.test)("isValidPublicIPv6Address()", () => {
+	(0, node_assert.ok)(require_url.isValidPublicIPv6Address("2001:db8::1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("::1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("fc00::1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("fe80::1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("ff00::1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("::"));
+});
+(0, node_test.test)("expandIPv6Address()", () => {
+	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("::"), "0000:0000:0000:0000:0000:0000:0000:0000");
+	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("::1"), "0000:0000:0000:0000:0000:0000:0000:0001");
+	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("2001:db8::"), "2001:0db8:0000:0000:0000:0000:0000:0000");
+	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("2001:db8::1"), "2001:0db8:0000:0000:0000:0000:0000:0001");
+});
+
+//#endregion

package/dist/url.test.d.cts

@@ -0,0 +1 @@
+export { };

package/dist/url.test.d.ts

@@ -0,0 +1 @@
+export { };

package/dist/url.test.js

@@ -0,0 +1,36 @@
+import { UrlError, expandIPv6Address, isValidPublicIPv4Address, isValidPublicIPv6Address, validatePublicUrl } from "./url-fW_DHbih.js";
+import { deepStrictEqual, ok, rejects } from "node:assert";
+import { test } from "node:test";
+
+//#region src/url.test.ts
+test("validatePublicUrl()", async () => {
+	await rejects(() => validatePublicUrl("ftp://localhost"), UrlError);
+	await rejects(() => validatePublicUrl("data:text/plain;base64,SGVsbG8sIFdvcmxkIQ=="), UrlError);
+	await rejects(() => validatePublicUrl("https://localhost"), UrlError);
+	await rejects(() => validatePublicUrl("https://127.0.0.1"), UrlError);
+	await rejects(() => validatePublicUrl("https://[::1]"), UrlError);
+});
+test("isValidPublicIPv4Address()", () => {
+	ok(isValidPublicIPv4Address("8.8.8.8"));
+	ok(!isValidPublicIPv4Address("192.168.1.1"));
+	ok(!isValidPublicIPv4Address("127.0.0.1"));
+	ok(!isValidPublicIPv4Address("10.0.0.1"));
+	ok(!isValidPublicIPv4Address("127.16.0.1"));
+	ok(!isValidPublicIPv4Address("169.254.0.1"));
+});
+test("isValidPublicIPv6Address()", () => {
+	ok(isValidPublicIPv6Address("2001:db8::1"));
+	ok(!isValidPublicIPv6Address("::1"));
+	ok(!isValidPublicIPv6Address("fc00::1"));
+	ok(!isValidPublicIPv6Address("fe80::1"));
+	ok(!isValidPublicIPv6Address("ff00::1"));
+	ok(!isValidPublicIPv6Address("::"));
+});
+test("expandIPv6Address()", () => {
+	deepStrictEqual(expandIPv6Address("::"), "0000:0000:0000:0000:0000:0000:0000:0000");
+	deepStrictEqual(expandIPv6Address("::1"), "0000:0000:0000:0000:0000:0000:0000:0001");
+	deepStrictEqual(expandIPv6Address("2001:db8::"), "2001:0db8:0000:0000:0000:0000:0000:0000");
+	deepStrictEqual(expandIPv6Address("2001:db8::1"), "2001:0db8:0000:0000:0000:0000:0000:0001");
+});
+
+//#endregion

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.0.0-dev.1908+c31cc639",
+  "version": "2.0.0-dev.206+fa815928",
   "homepage": "https://fedify.dev/",
   "repository": {
     "type": "git",
@@ -55,12 +55,13 @@
     "typescript": "^5.9.3"
   },
   "dependencies": {
-    "@logtape/logtape": "^1.1.1",
+    "@logtape/logtape": "^2.0.0",
     "@multiformats/base-x": "^4.0.1",
+    "@opentelemetry/api": "^1.9.0",
     "asn1js": "^3.0.6",
     "byte-encodings": "^1.0.11",
     "multicodec": "^3.2.1",
-    "pkijs": "^3.2.5"
+    "pkijs": "^3.3.3"
   },
   "scripts": {
     "build": "tsdown",

package/src/docloader.test.ts

@@ -1,5 +1,5 @@
 import fetchMock from "fetch-mock";
-import { deepStrictEqual, rejects } from "node:assert";
+import { deepStrictEqual, ok, rejects } from "node:assert";
 import { test } from "node:test";
 import preloadedContexts from "./contexts.ts";
 import { getDocumentLoader } from "./docloader.ts";
@@ -361,5 +361,33 @@ test("getDocumentLoader()", async (t) => {
     );
   });
 
+  // Regression test for ReDoS vulnerability (CVE-2025-68475)
+  // Malicious HTML payload: <a a="b" a="b" ... (unclosed tag)
+  // With the vulnerable regex, this causes catastrophic backtracking
+  const maliciousPayload = "<a" + ' a="b"'.repeat(30) + " ";
+
+  fetchMock.get("https://example.com/redos", {
+    body: maliciousPayload,
+    headers: { "Content-Type": "text/html; charset=utf-8" },
+  });
+
+  await t.test("ReDoS resistance (CVE-2025-68475)", async () => {
+    const start = performance.now();
+    // The malicious HTML will fail JSON parsing, but the important thing is
+    // that it should complete quickly (not hang due to ReDoS)
+    await rejects(
+      () => fetchDocumentLoader("https://example.com/redos"),
+      SyntaxError,
+    );
+    const elapsed = performance.now() - start;
+
+    // Should complete in under 1 second. With the vulnerable regex,
+    // this would take 14+ seconds for 30 repetitions.
+    ok(
+      elapsed < 1000,
+      `Potential ReDoS vulnerability detected: ${elapsed}ms (expected < 1000ms)`,
+    );
+  });
+
   fetchMock.hardReset();
 });