@fedify/vocab-runtime 2.3.0-dev.1189 → 2.3.0-dev.1212

package/deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.3.0-dev.1189+97e55e59",
+  "version": "2.3.0-dev.1212+3737de7f",
   "license": "MIT",
   "exports": {
     ".": "./src/mod.ts",

package/dist/mod.cjs

@@ -4346,7 +4346,7 @@ const preloadedContexts = {
 //#endregion
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.3.0-dev.1189+97e55e59";
+var version = "2.3.0-dev.1212+3737de7f";
 //#endregion
 //#region src/link.ts
 const parametersNeedLowerCase = ["rel", "type"];
@@ -4640,29 +4640,137 @@ function validatePublicIpAddress(address, family) {
 	throw new UrlError(`Invalid or private address: ${address}`);
 }
 function isValidPublicIPv4Address(address) {
-	const parts = address.split(".");
-	const first = parseInt(parts[0]);
-	if (first === 0 || first === 10 || first === 127) return false;
-	const second = parseInt(parts[1]);
-	if (first === 169 && second === 254) return false;
-	if (first === 172 && second >= 16 && second <= 31) return false;
-	if (first === 192 && second === 168) return false;
-	return true;
+	const parts = parseIPv4Address(address);
+	if (parts == null) return false;
+	const value = ipv4PartsToNumber(parts);
+	return !nonPublicIPv4Prefixes.some(({ base, prefix }) => matchesIPv4Prefix(value, base, prefix));
 }
 function isValidPublicIPv6Address(address) {
-	address = expandIPv6Address(address);
-	if (address.at(4) !== ":") return false;
-	const firstWord = parseInt(address.substring(0, 4), 16);
-	return !(firstWord >= 64512 && firstWord <= 65023 || firstWord >= 65152 && firstWord <= 65215 || firstWord === 0 || firstWord >= 65280);
+	const words = parseIPv6Address(address);
+	if (words == null) return false;
+	if (nonPublicIPv6Prefixes.some(({ words: prefixWords, prefix }) => matchesIPv6Prefix(words, prefixWords, prefix))) return false;
+	for (const { extractIPv4, prefix, words: prefixWords } of ipv6WithIPv4Prefixes) {
+		if (!matchesIPv6Prefix(words, prefixWords, prefix)) continue;
+		const ipv4Address = extractIPv4(words);
+		if (ipv4Address != null && !isValidPublicIPv4Address(ipv4Address)) return false;
+	}
+	return true;
 }
 function expandIPv6Address(address) {
 	address = address.toLowerCase();
+	const ipv4Delimiter = address.lastIndexOf(":");
+	if (address.includes(".") && ipv4Delimiter >= 0) {
+		const ipv4Parts = parseIPv4Address(address.substring(ipv4Delimiter + 1));
+		if (ipv4Parts == null) return address;
+		const high = (ipv4Parts[0] << 8) + ipv4Parts[1];
+		const low = (ipv4Parts[2] << 8) + ipv4Parts[3];
+		address = address.substring(0, ipv4Delimiter + 1) + high.toString(16) + ":" + low.toString(16);
+	}
 	if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
 	if (address.startsWith("::")) address = "0000" + address;
 	if (address.endsWith("::")) address = address + "0000";
 	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
 	return address.split(":").map((part) => part.padStart(4, "0")).join(":");
 }
+const nonPublicIPv4Prefixes = [
+	ipv4Prefix("0.0.0.0/8", "RFC 6890"),
+	ipv4Prefix("10.0.0.0/8", "RFC 1918"),
+	ipv4Prefix("100.64.0.0/10", "RFC 6598"),
+	ipv4Prefix("127.0.0.0/8", "RFC 1122"),
+	ipv4Prefix("169.254.0.0/16", "RFC 3927"),
+	ipv4Prefix("172.16.0.0/12", "RFC 1918"),
+	ipv4Prefix("192.0.0.0/24", "RFC 6890"),
+	ipv4Prefix("192.0.2.0/24", "RFC 5737"),
+	ipv4Prefix("192.88.99.0/24", "RFC 7526"),
+	ipv4Prefix("192.168.0.0/16", "RFC 1918"),
+	ipv4Prefix("198.18.0.0/15", "RFC 2544"),
+	ipv4Prefix("198.51.100.0/24", "RFC 5737"),
+	ipv4Prefix("203.0.113.0/24", "RFC 5737"),
+	ipv4Prefix("224.0.0.0/4", "RFC 5771"),
+	ipv4Prefix("240.0.0.0/4", "RFC 1112")
+];
+const nonPublicIPv6Prefixes = [
+	ipv6Prefix("::/16", "RFC 4291"),
+	ipv6Prefix("2001::/32", "RFC 4380"),
+	ipv6Prefix("2002::/16", "RFC 3056"),
+	ipv6Prefix("64:ff9b:1::/48", "RFC 8215"),
+	ipv6Prefix("fc00::/7", "RFC 4193"),
+	ipv6Prefix("fe80::/10", "RFC 4291"),
+	ipv6Prefix("ff00::/8", "RFC 4291")
+];
+const ipv6WithIPv4Prefixes = [{
+	...ipv6Prefix("64:ff9b::/96", "RFC 6052"),
+	extractIPv4: (words) => ipv4FromWords(words[6], words[7])
+}];
+function ipv4Prefix(cidr, rfc) {
+	const [address, prefixText] = cidr.split("/");
+	const prefix = parseInt(prefixText, 10);
+	const parts = parseIPv4Address(address);
+	if (parts == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`Invalid IPv4 prefix: ${cidr}`);
+	return {
+		cidr,
+		base: ipv4PartsToNumber(parts),
+		prefix,
+		rfc
+	};
+}
+function ipv6Prefix(cidr, rfc) {
+	const [address, prefixText] = cidr.split("/");
+	const prefix = parseInt(prefixText, 10);
+	const words = parseIPv6Address(address);
+	if (words == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 128) throw new Error(`Invalid IPv6 prefix: ${cidr}`);
+	return {
+		cidr,
+		words,
+		prefix,
+		rfc
+	};
+}
+function parseIPv4Address(address) {
+	const parts = address.split(".").map((part) => {
+		if (!/^\d+$/.test(part)) return NaN;
+		return parseInt(part, 10);
+	});
+	if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return null;
+	return parts;
+}
+function parseIPv6Address(address) {
+	const parts = expandIPv6Address(address).split(":");
+	if (parts.length !== 8) return null;
+	const words = parts.map((part) => {
+		if (!/^[0-9a-f]{1,4}$/i.test(part)) return NaN;
+		return parseInt(part, 16);
+	});
+	if (words.some((word) => !Number.isInteger(word) || word < 0 || word > 65535)) return null;
+	return words;
+}
+function ipv4PartsToNumber(parts) {
+	return parts[0] * 2 ** 24 + parts[1] * 2 ** 16 + parts[2] * 2 ** 8 + parts[3];
+}
+function ipv4FromWords(highWord, lowWord) {
+	return [
+		highWord >> 8,
+		highWord & 255,
+		lowWord >> 8,
+		lowWord & 255
+	].join(".");
+}
+function matchesIPv4Prefix(address, prefixBase, prefixLength) {
+	const blockSize = 2 ** (32 - prefixLength);
+	return Math.floor(address / blockSize) === Math.floor(prefixBase / blockSize);
+}
+function matchesIPv6Prefix(address, prefixWords, prefixLength) {
+	let remaining = prefixLength;
+	for (let i = 0; i < 8 && remaining > 0; i++) if (remaining >= 16) {
+		if (address[i] !== prefixWords[i]) return false;
+		remaining -= 16;
+	} else {
+		const mask = 65535 << 16 - remaining & 65535;
+		if ((address[i] & mask) !== (prefixWords[i] & mask)) return false;
+		remaining = 0;
+	}
+	return true;
+}
 //#endregion
 //#region src/docloader.ts
 const logger = (0, _logtape_logtape.getLogger)([

package/dist/mod.js

@@ -4342,7 +4342,7 @@ const preloadedContexts = {
 //#endregion
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.3.0-dev.1189+97e55e59";
+var version = "2.3.0-dev.1212+3737de7f";
 //#endregion
 //#region src/link.ts
 const parametersNeedLowerCase = ["rel", "type"];
@@ -4636,29 +4636,137 @@ function validatePublicIpAddress(address, family) {
 	throw new UrlError(`Invalid or private address: ${address}`);
 }
 function isValidPublicIPv4Address(address) {
-	const parts = address.split(".");
-	const first = parseInt(parts[0]);
-	if (first === 0 || first === 10 || first === 127) return false;
-	const second = parseInt(parts[1]);
-	if (first === 169 && second === 254) return false;
-	if (first === 172 && second >= 16 && second <= 31) return false;
-	if (first === 192 && second === 168) return false;
-	return true;
+	const parts = parseIPv4Address(address);
+	if (parts == null) return false;
+	const value = ipv4PartsToNumber(parts);
+	return !nonPublicIPv4Prefixes.some(({ base, prefix }) => matchesIPv4Prefix(value, base, prefix));
 }
 function isValidPublicIPv6Address(address) {
-	address = expandIPv6Address(address);
-	if (address.at(4) !== ":") return false;
-	const firstWord = parseInt(address.substring(0, 4), 16);
-	return !(firstWord >= 64512 && firstWord <= 65023 || firstWord >= 65152 && firstWord <= 65215 || firstWord === 0 || firstWord >= 65280);
+	const words = parseIPv6Address(address);
+	if (words == null) return false;
+	if (nonPublicIPv6Prefixes.some(({ words: prefixWords, prefix }) => matchesIPv6Prefix(words, prefixWords, prefix))) return false;
+	for (const { extractIPv4, prefix, words: prefixWords } of ipv6WithIPv4Prefixes) {
+		if (!matchesIPv6Prefix(words, prefixWords, prefix)) continue;
+		const ipv4Address = extractIPv4(words);
+		if (ipv4Address != null && !isValidPublicIPv4Address(ipv4Address)) return false;
+	}
+	return true;
 }
 function expandIPv6Address(address) {
 	address = address.toLowerCase();
+	const ipv4Delimiter = address.lastIndexOf(":");
+	if (address.includes(".") && ipv4Delimiter >= 0) {
+		const ipv4Parts = parseIPv4Address(address.substring(ipv4Delimiter + 1));
+		if (ipv4Parts == null) return address;
+		const high = (ipv4Parts[0] << 8) + ipv4Parts[1];
+		const low = (ipv4Parts[2] << 8) + ipv4Parts[3];
+		address = address.substring(0, ipv4Delimiter + 1) + high.toString(16) + ":" + low.toString(16);
+	}
 	if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
 	if (address.startsWith("::")) address = "0000" + address;
 	if (address.endsWith("::")) address = address + "0000";
 	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
 	return address.split(":").map((part) => part.padStart(4, "0")).join(":");
 }
+const nonPublicIPv4Prefixes = [
+	ipv4Prefix("0.0.0.0/8", "RFC 6890"),
+	ipv4Prefix("10.0.0.0/8", "RFC 1918"),
+	ipv4Prefix("100.64.0.0/10", "RFC 6598"),
+	ipv4Prefix("127.0.0.0/8", "RFC 1122"),
+	ipv4Prefix("169.254.0.0/16", "RFC 3927"),
+	ipv4Prefix("172.16.0.0/12", "RFC 1918"),
+	ipv4Prefix("192.0.0.0/24", "RFC 6890"),
+	ipv4Prefix("192.0.2.0/24", "RFC 5737"),
+	ipv4Prefix("192.88.99.0/24", "RFC 7526"),
+	ipv4Prefix("192.168.0.0/16", "RFC 1918"),
+	ipv4Prefix("198.18.0.0/15", "RFC 2544"),
+	ipv4Prefix("198.51.100.0/24", "RFC 5737"),
+	ipv4Prefix("203.0.113.0/24", "RFC 5737"),
+	ipv4Prefix("224.0.0.0/4", "RFC 5771"),
+	ipv4Prefix("240.0.0.0/4", "RFC 1112")
+];
+const nonPublicIPv6Prefixes = [
+	ipv6Prefix("::/16", "RFC 4291"),
+	ipv6Prefix("2001::/32", "RFC 4380"),
+	ipv6Prefix("2002::/16", "RFC 3056"),
+	ipv6Prefix("64:ff9b:1::/48", "RFC 8215"),
+	ipv6Prefix("fc00::/7", "RFC 4193"),
+	ipv6Prefix("fe80::/10", "RFC 4291"),
+	ipv6Prefix("ff00::/8", "RFC 4291")
+];
+const ipv6WithIPv4Prefixes = [{
+	...ipv6Prefix("64:ff9b::/96", "RFC 6052"),
+	extractIPv4: (words) => ipv4FromWords(words[6], words[7])
+}];
+function ipv4Prefix(cidr, rfc) {
+	const [address, prefixText] = cidr.split("/");
+	const prefix = parseInt(prefixText, 10);
+	const parts = parseIPv4Address(address);
+	if (parts == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`Invalid IPv4 prefix: ${cidr}`);
+	return {
+		cidr,
+		base: ipv4PartsToNumber(parts),
+		prefix,
+		rfc
+	};
+}
+function ipv6Prefix(cidr, rfc) {
+	const [address, prefixText] = cidr.split("/");
+	const prefix = parseInt(prefixText, 10);
+	const words = parseIPv6Address(address);
+	if (words == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 128) throw new Error(`Invalid IPv6 prefix: ${cidr}`);
+	return {
+		cidr,
+		words,
+		prefix,
+		rfc
+	};
+}
+function parseIPv4Address(address) {
+	const parts = address.split(".").map((part) => {
+		if (!/^\d+$/.test(part)) return NaN;
+		return parseInt(part, 10);
+	});
+	if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return null;
+	return parts;
+}
+function parseIPv6Address(address) {
+	const parts = expandIPv6Address(address).split(":");
+	if (parts.length !== 8) return null;
+	const words = parts.map((part) => {
+		if (!/^[0-9a-f]{1,4}$/i.test(part)) return NaN;
+		return parseInt(part, 16);
+	});
+	if (words.some((word) => !Number.isInteger(word) || word < 0 || word > 65535)) return null;
+	return words;
+}
+function ipv4PartsToNumber(parts) {
+	return parts[0] * 2 ** 24 + parts[1] * 2 ** 16 + parts[2] * 2 ** 8 + parts[3];
+}
+function ipv4FromWords(highWord, lowWord) {
+	return [
+		highWord >> 8,
+		highWord & 255,
+		lowWord >> 8,
+		lowWord & 255
+	].join(".");
+}
+function matchesIPv4Prefix(address, prefixBase, prefixLength) {
+	const blockSize = 2 ** (32 - prefixLength);
+	return Math.floor(address / blockSize) === Math.floor(prefixBase / blockSize);
+}
+function matchesIPv6Prefix(address, prefixWords, prefixLength) {
+	let remaining = prefixLength;
+	for (let i = 0; i < 8 && remaining > 0; i++) if (remaining >= 16) {
+		if (address[i] !== prefixWords[i]) return false;
+		remaining -= 16;
+	} else {
+		const mask = 65535 << 16 - remaining & 65535;
+		if ((address[i] & mask) !== (prefixWords[i] & mask)) return false;
+		remaining = 0;
+	}
+	return true;
+}
 //#endregion
 //#region src/docloader.ts
 const logger = getLogger([

package/dist/tests/decimal.test.cjs

@@ -1,5 +1,6 @@
 require("./chunk-C2EiDwsr.cjs");
-require("./docloader-BTVuOM9A.cjs");
+require("./docloader-Fr6C1706.cjs");
+require("./url-C20FhC7p.cjs");
 require("./key-pMmqUKuo.cjs");
 require("./multibase-Bz_UUDtL.cjs");
 require("./langstr-CbAxaeEZ.cjs");

package/dist/tests/decimal.test.mjs

@@ -1,4 +1,5 @@
-import "./docloader-DaOMoQob.mjs";
+import "./docloader-Bc0sMK3E.mjs";
+import "./url-m9Qzxy-Y.mjs";
 import "./key-CrrK9mYh.mjs";
 import "./multibase-B4bvakyA.mjs";
 import "./langstr-Di5AvKpB.mjs";

package/dist/tests/{docloader-DaOMoQob.mjs → docloader-Bc0sMK3E.mjs}

@@ -1,6 +1,6 @@
-import { a as name, i as logRequest, n as createActivityPubRequest, o as version, t as FetchError } from "./request-BMd5gA10.mjs";
+import { a as name, i as logRequest, n as createActivityPubRequest, o as version, t as FetchError } from "./request-BQv_mUTP.mjs";
 import { t as HttpHeaderLink } from "./link-NUUWCdnK.mjs";
-import { a as validatePublicUrl, t as UrlError } from "./url-BzGwIxB4.mjs";
+import { a as validatePublicUrl, t as UrlError } from "./url-m9Qzxy-Y.mjs";
 import { getLogger } from "@logtape/logtape";
 import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
 //#endregion

package/dist/tests/{docloader-BTVuOM9A.cjs → docloader-Fr6C1706.cjs}

@@ -1,7 +1,7 @@
 require("./chunk-C2EiDwsr.cjs");
-const require_request = require("./request-BL-qbWNY.cjs");
+const require_request = require("./request-CM9MSL0e.cjs");
 const require_link = require("./link-FguCydMA.cjs");
-const require_url = require("./url-CEmGms8t.cjs");
+const require_url = require("./url-C20FhC7p.cjs");
 let _logtape_logtape = require("@logtape/logtape");
 let _opentelemetry_api = require("@opentelemetry/api");
 //#endregion

package/dist/tests/docloader.test.cjs

@@ -1,7 +1,7 @@
 const require_chunk = require("./chunk-C2EiDwsr.cjs");
-const require_docloader = require("./docloader-BTVuOM9A.cjs");
-const require_request = require("./request-BL-qbWNY.cjs");
-const require_url = require("./url-CEmGms8t.cjs");
+const require_docloader = require("./docloader-Fr6C1706.cjs");
+const require_request = require("./request-CM9MSL0e.cjs");
+const require_url = require("./url-C20FhC7p.cjs");
 let node_assert = require("node:assert");
 let node_test = require("node:test");
 //#region ../../node_modules/.pnpm/glob-to-regexp@0.4.1/node_modules/glob-to-regexp/index.js

package/dist/tests/docloader.test.mjs

@@ -1,6 +1,6 @@
-import { n as preloadedContexts, t as getDocumentLoader } from "./docloader-DaOMoQob.mjs";
-import { t as FetchError } from "./request-BMd5gA10.mjs";
-import { t as UrlError } from "./url-BzGwIxB4.mjs";
+import { n as preloadedContexts, t as getDocumentLoader } from "./docloader-Bc0sMK3E.mjs";
+import { t as FetchError } from "./request-BQv_mUTP.mjs";
+import { t as UrlError } from "./url-m9Qzxy-Y.mjs";
 import { deepStrictEqual, ok, rejects } from "node:assert";
 import { test } from "node:test";
 //#region \0rolldown/runtime.js

package/dist/tests/{request-BMd5gA10.mjs → request-BQv_mUTP.mjs}

@@ -1,7 +1,7 @@
 import process from "node:process";
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.3.0-dev.1189+97e55e59";
+var version = "2.3.0-dev.1212+3737de7f";
 //#endregion
 //#region src/request.ts
 /**

package/dist/tests/{request-BL-qbWNY.cjs → request-CM9MSL0e.cjs}

@@ -3,7 +3,7 @@ let node_process = require("node:process");
 node_process = require_chunk.__toESM(node_process, 1);
 //#region deno.json
 var name = "@fedify/vocab-runtime";
-var version = "2.3.0-dev.1189+97e55e59";
+var version = "2.3.0-dev.1212+3737de7f";
 //#endregion
 //#region src/request.ts
 /**

package/dist/tests/request.test.cjs

@@ -1,5 +1,5 @@
 const require_chunk = require("./chunk-C2EiDwsr.cjs");
-const require_request = require("./request-BL-qbWNY.cjs");
+const require_request = require("./request-CM9MSL0e.cjs");
 let node_assert = require("node:assert");
 let node_test = require("node:test");
 let node_process = require("node:process");

package/dist/tests/request.test.mjs

@@ -1,4 +1,4 @@
-import { o as version, r as getUserAgent } from "./request-BMd5gA10.mjs";
+import { o as version, r as getUserAgent } from "./request-BQv_mUTP.mjs";
 import { deepStrictEqual } from "node:assert";
 import { test } from "node:test";
 import process from "node:process";

package/dist/tests/url-C20FhC7p.cjs

@@ -0,0 +1,206 @@
+require("./chunk-C2EiDwsr.cjs");
+let node_dns_promises = require("node:dns/promises");
+let node_net = require("node:net");
+//#region src/url.ts
+var UrlError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "UrlError";
+	}
+};
+/**
+* Validates a URL to prevent SSRF attacks.
+*/
+async function validatePublicUrl(url) {
+	const parsed = new URL(url);
+	if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new UrlError(`Unsupported protocol: ${parsed.protocol}`);
+	let hostname = parsed.hostname;
+	if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.slice(1, -1);
+	if (hostname === "localhost") throw new UrlError("Localhost is not allowed");
+	const hostnameFamily = (0, node_net.isIP)(hostname);
+	if (hostnameFamily !== 0) {
+		validatePublicIpAddress(hostname, hostnameFamily);
+		return;
+	}
+	if ("Deno" in globalThis && !(0, node_net.isIP)(hostname)) {
+		if ((await Deno.permissions.query({ name: "net" })).state !== "granted") return;
+	}
+	if ("Bun" in globalThis) {
+		if (hostname === "example.com" || hostname.endsWith(".example.com")) return;
+		else if (hostname === "fedify-test.internal") throw new UrlError("Invalid or private address: fedify-test.internal");
+	}
+	let addresses;
+	try {
+		addresses = await (0, node_dns_promises.lookup)(hostname, { all: true });
+	} catch {
+		addresses = [];
+	}
+	for (const { address, family } of addresses) validatePublicIpAddress(address, family);
+}
+function validatePublicIpAddress(address, family) {
+	if (family === 4 && isValidPublicIPv4Address(address) || family === 6 && isValidPublicIPv6Address(address)) return;
+	throw new UrlError(`Invalid or private address: ${address}`);
+}
+function isValidPublicIPv4Address(address) {
+	const parts = parseIPv4Address(address);
+	if (parts == null) return false;
+	const value = ipv4PartsToNumber(parts);
+	return !nonPublicIPv4Prefixes.some(({ base, prefix }) => matchesIPv4Prefix(value, base, prefix));
+}
+function isValidPublicIPv6Address(address) {
+	const words = parseIPv6Address(address);
+	if (words == null) return false;
+	if (nonPublicIPv6Prefixes.some(({ words: prefixWords, prefix }) => matchesIPv6Prefix(words, prefixWords, prefix))) return false;
+	for (const { extractIPv4, prefix, words: prefixWords } of ipv6WithIPv4Prefixes) {
+		if (!matchesIPv6Prefix(words, prefixWords, prefix)) continue;
+		const ipv4Address = extractIPv4(words);
+		if (ipv4Address != null && !isValidPublicIPv4Address(ipv4Address)) return false;
+	}
+	return true;
+}
+function expandIPv6Address(address) {
+	address = address.toLowerCase();
+	const ipv4Delimiter = address.lastIndexOf(":");
+	if (address.includes(".") && ipv4Delimiter >= 0) {
+		const ipv4Parts = parseIPv4Address(address.substring(ipv4Delimiter + 1));
+		if (ipv4Parts == null) return address;
+		const high = (ipv4Parts[0] << 8) + ipv4Parts[1];
+		const low = (ipv4Parts[2] << 8) + ipv4Parts[3];
+		address = address.substring(0, ipv4Delimiter + 1) + high.toString(16) + ":" + low.toString(16);
+	}
+	if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
+	if (address.startsWith("::")) address = "0000" + address;
+	if (address.endsWith("::")) address = address + "0000";
+	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
+	return address.split(":").map((part) => part.padStart(4, "0")).join(":");
+}
+const nonPublicIPv4Prefixes = [
+	ipv4Prefix("0.0.0.0/8", "RFC 6890"),
+	ipv4Prefix("10.0.0.0/8", "RFC 1918"),
+	ipv4Prefix("100.64.0.0/10", "RFC 6598"),
+	ipv4Prefix("127.0.0.0/8", "RFC 1122"),
+	ipv4Prefix("169.254.0.0/16", "RFC 3927"),
+	ipv4Prefix("172.16.0.0/12", "RFC 1918"),
+	ipv4Prefix("192.0.0.0/24", "RFC 6890"),
+	ipv4Prefix("192.0.2.0/24", "RFC 5737"),
+	ipv4Prefix("192.88.99.0/24", "RFC 7526"),
+	ipv4Prefix("192.168.0.0/16", "RFC 1918"),
+	ipv4Prefix("198.18.0.0/15", "RFC 2544"),
+	ipv4Prefix("198.51.100.0/24", "RFC 5737"),
+	ipv4Prefix("203.0.113.0/24", "RFC 5737"),
+	ipv4Prefix("224.0.0.0/4", "RFC 5771"),
+	ipv4Prefix("240.0.0.0/4", "RFC 1112")
+];
+const nonPublicIPv6Prefixes = [
+	ipv6Prefix("::/16", "RFC 4291"),
+	ipv6Prefix("2001::/32", "RFC 4380"),
+	ipv6Prefix("2002::/16", "RFC 3056"),
+	ipv6Prefix("64:ff9b:1::/48", "RFC 8215"),
+	ipv6Prefix("fc00::/7", "RFC 4193"),
+	ipv6Prefix("fe80::/10", "RFC 4291"),
+	ipv6Prefix("ff00::/8", "RFC 4291")
+];
+const ipv6WithIPv4Prefixes = [{
+	...ipv6Prefix("64:ff9b::/96", "RFC 6052"),
+	extractIPv4: (words) => ipv4FromWords(words[6], words[7])
+}];
+function ipv4Prefix(cidr, rfc) {
+	const [address, prefixText] = cidr.split("/");
+	const prefix = parseInt(prefixText, 10);
+	const parts = parseIPv4Address(address);
+	if (parts == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`Invalid IPv4 prefix: ${cidr}`);
+	return {
+		cidr,
+		base: ipv4PartsToNumber(parts),
+		prefix,
+		rfc
+	};
+}
+function ipv6Prefix(cidr, rfc) {
+	const [address, prefixText] = cidr.split("/");
+	const prefix = parseInt(prefixText, 10);
+	const words = parseIPv6Address(address);
+	if (words == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 128) throw new Error(`Invalid IPv6 prefix: ${cidr}`);
+	return {
+		cidr,
+		words,
+		prefix,
+		rfc
+	};
+}
+function parseIPv4Address(address) {
+	const parts = address.split(".").map((part) => {
+		if (!/^\d+$/.test(part)) return NaN;
+		return parseInt(part, 10);
+	});
+	if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return null;
+	return parts;
+}
+function parseIPv6Address(address) {
+	const parts = expandIPv6Address(address).split(":");
+	if (parts.length !== 8) return null;
+	const words = parts.map((part) => {
+		if (!/^[0-9a-f]{1,4}$/i.test(part)) return NaN;
+		return parseInt(part, 16);
+	});
+	if (words.some((word) => !Number.isInteger(word) || word < 0 || word > 65535)) return null;
+	return words;
+}
+function ipv4PartsToNumber(parts) {
+	return parts[0] * 2 ** 24 + parts[1] * 2 ** 16 + parts[2] * 2 ** 8 + parts[3];
+}
+function ipv4FromWords(highWord, lowWord) {
+	return [
+		highWord >> 8,
+		highWord & 255,
+		lowWord >> 8,
+		lowWord & 255
+	].join(".");
+}
+function matchesIPv4Prefix(address, prefixBase, prefixLength) {
+	const blockSize = 2 ** (32 - prefixLength);
+	return Math.floor(address / blockSize) === Math.floor(prefixBase / blockSize);
+}
+function matchesIPv6Prefix(address, prefixWords, prefixLength) {
+	let remaining = prefixLength;
+	for (let i = 0; i < 8 && remaining > 0; i++) if (remaining >= 16) {
+		if (address[i] !== prefixWords[i]) return false;
+		remaining -= 16;
+	} else {
+		const mask = 65535 << 16 - remaining & 65535;
+		if ((address[i] & mask) !== (prefixWords[i] & mask)) return false;
+		remaining = 0;
+	}
+	return true;
+}
+//#endregion
+Object.defineProperty(exports, "UrlError", {
+	enumerable: true,
+	get: function() {
+		return UrlError;
+	}
+});
+Object.defineProperty(exports, "expandIPv6Address", {
+	enumerable: true,
+	get: function() {
+		return expandIPv6Address;
+	}
+});
+Object.defineProperty(exports, "isValidPublicIPv4Address", {
+	enumerable: true,
+	get: function() {
+		return isValidPublicIPv4Address;
+	}
+});
+Object.defineProperty(exports, "isValidPublicIPv6Address", {
+	enumerable: true,
+	get: function() {
+		return isValidPublicIPv6Address;
+	}
+});
+Object.defineProperty(exports, "validatePublicUrl", {
+	enumerable: true,
+	get: function() {
+		return validatePublicUrl;
+	}
+});