@fedify/vocab-runtime 2.3.0-dev.994 → 2.3.0-pr.809.36

package/src/temporal.test.ts

@@ -0,0 +1,121 @@
+import { Temporal } from "@js-temporal/polyfill";
+import { strictEqual } from "node:assert";
+import { test } from "node:test";
+import { isTemporalDuration, isTemporalInstant } from "./temporal.ts";
+
+test("isTemporalInstant() accepts polyfill instances", () => {
+  strictEqual(
+    isTemporalInstant(Temporal.Instant.from("2026-05-14T00:00:00Z")),
+    true,
+  );
+});
+
+test("isTemporalInstant() accepts spec-compliant non-polyfill objects", () => {
+  // Mimics the shape of a native `Temporal.Instant` from a host that does
+  // not share class identity with the bundled polyfill.
+  const nativeLike = Object.create(null, {
+    [Symbol.toStringTag]: { value: "Temporal.Instant" },
+    epochNanoseconds: { value: 0n },
+    toString: { value: () => "1970-01-01T00:00:00Z" },
+  });
+  strictEqual(isTemporalInstant(nativeLike), true);
+});
+
+test("isTemporalInstant() rejects unrelated values", () => {
+  strictEqual(isTemporalInstant(null), false);
+  strictEqual(isTemporalInstant(undefined), false);
+  strictEqual(isTemporalInstant("2026-05-14T00:00:00Z"), false);
+  strictEqual(isTemporalInstant(new Date()), false);
+  strictEqual(
+    isTemporalInstant(Temporal.Duration.from({ seconds: 1 })),
+    false,
+  );
+});
+
+test("isTemporalInstant() rejects bare objects tagged but missing shape", () => {
+  const decoy = Object.create(null, {
+    [Symbol.toStringTag]: { value: "Temporal.Instant" },
+  });
+  strictEqual(isTemporalInstant(decoy), false);
+});
+
+test("isTemporalInstant() rejects non-bigint epochNanoseconds", () => {
+  const decoy = Object.create(null, {
+    [Symbol.toStringTag]: { value: "Temporal.Instant" },
+    epochNanoseconds: { value: 0 },
+    toString: { value: () => "1970-01-01T00:00:00Z" },
+  });
+  strictEqual(isTemporalInstant(decoy), false);
+});
+
+test("isTemporalInstant() rejects default Object.prototype.toString", () => {
+  // A plain object inherits `toString` from `Object.prototype`, so calling
+  // it would produce `"[object Temporal.Instant]"` instead of an RFC 3339
+  // timestamp.  The guard must reject these to keep the serializer honest.
+  const decoy = {
+    [Symbol.toStringTag]: "Temporal.Instant",
+    epochNanoseconds: 0n,
+  };
+  strictEqual(isTemporalInstant(decoy), false);
+});
+
+test("isTemporalDuration() accepts polyfill instances", () => {
+  strictEqual(
+    isTemporalDuration(Temporal.Duration.from({ hours: 1 })),
+    true,
+  );
+});
+
+test("isTemporalDuration() accepts spec-compliant non-polyfill objects", () => {
+  const nativeLike = Object.create(null, {
+    [Symbol.toStringTag]: { value: "Temporal.Duration" },
+    sign: { value: 0 },
+    toString: { value: () => "PT0S" },
+  });
+  strictEqual(isTemporalDuration(nativeLike), true);
+});
+
+test("isTemporalDuration() rejects unrelated values", () => {
+  strictEqual(isTemporalDuration(null), false);
+  strictEqual(isTemporalDuration(undefined), false);
+  strictEqual(isTemporalDuration("PT1H"), false);
+  strictEqual(
+    isTemporalDuration(Temporal.Instant.from("2026-05-14T00:00:00Z")),
+    false,
+  );
+});
+
+test("isTemporalDuration() rejects bare objects tagged but missing shape", () => {
+  const decoy = Object.create(null, {
+    [Symbol.toStringTag]: { value: "Temporal.Duration" },
+  });
+  strictEqual(isTemporalDuration(decoy), false);
+});
+
+test("isTemporalDuration() rejects non-number sign", () => {
+  const decoy = Object.create(null, {
+    [Symbol.toStringTag]: { value: "Temporal.Duration" },
+    sign: { value: "0" },
+    toString: { value: () => "PT0S" },
+  });
+  strictEqual(isTemporalDuration(decoy), false);
+});
+
+test("isTemporalDuration() rejects out-of-range sign values", () => {
+  // Real Temporal.Duration#sign is `-1 | 0 | 1` per spec, so anything else
+  // (here, 42) must be rejected even though it is a number.
+  const decoy = Object.create(null, {
+    [Symbol.toStringTag]: { value: "Temporal.Duration" },
+    sign: { value: 42 },
+    toString: { value: () => "PT42S" },
+  });
+  strictEqual(isTemporalDuration(decoy), false);
+});
+
+test("isTemporalDuration() rejects default Object.prototype.toString", () => {
+  const decoy = {
+    [Symbol.toStringTag]: "Temporal.Duration",
+    sign: 0,
+  };
+  strictEqual(isTemporalDuration(decoy), false);
+});

package/src/temporal.ts

@@ -0,0 +1,74 @@
+/**
+ * Type guards for `Temporal` namespace objects.
+ *
+ * Fedify accepts both runtime polyfills (e.g. `@js-temporal/polyfill`,
+ * `temporal-polyfill`) and the host's native `Temporal` implementation
+ * (Node.js 26+, Bun, Deno). The guards below rely on `Symbol.toStringTag`,
+ * which is mandated by the Temporal specification, so they accept any
+ * spec-conformant implementation regardless of which class produced the
+ * value.
+ *
+ * @module
+ */
+
+/**
+ * Checks whether the given value is a `Temporal.Instant` object, regardless
+ * of whether it came from a polyfill or the host's native implementation.
+ *
+ * The guard verifies the spec-mandated `Symbol.toStringTag`, that the
+ * `epochNanoseconds` accessor exposes a `bigint`, and that `toString` is
+ * not the default inherited from `Object.prototype`.  Together they reject
+ * bare objects whose tag was set to `"Temporal.Instant"` without exposing
+ * the rest of the shape; the `toString` check in particular prevents a
+ * spoof from reaching the JSON-LD serializer (which calls `toString()`)
+ * and emitting `"[object Temporal.Instant]"` instead of an RFC 3339
+ * timestamp.
+ *
+ * @param value The value to test.
+ * @returns `true` if the value reports `Temporal.Instant` via
+ *          `Symbol.toStringTag`, exposes a `bigint`-valued
+ *          `epochNanoseconds`, and overrides `toString`; `false` otherwise.
+ */
+export function isTemporalInstant(value: unknown): value is Temporal.Instant {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    Object.prototype.toString.call(value) === "[object Temporal.Instant]" &&
+    "epochNanoseconds" in value &&
+    typeof value.epochNanoseconds === "bigint" &&
+    "toString" in value &&
+    typeof value.toString === "function" &&
+    value.toString !== Object.prototype.toString
+  );
+}
+
+/**
+ * Checks whether the given value is a `Temporal.Duration` object, regardless
+ * of whether it came from a polyfill or the host's native implementation.
+ *
+ * The guard verifies the spec-mandated `Symbol.toStringTag`, that the
+ * `sign` accessor returns one of the three spec-valid values (`-1`, `0`,
+ * or `1`), and that `toString` is not the default inherited from
+ * `Object.prototype`.  Together they reject bare objects whose tag was set
+ * to `"Temporal.Duration"` without exposing the rest of the shape; the
+ * `toString` check in particular prevents a spoof from reaching the
+ * JSON-LD serializer (which calls `toString()`) and emitting
+ * `"[object Temporal.Duration]"` instead of an ISO 8601 duration.
+ *
+ * @param value The value to test.
+ * @returns `true` if the value reports `Temporal.Duration` via
+ *          `Symbol.toStringTag`, exposes a `sign` of `-1`, `0`, or `1`,
+ *          and overrides `toString`; `false` otherwise.
+ */
+export function isTemporalDuration(value: unknown): value is Temporal.Duration {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    Object.prototype.toString.call(value) === "[object Temporal.Duration]" &&
+    "sign" in value &&
+    (value.sign === -1 || value.sign === 0 || value.sign === 1) &&
+    "toString" in value &&
+    typeof value.toString === "function" &&
+    value.toString !== Object.prototype.toString
+  );
+}

package/src/url.test.ts

@@ -19,6 +19,50 @@ test("validatePublicUrl()", async () => {
   await rejects(() => validatePublicUrl("https://localhost"), UrlError);
   await rejects(() => validatePublicUrl("https://127.0.0.1"), UrlError);
   await rejects(() => validatePublicUrl("https://[::1]"), UrlError);
+  await rejects(
+    () => validatePublicUrl("http://[::ffff:7f00:1]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[64:ff9b::7f00:1]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[64:ff9b::a00:1]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[64:ff9b:1::a00:1]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[64:ff9b:1::808:808]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[2001::]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[2002:a00:1::]/"),
+    UrlError,
+  );
+  for (
+    const url of [
+      "https://100.64.0.1",
+      "https://198.18.0.1",
+      "https://224.0.0.1",
+      "https://240.0.0.1",
+      "https://192.0.2.1",
+      "https://192.88.99.1",
+      "https://198.51.100.1",
+      "https://203.0.113.1",
+    ]
+  ) {
+    await rejects(() => validatePublicUrl(url), UrlError);
+  }
+  await validatePublicUrl("https://[2001:db8::1]");
+  await validatePublicUrl("https://[64:ff9b::8.8.8.8]");
 });
 
 test("isValidPublicIPv4Address()", () => {
@@ -28,6 +72,24 @@ test("isValidPublicIPv4Address()", () => {
   ok(!isValidPublicIPv4Address("10.0.0.1")); // private
   ok(!isValidPublicIPv4Address("127.16.0.1")); // private
   ok(!isValidPublicIPv4Address("169.254.0.1")); // link-local
+  ok(!isValidPublicIPv4Address("100.64.0.1")); // shared address space
+  ok(!isValidPublicIPv4Address("100.127.255.255"));
+  ok(!isValidPublicIPv4Address("192.0.0.1")); // IETF protocol
+  ok(!isValidPublicIPv4Address("192.0.2.1")); // documentation
+  ok(!isValidPublicIPv4Address("192.88.99.0")); // 6to4 relay anycast
+  ok(!isValidPublicIPv4Address("192.88.99.1"));
+  ok(!isValidPublicIPv4Address("192.88.99.2")); // 6a44 relay anycast
+  ok(!isValidPublicIPv4Address("192.88.99.255"));
+  ok(!isValidPublicIPv4Address("198.18.0.1")); // benchmarking
+  ok(!isValidPublicIPv4Address("198.19.255.255"));
+  ok(!isValidPublicIPv4Address("198.51.100.1")); // documentation
+  ok(!isValidPublicIPv4Address("203.0.113.1")); // documentation
+  ok(!isValidPublicIPv4Address("224.0.0.1")); // multicast
+  ok(!isValidPublicIPv4Address("239.255.255.255"));
+  ok(!isValidPublicIPv4Address("240.0.0.1")); // reserved
+  ok(!isValidPublicIPv4Address("255.255.255.255")); // broadcast
+  ok(!isValidPublicIPv4Address("1.2.3"));
+  ok(!isValidPublicIPv4Address("999.1.1.1"));
 });
 
 test("isValidPublicIPv6Address()", () => {
@@ -37,6 +99,22 @@ test("isValidPublicIPv6Address()", () => {
   ok(!isValidPublicIPv6Address("fe80::1")); // link-local
   ok(!isValidPublicIPv6Address("ff00::1")); // multicast
   ok(!isValidPublicIPv6Address("::")); // unspecified
+  ok(!isValidPublicIPv6Address("::ffff:7f00:1")); // IPv4-mapped
+  ok(!isValidPublicIPv6Address("64:ff9b::7f00:1")); // NAT64 localhost
+  ok(!isValidPublicIPv6Address("64:ff9b::127.0.0.1"));
+  ok(!isValidPublicIPv6Address("64:ff9b::a00:1")); // NAT64 private
+  ok(!isValidPublicIPv6Address("64:ff9b::10.0.0.1"));
+  ok(!isValidPublicIPv6Address("64:ff9b:1::")); // local-use NAT64
+  ok(!isValidPublicIPv6Address("64:ff9b:1::a00:1"));
+  ok(!isValidPublicIPv6Address("64:ff9b:1::10.0.0.1"));
+  ok(!isValidPublicIPv6Address("2001::")); // Teredo
+  ok(!isValidPublicIPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2"));
+  ok(!isValidPublicIPv6Address("2002:a00:1::")); // 6to4
+  ok(!isValidPublicIPv6Address("2002:7f00:1::"));
+  ok(!isValidPublicIPv6Address("2002:c0a8:1::"));
+  ok(!isValidPublicIPv6Address("2002:a9fe:1::"));
+  ok(isValidPublicIPv6Address("64:ff9b::808:808")); // NAT64 public
+  ok(isValidPublicIPv6Address("64:ff9b::8.8.8.8"));
 });
 
 test("expandIPv6Address()", () => {
@@ -56,4 +134,8 @@ test("expandIPv6Address()", () => {
     expandIPv6Address("2001:db8::1"),
     "2001:0db8:0000:0000:0000:0000:0000:0001",
   );
+  deepStrictEqual(
+    expandIPv6Address("64:ff9b::8.8.8.8"),
+    "0064:ff9b:0000:0000:0000:0000:0808:0808",
+  );
 });

package/src/url.ts

@@ -19,11 +19,16 @@ export async function validatePublicUrl(url: string): Promise<void> {
   }
   let hostname = parsed.hostname;
   if (hostname.startsWith("[") && hostname.endsWith("]")) {
-    hostname = hostname.substring(1, hostname.length - 2);
+    hostname = hostname.slice(1, -1);
   }
   if (hostname === "localhost") {
     throw new UrlError("Localhost is not allowed");
   }
+  const hostnameFamily = isIP(hostname);
+  if (hostnameFamily !== 0) {
+    validatePublicIpAddress(hostname, hostnameFamily);
+    return;
+  }
   if ("Deno" in globalThis && !isIP(hostname)) {
     // If the `net` permission is not granted, we can't resolve the hostname.
     // However, we can safely assume that it cannot gain access to private
@@ -50,40 +55,60 @@ export async function validatePublicUrl(url: string): Promise<void> {
     addresses = [];
   }
   for (const { address, family } of addresses) {
-    if (
-      family === 4 && !isValidPublicIPv4Address(address) ||
-      family === 6 && !isValidPublicIPv6Address(address) ||
-      family < 4 || family === 5 || family > 6
-    ) {
-      throw new UrlError(`Invalid or private address: ${address}`);
-    }
+    validatePublicIpAddress(address, family);
+  }
+}
+
+function validatePublicIpAddress(address: string, family: number): void {
+  if (
+    family === 4 && isValidPublicIPv4Address(address) ||
+    family === 6 && isValidPublicIPv6Address(address)
+  ) {
+    return;
   }
+  throw new UrlError(`Invalid or private address: ${address}`);
 }
 
 export function isValidPublicIPv4Address(address: string): boolean {
-  const parts = address.split(".");
-  const first = parseInt(parts[0]);
-  if (first === 0 || first === 10 || first === 127) return false;
-  const second = parseInt(parts[1]);
-  if (first === 169 && second === 254) return false;
-  if (first === 172 && second >= 16 && second <= 31) return false;
-  if (first === 192 && second === 168) return false;
-  return true;
+  const parts = parseIPv4Address(address);
+  if (parts == null) return false;
+  const value = ipv4PartsToNumber(parts);
+  return !nonPublicIPv4Prefixes.some(({ base, prefix }) =>
+    matchesIPv4Prefix(value, base, prefix)
+  );
 }
 
 export function isValidPublicIPv6Address(address: string): boolean {
-  address = expandIPv6Address(address);
-  if (address.at(4) !== ":") return false;
-  const firstWord = parseInt(address.substring(0, 4), 16);
-  return !(
-    (firstWord >= 0xfc00 && firstWord <= 0xfdff) || // ULA
-    (firstWord >= 0xfe80 && firstWord <= 0xfebf) || // Link-local
-    firstWord === 0 || firstWord >= 0xff00 // Multicast
-  );
+  const words = parseIPv6Address(address);
+  if (words == null) return false;
+  if (
+    nonPublicIPv6Prefixes.some(({ words: prefixWords, prefix }) =>
+      matchesIPv6Prefix(words, prefixWords, prefix)
+    )
+  ) return false;
+  for (
+    const { extractIPv4, prefix, words: prefixWords } of ipv6WithIPv4Prefixes
+  ) {
+    if (!matchesIPv6Prefix(words, prefixWords, prefix)) continue;
+    const ipv4Address = extractIPv4(words);
+    if (ipv4Address != null && !isValidPublicIPv4Address(ipv4Address)) {
+      return false;
+    }
+  }
+  return true;
 }
 
 export function expandIPv6Address(address: string): string {
   address = address.toLowerCase();
+  const ipv4Delimiter = address.lastIndexOf(":");
+  if (address.includes(".") && ipv4Delimiter >= 0) {
+    const ipv4Parts = parseIPv4Address(address.substring(ipv4Delimiter + 1));
+    if (ipv4Parts == null) return address;
+    const high = (ipv4Parts[0] << 8) + ipv4Parts[1];
+    const low = (ipv4Parts[2] << 8) + ipv4Parts[3];
+    address = address.substring(0, ipv4Delimiter + 1) +
+      high.toString(16) + ":" + low.toString(16);
+  }
   if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
   if (address.startsWith("::")) address = "0000" + address;
   if (address.endsWith("::")) address = address + "0000";
@@ -94,3 +119,153 @@ export function expandIPv6Address(address: string): string {
   const parts = address.split(":");
   return parts.map((part) => part.padStart(4, "0")).join(":");
 }
+
+type IPv4Prefix = {
+  cidr: string;
+  base: number;
+  prefix: number;
+  rfc: string;
+};
+
+// Keep CIDR and RFC metadata in the table instead of row comments so security
+// reviewers can audit each blocked range without duplicating source text.
+const nonPublicIPv4Prefixes = [
+  ipv4Prefix("0.0.0.0/8", "RFC 6890"),
+  ipv4Prefix("10.0.0.0/8", "RFC 1918"),
+  ipv4Prefix("100.64.0.0/10", "RFC 6598"),
+  ipv4Prefix("127.0.0.0/8", "RFC 1122"),
+  ipv4Prefix("169.254.0.0/16", "RFC 3927"),
+  ipv4Prefix("172.16.0.0/12", "RFC 1918"),
+  ipv4Prefix("192.0.0.0/24", "RFC 6890"),
+  ipv4Prefix("192.0.2.0/24", "RFC 5737"),
+  ipv4Prefix("192.88.99.0/24", "RFC 7526"),
+  ipv4Prefix("192.168.0.0/16", "RFC 1918"),
+  ipv4Prefix("198.18.0.0/15", "RFC 2544"),
+  ipv4Prefix("198.51.100.0/24", "RFC 5737"),
+  ipv4Prefix("203.0.113.0/24", "RFC 5737"),
+  ipv4Prefix("224.0.0.0/4", "RFC 5771"),
+  ipv4Prefix("240.0.0.0/4", "RFC 1112"),
+];
+
+type IPv6Prefix = {
+  cidr: string;
+  words: number[];
+  prefix: number;
+  rfc: string;
+};
+
+const nonPublicIPv6Prefixes = [
+  ipv6Prefix("::/16", "RFC 4291"),
+  ipv6Prefix("2001::/32", "RFC 4380"),
+  ipv6Prefix("2002::/16", "RFC 3056"),
+  ipv6Prefix("64:ff9b:1::/48", "RFC 8215"),
+  ipv6Prefix("fc00::/7", "RFC 4193"),
+  ipv6Prefix("fe80::/10", "RFC 4291"),
+  ipv6Prefix("ff00::/8", "RFC 4291"),
+];
+
+type IPv6WithIPv4Prefix = IPv6Prefix & {
+  extractIPv4: (words: number[]) => string | null;
+};
+
+// This table has one entry for now, but keeps embedded IPv4 extraction aligned
+// with the CIDR metadata above if another translation prefix needs it later.
+const ipv6WithIPv4Prefixes: IPv6WithIPv4Prefix[] = [
+  {
+    ...ipv6Prefix("64:ff9b::/96", "RFC 6052"),
+    extractIPv4: (words) => ipv4FromWords(words[6], words[7]),
+  },
+];
+
+function ipv4Prefix(cidr: string, rfc: string): IPv4Prefix {
+  const [address, prefixText] = cidr.split("/");
+  const prefix = parseInt(prefixText, 10);
+  const parts = parseIPv4Address(address);
+  if (parts == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
+    throw new Error(`Invalid IPv4 prefix: ${cidr}`);
+  }
+  return { cidr, base: ipv4PartsToNumber(parts), prefix, rfc };
+}
+
+function ipv6Prefix(cidr: string, rfc: string): IPv6Prefix {
+  const [address, prefixText] = cidr.split("/");
+  const prefix = parseInt(prefixText, 10);
+  const words = parseIPv6Address(address);
+  if (
+    words == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 128
+  ) {
+    throw new Error(`Invalid IPv6 prefix: ${cidr}`);
+  }
+  return { cidr, words, prefix, rfc };
+}
+
+function parseIPv4Address(address: string): number[] | null {
+  const parts = address.split(".").map((part) => {
+    if (!/^\d+$/.test(part)) return NaN;
+    return parseInt(part, 10);
+  });
+  // Keep explicit bounds checks even though the regex narrows today's parser;
+  // they make future parser changes fail closed.
+  if (
+    parts.length !== 4 ||
+    parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)
+  ) return null;
+  return parts;
+}
+
+function parseIPv6Address(address: string): number[] | null {
+  const parts = expandIPv6Address(address).split(":");
+  if (parts.length !== 8) return null;
+  const words = parts.map((part) => {
+    if (!/^[0-9a-f]{1,4}$/i.test(part)) return NaN;
+    return parseInt(part, 16);
+  });
+  // Keep explicit bounds checks even though the regex narrows today's parser;
+  // they make future parser changes fail closed.
+  if (
+    words.some((word) => !Number.isInteger(word) || word < 0 || word > 0xffff)
+  ) return null;
+  return words;
+}
+
+function ipv4PartsToNumber(parts: number[]): number {
+  return parts[0] * 2 ** 24 + parts[1] * 2 ** 16 + parts[2] * 2 ** 8 +
+    parts[3];
+}
+
+function ipv4FromWords(highWord: number, lowWord: number): string {
+  return [
+    highWord >> 8,
+    highWord & 0xff,
+    lowWord >> 8,
+    lowWord & 0xff,
+  ].join(".");
+}
+
+function matchesIPv4Prefix(
+  address: number,
+  prefixBase: number,
+  prefixLength: number,
+): boolean {
+  const blockSize = 2 ** (32 - prefixLength);
+  return Math.floor(address / blockSize) === Math.floor(prefixBase / blockSize);
+}
+
+function matchesIPv6Prefix(
+  address: number[],
+  prefixWords: number[],
+  prefixLength: number,
+): boolean {
+  let remaining = prefixLength;
+  for (let i = 0; i < 8 && remaining > 0; i++) {
+    if (remaining >= 16) {
+      if (address[i] !== prefixWords[i]) return false;
+      remaining -= 16;
+    } else {
+      const mask = (0xffff << (16 - remaining)) & 0xffff;
+      if ((address[i] & mask) !== (prefixWords[i] & mask)) return false;
+      remaining = 0;
+    }
+  }
+  return true;
+}

package/tsdown.config.ts

@@ -4,11 +4,14 @@ import { defineConfig } from "tsdown";
 
 export default [
   defineConfig({
-    entry: ["src/mod.ts", "src/jsonld.ts"],
+    entry: ["src/mod.ts", "src/jsonld.ts", "src/temporal.ts"],
     dts: { compilerOptions: { isolatedDeclarations: true, declaration: true } },
     format: ["esm", "cjs"],
     platform: "neutral",
-    external: [/^node:/],
+    deps: { neverBundle: [/^node:/] },
+    banner: {
+      dts: `/// <reference lib="esnext.temporal" />`,
+    },
   }),
   defineConfig({
     outDir: "dist/tests",
@@ -16,6 +19,6 @@ export default [
       .map((f) => f.replace(sep, "/")),
     format: ["esm", "cjs"],
     platform: "node",
-    external: [/^node:/, "@fedify/fixture"],
+    deps: { neverBundle: [/^node:/, "@fedify/fixture"] },
   }),
 ];