@fedify/vocab-runtime 2.4.0-dev.1564 → 2.4.0-dev.1570

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42) hide show
  1. package/deno.json +1 -2
  2. package/dist/mod.cjs +190 -107
  3. package/dist/mod.d.cts +200 -18
  4. package/dist/mod.d.ts +200 -18
  5. package/dist/mod.js +184 -97
  6. package/dist/tests/decimal.test.cjs +2 -2
  7. package/dist/tests/decimal.test.mjs +2 -2
  8. package/dist/tests/{docloader-CYQvKbtL.mjs → docloader-C76ldE5C.mjs} +10 -97
  9. package/dist/tests/{docloader-UAdXnDwt.cjs → docloader-mvgIWKI7.cjs} +9 -102
  10. package/dist/tests/docloader.test.cjs +6 -58
  11. package/dist/tests/docloader.test.mjs +6 -58
  12. package/dist/tests/{request-DgAlI7RF.mjs → request-BEXkv1ul.mjs} +1 -1
  13. package/dist/tests/{request-DnzhAfki.cjs → request-SworbvLc.cjs} +1 -1
  14. package/dist/tests/request.test.cjs +1 -1
  15. package/dist/tests/request.test.mjs +1 -1
  16. package/dist/tests/{url-2XwVbUS_.cjs → url-C20FhC7p.cjs} +0 -108
  17. package/dist/tests/{url-YWJbnRlf.mjs → url-m9Qzxy-Y.mjs} +1 -85
  18. package/dist/tests/url.test.cjs +1 -104
  19. package/dist/tests/url.test.mjs +2 -105
  20. package/package.json +1 -11
  21. package/src/contexts.ts +0 -2
  22. package/src/docloader.test.ts +6 -102
  23. package/src/docloader.ts +8 -76
  24. package/src/mod.ts +0 -4
  25. package/src/url.test.ts +1 -252
  26. package/src/url.ts +0 -141
  27. package/tsdown.config.ts +1 -6
  28. package/dist/docloader-DnUMWHaJ.d.cts +0 -202
  29. package/dist/docloader-xRGn1azD.d.ts +0 -202
  30. package/dist/internal/jsonld-cache.cjs +0 -279
  31. package/dist/internal/jsonld-cache.d.cts +0 -48
  32. package/dist/internal/jsonld-cache.d.ts +0 -48
  33. package/dist/internal/jsonld-cache.js +0 -275
  34. package/dist/tests/jsonld-cache.test.cjs +0 -652
  35. package/dist/tests/jsonld-cache.test.d.cts +0 -1
  36. package/dist/tests/jsonld-cache.test.d.mts +0 -1
  37. package/dist/tests/jsonld-cache.test.mjs +0 -651
  38. package/dist/url-BAdyyqAa.cjs +0 -315
  39. package/dist/url-BuxPHxK2.js +0 -261
  40. package/src/contexts/fep-7aa9.json +0 -24
  41. package/src/internal/jsonld-cache.ts +0 -538
  42. package/src/jsonld-cache.test.ts +0 -554
@@ -7,90 +7,6 @@ var UrlError = class extends Error {
7
7
  this.name = "UrlError";
8
8
  }
9
9
  };
10
- const PORTABLE_IRI_PATTERN = /^(ap|ap\+ef61):\/\/([^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/i;
11
- const INVALID_PERCENT_ENCODING_PATTERN = /%(?![0-9A-Fa-f]{2})/;
12
- const DID_SCHEME_PATTERN = /^did:/i;
13
- const DID_PATTERN = /^did:[a-z0-9]+:[-A-Za-z0-9._%]+(?::[-A-Za-z0-9._%]+)*$/i;
14
- /**
15
- * Parses a JSON-LD `@id` value as an IRI.
16
- */
17
- function parseJsonLdId(id, base) {
18
- if (id == null || id.startsWith("_:")) return void 0;
19
- try {
20
- return parseIri(id, base);
21
- } catch {
22
- throw new TypeError("Invalid @id: " + id);
23
- }
24
- }
25
- /**
26
- * Parses an IRI as a URL, including FEP-ef61 portable ActivityPub IRIs.
27
- */
28
- function parseIri(iri, base) {
29
- if (iri instanceof URL) return normalizePortableUrl(iri) ?? new URL(iri.href);
30
- const portable = parsePortableIri(iri);
31
- if (portable != null) return portable;
32
- base = normalizeBaseIri(base);
33
- if (!URL.canParse(iri, base) && iri.startsWith("at://")) return parseAtUri(iri);
34
- const parsed = new URL(iri, base);
35
- return normalizePortableUrl(parsed) ?? parsed;
36
- }
37
- /**
38
- * Formats a URL as an IRI, including FEP-ef61 portable ActivityPub IRIs.
39
- */
40
- function formatIri(iri) {
41
- const parsed = parsePortableIri(iri instanceof URL ? iri.href : iri);
42
- if (parsed == null) return iri instanceof URL ? iri.href : URL.canParse(iri) ? new URL(iri).href : iri;
43
- return `ap+ef61://${decodePortableAuthority(parsed.host)}${parsed.pathname}${parsed.search}${parsed.hash}`;
44
- }
45
- /**
46
- * Checks whether two IRIs have the same origin.
47
- */
48
- function haveSameIriOrigin(left, right) {
49
- return getComparableIriOrigin(left) === getComparableIriOrigin(right);
50
- }
51
- function getComparableIriOrigin(iri) {
52
- iri = normalizePortableUrl(iri) ?? iri;
53
- if (iri.origin !== "null") return iri.origin;
54
- if (iri.host !== "") {
55
- const host = iri.protocol === "ap+ef61:" ? encodeURIComponent(decodePortableAuthority(iri.host).replace(DID_SCHEME_PATTERN, "did:")) : iri.host;
56
- return `${iri.protocol}//${host}`;
57
- }
58
- return iri.href;
59
- }
60
- function parsePortableIri(iri) {
61
- const match = iri.match(PORTABLE_IRI_PATTERN);
62
- if (match == null) return null;
63
- const authority = decodePortableAuthority(match[2]);
64
- if (!DID_PATTERN.test(authority)) throw new TypeError("Invalid portable ActivityPub IRI authority.");
65
- if (match[3] === "") throw new TypeError("Invalid portable ActivityPub IRI path.");
66
- return new URL(`ap+ef61://${encodeURIComponent(authority)}${match[3]}${match[4] ?? ""}${match[5] ?? ""}`);
67
- }
68
- function normalizePortableUrl(iri) {
69
- if (iri.protocol !== "ap:" && iri.protocol !== "ap+ef61:") return null;
70
- return parsePortableIri(`ap+ef61://${iri.host}${iri.pathname}${iri.search}${iri.hash}`);
71
- }
72
- function normalizeBaseIri(base) {
73
- if (base == null) return void 0;
74
- if (base instanceof URL) return normalizePortableUrl(base) ?? base;
75
- return parsePortableIri(base) ?? (base.startsWith("at://") && !URL.canParse(".", base) ? parseAtUri(base) : base);
76
- }
77
- function decodePortableAuthority(authority) {
78
- if (INVALID_PERCENT_ENCODING_PATTERN.test(authority)) throw new TypeError("Invalid portable ActivityPub IRI authority.");
79
- if (DID_SCHEME_PATTERN.test(authority)) {
80
- const decoded = authority.replace(/%25/gi, "%");
81
- if (INVALID_PERCENT_ENCODING_PATTERN.test(decoded)) throw new TypeError("Invalid portable ActivityPub IRI authority.");
82
- return decoded;
83
- }
84
- const decoded = authority.replace(/%(25|3A)/gi, (match) => match.toLowerCase() === "%3a" ? ":" : "%");
85
- if (INVALID_PERCENT_ENCODING_PATTERN.test(decoded)) throw new TypeError("Invalid portable ActivityPub IRI authority.");
86
- return decoded;
87
- }
88
- function parseAtUri(uri) {
89
- const index = uri.indexOf("/", 5);
90
- const authority = index >= 0 ? uri.slice(5, index) : uri.slice(5);
91
- const path = index >= 0 ? uri.slice(index) : "";
92
- return new URL("at://" + encodeURIComponent(authority) + path);
93
- }
94
10
  /**
95
11
  * Validates a URL to prevent SSRF attacks.
96
12
  */
@@ -257,4 +173,4 @@ function matchesIPv6Prefix(address, prefixWords, prefixLength) {
257
173
  return true;
258
174
  }
259
175
  //#endregion
260
- export { isValidPublicIPv4Address as a, parseJsonLdId as c, haveSameIriOrigin as i, validatePublicUrl as l, expandIPv6Address as n, isValidPublicIPv6Address as o, formatIri as r, parseIri as s, UrlError as t };
176
+ export { validatePublicUrl as a, isValidPublicIPv6Address as i, expandIPv6Address as n, isValidPublicIPv4Address as r, UrlError as t };
@@ -1,111 +1,8 @@
1
1
  require("./chunk-C2EiDwsr.cjs");
2
- const require_url = require("./url-2XwVbUS_.cjs");
2
+ const require_url = require("./url-C20FhC7p.cjs");
3
3
  let node_assert = require("node:assert");
4
4
  let node_test = require("node:test");
5
5
  //#region src/url.test.ts
6
- (0, node_test.test)("parseIri() accepts portable ActivityPub URI schemes", () => {
7
- for (const iri of [
8
- "ap://did:key:z6Mkabc/actor",
9
- "ap://did%3Akey%3Az6Mkabc/actor",
10
- "ap+ef61://did:key:z6Mkabc/actor",
11
- "ap+ef61://did%3Akey%3Az6Mkabc/actor",
12
- "AP+EF61://did:key:z6Mkabc/actor"
13
- ]) (0, node_assert.deepStrictEqual)(require_url.parseIri(iri), new URL("ap+ef61://did%3Akey%3Az6Mkabc/actor"));
14
- });
15
- (0, node_test.test)("parseIri() accepts DID schemes case-insensitively", () => {
16
- for (const iri of ["ap://DID:key:z6Mkabc/actor", "ap://DID%3Akey%3Az6Mkabc/actor"]) (0, node_assert.deepStrictEqual)(require_url.parseIri(iri), new URL("ap+ef61://DID%3Akey%3Az6Mkabc/actor"));
17
- });
18
- (0, node_test.test)("parseIri() accepts DID method names that start with digits", () => {
19
- (0, node_assert.deepStrictEqual)(require_url.parseIri("ap://did:3:abc/actor"), new URL("ap+ef61://did%3A3%3Aabc/actor"));
20
- });
21
- (0, node_test.test)("parseIri() accepts hyphens in DID method-specific IDs", () => {
22
- (0, node_assert.deepStrictEqual)(require_url.parseIri("ap+ef61://did:web:foo-bar.example/actor"), new URL("ap+ef61://did%3Aweb%3Afoo-bar.example/actor"));
23
- });
24
- (0, node_test.test)("parseIri() preserves existing URL parsing behavior", () => {
25
- (0, node_assert.deepStrictEqual)(require_url.parseIri("/actor", new URL("https://example.com/users/alice")), new URL("https://example.com/actor"));
26
- (0, node_assert.deepStrictEqual)(require_url.parseIri("at://did:plc:example/record"), new URL("at://did%3Aplc%3Aexample/record"));
27
- (0, node_assert.throws)(() => require_url.parseIri("ap://not-a-did/actor"), TypeError);
28
- });
29
- (0, node_test.test)("parseJsonLdId() parses JSON-LD ids", () => {
30
- (0, node_assert.deepStrictEqual)(require_url.parseJsonLdId(void 0), void 0);
31
- (0, node_assert.deepStrictEqual)(require_url.parseJsonLdId("_:blank"), void 0);
32
- (0, node_assert.deepStrictEqual)(require_url.parseJsonLdId("/actor", new URL("https://example.com/users/alice")), new URL("https://example.com/actor"));
33
- (0, node_assert.deepStrictEqual)(require_url.parseJsonLdId("ap://did:key:z6Mkabc/actor"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/actor"));
34
- (0, node_assert.throws)(() => require_url.parseJsonLdId("/actor"), {
35
- name: "TypeError",
36
- message: "Invalid @id: /actor"
37
- });
38
- });
39
- (0, node_test.test)("parseIri() resolves relative IRIs against portable string bases", () => {
40
- (0, node_assert.deepStrictEqual)(require_url.parseIri("/actor", "ap://did:key:z6Mkabc/objects/1"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/actor"));
41
- (0, node_assert.deepStrictEqual)(require_url.parseIri("attachments/1", "ap://did:key:z6Mkabc/objects/1"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/objects/attachments/1"));
42
- (0, node_assert.throws)(() => require_url.parseIri("//example.com/outbox", "ap://did:key:z6Mkabc/objects/1"), TypeError);
43
- });
44
- (0, node_test.test)("parseIri() resolves relative IRIs against at:// string bases", () => {
45
- (0, node_assert.deepStrictEqual)(require_url.parseIri("/record", "at://did:plc:example/collection/item"), new URL("at://did%3Aplc%3Aexample/record"));
46
- (0, node_assert.deepStrictEqual)(require_url.parseIri("reply", "at://did:plc:example/collection/item"), new URL("at://did%3Aplc%3Aexample/collection/reply"));
47
- (0, node_assert.deepStrictEqual)(require_url.parseIri("reply", "at://did%3Aplc%3Aexample/collection/item"), new URL("at://did%3Aplc%3Aexample/collection/reply"));
48
- });
49
- (0, node_test.test)("parseIri() rejects portable IRIs without paths", () => {
50
- (0, node_assert.throws)(() => require_url.parseIri("ap://did:key:z6Mkabc"), TypeError);
51
- (0, node_assert.throws)(() => require_url.parseIri("ap://did:key:z6Mkabc?gateways=https%3A%2F%2Fserver.example"), TypeError);
52
- (0, node_assert.throws)(() => require_url.parseIri("ap://did:key:z6Mkabc#actor"), TypeError);
53
- });
54
- (0, node_test.test)("parseIri() rejects malformed portable DID authorities", () => {
55
- for (const iri of [
56
- "ap://did:/actor",
57
- "ap://did:key/actor",
58
- "ap://did%3Akey%3Aabc%25zz/actor",
59
- "ap://did:key:abc%25zz/actor"
60
- ]) (0, node_assert.throws)(() => require_url.parseIri(iri), TypeError);
61
- });
62
- (0, node_test.test)("haveSameIriOrigin() compares portable IRI authorities", () => {
63
- (0, node_assert.ok)(require_url.haveSameIriOrigin(require_url.parseIri("ap://did:key:z6Mkabc/actor"), require_url.parseIri("ap://did:key:z6Mkabc/outbox")));
64
- (0, node_assert.ok)(require_url.haveSameIriOrigin(new URL("ap://did%3Akey%3Az6Mkabc/actor"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/outbox")));
65
- (0, node_assert.ok)(require_url.haveSameIriOrigin(require_url.parseIri("ap://DID:key:z6Mkabc/actor"), require_url.parseIri("ap://did:key:z6Mkabc/outbox")));
66
- (0, node_assert.ok)(require_url.haveSameIriOrigin(new URL("ap+ef61://DID%3Akey%3Az6Mkabc/actor"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/outbox")));
67
- (0, node_assert.ok)(!require_url.haveSameIriOrigin(require_url.parseIri("ap://did:key:z6Mkabc/actor"), require_url.parseIri("ap://did:key:z6Mkdef/actor")));
68
- });
69
- (0, node_test.test)("parseIri() normalizes portable URL instances", () => {
70
- (0, node_assert.deepStrictEqual)(require_url.parseIri(new URL("ap+ef61://did%3Aexample%3Aabc%2Fdef/actor")), new URL("ap+ef61://did%3Aexample%3Aabc%252Fdef/actor"));
71
- (0, node_assert.throws)(() => require_url.parseIri("ap+ef61://not-a-did/actor"), TypeError);
72
- });
73
- (0, node_test.test)("formatIri() emits canonical portable ActivityPub URI syntax", () => {
74
- const cases = [new URL("ap://did%3Akey%3Az6Mkabc/actor"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/actor")];
75
- for (const iri of cases) (0, node_assert.deepStrictEqual)(require_url.formatIri(iri), "ap+ef61://did:key:z6Mkabc/actor");
76
- (0, node_assert.deepStrictEqual)(require_url.formatIri(new URL("https://example.com/actor")), "https://example.com/actor");
77
- (0, node_assert.deepStrictEqual)(require_url.formatIri("/actor"), "/actor");
78
- });
79
- (0, node_test.test)("formatIri() preserves DID authority pct-encoded delimiters", () => {
80
- const parsed = require_url.parseIri("ap://did:example:abc%2Fdef/actor");
81
- (0, node_assert.deepStrictEqual)(parsed, new URL("ap+ef61://did%3Aexample%3Aabc%252Fdef/actor"));
82
- (0, node_assert.deepStrictEqual)(require_url.formatIri(parsed), "ap+ef61://did:example:abc%2Fdef/actor");
83
- (0, node_assert.deepStrictEqual)(require_url.parseIri(require_url.formatIri(parsed)), parsed);
84
- (0, node_assert.deepStrictEqual)(require_url.formatIri(new URL("ap+ef61://did%3Aexample%3Aabc%2Fdef/actor")), "ap+ef61://did:example:abc%2Fdef/actor");
85
- });
86
- (0, node_test.test)("parseIri() normalizes equivalent encoded DID authorities", () => {
87
- (0, node_assert.deepStrictEqual)(require_url.parseIri("ap://did:example:abc%252Fdef/actor"), require_url.parseIri("ap://did%3Aexample%3Aabc%252Fdef/actor"));
88
- });
89
- (0, node_test.test)("formatIri() preserves DID-internal pct-encoded authority characters", () => {
90
- const parsed = require_url.parseIri("ap://did:web:example.com%3A3000/actor");
91
- (0, node_assert.deepStrictEqual)(parsed, new URL("ap+ef61://did%3Aweb%3Aexample.com%253A3000/actor"));
92
- (0, node_assert.deepStrictEqual)(require_url.formatIri(parsed), "ap+ef61://did:web:example.com%3A3000/actor");
93
- });
94
- (0, node_test.test)("parseIri() accepts portable DID URLs with encoded DID delimiters", () => {
95
- const parsed = require_url.parseIri("ap://did:web:example.com%3A3000/u/1");
96
- (0, node_assert.deepStrictEqual)(parsed, new URL("ap+ef61://did%3Aweb%3Aexample.com%253A3000/u/1"));
97
- (0, node_assert.deepStrictEqual)(require_url.formatIri(parsed), "ap+ef61://did:web:example.com%3A3000/u/1");
98
- });
99
- (0, node_test.test)("parseIri() decodes pct-encoded DID delimiters in order", () => {
100
- const parsed = require_url.parseIri("ap://did%3Aweb%3Aexample.com%253A3000/u/1");
101
- (0, node_assert.deepStrictEqual)(parsed, new URL("ap+ef61://did%3Aweb%3Aexample.com%253A3000/u/1"));
102
- (0, node_assert.deepStrictEqual)(require_url.formatIri(parsed), "ap+ef61://did:web:example.com%3A3000/u/1");
103
- });
104
- (0, node_test.test)("parseIri() preserves encoded percent signs while decoding delimiters", () => {
105
- const parsed = require_url.parseIri("ap://did%3Aweb%3Aexample.com%2500/u/1");
106
- (0, node_assert.deepStrictEqual)(parsed, new URL("ap+ef61://did%3Aweb%3Aexample.com%2500/u/1"));
107
- (0, node_assert.deepStrictEqual)(require_url.formatIri(parsed), "ap+ef61://did:web:example.com%00/u/1");
108
- });
109
6
  (0, node_test.test)("validatePublicUrl()", async () => {
110
7
  await (0, node_assert.rejects)(() => require_url.validatePublicUrl("ftp://localhost"), require_url.UrlError);
111
8
  await (0, node_assert.rejects)(() => require_url.validatePublicUrl("data:text/plain;base64,SGVsbG8sIFdvcmxkIQ=="), require_url.UrlError);
@@ -1,110 +1,7 @@
1
- import { a as isValidPublicIPv4Address, c as parseJsonLdId, i as haveSameIriOrigin, l as validatePublicUrl, n as expandIPv6Address, o as isValidPublicIPv6Address, r as formatIri, s as parseIri, t as UrlError } from "./url-YWJbnRlf.mjs";
2
- import { deepStrictEqual, ok, rejects, throws } from "node:assert";
1
+ import { a as validatePublicUrl, i as isValidPublicIPv6Address, n as expandIPv6Address, r as isValidPublicIPv4Address, t as UrlError } from "./url-m9Qzxy-Y.mjs";
2
+ import { deepStrictEqual, ok, rejects } from "node:assert";
3
3
  import { test } from "node:test";
4
4
  //#region src/url.test.ts
5
- test("parseIri() accepts portable ActivityPub URI schemes", () => {
6
- for (const iri of [
7
- "ap://did:key:z6Mkabc/actor",
8
- "ap://did%3Akey%3Az6Mkabc/actor",
9
- "ap+ef61://did:key:z6Mkabc/actor",
10
- "ap+ef61://did%3Akey%3Az6Mkabc/actor",
11
- "AP+EF61://did:key:z6Mkabc/actor"
12
- ]) deepStrictEqual(parseIri(iri), new URL("ap+ef61://did%3Akey%3Az6Mkabc/actor"));
13
- });
14
- test("parseIri() accepts DID schemes case-insensitively", () => {
15
- for (const iri of ["ap://DID:key:z6Mkabc/actor", "ap://DID%3Akey%3Az6Mkabc/actor"]) deepStrictEqual(parseIri(iri), new URL("ap+ef61://DID%3Akey%3Az6Mkabc/actor"));
16
- });
17
- test("parseIri() accepts DID method names that start with digits", () => {
18
- deepStrictEqual(parseIri("ap://did:3:abc/actor"), new URL("ap+ef61://did%3A3%3Aabc/actor"));
19
- });
20
- test("parseIri() accepts hyphens in DID method-specific IDs", () => {
21
- deepStrictEqual(parseIri("ap+ef61://did:web:foo-bar.example/actor"), new URL("ap+ef61://did%3Aweb%3Afoo-bar.example/actor"));
22
- });
23
- test("parseIri() preserves existing URL parsing behavior", () => {
24
- deepStrictEqual(parseIri("/actor", new URL("https://example.com/users/alice")), new URL("https://example.com/actor"));
25
- deepStrictEqual(parseIri("at://did:plc:example/record"), new URL("at://did%3Aplc%3Aexample/record"));
26
- throws(() => parseIri("ap://not-a-did/actor"), TypeError);
27
- });
28
- test("parseJsonLdId() parses JSON-LD ids", () => {
29
- deepStrictEqual(parseJsonLdId(void 0), void 0);
30
- deepStrictEqual(parseJsonLdId("_:blank"), void 0);
31
- deepStrictEqual(parseJsonLdId("/actor", new URL("https://example.com/users/alice")), new URL("https://example.com/actor"));
32
- deepStrictEqual(parseJsonLdId("ap://did:key:z6Mkabc/actor"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/actor"));
33
- throws(() => parseJsonLdId("/actor"), {
34
- name: "TypeError",
35
- message: "Invalid @id: /actor"
36
- });
37
- });
38
- test("parseIri() resolves relative IRIs against portable string bases", () => {
39
- deepStrictEqual(parseIri("/actor", "ap://did:key:z6Mkabc/objects/1"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/actor"));
40
- deepStrictEqual(parseIri("attachments/1", "ap://did:key:z6Mkabc/objects/1"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/objects/attachments/1"));
41
- throws(() => parseIri("//example.com/outbox", "ap://did:key:z6Mkabc/objects/1"), TypeError);
42
- });
43
- test("parseIri() resolves relative IRIs against at:// string bases", () => {
44
- deepStrictEqual(parseIri("/record", "at://did:plc:example/collection/item"), new URL("at://did%3Aplc%3Aexample/record"));
45
- deepStrictEqual(parseIri("reply", "at://did:plc:example/collection/item"), new URL("at://did%3Aplc%3Aexample/collection/reply"));
46
- deepStrictEqual(parseIri("reply", "at://did%3Aplc%3Aexample/collection/item"), new URL("at://did%3Aplc%3Aexample/collection/reply"));
47
- });
48
- test("parseIri() rejects portable IRIs without paths", () => {
49
- throws(() => parseIri("ap://did:key:z6Mkabc"), TypeError);
50
- throws(() => parseIri("ap://did:key:z6Mkabc?gateways=https%3A%2F%2Fserver.example"), TypeError);
51
- throws(() => parseIri("ap://did:key:z6Mkabc#actor"), TypeError);
52
- });
53
- test("parseIri() rejects malformed portable DID authorities", () => {
54
- for (const iri of [
55
- "ap://did:/actor",
56
- "ap://did:key/actor",
57
- "ap://did%3Akey%3Aabc%25zz/actor",
58
- "ap://did:key:abc%25zz/actor"
59
- ]) throws(() => parseIri(iri), TypeError);
60
- });
61
- test("haveSameIriOrigin() compares portable IRI authorities", () => {
62
- ok(haveSameIriOrigin(parseIri("ap://did:key:z6Mkabc/actor"), parseIri("ap://did:key:z6Mkabc/outbox")));
63
- ok(haveSameIriOrigin(new URL("ap://did%3Akey%3Az6Mkabc/actor"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/outbox")));
64
- ok(haveSameIriOrigin(parseIri("ap://DID:key:z6Mkabc/actor"), parseIri("ap://did:key:z6Mkabc/outbox")));
65
- ok(haveSameIriOrigin(new URL("ap+ef61://DID%3Akey%3Az6Mkabc/actor"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/outbox")));
66
- ok(!haveSameIriOrigin(parseIri("ap://did:key:z6Mkabc/actor"), parseIri("ap://did:key:z6Mkdef/actor")));
67
- });
68
- test("parseIri() normalizes portable URL instances", () => {
69
- deepStrictEqual(parseIri(new URL("ap+ef61://did%3Aexample%3Aabc%2Fdef/actor")), new URL("ap+ef61://did%3Aexample%3Aabc%252Fdef/actor"));
70
- throws(() => parseIri("ap+ef61://not-a-did/actor"), TypeError);
71
- });
72
- test("formatIri() emits canonical portable ActivityPub URI syntax", () => {
73
- const cases = [new URL("ap://did%3Akey%3Az6Mkabc/actor"), new URL("ap+ef61://did%3Akey%3Az6Mkabc/actor")];
74
- for (const iri of cases) deepStrictEqual(formatIri(iri), "ap+ef61://did:key:z6Mkabc/actor");
75
- deepStrictEqual(formatIri(new URL("https://example.com/actor")), "https://example.com/actor");
76
- deepStrictEqual(formatIri("/actor"), "/actor");
77
- });
78
- test("formatIri() preserves DID authority pct-encoded delimiters", () => {
79
- const parsed = parseIri("ap://did:example:abc%2Fdef/actor");
80
- deepStrictEqual(parsed, new URL("ap+ef61://did%3Aexample%3Aabc%252Fdef/actor"));
81
- deepStrictEqual(formatIri(parsed), "ap+ef61://did:example:abc%2Fdef/actor");
82
- deepStrictEqual(parseIri(formatIri(parsed)), parsed);
83
- deepStrictEqual(formatIri(new URL("ap+ef61://did%3Aexample%3Aabc%2Fdef/actor")), "ap+ef61://did:example:abc%2Fdef/actor");
84
- });
85
- test("parseIri() normalizes equivalent encoded DID authorities", () => {
86
- deepStrictEqual(parseIri("ap://did:example:abc%252Fdef/actor"), parseIri("ap://did%3Aexample%3Aabc%252Fdef/actor"));
87
- });
88
- test("formatIri() preserves DID-internal pct-encoded authority characters", () => {
89
- const parsed = parseIri("ap://did:web:example.com%3A3000/actor");
90
- deepStrictEqual(parsed, new URL("ap+ef61://did%3Aweb%3Aexample.com%253A3000/actor"));
91
- deepStrictEqual(formatIri(parsed), "ap+ef61://did:web:example.com%3A3000/actor");
92
- });
93
- test("parseIri() accepts portable DID URLs with encoded DID delimiters", () => {
94
- const parsed = parseIri("ap://did:web:example.com%3A3000/u/1");
95
- deepStrictEqual(parsed, new URL("ap+ef61://did%3Aweb%3Aexample.com%253A3000/u/1"));
96
- deepStrictEqual(formatIri(parsed), "ap+ef61://did:web:example.com%3A3000/u/1");
97
- });
98
- test("parseIri() decodes pct-encoded DID delimiters in order", () => {
99
- const parsed = parseIri("ap://did%3Aweb%3Aexample.com%253A3000/u/1");
100
- deepStrictEqual(parsed, new URL("ap+ef61://did%3Aweb%3Aexample.com%253A3000/u/1"));
101
- deepStrictEqual(formatIri(parsed), "ap+ef61://did:web:example.com%3A3000/u/1");
102
- });
103
- test("parseIri() preserves encoded percent signs while decoding delimiters", () => {
104
- const parsed = parseIri("ap://did%3Aweb%3Aexample.com%2500/u/1");
105
- deepStrictEqual(parsed, new URL("ap+ef61://did%3Aweb%3Aexample.com%2500/u/1"));
106
- deepStrictEqual(formatIri(parsed), "ap+ef61://did:web:example.com%00/u/1");
107
- });
108
5
  test("validatePublicUrl()", async () => {
109
6
  await rejects(() => validatePublicUrl("ftp://localhost"), UrlError);
110
7
  await rejects(() => validatePublicUrl("data:text/plain;base64,SGVsbG8sIFdvcmxkIQ=="), UrlError);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fedify/vocab-runtime",
3
- "version": "2.4.0-dev.1564+5a2c6c2c",
3
+ "version": "2.4.0-dev.1570+f1b6aaa3",
4
4
  "homepage": "https://fedify.dev/",
5
5
  "repository": {
6
6
  "type": "git",
@@ -42,16 +42,6 @@
42
42
  "require": "./dist/jsonld.cjs",
43
43
  "default": "./dist/jsonld.js"
44
44
  },
45
- "./internal/jsonld-cache": {
46
- "types": {
47
- "import": "./dist/internal/jsonld-cache.d.ts",
48
- "require": "./dist/internal/jsonld-cache.d.cts",
49
- "default": "./dist/internal/jsonld-cache.d.ts"
50
- },
51
- "import": "./dist/internal/jsonld-cache.js",
52
- "require": "./dist/internal/jsonld-cache.cjs",
53
- "default": "./dist/internal/jsonld-cache.js"
54
- },
55
45
  "./temporal": {
56
46
  "types": {
57
47
  "import": "./dist/temporal.d.ts",
package/src/contexts.ts CHANGED
@@ -7,7 +7,6 @@ import activitystreams from "./contexts/activitystreams.json" with {
7
7
  };
8
8
  import didV1 from "./contexts/did-v1.json" with { type: "json" };
9
9
  import fep5711 from "./contexts/fep-5711.json" with { type: "json" };
10
- import fep7aa9 from "./contexts/fep-7aa9.json" with { type: "json" };
11
10
  import gotosocial from "./contexts/gotosocial.json" with { type: "json" };
12
11
  import identityV1 from "./contexts/identity-v1.json" with { type: "json" };
13
12
  import joinLemmyContext from "./contexts/join-lemmy.json" with { type: "json" };
@@ -36,7 +35,6 @@ const preloadedContexts: Record<string, unknown> = {
36
35
  "http://schema.org/": schemaorg,
37
36
  "https://gotosocial.org/ns": gotosocial,
38
37
  "https://w3id.org/fep/5711": fep5711,
39
- "https://w3id.org/fep/7aa9": fep7aa9,
40
38
 
41
39
  // Lemmy's context document is served as application/json without the JSON-LD
42
40
  // context Link header. The default document loader treats that as a regular
@@ -2,7 +2,7 @@ import fetchMock from "fetch-mock";
2
2
  import { deepStrictEqual, ok, rejects } from "node:assert";
3
3
  import { test } from "node:test";
4
4
  import preloadedContexts from "./contexts.ts";
5
- import { getDocumentLoader, getRemoteDocument } from "./docloader.ts";
5
+ import { getDocumentLoader } from "./docloader.ts";
6
6
  import { FetchError } from "./request.ts";
7
7
  import { UrlError } from "./url.ts";
8
8
 
@@ -90,7 +90,7 @@ test("getDocumentLoader()", async (t) => {
90
90
  type: "Object",
91
91
  },
92
92
  headers: {
93
- "Content-Type": "application/activity+json",
93
+ "Content-Type": "text/html; charset=utf-8",
94
94
  Link: '<https://example.com/object>; rel="alternate"; ' +
95
95
  'type="application/ld+json; profile="https://www.w3.org/ns/activitystreams""',
96
96
  },
@@ -247,44 +247,6 @@ test("getDocumentLoader()", async (t) => {
247
247
  });
248
248
  });
249
249
 
250
- fetchMock.get("https://example.com/html-no-alternate", {
251
- body: `<!DOCTYPE html>
252
- <html>
253
- <head>
254
- <title>Not an ActivityPub document</title>
255
- </head>
256
- <body>Not found</body>
257
- </html>`,
258
- headers: { "Content-Type": "text/html; charset=utf-8" },
259
- });
260
-
261
- await t.test("HTML without ActivityPub alternate link", async () => {
262
- await rejects(
263
- () => fetchDocumentLoader("https://example.com/html-no-alternate"),
264
- (error) => {
265
- ok(error instanceof FetchError);
266
- ok(
267
- error.message.includes(
268
- "HTML document has no ActivityPub alternate link",
269
- ),
270
- );
271
- ok(
272
- error.message.includes("Content-Type: text/html; charset=utf-8"),
273
- );
274
- deepStrictEqual(
275
- error.url,
276
- new URL("https://example.com/html-no-alternate"),
277
- );
278
- ok(error.response != null);
279
- deepStrictEqual(
280
- error.response.headers.get("Content-Type"),
281
- "text/html; charset=utf-8",
282
- );
283
- return true;
284
- },
285
- );
286
- });
287
-
288
250
  fetchMock.get("https://example.com/wrong-content-type", {
289
251
  body: {
290
252
  "@context": "https://www.w3.org/ns/activitystreams",
@@ -295,7 +257,7 @@ test("getDocumentLoader()", async (t) => {
295
257
  headers: { "Content-Type": "text/html; charset=utf-8" },
296
258
  });
297
259
 
298
- await t.test("wrong Content-Type with JSON body", async () => {
260
+ await t.test("Wrong Content-Type", async () => {
299
261
  deepStrictEqual(
300
262
  await fetchDocumentLoader("https://example.com/wrong-content-type"),
301
263
  {
@@ -311,64 +273,6 @@ test("getDocumentLoader()", async (t) => {
311
273
  );
312
274
  });
313
275
 
314
- fetchMock.get("https://example.com/large-html", {
315
- body: "<!DOCTYPE html>",
316
- headers: {
317
- "Content-Length": String(1024 * 1024 + 1),
318
- "Content-Type": "text/html; charset=utf-8",
319
- },
320
- });
321
-
322
- await t.test("HTML Content-Length over limit", async () => {
323
- await rejects(
324
- () => fetchDocumentLoader("https://example.com/large-html"),
325
- (error) => {
326
- ok(error instanceof FetchError);
327
- ok(
328
- error.message.includes(
329
- "HTML document is too large to scan for an ActivityPub alternate link",
330
- ),
331
- );
332
- ok(error.response != null);
333
- deepStrictEqual(error.response.status, 200);
334
- deepStrictEqual(
335
- error.response.headers.get("Content-Type"),
336
- "text/html; charset=utf-8",
337
- );
338
- return true;
339
- },
340
- );
341
- });
342
-
343
- await t.test("HTML Content-Length over limit cancels body", async () => {
344
- let canceled = false;
345
- const response = new Response("<!DOCTYPE html>", {
346
- headers: {
347
- "Content-Length": String(1024 * 1024 + 1),
348
- "Content-Type": "text/html; charset=utf-8",
349
- },
350
- });
351
- Object.defineProperty(response, "body", {
352
- value: {
353
- cancel: () => {
354
- canceled = true;
355
- },
356
- },
357
- });
358
- await rejects(
359
- () =>
360
- getRemoteDocument(
361
- "https://example.com/large-html-cancel",
362
- response,
363
- () => {
364
- throw new Error("unexpected alternate fetch");
365
- },
366
- ),
367
- FetchError,
368
- );
369
- deepStrictEqual(canceled, true);
370
- });
371
-
372
276
  fetchMock.get("https://example.com/404", { status: 404 });
373
277
 
374
278
  await t.test("not ok", async () => {
@@ -555,11 +459,11 @@ test("getDocumentLoader()", async (t) => {
555
459
 
556
460
  await t.test("ReDoS resistance (CVE-2025-68475)", async () => {
557
461
  const start = performance.now();
558
- // The malicious HTML will fail alternate discovery, but the important
559
- // thing is that it should complete quickly (not hang due to ReDoS).
462
+ // The malicious HTML will fail JSON parsing, but the important thing is
463
+ // that it should complete quickly (not hang due to ReDoS)
560
464
  await rejects(
561
465
  () => fetchDocumentLoader("https://example.com/redos"),
562
- FetchError,
466
+ SyntaxError,
563
467
  );
564
468
  const elapsed = performance.now() - start;
565
469
 
package/src/docloader.ts CHANGED
@@ -13,7 +13,6 @@ import { UrlError, validatePublicUrl } from "./url.ts";
13
13
 
14
14
  const logger = getLogger(["fedify", "runtime", "docloader"]);
15
15
  const DEFAULT_MAX_REDIRECTION = 20;
16
- const MAX_HTML_SIZE = 1024 * 1024; // 1MB
17
16
 
18
17
  /**
19
18
  * A remote JSON-LD document and its context fetched by
@@ -113,59 +112,6 @@ export type AuthenticatedDocumentLoaderFactory = (
113
112
  options?: DocumentLoaderFactoryOptions,
114
113
  ) => DocumentLoader;
115
114
 
116
- function createResponseMetadata(response: Response): Response {
117
- return new Response(null, {
118
- headers: response.headers,
119
- status: response.status,
120
- statusText: response.statusText,
121
- });
122
- }
123
-
124
- async function cancelResponseBody(response: Response): Promise<void> {
125
- if (response.body != null) {
126
- await response.body.cancel();
127
- }
128
- }
129
-
130
- async function readBoundedText(
131
- response: Response,
132
- maxBytes: number,
133
- ): Promise<{ text: string; size: number; tooLarge: boolean }> {
134
- const contentLength = response.headers.get("Content-Length");
135
- if (contentLength != null) {
136
- const size = Number(contentLength);
137
- if (size > maxBytes) {
138
- await cancelResponseBody(response);
139
- return { text: "", size, tooLarge: true };
140
- }
141
- }
142
-
143
- if (response.body == null) return { text: "", size: 0, tooLarge: false };
144
-
145
- const reader = response.body.getReader();
146
- const decoder = new TextDecoder();
147
- let text = "";
148
- let size = 0;
149
- try {
150
- while (true) {
151
- const result = await reader.read();
152
- if (result.done) break;
153
- const chunkSize = result.value.byteLength;
154
- if (size + chunkSize > maxBytes) {
155
- size += chunkSize;
156
- await reader.cancel();
157
- return { text: "", size, tooLarge: true };
158
- }
159
- size += chunkSize;
160
- text += decoder.decode(result.value, { stream: true });
161
- }
162
- text += decoder.decode();
163
- return { text, size, tooLarge: false };
164
- } finally {
165
- reader.releaseLock();
166
- }
167
- }
168
-
169
115
  /**
170
116
  * Gets a {@link RemoteDocument} from the given response.
171
117
  * @param url The URL of the document to load.
@@ -254,19 +200,15 @@ export async function getRemoteDocument(
254
200
  contentType === "application/xhtml+xml" ||
255
201
  contentType?.startsWith("application/xhtml+xml;"))
256
202
  ) {
257
- const errorResponse = createResponseMetadata(response);
258
- const html = await readBoundedText(response, MAX_HTML_SIZE);
259
- if (html.tooLarge) {
203
+ // Security: Limit HTML response size to mitigate ReDoS attacks
204
+ const MAX_HTML_SIZE = 1024 * 1024; // 1MB
205
+ const html = await response.text();
206
+ if (html.length > MAX_HTML_SIZE) {
260
207
  logger.warn(
261
208
  "HTML response too large, skipping alternate link discovery: {url}",
262
- { url: documentUrl, size: html.size },
263
- );
264
- throw new FetchError(
265
- documentUrl,
266
- `HTML document is too large to scan for an ActivityPub alternate link ` +
267
- `(Content-Type: ${contentType})`,
268
- errorResponse,
209
+ { url: documentUrl, size: html.length },
269
210
  );
211
+ document = JSON.parse(html);
270
212
  } else {
271
213
  // Safe regex patterns without nested quantifiers to prevent ReDoS
272
214
  // (CVE-2025-68475)
@@ -277,7 +219,7 @@ export async function getRemoteDocument(
277
219
  /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
278
220
 
279
221
  let tagMatch: RegExpExecArray | null;
280
- while ((tagMatch = tagPattern.exec(html.text)) !== null) {
222
+ while ((tagMatch = tagPattern.exec(html)) !== null) {
281
223
  const tagContent = tagMatch[2];
282
224
  let attrMatch: RegExpExecArray | null;
283
225
  const attribs: Record<string, string> = {};
@@ -305,17 +247,7 @@ export async function getRemoteDocument(
305
247
  return await fetch(new URL(attribs.href, docUrl).href);
306
248
  }
307
249
  }
308
- try {
309
- document = JSON.parse(html.text);
310
- } catch (error) {
311
- if (!(error instanceof SyntaxError)) throw error;
312
- throw new FetchError(
313
- documentUrl,
314
- `HTML document has no ActivityPub alternate link ` +
315
- `(Content-Type: ${contentType})`,
316
- errorResponse,
317
- );
318
- }
250
+ document = JSON.parse(html);
319
251
  }
320
252
  } else {
321
253
  document = await response.json();
package/src/mod.ts CHANGED
@@ -51,12 +51,8 @@ export {
51
51
  } from "./preprocessor.ts";
52
52
  export {
53
53
  expandIPv6Address,
54
- formatIri,
55
- haveSameIriOrigin,
56
54
  isValidPublicIPv4Address,
57
55
  isValidPublicIPv6Address,
58
- parseIri,
59
- parseJsonLdId,
60
56
  UrlError,
61
57
  validatePublicUrl,
62
58
  } from "./url.ts";