shelving 1.267.0 → 1.267.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -79,5 +79,8 @@ export class CloudflareKVProvider extends DBProvider {
79
79
  }
80
80
  }
81
81
  function _getKey(collection, id) {
82
- return `${collection}:${id}`;
82
+ // Percent-encode both parts so the `:` separator is unambiguous: without this, an `id` containing `:`
83
+ // (e.g. collection `a` + id `b:c`) collides with a different collection/id pair (collection `a:b` + id `c`).
84
+ // Plain identifiers (letters, digits, `-`, `_`, `.`) are left unchanged, so keys for typical names/UUIDs are stable.
85
+ return `${encodeURIComponent(collection)}:${encodeURIComponent(id)}`;
83
86
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "shelving",
3
- "version": "1.267.0",
3
+ "version": "1.267.2",
4
4
  "author": "Dave Houlbrooke <dave@shax.com>",
5
5
  "repository": {
6
6
  "type": "git",
@@ -9,13 +9,13 @@
9
9
  "main": "./index.js",
10
10
  "module": "./index.js",
11
11
  "devDependencies": {
12
- "@biomejs/biome": "^2.5.1",
12
+ "@biomejs/biome": "^2.5.2",
13
13
  "@google-cloud/firestore": "^8.6.0",
14
14
  "@heroicons/react": "^2.2.0",
15
15
  "@types/bun": "^1.3.14",
16
16
  "@types/react": "^19.2.17",
17
17
  "@types/react-dom": "^19.2.3",
18
- "@typescript/native-preview": "^7.0.0-dev.20260627.2",
18
+ "@typescript/native-preview": "^7.0.0-dev.20260704.1",
19
19
  "firebase": "^12.15.0",
20
20
  "react": "^19.3.0-canary-fef12a01-20260413",
21
21
  "react-dom": "^19.3.0-canary-fef12a01-20260413",
@@ -31,12 +31,15 @@ export class StringSchema extends Schema {
31
31
  if (typeof str !== "string")
32
32
  throw value ? `Must be ${this.one}` : "Required";
33
33
  const sane = this.sanitize(str);
34
+ // Enforce `max` before running `match`, so an over-length string is rejected without ever being handed to
35
+ // the (potentially expensive) regex — a length cap can't shield the pattern otherwise. `min` stays after
36
+ // `match` to preserve the existing "Invalid" precedence for short-but-malformed values.
37
+ if (sane.length > this.max)
38
+ throw `Maximum ${this.max} characters`;
34
39
  if (this.match && !this.match.test(sane))
35
40
  throw str.length ? `Invalid ${this.one}` : "Required";
36
41
  if (sane.length < this.min)
37
42
  throw str.length ? `Minimum ${this.min} characters` : "Required";
38
- if (sane.length > this.max)
39
- throw `Maximum ${this.max} characters`;
40
43
  return sane;
41
44
  }
42
45
  /**
package/util/crypto.js CHANGED
@@ -4,6 +4,7 @@ import { requireBytes } from "./bytes.js";
4
4
  // Constants.
5
5
  const ALGORITHM = { name: "PBKDF2", hash: "SHA-512" };
6
6
  const ITERATIONS = 500000;
7
+ const MAX_ITERATIONS = 10000000; // Upper bound on iterations accepted from a stored hash — guards against a malicious hash forcing an arbitrarily expensive derivation (DoS). Comfortably above the 500k default.
7
8
  const SALT_LENGTH = 16; // 16 bytes = 128 bits
8
9
  const HASH_LENGTH = 64; // 64 bytes = 512 bits
9
10
  const PASSWORD_LENGTH = 6;
@@ -42,8 +43,8 @@ export async function hashPassword(password, iterations = ITERATIONS) {
42
43
  received: password.length,
43
44
  caller: hashPassword,
44
45
  });
45
- if (iterations < 1)
46
- throw new ValueError("Iterations must be number greater than 0", { received: iterations, caller: hashPassword });
46
+ if (iterations < 1 || iterations > MAX_ITERATIONS)
47
+ throw new ValueError(`Iterations must be between 1 and ${MAX_ITERATIONS}`, { received: iterations, caller: hashPassword });
47
48
  // Hash the password.
48
49
  const key = await _getKey(password);
49
50
  const salt = getRandomBytes(SALT_LENGTH);
@@ -70,7 +71,7 @@ export async function verifyPassword(password, hash) {
70
71
  const hashBytes = decodeBase64URLBytes(h);
71
72
  // Check iterations.
72
73
  const iterations = Number.parseInt(i, 10);
73
- if (!Number.isFinite(iterations) || iterations < 1)
74
+ if (!Number.isFinite(iterations) || iterations < 1 || iterations > MAX_ITERATIONS)
74
75
  return false;
75
76
  // Derive the hash.
76
77
  const key = await _getKey(password);
package/util/validate.js CHANGED
@@ -124,7 +124,10 @@ export function validateArray(unsafeArray, validator) {
124
124
  */
125
125
  export function validateDictionary(unsafeDictionary, validator) {
126
126
  let changed = false;
127
- const safeDictionary = {};
127
+ // Null-prototype accumulator: an untrusted `"__proto__"` key (or `"constructor"`) then becomes an inert own
128
+ // property instead of invoking the inherited `__proto__` setter, so a crafted `{ "__proto__": … }` input can't
129
+ // reassign the returned dictionary's prototype, and the entry stays enumerable so `min`/`max` counts are correct.
130
+ const safeDictionary = Object.create(null);
128
131
  const messages = [];
129
132
  for (const [key, unsafeValue] of getDictionaryItems(unsafeDictionary)) {
130
133
  try {