@blamejs/core
@@ -868,2 +868,13 @@ "use strict"; | ||
| var rsaMpi = _readMpi(parsed.sigMpisBytes, 0); | ||
| // The signature is an integer in [0, n); when its value has one or more | ||
| // high zero bytes (~1/256 of signatures) the OpenPGP MPI encoding strips | ||
| // them (RFC 9580 §3.2), but node's RSA verify requires a signature exactly | ||
| // the modulus byte length. Left-pad the stripped MPI back to the modulus | ||
| // width — the same correction the Ed25519 branch applies to its R/S | ||
| // components below — or a valid signature is rejected. | ||
| var rsaSigBytes = rsaMpi.value; | ||
| var modLen = rsaPub.n.length; | ||
| if (rsaSigBytes.length < modLen) { | ||
| rsaSigBytes = Buffer.concat([Buffer.alloc(modLen - rsaSigBytes.length), rsaSigBytes]); | ||
| } | ||
| try { | ||
@@ -873,3 +884,3 @@ ok = nodeCrypto.verify(hashName, hashInput, { | ||
| padding: nodeCrypto.constants.RSA_PKCS1_PADDING, | ||
| }, rsaMpi.value); | ||
| }, rsaSigBytes); | ||
| } catch (e) { | ||
@@ -876,0 +887,0 @@ return _fail("mail-crypto/pgp/verify-error", |
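Review bot: The new length check on `rsaSigBytes` only covers the short case, so an MPI wider than `modLen` is still handed to `nodeCrypto.verify` and is rejected only by whatever verify or the `catch` happens to do with it. An explicit branch such as `if (rsaSigBytes.length > modLen) { /* reject before verify */ }`, routed through the same `_fail(...)` path the catch uses, would make that rejection deliberate and leave a modulus-width buffer as the only shape that reaches node's verify. The padding also assumes `rsaPub.n` is the minimal big-endian modulus; if it can carry a leading 0x00 byte (its construction is outside this hunk), `modLen` is one byte too large and padded signatures would be rejected again, so a short comment or assertion stating that assumption would help. The enclosing function starts and ends outside the hunk.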
@@ -293,3 +293,3 @@ "use strict"; | ||
| try { | ||
| // allow:seal-without-aad — vault-readiness probe; throwaway | ||
| // allow:seal-without-aad-by-design — vault-readiness probe; throwaway | ||
| // sentinel value, not row-bound data | ||
@@ -296,0 +296,0 @@ vault.seal("__idempotency_seal_probe__"); |
+1
-1
| { | ||
| "name": "@blamejs/core", | ||
| "version": "0.15.33", | ||
| "version": "0.15.34", | ||
| "description": "The Node framework that owns its stack.", | ||
@@ -5,0 +5,0 @@ "license": "Apache-2.0", |
+6
-6
@@ -5,6 +5,6 @@ { | ||
| "specVersion": "1.5", | ||
| "serialNumber": "urn:uuid:cfba44f6-db8e-47b3-b1dc-e142692c3a97", | ||
| "serialNumber": "urn:uuid:4006bc32-7ae3-4f18-bad1-057410956255", | ||
| "version": 1, | ||
| "metadata": { | ||
| "timestamp": "2026-06-26T23:00:05.686Z", | ||
| "timestamp": "2026-06-27T01:06:19.602Z", | ||
| "lifecycles": [ | ||
@@ -23,10 +23,10 @@ { | ||
| "component": { | ||
| "bom-ref": "@blamejs/core@0.15.33", | ||
| "bom-ref": "@blamejs/core@0.15.34", | ||
| "type": "application", | ||
| "name": "blamejs", | ||
| "version": "0.15.33", | ||
| "version": "0.15.34", | ||
| "scope": "required", | ||
| "author": "blamejs contributors", | ||
| "description": "The Node framework that owns its stack.", | ||
| "purl": "pkg:npm/%40blamejs/core@0.15.33", | ||
| "purl": "pkg:npm/%40blamejs/core@0.15.34", | ||
| "properties": [], | ||
@@ -59,3 +59,3 @@ "externalReferences": [ | ||
| { | ||
| "ref": "@blamejs/core@0.15.33", | ||
| "ref": "@blamejs/core@0.15.34", | ||
| "dependsOn": [] | ||
@@ -62,0 +62,0 @@ } |
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
URL strings
Supply chain risk: Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
URL strings
Supply chain risk: Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.