@mochi.js/inject - npm Package Compare versions

Comparing version 0.2.0 to 0.2.1

package.json

 {
   "name": "@mochi.js/inject",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Zero-jitter stealth payload for mochi — JIT-friendly proxies installed before any page script.",
@@ -42,3 +42,3 @@ "license": "MIT",
   "dependencies": {
-    "@mochi.js/consistency": "^0.1.1"
+    "@mochi.js/consistency": "^0.1.2"
   },
@@ -45,0 +45,0 @@ "publishConfig": {

src/modules/client-hints.ts

@@ -8,7 +8,15 @@ /**
  *   - `matrix.uaCh["sec-ch-ua-platform-version"]` → platformVersion (R-007)
- *   - `matrix.uaCh["sec-ch-ua-arch"]`             → arch (optional)
- *   - `matrix.uaCh["sec-ch-ua-bitness"]`          → bitness (optional)
- *   - `matrix.uaCh["sec-ch-ua-model"]`            → model (optional)
- *   - `matrix.uaCh["sec-ch-ua-mobile"]`           → mobile (optional, "?0"/"?1")
+ *   - `matrix.uaCh["sec-ch-ua-arch"]`             → arch (R-042)
+ *   - `matrix.uaCh["sec-ch-ua-bitness"]`          → bitness (R-043)
+ *   - `matrix.uaCh["sec-ch-ua-model"]`            → model (R-045)
+ *   - `matrix.uaCh["sec-ch-ua-mobile"]`           → mobile (R-044, "?0"/"?1")
+ *   - `matrix.uaCh["ua-full-version-list"]`       → fullVersionList (R-031)
+ *   - `matrix.uaCh["ua-full-version"]`            → uaFullVersion (R-046)
  *
+ * The same `sec-ch-ua*` and `ua-full-version*` fields drive
+ * `Network.setUserAgentOverride.userAgentMetadata` in `@mochi.js/core`
+ * (task 0261). Single source of truth — the JS-side spoof and the
+ * request-header spoof read the same matrix slots so they cannot drift
+ * (PLAN.md I-5).
+ *
  * Sec-CH-UA values arrive on the wire as quoted (e.g. `'"macOS"'`,
@@ -140,2 +148,14 @@ * `'"Google Chrome";v="131", "Not.A/Brand";v="8", "Chromium";v="131"'`).
 
+  // Single-string `Sec-CH-UA-Full-Version` (legacy hint, still surfaced via
+  // `getHighEntropyValues({hints:["uaFullVersion"]})`). R-046 derives this
+  // from the branded entry of `ua-full-version-list`. Falls back to the
+  // first entry when the matrix doesn't carry the explicit field — keeps
+  // the byte-for-byte parity guarantee with `Network.setUserAgentOverride`'s
+  // `userAgentMetadata.fullVersion` (which has the same fallback).
+  const uaFullVersionRaw = ua["ua-full-version"];
+  const uaFullVersion =
+    typeof uaFullVersionRaw === "string" && uaFullVersionRaw.length > 0
+      ? uaFullVersionRaw
+      : (fullVersionList[0]?.version ?? "");
+
   const brandsLiteral = JSON.stringify(brands);
@@ -156,3 +176,3 @@ const fullVersionListLiteral = JSON.stringify(fullVersionList);
   var SPOOF_MOBILE = ${mobile ? "true" : "false"};
-  var SPOOF_UA_FULL_VERSION = (SPOOF_FULL_VERSION_LIST[0] && SPOOF_FULL_VERSION_LIST[0].version) || "";
+  var SPOOF_UA_FULL_VERSION = ${JSON.stringify(uaFullVersion)};
 
@@ -159,0 +179,0 @@ // Re-freeze brand entries on every read (Chrome returns frozen objects).

New alerts

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

Fixed alerts

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

136838

0.78%

Lines of code

3292

0.58%

Dependency changes

• Updated

  @mochi.js/consistency@^0.1.2