From 2cc0b130f0b64dd7644c22c03a38c6ff6c180229 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Mon, 5 Jan 2026 10:01:15 +0100 Subject: [PATCH 1/2] fix(auth): validation of H1 tokens (#1026) --- lib/auth.js | 6 +++--- test/fixtures/run-auth-h1.js | 13 +++++++++++++ test/unit/auth.test.js | 11 +++++++++++ 3 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 test/fixtures/run-auth-h1.js diff --git a/lib/auth.js b/lib/auth.js index a55f667a..79275843 100644 --- a/lib/auth.js +++ b/lib/auth.js @@ -12,7 +12,7 @@ function errorExit(message) { process.exit(1); } -function check(username, token) { +function check(username, token, format = /^[A-Za-z0-9_]+$/) { if (typeof username !== 'string') { errorExit(`username must be a string, received ${typeof username}`); } @@ -25,7 +25,7 @@ function check(username, token) { if (typeof token !== 'string') { errorExit(`token must be a string, received ${typeof token}`); } - if (!/^[A-Za-z0-9_]+$/.test(token)) { + if (!format.test(token)) { errorExit(`token is misformatted: ${token}`); } } @@ -107,7 +107,7 @@ async function auth( get h1() { const { h1_username, h1_token } = getMergedConfig(); - check(h1_username, h1_token); + check(h1_username, h1_token, /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/); const h1 = encode(h1_username, h1_token); setOwnProperty(result, 'h1', h1); return h1; diff --git a/test/fixtures/run-auth-h1.js b/test/fixtures/run-auth-h1.js new file mode 100644 index 00000000..e153043c --- /dev/null +++ b/test/fixtures/run-auth-h1.js 
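Review bot: The new `format` parameter on `check()` is undocumented, and nothing tells a caller that the pattern has to be anchored at both ends and carry no `g` or `y` flag, which would make `format.test(token)` depend on `lastIndex`. A short JSDoc above the signature would cover it, for example `@param {RegExp} [format] anchored pattern the whole token must match; no g or y flag`. The body of `check()` continues outside this hunk.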
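Review bot: The failure branch right after `format.test(token)` still interpolates the rejected value into `token is misformatted: ${token}`, so a credential with a typo or the wrong encoding is handed to `errorExit` in full and presumably ends up on the terminal or in a captured CI log. The message predates this commit, but H1 tokens now reach it through the new pattern as well. Consider dropping the value, `errorExit('token is misformatted');`, or reporting only its length. Any test that asserts on the old text would need the same change.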
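Review bot: The base64 pattern passed in the `h1` getter matches the empty string, because both the `{4}` group (`*`) and the padded tail (`?`) are optional, whereas the default pattern uses `+` and rejects it. Unless a check outside this hunk rejects an empty token, `h1_token: ''` would pass `check()` and be encoded with an empty secret part. A leading lookahead fixes that and leaves the rest unchanged: `/^(?=.)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/`. Hoisting the pattern into a named module-level constant would also make the getter easier to read.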
@@ -0,0 +1,13 @@ +(async function() { + const { default: auth } = await import('../../lib/auth.js'); + const authParams = await auth({ github: false }); + if (typeof authParams === 'object' && authParams != null) { + for (const key of Object.getOwnPropertyNames(authParams)) { + if (key !== 'h1') delete authParams[key]; + } + } + process.stdout.write(`${JSON.stringify(authParams)}\n`); +})().catch(err => { + console.error(err); + process.exit(1); +}); diff --git a/test/unit/auth.test.js b/test/unit/auth.test.js index e753cb87..db5119ef 100644 --- a/test/unit/auth.test.js +++ b/test/unit/auth.test.js @@ -99,6 +99,17 @@ describe('auth', async function() { ); }); + it('accepts a valid H1 token format', async function() { + await runAuthScript( + { + HOME: { h1_username: 'nyancat', h1_token: 'wWIDaa7wz7uGIryWLuqbJRhqUkLI6qlemK1KaMChhpC=' } + }, + ['{"h1":"bnlhbmNhdDp3V0lEYWE3d3o3dUdJcnlXTHVxYkpSaHFVa0xJNnFsZW1LMUthTUNoaHBDPQ=="}'], + '', + 'run-auth-h1' + ); + }); + it('permits capital letters in token format', async function() { await runAuthScript( { HOME: { username: 'nyancat', token: '0123456789ABCDEF' } }, From d6ab4fc9a374752f10ad4977995e12c4583d92e0 Mon Sep 17 00:00:00 2001 From: "Node.js GitHub Bot" Date: Mon, 5 Jan 2026 17:58:03 +0000 Subject: [PATCH 2/2] chore(main): release 6.1.1 (#1027) --- CHANGELOG.md | 7 +++++++ npm-shrinkwrap.json | 4 ++-- package.json | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a08a432..3342719b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [6.1.1](https://github.com/nodejs/node-core-utils/compare/v6.1.0...v6.1.1) (2026-01-05) + + +### Bug Fixes + +* **auth:** validation of H1 tokens ([#1026](https://github.com/nodejs/node-core-utils/issues/1026)) ([2cc0b13](https://github.com/nodejs/node-core-utils/commit/2cc0b130f0b64dd7644c22c03a38c6ff6c180229)) + ## [6.1.0](https://github.com/nodejs/node-core-utils/compare/v6.0.0...v6.1.0) (2026-01-02) 
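Review bot: The loop that deletes every property except `h1` has no comment, and its purpose is not obvious from the fixture alone. Presumably it keeps `JSON.stringify` from evaluating the other lazy getters on the object returned by `auth()`, so that only the H1 validation path runs. A one-line comment saying so, for example `// Keep only the h1 getter so JSON.stringify does not evaluate the other credentials`, would save the next reader the detour.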
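Review bot: Only the accepting path is covered by the new `accepts a valid H1 token format` case, so nothing pins what the base64 pattern rejects. Add cases through the same `run-auth-h1` fixture for an `h1_token` with a character outside the base64 alphabet, one with wrong padding and an empty one, each expecting the misformatted-token error and no `h1` output. It would also help to note in the test that the sample token is a constructed value and not a real credential.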
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 74eb2d61..c87ddde7 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json @@ -1,12 +1,12 @@ { "name": "@node-core/utils", - "version": "6.1.0", + "version": "6.1.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@node-core/utils", - "version": "6.1.0", + "version": "6.1.1", "license": "MIT", "dependencies": { "@inquirer/prompts": "^7.4.1", diff --git a/package.json b/package.json index a427eb55..bfb003de 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@node-core/utils", - "version": "6.1.0", + "version": "6.1.1", "description": "Utilities for Node.js core collaborators", "type": "module", "engines": {