Update dependency js-toml to v1.1.3 #31
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/js-toml-1.x-lockfile"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
1.1.2→1.1.3Release Notes
sunnyadn/js-toml (js-toml)
v1.1.3Compare Source
Security
load()past the V8 call stack and throw an uncaughtRangeError, violating the documentedSyntaxParseErrorcontract and enabling a denial-of-service in services that parse untrusted TOML (GHSA-3g82-77xr-68x5, CWE-674). Neither the recursive-descent parser nor the tree-walking interpreter bounded nesting depth.load()now enforces a configurable maximum depth (load(toml, { maxDepth }), default100), rejecting over-deep input asSyntaxParseError, with a top-level backstop that converts any residual native stack overflow intoSyntaxParseErroras well. Reported by @kaimandalic.Added
LoadOptionswith amaxDepthoption forload(), and an exportedDEFAULT_MAX_DEPTHconstant.Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.