Update dependency js-toml to v1.1.3 #31

Merged
MarkerBot merged 1 commit from renovate/js-toml-1.x-lockfile into main 2026-06-30 10:01:12 -07:00
Member

This PR contains the following updates:

Package Change Age Confidence
js-toml 1.1.21.1.3 age confidence

Release Notes

sunnyadn/js-toml (js-toml)

v1.1.3

Compare Source

Security
  • Fix uncontrolled recursion that let deeply nested input (arrays / inline tables) or a long dotted key drive load() past the V8 call stack and throw an uncaught RangeError, violating the documented SyntaxParseError contract and enabling a denial-of-service in services that parse untrusted TOML (GHSA-3g82-77xr-68x5, CWE-674). Neither the recursive-descent parser nor the tree-walking interpreter bounded nesting depth. load() now enforces a configurable maximum depth (load(toml, { maxDepth }), default 100), rejecting over-deep input as SyntaxParseError, with a top-level backstop that converts any residual native stack overflow into SyntaxParseError as well. Reported by @​kaimandalic.
Added
  • LoadOptions with a maxDepth option for load(), and an exported DEFAULT_MAX_DEPTH constant.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [js-toml](https://github.com/sunnyadn/js-toml) | [`1.1.2` → `1.1.3`](https://renovatebot.com/diffs/npm/js-toml/1.1.2/1.1.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/js-toml/1.1.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/js-toml/1.1.2/1.1.3?slim=true) | --- ### Release Notes <details> <summary>sunnyadn/js-toml (js-toml)</summary> ### [`v1.1.3`](https://github.com/sunnyadn/js-toml/blob/HEAD/CHANGELOG.md#113---2026-06-30) [Compare Source](https://github.com/sunnyadn/js-toml/compare/v1.1.2...v1.1.3) ##### Security - Fix uncontrolled recursion that let deeply nested input (arrays / inline tables) or a long dotted key drive `load()` past the V8 call stack and throw an uncaught `RangeError`, violating the documented `SyntaxParseError` contract and enabling a denial-of-service in services that parse untrusted TOML ([GHSA-3g82-77xr-68x5](https://github.com/sunnyadn/js-toml/security/advisories/GHSA-3g82-77xr-68x5), CWE-674). Neither the recursive-descent parser nor the tree-walking interpreter bounded nesting depth. `load()` now enforces a configurable maximum depth (`load(toml, { maxDepth })`, default `100`), rejecting over-deep input as `SyntaxParseError`, with a top-level backstop that converts any residual native stack overflow into `SyntaxParseError` as well. Reported by [@&#8203;kaimandalic](https://github.com/kaimandalic). ##### Added - `LoadOptions` with a `maxDepth` option for `load()`, and an exported `DEFAULT_MAX_DEPTH` constant. </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDkuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwOS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Update dependency js-toml to v1.1.3
All checks were successful
ci/woodpecker/push/build Pipeline was successful
ci/woodpecker/pr/build Pipeline was successful
ci/woodpecker/pull_request_closed/build Pipeline was successful
ae8a7a7dca
MarkerBot scheduled this pull request to auto merge when all checks succeed 2026-06-30 10:00:50 -07:00
MarkerBot deleted branch renovate/js-toml-1.x-lockfile 2026-06-30 10:01:12 -07:00
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
MarkerMatic/site!31
No description provided.