
build(deps): bump smol-toml and markdownlint-cli2 #149

Merged
erode-release[bot] merged 1 commit into main from dependabot/npm_and_yarn/multi-3dffcb98f1
Apr 23, 2026

Conversation


dependabot[bot] (Contributor) commented on behalf of github Apr 23, 2026

Bumps smol-toml to 1.6.1 and updates ancestor dependency markdownlint-cli2. These dependencies need to be updated together.

Updates smol-toml from 1.6.0 to 1.6.1

Release notes

Sourced from smol-toml's releases.

v1.6.1

This release addresses a minor security vulnerability where an attacker-controlled TOML document can exploit an unrestricted recursion and cause a stack overflow error with a document that contains thousands of successive commented lines. Security advisory: GHSA-v3rj-xjv7-4jmq

Commits

Updates markdownlint-cli2 from 0.22.0 to 0.22.1

Changelog

Sourced from markdownlint-cli2's changelog.

0.22.1

  • Update dependencies
Commits
  • 996abf6 Update to version 0.22.1.
  • 70b6875 Improve definition of OutputFormatterConfiguration type, minor other type twe...
  • 2cf5440 Add additional test case for previous commit fixing dotfile behavior.
  • 21c53ed Bump eslint from 10.2.0 to 10.2.1
  • b738aa0 Update removeIgnoredFiles use of micromatch to include dotfiles for consisten...
  • 24c04f4 Bump junit-report-builder from 5.1.1 to 5.1.2 in /formatter-junit
  • 650f208 Bump pnpm/action-setup from 5 to 6
  • 726eaab Bump eslint from 10.1.0 to 10.2.0
  • 1aa7579 Update indirect playwright dependencies to 1.59.1.
  • fee080d Bump @playwright/test from 1.58.2 to 1.59.1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [smol-toml](https://github.com/squirrelchat/smol-toml) to 1.6.1 and updates ancestor dependency [markdownlint-cli2](https://github.com/DavidAnson/markdownlint-cli2). These dependencies need to be updated together.


Updates `smol-toml` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/squirrelchat/smol-toml/releases)
- [Commits](squirrelchat/smol-toml@v1.6.0...v1.6.1)

Updates `markdownlint-cli2` from 0.22.0 to 0.22.1
- [Changelog](https://github.com/DavidAnson/markdownlint-cli2/blob/main/CHANGELOG.md)
- [Commits](DavidAnson/markdownlint-cli2@v0.22.0...v0.22.1)

---
updated-dependencies:
- dependency-name: smol-toml
  dependency-version: 1.6.1
  dependency-type: indirect
- dependency-name: markdownlint-cli2
  dependency-version: 0.22.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Apr 23, 2026
dependabot[bot] requested a review from a team as a code owner April 23, 2026 08:17
erode-release[bot] enabled auto-merge (squash) April 23, 2026 08:18
greptile-apps[bot] commented Apr 23, 2026

Greptile Summary

This is a routine security-motivated dependency bump triggered by Dependabot, patching a stack-overflow vulnerability in smol-toml and picking up minor maintenance updates in markdownlint-cli2.

Key changes:

  • smol-toml 1.6.0 → 1.6.1: addresses GHSA-v3rj-xjv7-4jmq, which allowed an attacker-controlled TOML document to trigger unbounded recursion in skipVoid, causing a stack overflow. The fix replaces the recursive call with an iterative loop.
  • markdownlint-cli2 0.22.0 → 0.22.1: minor dependency refresh (pulls in the smol-toml fix and bumps globby 16.1.1 → 16.2.0).
  • As a side-effect, the previously duplicated node_modules/knip/node_modules/smol-toml (which was already at 1.6.1) is removed from the lockfile; knip and markdownlint-cli2 now share the single top-level 1.6.1 copy.

These packages are all devDependencies used for linting tooling, so the vulnerability has no production-runtime impact. No logic changes are introduced.

Confidence Score: 5/5

Safe to merge — patches a dev-only security vulnerability with no logic changes.

All updated packages are devDependencies (linting tools). The smol-toml bump is a targeted security fix (iterative loop replacing unbounded recursion), markdownlint-cli2 bump is a dependency refresh, and globby receives a minor version bump. The lockfile deduplication is a natural consequence of version alignment. No application code is touched.

No files require special attention.

Important Files Changed

Filename          | Overview
package.json      | Updates the markdownlint-cli2 version constraint from ^0.22.0 to ^0.22.1
package-lock.json | Lockfile updated: markdownlint-cli2 0.22.0 → 0.22.1, smol-toml 1.6.0 → 1.6.1, globby 16.1.1 → 16.2.0; deduplicates the previously separate knip-scoped smol-toml 1.6.1 entry now that all consumers share the same version

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[markdownlint-cli2\n0.22.0 → 0.22.1] --> B[smol-toml\n1.6.0 → 1.6.1\n🔒 GHSA-v3rj-xjv7-4jmq fixed]
    A --> C[globby\n16.1.1 → 16.2.0]
    D[knip\nexisting] --> B
    B --> E[Single deduplicated\nsmol-toml 1.6.1\nin node_modules]

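Added example, not smol-toml's code and not part of this PR, illustrating the bug class that the smol-toml release note above and the Greptile summary describe: a whitespace-and-comment skipper written recursively, one call frame per comment line, beside the iterative form that a fix of this kind uses. The function names (skipVoidRecursive, skipVoidIterative, runSkipper, buildCommentFlood, demo), the simplified TOML-like grammar and the comment-flood input are all constructed for illustration and are not smol-toml's skipVoid.

```javascript
// Constructed example: a simplified "skip void" step of a TOML-style parser,
// i.e. the routine that advances past whitespace, newlines and `#` comments
// before the next token. Function names and grammar are hypothetical; this is
// not smol-toml's implementation.

function isVoidChar(c) {
  return c === ' ' || c === '\t' || c === '\n' || c === '\r';
}

// Recursive shape of the bug: after consuming one comment line the function
// calls itself to deal with whatever follows, so N consecutive comment lines
// need N nested frames and a large enough N exhausts the call stack.
function skipVoidRecursive(str, ptr) {
  let i = ptr;
  while (i < str.length && isVoidChar(str[i])) i++;
  if (str[i] === '#') {
    while (i < str.length && str[i] !== '\n') i++; // to end of comment
    return skipVoidRecursive(str, i);              // one more frame per comment
  }
  return i;
}

// Iterative fix: one loop consumes any number of comment lines in constant
// stack space; the result is identical for every input the recursive form
// can finish.
function skipVoidIterative(str, ptr) {
  let i = ptr;
  for (;;) {
    while (i < str.length && isVoidChar(str[i])) i++;
    if (str[i] !== '#') return i;                  // significant char or EOF
    while (i < str.length && str[i] !== '\n') i++; // to end of comment
  }
}

// Runs a skipper from offset 0 and reports either the returned offset or the
// thrown error class, so a stack overflow (RangeError in V8) is observable
// instead of aborting the process.
function runSkipper(skipper, str) {
  try {
    return { ok: true, index: skipper(str, 0) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Constructed attacker-style document: `lines` comment lines followed by a
// single key/value pair, the shape the advisory describes.
function buildCommentFlood(lines) {
  return '# padding\n'.repeat(lines) + 'key = "value"\n';
}

// Compares both skippers on a small document and on a 500,000-line flood.
function demo() {
  const small = buildCommentFlood(10);
  const flood = buildCommentFlood(500000);
  return {
    smallRecursive: runSkipper(skipVoidRecursive, small),
    smallIterative: runSkipper(skipVoidIterative, small),
    floodRecursive: runSkipper(skipVoidRecursive, flood),
    floodIterative: runSkipper(skipVoidIterative, flood),
    expectedIndex: flood.indexOf('key'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with node: both skippers return offset 100 on the ten-line document, but on the 500,000-line flood the recursive one fails with RangeError (Maximum call stack size exceeded) while the iterative one returns the offset of `key`. In a command-line tool that parses TOML it did not author (a config file from a checked-out repository, for instance), an uncaught error of that kind aborts the whole run; that is the practical effect of this bug even when the parser is only a devDependency.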

erode-release[bot] merged commit 4ea7584 into main Apr 23, 2026
3 checks passed
erode-release[bot] deleted the dependabot/npm_and_yarn/multi-3dffcb98f1 branch April 23, 2026 08:19