
deps: update dependency smol-toml to v1.6.1 [security]#71

Merged

Mogyuchi merged 1 commit into main from renovate/npm-smol-toml-vulnerability on Apr 1, 2026

Conversation

@mogyugyu-renovate
Contributor

This PR contains the following updates:

| Package   | Change        | Age | Confidence |
| --------- | ------------- | --- | ---------- |
| smol-toml | 1.4.1 → 1.6.1 | age | confidence |

GitHub Vulnerability Alerts

GHSA-v3rj-xjv7-4jmq

Summary

An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.

The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.

Proof of concept

require("smol-toml").parse('# comment\n'.repeat(8000) + 'key = "value"')

Impact

Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.

Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.

As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.

Patches

Version 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.

Workarounds

Wrap all invocations of parse and stringify in a try/catch block when dealing with untrusted user input.


Release Notes

squirrelchat/smol-toml (smol-toml)

v1.6.1

Compare Source

This release addresses a minor security vulnerability where an attacker-controlled TOML document can exploit an unrestricted recursion and cause a stack overflow error with a document that contains thousands of successive commented lines. Security advisory: GHSA-v3rj-xjv7-4jmq

v1.6.0

Compare Source

As of this version, smol-toml now supports the newly released TOML 1.1.0 specification!

Highlights

Multiline inline tables

TOML 1.1.0 now allows inline tables to have newlines, as well as trailing commas.

database = {
  driver = "postgresql",
  server = {
    host = "127.0.0.1",
    port = 3307,
  },
}
Omitting seconds in datetime and time

TOML 1.1.0 renders the seconds component of time elements optional.

datetime-tz = 1979-05-27 07:32Z
datetime = 2001-09-21 10:17
time = 13:37
New string escapes

Strings now support 2 additional escape sequences:

  • \xHH for code points between 0 and 255
  • \e for the escape character (U+001B)

What's Changed

Full Changelog: squirrelchat/smol-toml@v1.5.2...v1.6.0

v1.5.2

Compare Source

Hot fix for v1.5.1... 🙃

What's Changed

Full Changelog: squirrelchat/smol-toml@v1.5.1...v1.5.2

v1.5.1

Compare Source

Smol fix that makes newlines actually consistent when stringifying objects to TOML.

What's Changed

Full Changelog: squirrelchat/smol-toml@v1.5.0...v1.5.1

v1.5.0

Compare Source

This version improves the TOML output of the library when stringifying objects, courtesy of the folks over at Cloudflare.

Most notably, the lib no longer emits unnecessary table headers, and doesn't add an empty line between successive table headers anymore:

[look.at.me]
note = "In earlier versions, there would've been [look] and [look.at] generated as well."

[empty.table]
[another.empty.table]
[look.how.compact]
this = "looks"

What's Changed

New Contributors

Full Changelog: squirrelchat/smol-toml@v1.4.2...v1.5.0

v1.4.2

Compare Source

A smol fix to better handle strings with many successive backslash characters.

What's Changed

fix: string escape detection in util.ts by @cyyynthia

Full Changelog: squirrelchat/smol-toml@v1.4.1...v1.4.2


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
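As an added illustration, not smol-toml's own code, the recursive comment-skipping pattern the advisory describes sits next to an iterative replacement of the kind the v1.6.1 release note mentions, with the try/catch wrapper the Workarounds section recommends; the one-key mini parser, the function names and the 200,000-line input are constructed for this example.

```javascript
// Constructed example: two ways to skip comment/blank lines before a key, plus the
// try/catch wrapper the advisory recommends for untrusted input.
// It is NOT smol-toml's implementation; it only parses a single `key = "value"` line.

function isSkippable(line) {
  return line.startsWith('#') || line.trim() === '';
}

// Recursive skip: every commented line adds a call-stack frame, so a document with
// thousands of consecutive comment lines ends in a RangeError (stack overflow).
function skipCommentsRecursive(lines, i) {
  if (i < lines.length && isSkippable(lines[i])) {
    return skipCommentsRecursive(lines, i + 1); // V8 does no tail-call elimination
  }
  return i;
}

// Iterative skip: constant stack depth no matter how many comment lines there are.
function skipCommentsIterative(lines, i) {
  while (i < lines.length && isSkippable(lines[i])) i++;
  return i;
}

// Minimal "parser": skip leading comments with the given strategy, read one key/value.
function parseOneKey(text, skip) {
  const lines = text.split('\n');
  const i = skip(lines, 0);
  if (i >= lines.length) throw new Error('no key/value line found');
  const m = /^(\w+)\s*=\s*"([^"]*)"\s*$/.exec(lines[i]);
  if (!m) throw new Error('invalid line: ' + lines[i]);
  return { [m[1]]: m[2] };
}

// The advisory's workaround: when input is untrusted, never let a parser error
// (including a stack-overflow RangeError) escape and take the application down.
function safeParse(text, skip) {
  try {
    return { ok: true, value: parseOneKey(text, skip) };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message };
  }
}

// Constructed input in the shape of the advisory's proof of concept, with a line
// count large enough to exceed Node's default stack for the recursive strategy.
const manyComments = '# comment\n'.repeat(200000) + 'key = "value"';
```

Calling `safeParse(manyComments, skipCommentsRecursive)` returns an `ok: false` result carrying `RangeError`, while the iterative strategy returns `{ key: "value" }`; only the wrapper stands between the first case and a crash.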

@mogyugyu-renovate mogyugyu-renovate Bot requested a review from Mogyuchi March 25, 2026 22:00
@mogyugyu-renovate mogyugyu-renovate Bot changed the title from "deps: update dependency smol-toml to v1.6.1 [security]" to "deps: update dependency smol-toml to v1.6.1 [security] - autoclosed" Mar 27, 2026
@mogyugyu-renovate mogyugyu-renovate Bot deleted the renovate/npm-smol-toml-vulnerability branch March 27, 2026 01:01
| datasource | package   | from  | to    |
| ---------- | --------- | ----- | ----- |
| npm        | smol-toml | 1.4.1 | 1.6.1 |
@mogyugyu-renovate mogyugyu-renovate Bot changed the title from "deps: update dependency smol-toml to v1.6.1 [security] - autoclosed" to "deps: update dependency smol-toml to v1.6.1 [security]" Mar 31, 2026
@mogyugyu-renovate mogyugyu-renovate Bot reopened this Mar 31, 2026
@mogyugyu-renovate mogyugyu-renovate Bot force-pushed the renovate/npm-smol-toml-vulnerability branch 2 times, most recently from 53b37f3 to 1796b27 March 31, 2026 11:19
@Mogyuchi Mogyuchi merged commit 1c87a56 into main Apr 1, 2026
3 checks passed
@mogyugyu-release mogyugyu-release Bot mentioned this pull request Apr 1, 2026