chore(deps): bump js-toml from 1.0.3 to 1.1.3 #1469
Merged
Bumps [js-toml](https://github.com/sunnyadn/js-toml) from 1.0.3 to 1.1.3.
- [Release notes](https://github.com/sunnyadn/js-toml/releases)
- [Changelog](https://github.com/sunnyadn/js-toml/blob/main/CHANGELOG.md)
- [Commits](sunnyadn/js-toml@v1.0.3...v1.1.3)

---
updated-dependencies:
- dependency-name: js-toml
  dependency-version: 1.1.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
nhopeatall approved these changes · Jun 30, 2026
nhopeatall (Collaborator) left a comment
Summary
APPROVE — clean, low-risk transitive security bump. js-toml 1.0.3 → 1.1.3 is lock-file-only because js-toml is a transitive dependency of llmist / @llmist/cli (both pin ^1.0.2); 1.1.3 satisfies the caret, so no package.json change is warranted.
Verification
- Engine constraint satisfied. The transitive `chevrotain` 11.2.0 → 12.0.0 bump adds `engines: node >=22.0.0`. Root `package.json` already requires `node >=22.0.0`, `.nvmrc` pins `22`, all Dockerfiles use `node:22`/`node:24` (worker is `node:24` — the image where `js-toml` is actually exercised via `llmist`), and CI runs Node 22. No install-time `EBADENGINE` or runtime risk.
- Clean dependency graph. `lodash-es` is fully removed (no dangling references remain) and exactly one `chevrotain` (12.0.0) copy is present — no duplicated/orphaned trees.
- No direct usage in CASCADE. There is no `import ... from 'js-toml'` anywhere; the `tomlString` helper in `src/backends/codex/index.ts` is a hand-rolled escaper, unrelated to the package. The new `maxDepth` default (100) and stricter duplicate-key/recursion parsing therefore cannot break CASCADE's own code — only `llmist`'s internal config parsing is affected, and those changes are security hardening.
- CI green (5/5) including Docker build validation, lint-and-test, and integration-tests — confirming the lock file is internally consistent (`npm ci` would fail otherwise).
- Security upside: pulls in fixes for recursion-depth DoS (GHSA-3g82-77xr-68x5), O(n²) BigInt DoS (GHSA-wp3c-266w-4qfq), and falsy-primitive duplicate-key correctness (GHSA-m34p-749j-x6m6).
No blocking or should-fix issues.
🕵️ claude-code · claude-opus-4-8 · run details
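As an added illustration placed after the review, and not code from js-toml, llmist or CASCADE: a toy parser for TOML-style inline arrays with the kind of `maxDepth` bound the review mentions, beside a duplicate-key check in its truthiness-based (buggy) and own-property (fixed) forms. The names `parseInlineValue`, `outcome`, `defineKeyTruthy` and `defineKeyOwn`, the `SyntaxParseError` class and the input strings are constructed for the demo; none of this reproduces js-toml's actual implementation or the advisories' exact triggers.

```javascript
// Added illustration, not js-toml's or CASCADE's code: a minimal recursive
// parser for TOML-style inline arrays plus a duplicate-key check, showing the
// two parser defect classes the review names. All inputs are constructed.

class SyntaxParseError extends Error {
  constructor(msg) { super(msg); this.name = 'SyntaxParseError'; }
}

// Sticky regex: matches a scalar exactly at lastIndex, so scanning stays
// linear instead of re-slicing the source for every token.
const SCALAR = /true|false|-?\d+/y;

// Parses a TOML subset: inline arrays of integers/booleans, e.g. "[1, [2, 3], true]".
// Nesting is bounded by maxDepth (default 100, mirroring the default the review
// mentions) and rejected with a SyntaxParseError. With maxDepth = Infinity the
// recursion is unbounded and "[[[[..." from untrusted input exhausts the call stack.
function parseInlineValue(src, { maxDepth = 100 } = {}) {
  let pos = 0;
  const skipWs = () => { while (src[pos] === ' ') pos++; };

  function parseValue(depth) {
    skipWs();
    if (src[pos] === '[') {
      if (depth >= maxDepth) {
        throw new SyntaxParseError(`nesting depth exceeds maxDepth=${maxDepth}`);
      }
      pos++;
      const out = [];
      skipWs();
      if (src[pos] === ']') { pos++; return out; }
      for (;;) {
        out.push(parseValue(depth + 1));
        skipWs();
        if (src[pos] === ',') { pos++; continue; }
        if (src[pos] === ']') { pos++; return out; }
        throw new SyntaxParseError(`expected ',' or ']' at offset ${pos}`);
      }
    }
    SCALAR.lastIndex = pos;
    const m = SCALAR.exec(src);
    if (!m) throw new SyntaxParseError(`unexpected input at offset ${pos}`);
    pos += m[0].length;
    if (m[0] === 'true') return true;
    if (m[0] === 'false') return false;
    return Number(m[0]);
  }

  const value = parseValue(0);
  skipWs();
  if (pos !== src.length) throw new SyntaxParseError(`trailing input at offset ${pos}`);
  return value;
}

// Classifies how fn fails: 'ok', 'syntax' (the bounded parser rejected the
// input cleanly) or 'stack' (unbounded recursion hit the engine's call-stack limit).
function outcome(fn) {
  try { fn(); return 'ok'; }
  catch (e) {
    if (e instanceof SyntaxParseError) return 'syntax';
    if (e instanceof RangeError) return 'stack';
    throw e;
  }
}

// Duplicate-key detection. The truthiness test is the falsy-primitive bug:
// a key first bound to 0, false or "" looks unset and is silently overwritten.
function defineKeyTruthy(table, key, value) {
  if (table[key]) throw new SyntaxParseError(`duplicate key ${key}`);
  table[key] = value;
}

// Fixed form: ask whether the key is already an own property. Using `key in table`
// instead would also flag inherited names such as toString as duplicates.
function defineKeyOwn(table, key, value) {
  if (Object.prototype.hasOwnProperty.call(table, key)) {
    throw new SyntaxParseError(`duplicate key ${key}`);
  }
  table[key] = value;
}
```

The point of the bound is where the failure surfaces: a RangeError from deep recursion unwinds through whatever called the parser and is easy to mishandle, whereas the depth check fails fast with a parse error at the input boundary. The duplicate-key check matters for config parsing because `0`, `false` and `""` are common legitimate values, exactly the ones a truthiness test forgets.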
Bumps js-toml from 1.0.3 to 1.1.3.

Release notes
Sourced from js-toml's releases.

Changelog
Sourced from js-toml's changelog.

Commits
- fcb1fa3 chore: release v1.1.3
- 4e10acf fix: bound recursion depth and surface as SyntaxParseError (GHSA-3g82-77xr-68x5)
- fd89978 docs(examples): bump js-toml to ^1.1.2 and demonstrate dump()
- e3041b2 chore: release v1.1.2
- 685a3bd fix: reject array-of-tables headers that descend into a static array
- e0504fa fix: treat falsy-primitive duplicate keys as parse errors (GHSA-m34p-749j-x6m6)
- 8713713 refactor: type sanitize() as discriminated union to remove dumpValue throw
- 61d5a16 test: cover dump error paths and drop dead non-integer fallback
- 470c7c9 refactor: replace defensive throw in getRadix with exhaustive switch
- aeba37d docs: add changelog entry for v1.1.1

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.