
chore(deps): bump js-toml from 1.0.3 to 1.1.3#1469

Merged
zbigniewsobiecki merged 1 commit into dev from dependabot/npm_and_yarn/js-toml-1.1.3 on Jul 1, 2026

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github Jun 30, 2026

Bumps js-toml from 1.0.3 to 1.1.3.

Release notes

Sourced from js-toml's releases.

v1.1.2

Security

  • Fix silent acceptance of duplicate keys whose prior value is a falsy primitive (GHSA-m34p-749j-x6m6, CWE-697).

    The interpreter checked whether a key already existed with a truthy test (if (object[key])) instead of key in object. When the prior value was a falsy primitive — false, 0, 0.0, -0.0, nan, or "" — the duplicate-key branch was skipped and the value was silently overwritten by a later table, dotted-key sub-table, or array-of-tables of the same name, instead of raising a parse error as the TOML 1.0.0 spec requires. A boolean false could thus surface as a truthy object in the parsed result.

    All users on 1.1.1 or earlier are affected and should upgrade to 1.1.2.

    Reported by @CosmicCrusader23 — thank you.

Fixed

  • Reject array-of-tables headers ([[a.b]]) that descend into a statically-defined array. getOrCreateArray lacked the immutability guard that createTable already had, so such input either threw an uncaught TypeError or silently mutated the static array instead of raising SyntaxParseError.

Full changelog: sunnyadn/js-toml@v1.1.1...v1.1.2

v1.1.1

Security

  • Fix CPU exhaustion via O(n²) BigInt construction on radix-prefixed integer literals (GHSA-wp3c-266w-4qfq, CWE-400, CWE-407).

    The 0x / 0o / 0b integer parser previously used a hand-written BigInt accumulator loop that ran in O(n²) in the literal length, allowing a single attacker-supplied ~500 kB radix literal to block the Node.js event loop for tens of seconds. The fix switches to the V8 native BigInt(prefixedString) constructor (O(n)) and caps radix-prefixed literals at 1000 digits, matching jackson-core's StreamReadConstraints.maxNumberLength default.

    All users on 1.1.0 or earlier are affected and should upgrade to 1.1.1.

    Reported and patched by @tonghuaroot — thank you.

Full changelog: sunnyadn/js-toml@v1.1.0...v1.1.1

v1.1.0

What's New

  • TOML serialization: New dump() function to convert JavaScript objects to TOML strings
  • Security: Resolved all Dependabot alerts by upgrading chevrotain (11→12), vitest, and transitive dependencies

Bug Fixes

  • Fix silent error swallowing in tryCreateKey (non-DuplicateKeyError exceptions were silently dropped)
  • Fix tokenInterpreters Map misuse (declared as Map but used as plain object)
  • Remove dead/broken octal escape code path in string unescaping

Internal

  • Add createCategoryToken helper to reduce token registration boilerplate
  • Simplify hasRenderableHeader logic in TOML generator
  • Upgrade chevrotain 11→12 (drops lodash-es dependency)
  • Upgrade vitest/coverage-v8 to 4.1.4

Changelog

Sourced from js-toml's changelog.

[1.1.3] - 2026-06-30

Security

  • Fix uncontrolled recursion that let deeply nested input (arrays / inline tables) or a long dotted key drive load() past the V8 call stack and throw an uncaught RangeError, violating the documented SyntaxParseError contract and enabling a denial-of-service in services that parse untrusted TOML (GHSA-3g82-77xr-68x5, CWE-674). Neither the recursive-descent parser nor the tree-walking interpreter bounded nesting depth. load() now enforces a configurable maximum depth (load(toml, { maxDepth }), default 100), rejecting over-deep input as SyntaxParseError, with a top-level backstop that converts any residual native stack overflow into SyntaxParseError as well. Reported by @kaimandalic.

Added

  • LoadOptions with a maxDepth option for load(), and an exported DEFAULT_MAX_DEPTH constant.

[1.1.2] - 2026-05-28

Security

  • Fix silent acceptance of duplicate keys whose prior value is a falsy primitive (false, 0, 0.0, -0.0, nan, "") (GHSA-m34p-749j-x6m6, CWE-697). The interpreter used a truthy existence check (if (object[key])) instead of key in object, so a later table, dotted-key sub-table, or array-of-tables sharing the same name silently overwrote the falsy value instead of raising a duplicate-key error. Reported by @CosmicCrusader23.

Fixed

  • Reject array-of-tables headers ([[a.b]]) that descend into a statically-defined array. getOrCreateArray lacked the immutability guard that createTable had, so such input either threw an uncaught TypeError or silently mutated the static array instead of raising SyntaxParseError.

[1.1.1] - 2026-05-25

Security

  • Fix CPU exhaustion via O(n²) BigInt construction on radix-prefixed integer literals (GHSA-wp3c-266w-4qfq, CWE-400, CWE-407). The 0x / 0o / 0b integer parser previously used a hand-written BigInt accumulator loop that ran in O(n²) in the literal length, allowing a single ~500 kB literal to block the event loop for tens of seconds. Switched to the native BigInt(prefixedString) constructor (O(n)) and capped radix-prefixed literals at 1000 digits. Reported by @tonghuaroot.

[1.1.0] - 2026-04-15

Added

  • TOML serialization via dump() function with support for all TOML v1.0.0 value types
  • DumpOptions for controlling newline style, undefined handling, and key quoting

Changed

  • Upgraded Chevrotain to v12
  • Migrated ESLint to flat configuration

Commits

  • fcb1fa3 chore: release v1.1.3
  • 4e10acf fix: bound recursion depth and surface as SyntaxParseError (GHSA-3g82-77xr-68x5)
  • fd89978 docs(examples): bump js-toml to ^1.1.2 and demonstrate dump()
  • e3041b2 chore: release v1.1.2
  • 685a3bd fix: reject array-of-tables headers that descend into a static array
  • e0504fa fix: treat falsy-primitive duplicate keys as parse errors (GHSA-m34p-749j-x6m6)
  • 8713713 refactor: type sanitize() as discriminated union to remove dumpValue throw
  • 61d5a16 test: cover dump error paths and drop dead non-integer fallback
  • 470c7c9 refactor: replace defensive throw in getRadix with exhaustive switch
  • aeba37d docs: add changelog entry for v1.1.1
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [js-toml](https://github.com/sunnyadn/js-toml) from 1.0.3 to 1.1.3.
- [Release notes](https://github.com/sunnyadn/js-toml/releases)
- [Changelog](https://github.com/sunnyadn/js-toml/blob/main/CHANGELOG.md)
- [Commits](sunnyadn/js-toml@v1.0.3...v1.1.3)

---
updated-dependencies:
- dependency-name: js-toml
  dependency-version: 1.1.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
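The falsy-primitive duplicate-key bug from the v1.1.2 notes, modelled in an added example that is not js-toml's code: a toy createTable walks a table-header path and decides whether each key already exists, once with the pre-fix `if (object[key])` test and once with an own-property check (the names createTable, truthyExists, ownExists and redefineFalsyKey are this example's own).

```javascript
// Added example, not js-toml's code: a minimal model of a TOML interpreter's
// table-creation step, showing why a truthy test is the wrong existence check
// (GHSA-m34p-749j-x6m6) and what the hardened check looks like.

class DuplicateKeyError extends Error {}

const isTable = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Walks a header path such as ['server', 'tls'], creating tables on the way.
// `exists(obj, key)` is the existence predicate under test.
function createTable(root, path, exists) {
  let node = root;
  for (const key of path) {
    if (exists(node, key)) {
      // Descending into an existing key is only legal if it is a table.
      if (!isTable(node[key])) {
        throw new DuplicateKeyError(`key '${key}' is already defined`);
      }
      node = node[key];
    } else {
      node = node[key] = {};
    }
  }
  return node;
}

// Pre-fix check: `if (object[key])`. A prior false / 0 / "" reads as absent.
const truthyExists = (obj, key) => Boolean(obj[key]);

// Hardened check: presence of the key, not the truthiness of its value.
// Object.hasOwn is the own-property form of the advisory's `key in object`,
// which additionally avoids matching inherited names such as 'constructor'.
const ownExists = (obj, key) => Object.hasOwn(obj, key);

// Models a document that binds `enabled = false` and then opens `[enabled]`.
// Returns what a caller would observe with the given existence check.
function redefineFalsyKey(exists) {
  const root = { enabled: false }; // constructed prior document state
  try {
    createTable(root, ['enabled'], exists);
    return { rejected: false, enabled: root.enabled };
  } catch (e) {
    if (e instanceof DuplicateKeyError) return { rejected: true, error: e.message };
    throw e;
  }
}
```

With truthyExists the boolean false is silently replaced by an empty table; with ownExists the same input is rejected as a duplicate key.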
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 30, 2026
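The radix-literal fix from the v1.1.1 notes, as an added example that is not js-toml's code: the quadratic accumulator shape the advisory describes beside a parser that caps the digit count at 1000 and hands the prefixed string to the native BigInt constructor (parseRadixAccumulate, parseRadixLiteral and MAX_RADIX_DIGITS are this example's own names; underscore placement rules are assumed to be checked elsewhere).

```javascript
// Added example, not js-toml's code: parsing a 0x / 0o / 0b TOML integer literal
// with the digit cap the v1.1.1 fix describes (GHSA-wp3c-266w-4qfq), next to the
// O(n^2) accumulator pattern it replaced.
const MAX_RADIX_DIGITS = 1000; // the cap quoted in the release notes

class SyntaxParseError extends Error {}

// Pre-fix shape: every iteration multiplies a BigInt that is already O(i)
// digits long, so the loop as a whole is O(n^2) in the literal length.
function parseRadixAccumulate(literal) {
  const radix = { x: 16, o: 8, b: 2 }[literal[1]];
  let acc = 0n;
  for (const ch of literal.slice(2).replace(/_/g, '')) {
    acc = acc * BigInt(radix) + BigInt(parseInt(ch, radix));
  }
  return acc;
}

const DIGITS = { x: /^[0-9A-Fa-f]+$/, o: /^[0-7]+$/, b: /^[01]+$/ };

// Hardened shape: validate and cap the digit string before any arithmetic,
// then let the engine's native (linear-time) BigInt parser do the conversion.
function parseRadixLiteral(literal) {
  const m = /^0([xob])([0-9A-Za-z_]+)$/.exec(literal);
  if (!m) throw new SyntaxParseError(`not a radix-prefixed integer: ${literal}`);
  const [, prefix, raw] = m;
  // TOML allows '_' between digits; strip them before validating (assumption:
  // the between-digits placement rule is enforced by the tokenizer).
  const digits = raw.replace(/_/g, '');
  if (digits.length > MAX_RADIX_DIGITS) {
    throw new SyntaxParseError(`radix literal exceeds ${MAX_RADIX_DIGITS} digits`);
  }
  if (!DIGITS[prefix].test(digits)) {
    throw new SyntaxParseError(`invalid digit in 0${prefix} literal`);
  }
  return BigInt(`0${prefix}${digits}`); // BigInt("0xff") === 255n
}
```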

@nhopeatall nhopeatall (Collaborator) left a comment

Summary

APPROVE — clean, low-risk transitive security bump. js-toml 1.0.3 → 1.1.3 is lock-file-only because js-toml is a transitive dependency of llmist / @llmist/cli (both pin ^1.0.2); 1.1.3 satisfies the caret, so no package.json change is warranted.

Verification

  • Engine constraint satisfied. The transitive chevrotain 11.2.0 → 12.0.0 bump adds engines: node >=22.0.0. Root package.json already requires node >=22.0.0, .nvmrc pins 22, all Dockerfiles use node:22/node:24 (worker is node:24 — the image where js-toml is actually exercised via llmist), and CI runs Node 22. No install-time EBADENGINE or runtime risk.
  • Clean dependency graph. lodash-es is fully removed (no dangling references remain) and exactly one chevrotain (12.0.0) copy is present — no duplicated/orphaned trees.
  • No direct usage in CASCADE. There is no import ... from 'js-toml' anywhere; the tomlString helper in src/backends/codex/index.ts is a hand-rolled escaper, unrelated to the package. The new maxDepth default (100) and stricter duplicate-key/recursion parsing therefore cannot break CASCADE's own code — only llmist's internal config parsing is affected, and those changes are security hardening.
  • CI green (5/5) including Docker build validation, lint-and-test, and integration-tests — confirming the lock file is internally consistent (npm ci would fail otherwise).
  • Security upside: pulls in fixes for recursion-depth DoS (GHSA-3g82-77xr-68x5), O(n²) BigInt DoS (GHSA-wp3c-266w-4qfq), and falsy-primitive duplicate-key correctness (GHSA-m34p-749j-x6m6).

No blocking or should-fix issues.

🕵️ claude-code · claude-opus-4-8 · run details
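The recursion-depth bound that the v1.1.3 changelog and the review above refer to, as an added example that is not js-toml's code: a small recursive-descent parser for nested TOML-style arrays that enforces a configurable maxDepth (default 100) and converts any residual native stack overflow into SyntaxParseError (parseNestedArray and this load wrapper are the example's own names).

```javascript
// Added example, not js-toml's code: a tiny recursive-descent parser for nested
// TOML-style arrays that bounds nesting depth as the v1.1.3 changelog describes
// (GHSA-3g82-77xr-68x5), with the backstop that converts a native stack overflow.
const DEFAULT_MAX_DEPTH = 100; // same default the changelog gives for load()

class SyntaxParseError extends Error {}

// Parses text such as "[[1, 2], [3]]" into nested arrays of numbers.
// `depth` counts the arrays currently open around the value being parsed.
function parseNestedArray(text, { maxDepth = DEFAULT_MAX_DEPTH } = {}) {
  const src = text.replace(/\s+/g, '');
  let pos = 0;
  function parseValue(depth) {
    if (depth > maxDepth) {
      throw new SyntaxParseError(`nesting depth exceeds maxDepth=${maxDepth}`);
    }
    if (src[pos] === '[') {
      pos++;
      const items = [];
      while (src[pos] !== ']') {
        items.push(parseValue(depth + 1));
        if (src[pos] === ',') pos++;
        else if (src[pos] !== ']') throw new SyntaxParseError(`expected ',' or ']' at ${pos}`);
      }
      pos++;
      return items;
    }
    const m = /^-?\d+/.exec(src.slice(pos));
    if (!m) throw new SyntaxParseError(`unexpected input at offset ${pos}`);
    pos += m[0].length;
    return Number(m[0]);
  }
  const value = parseValue(0);
  if (pos !== src.length) throw new SyntaxParseError(`trailing input at ${pos}`);
  return value;
}

// Entry point modelled on load(toml, { maxDepth }). A RangeError that still
// escapes (e.g. maxDepth raised beyond what the engine's stack can hold) is
// surfaced as SyntaxParseError instead of leaking to the caller.
function load(text, options = {}) {
  try {
    return parseNestedArray(text, options);
  } catch (e) {
    if (e instanceof RangeError) throw new SyntaxParseError(`stack overflow: ${e.message}`);
    throw e;
  }
}
```

Input nested exactly 100 deep still parses; one level more is rejected before the engine's stack is anywhere near exhausted.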

@zbigniewsobiecki zbigniewsobiecki merged commit c9cedf3 into dev Jul 1, 2026
6 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/js-toml-1.1.3 branch July 1, 2026 09:32