Skip to content

Bump lodash-es and js-toml in /documentation/4.0/themes/hugo-theme-relearn-9.0.3/tools#1734

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/documentation/4.0/themes/hugo-theme-relearn-9.0.3/tools/multi-fc0629ce51
Open

Bump lodash-es and js-toml in /documentation/4.0/themes/hugo-theme-relearn-9.0.3/tools#1734
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/documentation/4.0/themes/hugo-theme-relearn-9.0.3/tools/multi-fc0629ce51

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Copy link
Copy Markdown
Contributor

Removes lodash-es. It's no longer used after updating ancestor dependency js-toml. These dependencies need to be updated together.

Removes lodash-es

Updates js-toml from 1.0.2 to 1.1.2

Release notes

Sourced from js-toml's releases.

v1.1.2

Security

  • Fix silent acceptance of duplicate keys whose prior value is a falsy primitive (GHSA-m34p-749j-x6m6, CWE-697).

    The interpreter checked whether a key already existed with a truthy test (if (object[key])) instead of key in object. When the prior value was a falsy primitive — false, 0, 0.0, -0.0, nan, or "" — the duplicate-key branch was skipped and the value was silently overwritten by a later table, dotted-key sub-table, or array-of-tables of the same name, instead of raising a parse error as the TOML 1.0.0 spec requires. A boolean false could thus surface as a truthy object in the parsed result.

    All users on 1.1.1 or earlier are affected and should upgrade to 1.1.2.

    Reported by @​CosmicCrusader23 — thank you.

Fixed

  • Reject array-of-tables headers ([[a.b]]) that descend into a statically-defined array. getOrCreateArray lacked the immutability guard that createTable already had, so such input either threw an uncaught TypeError or silently mutated the static array instead of raising SyntaxParseError.

Full changelog: sunnyadn/js-toml@v1.1.1...v1.1.2

v1.1.1

Security

  • Fix CPU exhaustion via O(n²) BigInt construction on radix-prefixed integer literals (GHSA-wp3c-266w-4qfq, CWE-400, CWE-407).

    The 0x / 0o / 0b integer parser previously used a hand-written BigInt accumulator loop that ran in O(n²) in the literal length, allowing a single attacker-supplied ~500 kB radix literal to block the Node.js event loop for tens of seconds. The fix switches to the V8 native BigInt(prefixedString) constructor (O(n)) and caps radix-prefixed literals at 1000 digits, matching jackson-core's StreamReadConstraints.maxNumberLength default.

    All users on 1.1.0 or earlier are affected and should upgrade to 1.1.1.

    Reported and patched by @​tonghuaroot — thank you.

Full changelog: sunnyadn/js-toml@v1.1.0...v1.1.1

v1.1.0

What's New

  • TOML serialization: New dump() function to convert JavaScript objects to TOML strings
  • Security: Resolved all Dependabot alerts by upgrading chevrotain (11→12), vitest, and transitive dependencies

Bug Fixes

  • Fix silent error swallowing in tryCreateKey (non-DuplicateKeyError exceptions were silently dropped)
  • Fix tokenInterpreters Map misuse (declared as Map but used as plain object)
  • Remove dead/broken octal escape code path in string unescaping

Internal

  • Add createCategoryToken helper to reduce token registration boilerplate
  • Simplify hasRenderableHeader logic in TOML generator
  • Upgrade chevrotain 11→12 (drops lodash-es dependency)
  • Upgrade vitest/coverage-v8 to 4.1.4

v1.0.3

... (truncated)

Changelog

Sourced from js-toml's changelog.

[1.1.2] - 2026-05-28

Security

  • Fix silent acceptance of duplicate keys whose prior value is a falsy primitive (false, 0, 0.0, -0.0, nan, "") (GHSA-m34p-749j-x6m6, CWE-697). The interpreter used a truthy existence check (if (object[key])) instead of key in object, so a later table, dotted-key sub-table, or array-of-tables sharing the same name silently overwrote the falsy value instead of raising a duplicate-key error. Reported by @​CosmicCrusader23.

Fixed

  • Reject array-of-tables headers ([[a.b]]) that descend into a statically-defined array. getOrCreateArray lacked the immutability guard that createTable had, so such input either threw an uncaught TypeError or silently mutated the static array instead of raising SyntaxParseError.

[1.1.1] - 2026-05-25

Security

  • Fix CPU exhaustion via O(n²) BigInt construction on radix-prefixed integer literals (GHSA-wp3c-266w-4qfq, CWE-400, CWE-407). The 0x / 0o / 0b integer parser previously used a hand-written BigInt accumulator loop that ran in O(n²) in the literal length, allowing a single ~500 kB literal to block the event loop for tens of seconds. Switched to the native BigInt(prefixedString) constructor (O(n)) and capped radix-prefixed literals at 1000 digits. Reported by @​tonghuaroot.

[1.1.0] - 2026-04-15

Added

  • TOML serialization via dump() function with support for all TOML v1.0.0 value types
  • DumpOptions for controlling newline style, undefined handling, and key quoting

Changed

  • Upgraded Chevrotain to v12
  • Migrated ESLint to flat configuration

[1.0.3] - 2026-02-24

Fixed

  • Replaced @digitak/esrun with tsx to resolve esbuild vulnerability
  • Upgraded dependencies to resolve security vulnerabilities

Changed

  • Extracted isPlainObject utility and replaced redundant implementations
Commits
  • e3041b2 chore: release v1.1.2
  • 685a3bd fix: reject array-of-tables headers that descend into a static array
  • e0504fa fix: treat falsy-primitive duplicate keys as parse errors (GHSA-m34p-749j-x6m6)
  • 8713713 refactor: type sanitize() as discriminated union to remove dumpValue throw
  • 61d5a16 test: cover dump error paths and drop dead non-integer fallback
  • 470c7c9 refactor: replace defensive throw in getRadix with exhaustive switch
  • aeba37d docs: add changelog entry for v1.1.1
  • 60d0741 chore: release v1.1.1
  • 1abcb31 Merge commit from fork
  • 1e45ca5 Cap radix-prefixed integer literals at 1000 digits and use native BigInt
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Removes [lodash-es](https://github.com/lodash/lodash). It's no longer used after updating ancestor dependency [js-toml](https://github.com/sunnyadn/js-toml). These dependencies need to be updated together.


Removes `lodash-es`

Updates `js-toml` from 1.0.2 to 1.1.2
- [Release notes](https://github.com/sunnyadn/js-toml/releases)
- [Changelog](https://github.com/sunnyadn/js-toml/blob/main/CHANGELOG.md)
- [Commits](sunnyadn/js-toml@v1.0.2...v1.1.2)

---
updated-dependencies:
- dependency-name: lodash-es
  dependency-version:
  dependency-type: indirect
- dependency-name: js-toml
  dependency-version: 1.1.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 18, 2026
@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jun 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants