build(deps): bump github.com/pelletier/go-toml/v2 from 2.4.2 to 2.4.3#38
build(deps): bump github.com/pelletier/go-toml/v2 from 2.4.2 to 2.4.3#38dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [github.com/pelletier/go-toml/v2](https://github.com/pelletier/go-toml) from 2.4.2 to 2.4.3. - [Release notes](https://github.com/pelletier/go-toml/releases) - [Commits](pelletier/go-toml@v2.4.2...v2.4.3) --- updated-dependencies: - dependency-name: github.com/pelletier/go-toml/v2 dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Codex review: needs maintainer review before merge. Reviewed July 8, 2026, 2:47 AM ET / 06:47 UTC. Summary Reproducibility: not applicable. this is a dependency maintenance PR, not a reported runtime bug. The source check confirms the dependency is used by config load/save and the PR only updates module metadata. Review metrics: 3 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Next step before merge
Security Review detailsBest possible solution: Merge the narrow dependency bump after normal dependency-review gates remain green, keeping the existing config parser usage unchanged. Do we have a high-confidence way to reproduce the issue? Not applicable; this is a dependency maintenance PR, not a reported runtime bug. The source check confirms the dependency is used by config load/save and the PR only updates module metadata. Is this the best way to solve the issue? Yes; for this dependency update, the narrow go.mod/go.sum bump is the maintainable path. Current main does not already contain v2.4.3, and no duplicate implementation path was found. AGENTS.md: not found in the target repository. Codex review notes: model internal, reasoning high; reviewed against b5c480e0492b. Label changesLabel changes:
Label justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
Bumps github.com/pelletier/go-toml/v2 from 2.4.2 to 2.4.3.
Release notes
Sourced from github.com/pelletier/go-toml/v2's releases.
Commits
071a36cfix: bound array and inline table nesting depth to prevent stack-overflow DoS...57fec25Add RawMessage marshal support to unstable (#1084)79f82e3fix: error instead of panic on nil unexported embedded pointer (#1089)a28afedunstable/kind: drop duplicate 'a' from LocalDate comment (#1062)6fa69affix: do not recurse forever on recursively embedded structs (#1087)82b792efix: report table placement errors with position and key context (#1086)f93de50perf: avoid interface boxing when decoding date/time values (#1085)21f8286Deliver the whole document to a root Unmarshaler (#994) (#1083)98e94aeUpdate bundled toml.abnf to TOML 1.1.0 and pin spec-corner behaviour (#1082)35f78d5Fix invalid TOML from commented multi-line values (#1081)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)