Skip to content

build(deps): bump github.com/pelletier/go-toml/v2 from 2.4.2 to 2.4.3#38

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/pelletier/go-toml/v2-2.4.3
Open

build(deps): bump github.com/pelletier/go-toml/v2 from 2.4.2 to 2.4.3#38
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/pelletier/go-toml/v2-2.4.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/pelletier/go-toml/v2 from 2.4.2 to 2.4.3.

Release notes

Sourced from github.com/pelletier/go-toml/v2's releases.

v2.4.3

What's Changed

What's new

Fixed bugs

Documentation

Other changes

New Contributors

Full Changelog: pelletier/go-toml@v2.4.2...v2.4.3

Commits
  • 071a36c fix: bound array and inline table nesting depth to prevent stack-overflow DoS...
  • 57fec25 Add RawMessage marshal support to unstable (#1084)
  • 79f82e3 fix: error instead of panic on nil unexported embedded pointer (#1089)
  • a28afed unstable/kind: drop duplicate 'a' from LocalDate comment (#1062)
  • 6fa69af fix: do not recurse forever on recursively embedded structs (#1087)
  • 82b792e fix: report table placement errors with position and key context (#1086)
  • f93de50 perf: avoid interface boxing when decoding date/time values (#1085)
  • 21f8286 Deliver the whole document to a root Unmarshaler (#994) (#1083)
  • 98e94ae Update bundled toml.abnf to TOML 1.1.0 and pin spec-corner behaviour (#1082)
  • 35f78d5 Fix invalid TOML from commented multi-line values (#1081)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/pelletier/go-toml/v2](https://github.com/pelletier/go-toml) from 2.4.2 to 2.4.3.
- [Release notes](https://github.com/pelletier/go-toml/releases)
- [Commits](pelletier/go-toml@v2.4.2...v2.4.3)

---
updated-dependencies:
- dependency-name: github.com/pelletier/go-toml/v2
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 8, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 8, 2026 06:43
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 8, 2026
@github-actions github-actions Bot added the build label Jul 8, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgithub.com/​pelletier/​go-toml/​v2@​v2.4.2 ⏵ v2.4.399100100100100

View full report

@clawsweeper

clawsweeper Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 8, 2026, 2:47 AM ET / 06:47 UTC.

Summary
The branch updates the direct Go module github.com/pelletier/go-toml/v2 from v2.4.2 to v2.4.3 in go.mod and go.sum.

Reproducibility: not applicable. this is a dependency maintenance PR, not a reported runtime bug. The source check confirms the dependency is used by config load/save and the PR only updates module metadata.

Review metrics: 3 noteworthy metrics.

  • Diff size: 2 files changed; 3 additions, 3 deletions. The review surface is limited to module metadata and checksums.
  • Dependency surface: 1 direct production Go module bumped. The changed dependency is used for runtime TOML config load/save.
  • Validation status: 12 successful checks, 1 skipped release-draft check. Current GitHub checks support merging once normal dependency ownership is satisfied.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Next step before merge

  • No ClawSweeper repair lane is needed because the patch is narrow and has no actionable review finding.

Security
Cleared: The diff only updates go.mod/go.sum for an existing direct Go dependency; upstream v2.4.3 includes parser hardening fixes and no new dependency source, script, or permission surface is introduced.

Review details

Best possible solution:

Merge the narrow dependency bump after normal dependency-review gates remain green, keeping the existing config parser usage unchanged.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a dependency maintenance PR, not a reported runtime bug. The source check confirms the dependency is used by config load/save and the PR only updates module metadata.

Is this the best way to solve the issue?

Yes; for this dependency update, the narrow go.mod/go.sum bump is the maintainable path. Current main does not already contain v2.4.3, and no duplicate implementation path was found.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against b5c480e0492b.

Label changes

Label changes:

  • add P3: This is a low-risk semver patch dependency maintenance PR with a narrow go.mod/go.sum diff and green checks.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot dependency PR, so the external-contributor real-behavior proof gate does not apply; GitHub CI provides supplemental validation.

Label justifications:

  • P3: This is a low-risk semver patch dependency maintenance PR with a narrow go.mod/go.sum diff and green checks.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot dependency PR, so the external-contributor real-behavior proof gate does not apply; GitHub CI provides supplemental validation.
Evidence reviewed

What I checked:

  • Current main still pins old version: Current main has github.com/pelletier/go-toml/v2 at v2.4.2, so the dependency bump is not already implemented there. (go.mod:7, b5c480e0492b)
  • PR patch is narrow: The proposed commit changes only go.mod and go.sum, with 3 additions and 3 deletions for the v2.4.3 bump and checksum update. (go.mod:7, 4acdaf690ec4)
  • TOML dependency is used at runtime: The repository uses go-toml for config load/save, so this direct dependency update affects the config parser/encoder surface rather than unused code. (internal/config/config.go:126, b5c480e0492b)
  • Upstream release contents: The upstream v2.4.3 release notes list parser, marshaling, panic, recursion, and stack-overflow DoS fixes, matching the dependency update described in the PR body.
  • Checks are green: GitHub reports the PR merge state as CLEAN with CI lint, test, deps, release-check, CodeQL, secret scanning, and Socket checks successful; only the release-draft update check is skipped. (4acdaf690ec4)
  • Current go-toml pin history: The current v2.4.2 pin on main came from a recent Dependabot dependency bump, with adjacent direct dependency bumps also handled by Dependabot. (go.mod:7, 3c467251b4c3)

Likely related people:

  • @openclaw/openclaw-secops: CODEOWNERS assigns go.mod and go.sum to this handle, and this PR only changes those files. (role: code owner for dependency and package integrity surfaces; confidence: high; commits: 2cc577b8ebf4; files: go.mod, go.sum, .github/CODEOWNERS)
  • Peter Steinberger: The initial release commit added the Go module, CODEOWNERS, and the TOML config load/save path that consumes this dependency. (role: introduced config and dependency surface; confidence: medium; commits: 2cc577b8ebf4; files: go.mod, go.sum, internal/config/config.go)
  • dependabot[bot]: Recent main history shows Dependabot carrying the existing go-toml v2.4.2 pin and neighboring direct Go dependency bumps. (role: recent dependency updater on main; confidence: medium; commits: 3c467251b4c3, 5d2e6ad412c5, b5c480e0492b; files: go.mod, go.sum)
  • vincentkoc: GitHub metadata shows this account assigned to the live dependency PR, though the file-history signal is weak. (role: assigned reviewer; confidence: low; files: go.mod, go.sum)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

build dependencies Pull requests that update a dependency file go Pull requests that update go code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant