Merge pull request #308 from NVIDIA/dependabot/go_modules/main/github.com/pelletier/go-toml-1.9.5

Bump github.com/pelletier/go-toml from 1.9.4 to 1.9.5

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/NVIDIA/go-nvml v0.12.0-1.0.20231020145430-e06766c5e74f
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/opencontainers/runtime-spec v1.1.0
-	github.com/pelletier/go-toml v1.9.4
+	github.com/pelletier/go-toml v1.9.5
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.4
 	github.com/urfave/cli/v2 v2.3.0

go.sum

@@ -39,8 +39,8 @@ github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM=
+github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
-github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

vendor/github.com/pelletier/go-toml/README.md

@@ -25,9 +25,9 @@ and [much faster][v2-bench]. If you only need reading and writing TOML documents
 (majority of cases), those features are implemented and the API unlikely to
 change.
 
-The remaining features (Document structure editing and tooling) will be added
+The remaining features will be added shortly. While pull-requests are welcome on
-shortly. While pull-requests are welcome on v1, no active development is
+v1, no active development is expected on it. When v2.0.0 is released, v1 will be
-expected on it. When v2.0.0 is released, v1 will be deprecated.
+deprecated.
 
 👉 [go-toml v2][v2]
 

vendor/github.com/pelletier/go-toml/SECURITY.md

@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version    | Supported          |
+| ---------- | ------------------ |
+| Latest 2.x | :white_check_mark: |
+| All 1.x    | :x:                |
+| All 0.x    | :x:                |
+
+## Reporting a Vulnerability
+
+Email a vulnerability report to `security@pelletier.codes`. Make sure to include
+as many details as possible to reproduce the vulnerability. This is a
+side-project: I will try to get back to you as quickly as possible, time
+permitting in my personal life. Providing a working patch helps very much!

vendor/github.com/pelletier/go-toml/marshal.go

@@ -1113,7 +1113,7 @@ func (d *Decoder) valueFromToml(mtype reflect.Type, tval interface{}, mval1 *ref
 				return reflect.ValueOf(nil), fmt.Errorf("Can't convert %v(%T) to %v", tval, tval, mtype.String())
 			}
 
-			if val.Convert(reflect.TypeOf(int(1))).Int() < 0 {
+			if val.Type().Kind() != reflect.Uint64 && val.Convert(reflect.TypeOf(int(1))).Int() < 0 {
 				return reflect.ValueOf(nil), fmt.Errorf("%v(%T) is negative so does not fit in %v", tval, tval, mtype.String())
 			}
 			if reflect.Indirect(reflect.New(mtype)).OverflowUint(val.Convert(reflect.TypeOf(uint64(0))).Uint()) {

vendor/github.com/pelletier/go-toml/parser.go

@@ -293,42 +293,41 @@ func (p *tomlParser) parseRvalue() interface{} {
 		return math.NaN()
 	case tokenInteger:
 		cleanedVal := cleanupNumberToken(tok.val)
-		var err error
+		base := 10
-		var val int64
+		s := cleanedVal
+		checkInvalidUnderscore := numberContainsInvalidUnderscore
 		if len(cleanedVal) >= 3 && cleanedVal[0] == '0' {
 			switch cleanedVal[1] {
 			case 'x':
-				err = hexNumberContainsInvalidUnderscore(tok.val)
+				checkInvalidUnderscore = hexNumberContainsInvalidUnderscore
-				if err != nil {
+				base = 16
-					p.raiseError(tok, "%s", err)
-				}
-				val, err = strconv.ParseInt(cleanedVal[2:], 16, 64)
 			case 'o':
-				err = numberContainsInvalidUnderscore(tok.val)
+				base = 8
-				if err != nil {
-					p.raiseError(tok, "%s", err)
-				}
-				val, err = strconv.ParseInt(cleanedVal[2:], 8, 64)
 			case 'b':
-				err = numberContainsInvalidUnderscore(tok.val)
+				base = 2
-				if err != nil {
-					p.raiseError(tok, "%s", err)
-				}
-				val, err = strconv.ParseInt(cleanedVal[2:], 2, 64)
 			default:
 				panic("invalid base") // the lexer should catch this first
 			}
-		} else {
+			s = cleanedVal[2:]
-			err = numberContainsInvalidUnderscore(tok.val)
+		}
-			if err != nil {
+
-				p.raiseError(tok, "%s", err)
+		err := checkInvalidUnderscore(tok.val)
-			}
-			val, err = strconv.ParseInt(cleanedVal, 10, 64)
-		}
 		if err != nil {
 			p.raiseError(tok, "%s", err)
 		}
+
+		var val interface{}
+		val, err = strconv.ParseInt(s, base, 64)
+		if err == nil {
 			return val
+		}
+
+		if s[0] != '-' {
+			if val, err = strconv.ParseUint(s, base, 64); err == nil {
+				return val
+			}
+		}
+		p.raiseError(tok, "%s", err)
 	case tokenFloat:
 		err := numberContainsInvalidUnderscore(tok.val)
 		if err != nil {

vendor/github.com/pelletier/go-toml/toml.go

@@ -471,7 +471,7 @@ func LoadBytes(b []byte) (tree *Tree, err error) {
 			if _, ok := r.(runtime.Error); ok {
 				panic(r)
 			}
-			err = errors.New(r.(string))
+			err = fmt.Errorf("%s", r)
 		}
 	}()
 

vendor/modules.txt

@@ -37,7 +37,7 @@ github.com/opencontainers/runtime-tools/generate/seccomp
 github.com/opencontainers/runtime-tools/validate/capabilities
 # github.com/opencontainers/selinux v1.11.0
 ## explicit; go 1.19
-# github.com/pelletier/go-toml v1.9.4
+# github.com/pelletier/go-toml v1.9.5
 ## explicit; go 1.12
 github.com/pelletier/go-toml
 # github.com/pmezard/go-difflib v1.0.0