
Research
/Security News
Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.
If you haven't heard of TOML, well you're just missing out. Go check it out now. Back? Good.
toml-node supports TOML v1.1.0, scoring 673/680 (99.0%) on the official toml-test compliance suite:
| Pass | Total | Rate | |
|---|---|---|---|
| Valid tests | 213 | 214 | 99.5% |
| Invalid tests | 460 | 466 | 98.7% |
| Total | 673 | 680 | 99.0% |
The 7 remaining failures are inherent JavaScript platform limitations shared by all JS TOML parsers:
Number can't represent values beyond Number.MAX_SAFE_INTEGER)\uXXXX, \UXXXXXXXX, \xHH, \e)0xDEADBEEF), octal (0o755), binary (0b11010110)inf, -inf, nantrue, falsefruit.apple.color = "red")# line commentsnpm install toml
Requires Node.js 20 or later. Zero runtime dependencies.
const toml = require('toml');
const data = toml.parse(someTomlString);
toml.parse throws an exception on parse errors with line and column properties:
try {
toml.parse(someBadToml);
} catch (e) {
console.error(`Parsing error on line ${e.line}, column ${e.column}: ${e.message}`);
}
To guard against stack overflow on maliciously deep input, arrays and inline tables may nest at most 500 levels deep by default; input past the limit throws a normal parse error. Adjust the limit with the maxDepth option:
toml.parse(someTomlString, { maxDepth: 100 });
Offset date-times are returned as JavaScript Date objects. Local date-times, local dates, and local times are returned as strings since they have no timezone information and can't be losslessly represented as Date:
const data = toml.parse(`
odt = 1979-05-27T07:32:00Z # Date object
ldt = 1979-05-27T07:32:00 # string: "1979-05-27T07:32:00"
ld = 1979-05-27 # string: "1979-05-27"
lt = 07:32:00 # string: "07:32:00"
`);
data.odt instanceof Date // true
typeof data.ldt // "string"
typeof data.ld // "string"
typeof data.lt // "string"
Pass useTemporal: true to have date/time values returned as
Temporal
objects instead:
| TOML type | Returned as |
|---|---|
| Offset date-time | Temporal.ZonedDateTime |
| Local date-time | Temporal.PlainDateTime |
| Local date | Temporal.PlainDate |
| Local time | Temporal.PlainTime |
const data = toml.parse(`
odt = 1979-05-27T00:32:00-07:00
ldt = 1979-05-27T07:32:00
ld = 1979-05-27
lt = 07:32:00
`, { useTemporal: true });
data.odt.toString() // "1979-05-27T00:32:00-07:00[-07:00]"
data.ldt.toString() // "1979-05-27T07:32:00"
data.ld.toString() // "1979-05-27"
data.lt.toString() // "07:32:00"
Offset date-times become Temporal.ZonedDateTime values whose time zone is
the original UTC offset (Z maps to the UTC time zone), so the offset
written in the TOML document is preserved — unlike the default Date
representation, which loses it. Fractional seconds beyond nanosecond
precision are truncated, as permitted by the TOML spec.
useTemporal requires a runtime with the Temporal global. On runtimes
that don't provide it yet, pass an implementation such as
@js-temporal/polyfill
via the temporal option:
const { Temporal } = require('@js-temporal/polyfill');
const data = toml.parse(someTomlString, { useTemporal: true, temporal: Temporal });
Once Temporal is broadly available, Temporal output is expected to become
the default behavior in a future major version.
inf and nan are returned as JavaScript Infinity and NaN:
const data = toml.parse(`
pos_inf = inf
neg_inf = -inf
not_a_number = nan
`);
data.pos_inf === Infinity // true
data.neg_inf === -Infinity // true
Number.isNaN(data.not_a_number) // true
You can use the toml-require package to require() your .toml files with Node.js.
toml-node uses the Peggy parser generator (successor to PEG.js).
npm install
npm run build
npm test
npm run test:spec # run toml-test compliance suite
npm run test:spec:failures # show failure details
Changes to src/toml.pegjs require a rebuild with npm run build.
toml-node is licensed under the MIT license agreement. See the LICENSE file for more information.
The 'toml-js' package is another library for parsing and stringifying TOML data. It offers similar functionality to the 'toml' package but may have different performance characteristics and API design.
The 'tomlify-j0.4' package focuses on converting JavaScript objects to TOML strings. It is useful if you primarily need to generate TOML data from JavaScript objects.
The 'toml-node' package provides TOML parsing and stringifying capabilities. It is another alternative to the 'toml' package with its own implementation and features.
FAQs
TOML parser for Node.js (TOML v1.1.0 compliant)
The npm package toml receives a total of 7,944,016 weekly downloads. As such, toml popularity was classified as popular.
We found that toml demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.