
build(deps): Bump stedolan/jq from jq-1.7.1 to 1.8.0 #1231

Merged
mergify[bot] merged 1 commit into master from dependabot/github_actions/stedolan/jq-jq-1.8.0
Jun 2, 2025


@dependabot dependabot Bot commented on behalf of github Jun 2, 2025

Bumps stedolan/jq from jq-1.7.1 to 1.8.0. This release includes the previously tagged commit.

Release notes

Sourced from stedolan/jq's releases.

jq 1.8.0

We are pleased to announce the release of version 1.8.0. This release includes a number of improvements since the last version. Note that some changes may introduce breaking changes to existing scripts, so be sure to read the following information carefully. Full commit log can be found at jqlang/jq@jq-1.7.1...jq-1.8.0.

Releasing

  • Change the version number pattern to 1.X.Y (1.8.0 instead of 1.8). @​itchyny #2999

  • Generate provenance attestations for release artifacts and docker image. @​lectrical #3225

    gh attestation verify --repo jqlang/jq jq-linux-amd64
    gh attestation verify --repo jqlang/jq oci://ghcr.io/jqlang/jq:1.8.0

Security fixes

  • CVE-2024-23337: Fix signed integer overflow in jvp_array_write and jvp_object_rehash. @​itchyny de21386681c0df0104a99d9d09db23a9b2a78b1e
    • The fix for this issue now limits the maximum size of arrays and objects to 536870912 (2^29) elements.
  • CVE-2024-53427: Reject NaN with payload while parsing JSON. @​itchyny a09a4dfd55e6c24d04b35062ccfe4509748b1dd3
    • The fix for this issue now drops support for NaN with payload in JSON (like NaN123). Other JSON extensions like NaN and Infinity are still supported.
  • CVE-2025-48060: Fix heap buffer overflow in jv_string_vfmt. @​itchyny c6e041699d8cd31b97375a2596217aff2cfca85b
  • Fix use of uninitialized value in check_literal. @​itchyny #3324
  • Fix segmentation fault on strftime/1, strflocaltime/1. @​itchyny #3271
  • Fix unhandled overflow in @base64d. @​emanuele6 #3080

CLI changes

  • Fix --indent 0 implicitly enabling --compact-output. @​amarshall @​gbrlmarn @​itchyny #3232

    $ jq --indent 0 . <<< '{ "foo": ["hello", "world"] }'
    {
    "foo": [
    "hello",
    "world"
    ]
    }
    # Previously, this implied --compact-output, but now outputs with new lines.
  • Improve error messages to show problematic position in the filter. @​itchyny #3292

    $ jq -n '1 + $foo + 2'
    jq: error: $foo is not defined at <top-level>, line 1, column 5:
        1 + $foo + 2

... (truncated)

Commits
  • d23a7b9 Update NEWS.md and AUTHORS for 1.8.0 (#3330)
  • d3cf5ca Add more test cases for JQ_COLORS support (ref #3288)
  • aa977aa Dynamically allocate JQ_COLORS escapes for truecolor support (#3282)
  • c6e0416 Fix heap buffer overflow when formatting an empty string
  • 3b00981 Fix quotes in 1.7 manual for ease of taking diff between versions (#3329)
  • f28720f Increase the maximum parsing depth for parsing JSON to 10000 (#3328)
  • 9ac6dda Fix whitespace in number parsing (#3195)
  • aaace54 Fix parser to allow binary operators for binding syntax (#3326)
  • 4e3088f Fix behavior of --slurp --stream when input has no trailing newline charact...
  • 7d8c096 Add trimstr/1 function (#3319)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps [stedolan/jq](https://github.com/stedolan/jq) from jq-1.7.1 to 1.8.0. This release includes the previously tagged commit.
- [Release notes](https://github.com/stedolan/jq/releases)
- [Changelog](https://github.com/jqlang/jq/blob/master/ChangeLog)
- [Commits](jqlang/jq@jq-1.7.1...jq-1.8.0)

---
updated-dependencies:
- dependency-name: stedolan/jq
  dependency-version: 1.8.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update Github_actions code) labels Jun 2, 2025
@mergify mergify Bot merged commit 3346229 into master Jun 2, 2025
5 checks passed
@mergify mergify Bot deleted the dependabot/github_actions/stedolan/jq-jq-1.8.0 branch June 2, 2025 07:06
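
Added example, not part of this PR or of jq's own code: a shell gate that fails a job when the jq on the runner predates 1.8.0, the release whose notes above list the CVE fixes. It accepts both the older two-part `jq --version` output and the 1.X.Y pattern introduced in this release; the function names are hypothetical.

```shell
#!/bin/sh
# Minimum release: the version this PR bumps to (1.8.0).
MIN_MAJOR=1 MIN_MINOR=8 MIN_PATCH=0

# Normalise `jq --version` output to "MAJOR MINOR PATCH".
# Accepts "jq-1.6" (two-part form) as well as "jq-1.8.0" (1.X.Y form).
jq_version_triple() {
    v=${1#jq-}                               # drop the "jq-" prefix
    # Keep the leading digits-and-dots run; suffixes such as "rc1" are ignored.
    v=$(printf '%s\n' "$v" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1                  # nothing numeric: unparseable
    old_ifs=$IFS; IFS=.
    set -- $v                                # split on dots
    IFS=$old_ifs
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Returns 0 when the version is >= 1.8.0, 1 when older, 2 when unparseable.
# Fields are compared numerically, so 1.10.x sorts above 1.8.x.
jq_has_fixes() {
    triple=$(jq_version_triple "$1") || return 2
    set -- $triple
    [ "$1" -gt "$MIN_MAJOR" ] && return 0
    [ "$1" -lt "$MIN_MAJOR" ] && return 1
    [ "$2" -gt "$MIN_MINOR" ] && return 0
    [ "$2" -lt "$MIN_MINOR" ] && return 1
    [ "$3" -ge "$MIN_PATCH" ]
}

# Checks the jq found on PATH; a missing jq counts as a failure.
require_fixed_jq() {
    command -v jq >/dev/null 2>&1 || { echo "jq not installed" >&2; return 1; }
    installed=$(jq --version)
    jq_has_fixes "$installed" && return 0
    echo "jq too old or unrecognised: $installed (need >= 1.8.0)" >&2
    return 1
}
```

Calling `require_fixed_jq || exit 1` as the first command of a job step stops the job before an older jq parses any input.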