fix(deps): update dependency org.mozilla:rhino to v1.7.14.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.mozilla:rhino (source)	1.7.13 → 1.7.14.1

GitHub Vulnerability Alerts

CVE-2025-66453

When an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service.

Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult
where pow5mult attempts to raise 5 to a ridiculous power.

Example code: (4.47118444E-314).toFixed(2)

---

Release Notes

mozilla/rhino (org.mozilla:rhino)

v1.7.14.1

December 2, 2025

These releases fix a bug in the code that formats floating-point numbers into strings
that could result in very bad performance in some cases.

We recommend that all users of Rhino upgrade to release 1.8.1 if possible,
and upgrade to Java 17 or 21.

Users who need an older release, or who cannot yet leave Java 8, can also
use 1.7.15.1 or 1.7.14.1.

v1.7.14

December 2, 2025

These releases fix a bug in the code that formats floating-point numbers into strings
that could result in very bad performance in some cases.

We recommend that all users of Rhino upgrade to release 1.8.1 if possible,
and upgrade to Java 17 or 21.

Users who need an older release, or who cannot yet leave Java 8, can also
use 1.7.15.1 or 1.7.14.1.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.