tomli

tomli is a read-only TOML parser that does exactly what it promises with zero surprises. The API is dead simple: `tomli.load()` for file objects and `tomli.loads()` for strings. It strictly follows the TOML spec and fails fast with clear error messages when parsing invalid input, which is exactly what you want from a security perspective.

From a security standpoint, tomli excels. It has zero dependencies, eliminating supply chain risk entirely. The codebase is small and auditable. Error messages are informative without leaking sensitive data - they point to line numbers and syntax issues without echoing potentially sensitive configuration values. Input validation is strict by design since it implements the TOML spec faithfully, rejecting malformed input rather than trying to be clever.

The library became part of Python 3.11+ stdlib as `tomllib`, which speaks to its quality. For Python 3.10 and earlier, tomli is the backport you want. No crypto concerns since it's just a parser, no network operations, no file path traversal issues - it operates only on the data you explicitly provide.

tomli is a pure-Python TOML parser that I've used extensively for configuration file parsing. From a security perspective, it's exemplary: no external dependencies means zero supply chain risk, and it's read-only by design which prevents entire classes of file manipulation vulnerabilities. The error messages are informative without leaking implementation details, and it handles malformed input gracefully with proper exception types.

The API is refreshingly simple: tomli.load() for file objects and tomli.loads() for strings. It strictly follows the TOML spec, which means you get predictable parsing behavior. Input validation is robust - I've thrown various malformed configs at it during testing and it consistently fails safely with clear TOMLDecodeError exceptions that pinpoint the issue without exposing system internals.

The library is now part of Python 3.11+ as tomllib in the standard library, which speaks to its quality. For projects supporting older Python versions, tomli remains the go-to choice. No authentication/authorization concerns since it's purely a parser, and no crypto/TLS since it operates on local files only.

I've used tomli extensively for parsing configuration files in production systems. It's a read-only TOML parser with zero dependencies, which makes supply chain auditing trivial. The API is dead simple: `tomli.load(fp)` or `tomli.loads(s)` returns a dict. No configuration, no surprises.

From a security perspective, tomli handles malformed input gracefully with clear TOMLDecodeError exceptions that don't leak file paths or internal state. Error messages pinpoint line/column numbers without exposing system details. The parser has excellent input validation and I've never seen it crash on malicious input—it just raises appropriate exceptions. Since it's pure Python with no C extensions or crypto, the attack surface is minimal.

The library follows secure-by-default principles: strict TOML 1.0.0 spec compliance means no legacy quirks or permissive parsing that could lead to misconfigurations. It became part of Python 3.11+ stdlib as `tomllib`, which speaks to its code quality. For Python <3.11 projects, tomli is the standard choice.