[JavaScript] configurable size guardrails for untrusted payloads

[chaokunyang]

Feature Request

Add configurable deserialization size guardrails in Fory JavaScript for untrusted payloads.

Is your feature request related to a problem? Please describe

There are currently no configurable limits for payload-driven lengths. Untrusted binary/map/list lengths can trigger large allocations and memory pressure.

Describe the solution you'd like

Add two configurable size limits to JavaScript deserialization and enforce them in relevant preallocation-sensitive read paths.

Resolve task:

• Add only two runtime guardrail options: max_binary_size and max_collection_size.
• Enforce max_collection_size for collection and map reads (map uses entry count).
• Enforce max_binary_size for binary byte-length reads.
• Do not add string size checks; string reads are excluded from this requirement.
• Return/throw a deserialization error when a configured limit is exceeded.

Describe alternatives you've considered

Relying only on process-level memory limits and runtime/allocator behavior. This is late-failing and not protocol-aware.

Additional context

Medium: no configurable size guardrails for untrusted payloads (binary/map/list lengths can drive large allocations).

Related locations:

• javascript/packages/fory/lib/type.ts:263
• javascript/packages/fory/lib/fory.ts:56
• javascript/packages/fory/lib/gen/collection.ts:299
• javascript/packages/fory/lib/gen/array.ts:44
• javascript/packages/fory/lib/gen/map.ts:404
• javascript/packages/fory/lib/reader/index.ts:191

[ayush00git]

Hey @chaokunyang
Please assign me this one

[miantalha45]

@chaokunyang can i take this issue?

[chaokunyang]

Please do not take new issues before finishing exising ones