From 57864e372e88380fe176628cf5648f39c3f38bd7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sat, 23 May 2026 12:38:04 +0000 Subject: [PATCH] chore(deps): bump qs to >=6.15.2 to fix GHSA-q8mj-m7cp-5q26 Add npm overrides to force qs >= 6.15.2, resolving the DoS vulnerability where qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set (CVE-2026-8723). Dependabot alert: #266 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- package-lock.json | 20 ++++++++++---------- package.json | 3 +++ 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/package-lock.json b/package-lock.json index 7c6d60b6..2c4ac3ed 100644 --- a/package-lock.json +++ b/package-lock.json @@ -24073,9 +24073,9 @@ } }, "node_modules/qs": { - "version": "6.15.1", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz", - "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==", + "version": "6.15.2", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz", + "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==", "dev": true, "license": "BSD-3-Clause", "dependencies": { @@ -40721,7 +40721,7 @@ "http-errors": "^2.0.0", "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", - "qs": "^6.14.1", + "qs": ">=6.15.2", "raw-body": "^3.0.1", "type-is": "^2.0.1" }, @@ -43565,7 +43565,7 @@ "once": "^1.4.0", "parseurl": "^1.3.3", "proxy-addr": "^2.0.7", - "qs": "^6.14.0", + "qs": ">=6.15.2", "range-parser": "^1.2.1", "router": "^2.2.0", "send": "^1.1.0", @@ -44002,7 +44002,7 @@ "@paralleldrive/cuid2": "^2.2.2", "dezalgo": "^1.0.4", "once": "^1.4.0", - "qs": "^6.11.0" + "qs": ">=6.15.2" } }, "forwarded": { @@ -49992,9 +49992,9 @@ "integrity": "sha512-KTqnxsgGiQ6ZAzZCVlJH5eOjSnvlyEgx1m8bkRJfOhmGRqfo5KLvmAlACQkrjEtOQ4B7wF9TdSLIs9O90MX9xA==" }, "qs": { - "version": "6.15.1", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.1.tgz", - "integrity": "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==", + "version": "6.15.2", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz", + "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==", "dev": true, "requires": { "side-channel": "^1.1.0" @@ -51718,7 +51718,7 @@ "formidable": "^2.0.1", "methods": "^1.1.2", "mime": "2.6.0", - "qs": "^6.10.3", + "qs": ">=6.15.2", "readable-stream": "^3.6.0", "semver": "^7.3.7" }, diff --git a/package.json b/package.json index 2a1f7b08..64601e0e 100644 --- a/package.json +++ b/package.json @@ -42,6 +42,9 @@ "where": "node ./scripts/src/where.js", "request-npm-token": "request-npm-token" }, + "overrides": { + "qs": ">=6.15.2" + }, "dependencies": { "@mongodb-js/monorepo-tools": "^1.2.3" },