fix(deps): bump qs override to >=6.15.2 to patch DoS (CYPACK-1269) #1274

Merged: Connoropolous merged 2 commits into main from cypack-1269 on May 30, 2026
Conversation

@cyrusagent (Contributor)

Summary

Addresses the sole open Dependabot advisory (#140) — a medium-severity remotely-triggerable DoS in qs <6.15.2 (GHSA-q8mj-m7cp-5q26): qs.stringify crashes with a TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set.

  • qs is pulled in transitively via apps/cli > express@5.2.x > body-parser > qs. Per the team's dependency security policy, this is a deep transitive whose owning direct dep (express) has no released version that resolves qs >=6.15.2, so the existing root pnpm.overrides entry is bumped from >=6.14.2 (which resolved to the still-vulnerable 6.15.1) to >=6.15.2.
  • pnpm audit now reports zero advisories.

This supersedes #1251 (which bundled unrelated EgressProxy changes); that PR is being closed in favor of this one.

Linear: CYPACK-1269

Test plan

  • pnpm install regenerates lockfile with qs@6.15.2 (single resolved version)
  • pnpm audit reports no known vulnerabilities
  • pnpm build succeeds
  • pnpm typecheck succeeds
  • pnpm test:packages:run — all packages green
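As an added example (not code from this PR or from the cypack project), the Node script below automates the two things the test plan above verifies by hand after an override bump of this kind: that the root `pnpm.overrides` entry for qs has a lower bound at or above the advisory's fixed version (6.15.2), and that the lockfile resolves qs to exactly one version at or above it. The lockfile text is constructed, lockfile-shaped sample data, and the function names (`checkOverride`, `resolvedVersions`, `minimumOfRange`) are assumptions of this example, not part of the repository.

```javascript
// Added example, not part of the PR: verify a pnpm override actually closes
// an advisory. Assumed helper names; lockfile content below is constructed.

const SEMVER = /^(\d+)\.(\d+)\.(\d+)/;

// Parse "6.15.2" into [6, 15, 2]; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = SEMVER.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major/minor/patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of an override range written as ">=x.y.z" (the form used here).
function minimumOfRange(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return m[1];
}

// Every distinct version of `pkg` keyed in a pnpm lockfile, from lines such as
// "qs@6.15.1:" (lockfile v9) or "/qs@6.15.1:" (v6). Dependency lines like
// "qs: 6.15.1" are intentionally not matched; only resolved package keys are.
function resolvedVersions(lockfileText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&');
  const re = new RegExp(`^\\s*/?${escaped}@(\\d+\\.\\d+\\.\\d+)[^:\\n]*:`, 'gm');
  const found = new Set();
  let m;
  while ((m = re.exec(lockfileText)) !== null) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// The check itself: override present and strong enough, single resolved
// version, and that version at or above the advisory's fixed version.
function checkOverride(packageJson, lockfileText, pkg, fixedVersion) {
  const problems = [];
  const range = packageJson.pnpm && packageJson.pnpm.overrides
    ? packageJson.pnpm.overrides[pkg] : undefined;
  if (!range) {
    problems.push(`no pnpm.overrides entry for ${pkg}`);
  } else if (compareVersions(minimumOfRange(range), fixedVersion) < 0) {
    problems.push(`override "${range}" still admits ${pkg} below ${fixedVersion}`);
  }
  const resolved = resolvedVersions(lockfileText, pkg);
  if (resolved.length === 0) problems.push(`${pkg} not found in lockfile`);
  if (resolved.length > 1) problems.push(`${pkg} resolves to several versions: ${resolved.join(', ')}`);
  for (const v of resolved) {
    if (compareVersions(v, fixedVersion) < 0) problems.push(`lockfile resolves ${pkg}@${v} (< ${fixedVersion})`);
  }
  return { ok: problems.length === 0, range: range || null, resolved, problems };
}

// Constructed sample: the pre-PR state, override >=6.14.2 resolving qs@6.15.1.
const BEFORE_PACKAGE_JSON = { pnpm: { overrides: { qs: '>=6.14.2' } } };
const BEFORE_LOCK = `
lockfileVersion: '9.0'

overrides:
  qs: '>=6.14.2'

packages:

  body-parser@2.2.0:
    resolution: {integrity: sha512-CONSTRUCTED}

  qs@6.15.1:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  body-parser@2.2.0:
    dependencies:
      qs: 6.15.1
`;

// Constructed post-PR state: same lockfile with the override and resolution bumped.
const AFTER_PACKAGE_JSON = { pnpm: { overrides: { qs: '>=6.15.2' } } };
const AFTER_LOCK = BEFORE_LOCK.replace(/6\.15\.1/g, '6.15.2').replace("'>=6.14.2'", "'>=6.15.2'");

const FIXED_QS = '6.15.2'; // fixed version from GHSA-q8mj-m7cp-5q26, as stated in the PR

for (const [label, pj, lock] of [['before', BEFORE_PACKAGE_JSON, BEFORE_LOCK],
                                 ['after', AFTER_PACKAGE_JSON, AFTER_LOCK]]) {
  const r = checkOverride(pj, lock, 'qs', FIXED_QS);
  console.log(label, r.ok ? 'OK' : 'FAIL', r.resolved, r.problems);
}
```

In a repository this would read `package.json` and `pnpm-lock.yaml` from disk and exit non-zero on `ok === false`, which makes it a cheap CI guard against the failure mode this PR describes: an override whose lower bound is already below the advisory's fixed version, so the lockfile quietly keeps resolving a vulnerable release.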

@Connoropolous Connoropolous merged commit 716aa8f into main May 30, 2026
4 checks passed

2 participants