From f547f0c824d436c4dcf1af5f440bdd7a2c1068d8 Mon Sep 17 00:00:00 2001
From: agentclear
Date: Sat, 30 May 2026 00:33:28 -0700
Subject: [PATCH 1/2] fix(deps): bump qs override to >=6.15.2 to patch DoS (CYPACK-1269)
---
 CHANGELOG.md | 3 +++
 package.json | 2 +-
 pnpm-lock.yaml | 14 +++++++-------
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba0564c84..17eaa14f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+### Security
+- Bumped `qs` to >=6.15.2 to address a remotely triggerable DoS (`qs.stringify` crash on null/undefined entries in comma-format arrays when `encodeValuesOnly` is set), pulled in transitively via `express`. ([CYPACK-1269](https://linear.app/ceedar/issue/CYPACK-1269), [#PRNUM](https://github.com/ceedaragents/cyrus/pull/PRNUM))
+
 ### Changed
 - Updated `@anthropic-ai/claude-agent-sdk` from 0.3.154 to 0.3.156 and `@anthropic-ai/sdk` from 0.100.0 to 0.100.1. See the [SDK changelog](https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md) for details. ([CYPACK-1265](https://linear.app/ceedar/issue/CYPACK-1265), [#1270](https://github.com/cyrusagents/cyrus/pull/1270))
diff --git a/package.json b/package.json
index bda988282..e17d5bfb2 100644
--- a/package.json
+++ b/package.json
@@ -50,7 +50,7 @@
 "jws": ">=4.0.1",
 "@modelcontextprotocol/sdk": ">=1.26.0",
 "semver": ">=7.5.2",
- "qs": ">=6.14.2",
+ "qs": ">=6.15.2",
 "vite": ">=7.1.11",
 "zod": "4.3.6",
 "hono": ">=4.12.18",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 1e6f0ee98..6d3a37b7c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -8,7 +8,7 @@ overrides: jws: '>=4.0.1' '@modelcontextprotocol/sdk': '>=1.26.0' semver: '>=7.5.2' - qs: '>=6.14.2' + qs: '>=6.15.2' vite: '>=7.1.11' zod: 4.3.6 hono: '>=4.12.18'
@@ -3647,8 +3647,8 @@ packages: pumpify@2.0.1: resolution: {integrity: sha512-m7KOje7jZxrmutanlkS1daj1dS6z6BgslzOXmcSEpIlCxM3VJH7lG5QLeck/6hgF6F4crFf01UtQmNsJfweTAw==} - qs@6.15.1: - resolution: {integrity: sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg==} + qs@6.15.2: + resolution: {integrity: sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==} engines: {node: '>=0.6'} quick-format-unescaped@4.0.4:
@@ -6144,7 +6144,7 @@ snapshots: http-errors: 2.0.1 iconv-lite: 0.7.2 on-finished: 2.4.1 - qs: 6.15.1 + qs: 6.15.2 raw-body: 3.0.2 type-is: 2.0.1 transitivePeerDependencies:
@@ -6559,7 +6559,7 @@ snapshots: once: 1.4.0 parseurl: 1.3.3 proxy-addr: 2.0.7 - qs: 6.15.1 + qs: 6.15.2 range-parser: 1.2.1 router: 2.2.0 send: 1.2.1
@@ -6879,7 +6879,7 @@ snapshots: extend: 3.0.2 gaxios: 6.7.1(encoding@0.1.13) google-auth-library: 9.15.1(encoding@0.1.13) - qs: 6.15.1 + qs: 6.15.2 url-template: 2.0.8 uuid: 14.0.0 transitivePeerDependencies:
@@ -7736,7 +7736,7 @@ snapshots: inherits: 2.0.4 pump: 3.0.4 - qs@6.15.1: + qs@6.15.2: dependencies: side-channel: 1.1.0
From 21e530befeaa2a5d8c832637f59ab7bec00658f2 Mon Sep 17 00:00:00 2001
From: agentclear
Date: Sat, 30 May 2026 00:34:09 -0700
Subject: [PATCH 2/2] docs(changelog): add PR link for qs security bump (CYPACK-1269)
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17eaa14f3..84f1ae1d3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
 ### Security
-- Bumped `qs` to >=6.15.2 to address a remotely triggerable DoS (`qs.stringify` crash on null/undefined entries in comma-format arrays when `encodeValuesOnly` is set), pulled in transitively via `express`. ([CYPACK-1269](https://linear.app/ceedar/issue/CYPACK-1269), [#PRNUM](https://github.com/ceedaragents/cyrus/pull/PRNUM))
+- Bumped `qs` to >=6.15.2 to address a remotely triggerable DoS (`qs.stringify` crash on null/undefined entries in comma-format arrays when `encodeValuesOnly` is set), pulled in transitively via `express`. ([CYPACK-1269](https://linear.app/ceedar/issue/CYPACK-1269), [#1274](https://github.com/ceedaragents/cyrus/pull/1274))
 ### Changed
 - Updated `@anthropic-ai/claude-agent-sdk` from 0.3.154 to 0.3.156 and `@anthropic-ai/sdk` from 0.100.0 to 0.100.1. See the [SDK changelog](https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md) for details. ([CYPACK-1265](https://linear.app/ceedar/issue/CYPACK-1265), [#1270](https://github.com/cyrusagents/cyrus/pull/1270))