Skip to content

Qs security vulnerability fix #1226

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
BYK merged 1 commit into from
Dec 31, 2025
Merged

Qs security vulnerability fix #1226

BYK merged 1 commit into from
Dec 31, 2025

Conversation

@BYK
Copy link
Member

@BYK BYK commented Dec 31, 2025

Fix: Upgrade qs to 6.14.1 to address DoS vulnerability

This PR addresses a security vulnerability in the qs package where its arrayLimit bypass in bracket notation (a[]=1&a[]=2) allows Denial-of-Service (DoS) via memory exhaustion.

The qs package was a transitive dependency at version 6.14.0, which is vulnerable. Dependabot could not automatically update it to the patched version 6.14.1.

To mitigate this, qs has been explicitly added to the resolutions section in package.json (and overrides in pnpm-lock.yaml), forcing the installation of version 6.14.1 or higher.

Verification:

  • qs updated from 6.14.0 to 6.14.1.
  • Linting and build processes completed successfully.

Before opening this PR:

  • I added a Changeset Entry with pnpm changeset:add
  • I referenced issues that this PR addresses

Open in Cursor Open in Web

@cursoragent @BYK
Bump qs to 6.14.1
0589c16 
Co-authored-by: burak.kaya <[email protected]>
@cursor
Copy link

cursor bot commented Dec 31, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents

@BYK BYK deployed to Preview December 31, 2025 20:08 — with GitHub Actions Active
@vercel
Copy link

vercel bot commented Dec 31, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
spotlightjs Ready Ready Preview, Comment Dec 31, 2025 8:09pm

@BYK BYK marked this pull request as ready for review December 31, 2025 20:32
@BYK BYK merged commit 8363843 into main Dec 31, 2025
18 checks passed
@BYK BYK deleted the cursor/qs-security-vulnerability-fix-4480 branch December 31, 2025 20:32
This was referenced Jan 7, 2026
Merged
Merged
Merged
This was referenced Jan 12, 2026
Closed
Closed
This was referenced Jan 12, 2026
Merged
Merged
@sentry-release-bot sentry-release-bot bot mentioned this pull request Jan 12, 2026
Closed
4 tasks
@github-actions github-actions bot mentioned this pull request Jan 12, 2026
Merged
@sentry-release-bot sentry-release-bot bot mentioned this pull request Jan 13, 2026
Closed
4 tasks
@github-actions github-actions bot mentioned this pull request Jan 13, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BYK @cursoragent