fix(deps): bump qs to ^6.15.2 (CVE-2026-8723) #107
Merged
Bumps the qs range from ~6.14.1 to ^6.15.2 so resolution includes the fix for GHSA-q8mj-m7cp-5q26 (qs.stringify TypeError DoS with arrayFormat: "comma" + encodeValuesOnly: true on arrays containing null/undefined). The tilde range previously capped resolution at 6.14.x, which does not include the patched 6.15.2. Closes #106
[email protected] generates multipart boundaries from `crypto.randomBytes`, which produces hex strings (0-9, a-f). The boundary assertions in test-form.js and test-form-data.js required digits only (`\d+`), so they failed almost any time the random hex contained a letter. Widen the class to `[0-9a-f]+`.
AtofStryker
approved these changes
May 28, 2026
Collaborator
🎉 This PR is included in version 4.0.1 🎉 The release is available on: Your semantic-release bot 📦🚀
Summary
Bumps the `qs` dependency range from `~6.14.1` to `^6.15.2` so it resolves to the patched 6.15.2 release. The tilde range previously capped resolution at 6.14.x, which does not include the fix for GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 (`qs.stringify` throws a `TypeError` when called with `arrayFormat: "comma"` and `encodeValuesOnly: true` on arrays containing `null`/`undefined`, enabling a remotely triggerable DoS). After this change `yarn.lock` resolves `qs@^6.15.2` to `6.15.2`. Closes #106
Additional fix: form-data boundary regex in tests
While verifying CI, the `test-form.js` and `test-form-data.js` boundary assertions were failing: `[email protected]` generates boundaries from `crypto.randomBytes`, producing hex strings (e.g. `--------------------------10a3756468ba6207f9c8a83e`). The `\d+` class only matches digits, so the assertion failed any time the random hex contained `a–f` (effectively almost always). The class is widened to `[0-9a-f]+`. This is unrelated to the `qs` bump — the breakage was pre-existing and surfaces here only because CI happened to re-run. Bundling the one-line fix to keep CI green for the `qs` change.
References
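The range arithmetic the description above relies on, as an added example that is not code from the PR, the request library or the qs project: a small implementation of npm's tilde and caret semantics for plain x.y.z versions (prerelease tags, hyphen ranges and x-ranges are not handled), applied to the ranges and the patched version the PR names. `auditRange` is a name of this example's own, not an npm or yarn API.

```javascript
// Added example (not from the PR or qs): does a dependency range admit the patched
// release? Implements npm's ~ and ^ semantics for plain x.y.z versions only.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [a1, a2, a3] = parseVersion(a);
  const [b1, b2, b3] = parseVersion(b);
  return a1 - b1 || a2 - b2 || a3 - b3;
}

// Exclusive upper bound of a ~ or ^ range, per npm's rules.
function upperBound(range) {
  const op = range[0];
  const [major, minor, patch] = parseVersion(range.slice(1));
  if (op === '~') return `${major}.${minor + 1}.0`;   // ~6.14.1 -> <6.15.0
  if (op === '^') {
    if (major > 0) return `${major + 1}.0.0`;         // ^6.15.2 -> <7.0.0
    if (minor > 0) return `0.${minor + 1}.0`;         // ^0.2.3  -> <0.3.0
    return `0.0.${patch + 1}`;                        // ^0.0.3  -> <0.0.4
  }
  throw new Error(`unsupported range operator: ${range}`);
}

// True if `version` lies in [lower bound, upperBound).
function satisfies(version, range) {
  return compareVersions(version, range.slice(1)) >= 0 &&
         compareVersions(version, upperBound(range)) < 0;
}

// Two questions to ask of a security bump (auditRange is this example's own name):
//  canResolveFixed: can the range resolve to the patched release at all?
//  floorIsFixed:    is every version the range admits >= the patched one?
//                   If not, a stale lockfile can still pin a vulnerable
//                   release, which is why the lockfile has to move as well.
function auditRange(range, patched) {
  return {
    canResolveFixed: satisfies(patched, range),
    floorIsFixed: compareVersions(range.slice(1), patched) >= 0,
  };
}
const PATCHED_QS = '6.15.2'; // first fixed qs release, per the PR
console.log(auditRange('~6.14.1', PATCHED_QS)); // { canResolveFixed: false, floorIsFixed: false }
console.log(auditRange('^6.14.1', PATCHED_QS)); // { canResolveFixed: true, floorIsFixed: false }
console.log(auditRange('^6.15.2', PATCHED_QS)); // { canResolveFixed: true, floorIsFixed: true }
```

The middle case is the one a reviewer should watch for: `^6.14.1` would let a fresh install pick up 6.15.2, but a lockfile written before the fix still pins 6.14.x, so bumping the floor and regenerating the lockfile together is what actually closes the gap.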
Note
Low Risk
Dependency-only security patch with small test regex updates; no application logic changes in the request library itself.
Overview
Bumps `qs` from `~6.14.1` to `^6.15.2` so installs resolve to 6.15.2, addressing CVE-2026-8723 (DoS via `qs.stringify` with certain `arrayFormat`/`encodeValuesOnly` options). The tilde range previously blocked picking up the patched release. `yarn.lock` is updated accordingly. Multipart tests in `test-form-data.js` and `test-form.js` now expect hex multipart boundaries (`[0-9a-f]+` instead of `\d+`), matching behavior from the upgraded dependency chain.
Reviewed by Cursor Bugbot for commit a7ed1bc.