fix(deps): qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion [security] #32099
Conversation
…via memory exhaustion [security]
There was a problem hiding this comment.
Pull request overview
This PR addresses a security vulnerability in the qs library (CVE related to DoS via memory exhaustion through bracket notation bypass of arrayLimit) by upgrading all instances to version 6.14.1.
Key Changes:
- Added pnpm override to enforce minimum version of
[email protected] - Updated all transitive dependencies using
qs(6.13.0, 6.14.0, and 6.5.3) to the secure version 6.14.1
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Added pnpm override to enforce minimum qs version of 6.14.1 for security |
| pnpm-lock.yaml | Updated all qs package resolutions and snapshots from versions 6.5.3, 6.13.0, and 6.14.0 to 6.14.1 across all transitive dependencies |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| "axios@<1.8.2": "^1.13.2", | ||
| "braces@<3.0.3": "^3.0.3", | ||
| "semver@<5.7.2": "^5.7.2", | ||
| "qs": ">=6.14.1", |
There was a problem hiding this comment.
The override pattern for qs is inconsistent with other security overrides in this file. Other security-related overrides use range-based patterns (e.g., axios@<1.8.2, braces@<3.0.3) to target vulnerable versions specifically, while this override uses a bare package name without a vulnerable version range. This means it will force ALL versions of qs to be upgraded, even if they're already at safe versions, which is more aggressive than necessary.
Consider using a pattern like qs@<6.14.1: ">=6.14.1" to match the convention used by other overrides in this file. This would only affect vulnerable versions while being more explicit about which versions are being replaced.
| "qs": ">=6.14.1", | |
| "qs@<6.14.1": ">=6.14.1", |
2 participants
No description provided.