Skip to content

[7.113.x] CRW-9819: Fix CVE-2025-15284 by updating qs to 6.14.1 #632

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sbouchet wants to merge 1 commit into
base: 7.113.x
Choose a base branch
from
Open

[7.113.x] CRW-9819: Fix CVE-2025-15284 by updating qs to 6.14.1 #632

sbouchet wants to merge 1 commit into from
+182 −103

Conversation

@sbouchet
Copy link
Collaborator

@sbouchet sbouchet commented Jan 15, 2026

What does this PR do?

What issues does this PR fix?

backport of #621

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

@sbouchet
Fix CVE-2025-15284 by updating qs to 6.14.1
257b66b 
CVE-2025-15284 is a high severity (CVSS 7.5) vulnerability in the qs
npm package that allows Denial of Service via memory exhaustion. The
arrayLimit option fails to enforce limits for bracket notation,
allowing attackers to crash servers with a single malicious request.

This fix adds [email protected] to package overrides in both build and test/mcp
configurations, and updates the corresponding package-lock.json files.

Affected locations:
- code/build: qs upgraded from 6.13.0 to 6.14.1
- code/test/mcp: qs upgraded from 6.14.0 to 6.14.1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

Signed-off-by: Stephane Bouchet <[email protected]>
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 15, 2026
edited by openshift-ci bot
Loading

@sbouchet: This pull request references CRW-9819 which is a valid jira issue.

Details

In response to this:

What does this PR do?

What issues does this PR fix?

backport of #621

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@github-actions
Copy link

github-actions bot commented Jan 15, 2026
edited by openshift-ci bot
Loading

Click here to review and test in web IDE: Contribute

@sbouchet sbouchet self-assigned this Jan 15, 2026
@sbouchet sbouchet moved this to Ready for Review in Eclipse Che Team C Backlog Jan 15, 2026
@github-actions
Copy link

github-actions bot commented Jan 15, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-632-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-632-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-632-dev-amd64

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@azatsarynnyy azatsarynnyy Awaiting requested review from azatsarynnyy azatsarynnyy is a code owner

@RomanNikitenko RomanNikitenko Awaiting requested review from RomanNikitenko RomanNikitenko is a code owner

@vitaliy-guliy vitaliy-guliy Awaiting requested review from vitaliy-guliy vitaliy-guliy is a code owner

Assignees

@sbouchet sbouchet

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sbouchet @openshift-ci-robot