@rocketstack-matt rocketstack-matt commented Jan 6, 2026

Resolves https://github.com/finos/architecture-as-code/security/dependabot/128

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🎨 Code style/formatting changes
  • ♻️ Refactoring (no functional changes)
  • ⚡ Performance improvements
  • ✅ Test additions or updates
  • 🔧 Chore (maintenance, dependencies, CI, etc.)

Affected Components

  • CLI (cli/)
  • Shared (shared/)
  • CALM Widgets (calm-widgets/)
  • CALM Hub (calm-hub/)
  • CALM Hub UI (calm-hub-ui/)
  • Documentation (docs/)
  • VS Code Extension (calm-plugins/vscode/)
  • Dependencies
  • CI/CD

Commit Message Format ✅

Testing

  • I have tested my changes locally
  • I have added/updated unit tests
  • All existing tests pass

Checklist

  • My commits follow the conventional commit format
  • I have updated documentation if necessary
  • I have added tests for my changes (if applicable)
  • My changes follow the project's coding standards

Copilot AI review requested due to automatic review settings January 6, 2026 17:53
@rocketstack-matt rocketstack-matt requested a review from a team as a code owner January 6, 2026 17:53
@github-actions github-actions bot added the config label Jan 6, 2026

Copilot AI left a comment

Pull request overview

This PR adds a dependency override for the qs package to version 6.14.1 to address security vulnerability CVE-2025-15284. The qs library is used as a transitive dependency through body-parser and express packages.

Key Changes:

  • Added qs version override to ^6.14.1 in the root package.json overrides section

@rocketstack-matt rocketstack-matt force-pushed the fix/cve-2025-15284-qs-vulnerability branch from 88b15e3 to 8bad94b Compare January 7, 2026 11:00
@rocketstack-matt rocketstack-matt force-pushed the fix/cve-2025-15284-qs-vulnerability branch from 8bad94b to e8cc5f8 Compare January 7, 2026 11:16
@markscott-ms markscott-ms merged commit c1fc6b9 into finos:main Jan 7, 2026
13 checks passed
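
An override like the one described in the review above only helps if every resolved copy of `qs` in the lockfile actually moves to the patched version, including copies nested under `body-parser` or `express`. The following is an added example, not code from this PR or the project; it assumes an npm `package-lock.json` with lockfileVersion 2 or 3, and the function names and sample lockfile contents are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for copies of qs older than the floor set by the override.
const MIN_QS = '6.14.1';

// Compare x.y.z versions numerically; prerelease/build tags are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` below `min`, including copies nested
// under another package's node_modules, where a stale transitive pin hides.
function findOutdated(lock, name, min) {
  const suffix = 'node_modules/' + name;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isMatch = path === suffix || path.endsWith('/' + suffix);
    if (!isMatch || !meta.version) continue;
    if (compareVersions(meta.version, min) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfiles (not taken from the repository).
const beforeOverride = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-root' },
    'node_modules/qs': { version: '6.13.0' },
    'node_modules/body-parser/node_modules/qs': { version: '6.9.7' },
    'node_modules/@constructed/qs': { version: '1.0.0' }, // different package
  },
};
const afterOverride = {
  lockfileVersion: 3,
  packages: { 'node_modules/qs': { version: '6.14.1' } },
};

console.log(findOutdated(beforeOverride, 'qs', MIN_QS)); // two stale copies
console.log(findOutdated(afterOverride, 'qs', MIN_QS));  // none
```

For a real check, pass the parsed contents of the repository's `package-lock.json` as `lock` and fail the build when the returned list is non-empty.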