Commit 8363843
Qs security vulnerability fix (#1226)
Fix: Upgrade `qs` to 6.14.1 to address DoS vulnerability
This PR addresses a security vulnerability in the `qs` package: an
`arrayLimit` bypass in bracket notation (`a[]=1&a[]=2`) allows
Denial-of-Service (DoS) via memory exhaustion.
The `qs` package was a transitive dependency at version `6.14.0`, which
is vulnerable. Dependabot could not automatically update it to the
patched version `6.14.1`.
To mitigate this, `qs` has been explicitly added to the `resolutions`
section in `package.json` (and `overrides` in `pnpm-lock.yaml`), forcing
the installation of version `6.14.1` or higher.
**Verification:**
- `qs` updated from 6.14.0 to 6.14.1.
- Linting and build processes completed successfully.
Co-authored-by: Cursor Agent <cursoragent@cursor.com>

1 parent 8986f33 commit 8363843
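The description above says the limit was bypassed for empty-bracket array keys. The following is an added example, not code from this PR or from the `qs` project: a deliberately simplified query-string array parser that models that failure mode (the ceiling is applied to indexed keys such as `a[0]` but skipped for `a[]` appends) beside a variant that applies one ceiling to both notations. The function names, the `RangeError` rejection and the default limit of 20 are assumptions chosen for the illustration, and the flood input is constructed inline.

```javascript
// Added example (not the qs package's code): a simplified model of the
// arrayLimit bypass described in the commit message. Names, the default
// limit and the reject-with-RangeError policy are assumptions.

const DEFAULT_ARRAY_LIMIT = 20; // assumption for the illustration

// Matches "name[]" or "name[<digits>]"; nested keys are out of scope here.
const ARRAY_KEY = /^([^\[\]]+)\[(\d*)\]$/;

// Split "a[]=1&b[2]=x" into decoded [key, value] pairs.
function splitPairs(query) {
  return query.split('&').filter(Boolean).map((part) => {
    const eq = part.indexOf('=');
    const rawKey = eq === -1 ? part : part.slice(0, eq);
    const rawVal = eq === -1 ? '' : part.slice(eq + 1);
    return [decodeURIComponent(rawKey), decodeURIComponent(rawVal)];
  });
}

// Shared loop. `limitEmptyBrackets` decides whether an "a[]=" append is
// checked against arrayLimit; indexed keys at or above the limit always reject.
function parseArrays(query, arrayLimit, limitEmptyBrackets) {
  const out = {};
  for (const [key, value] of splitPairs(query)) {
    const m = ARRAY_KEY.exec(key);
    if (!m) { out[key] = value; continue; }
    const [, name, index] = m;
    const arr = Array.isArray(out[name]) ? out[name] : (out[name] = []);
    if (index === '') {
      if (limitEmptyBrackets && arr.length >= arrayLimit) {
        throw new RangeError(`array "${name}" exceeds arrayLimit=${arrayLimit}`);
      }
      arr.push(value); // in the lax variant this append is unbounded
    } else {
      const i = Number(index);
      if (i >= arrayLimit) {
        throw new RangeError(`index ${i} on "${name}" exceeds arrayLimit=${arrayLimit}`);
      }
      arr[i] = value;
    }
  }
  return out;
}

// Vulnerable behaviour: the ceiling is skipped for "name[]" appends, so
// every extra pair adds one element and memory grows with request size.
function parseArraysLax(query, arrayLimit = DEFAULT_ARRAY_LIMIT) {
  return parseArrays(query, arrayLimit, false);
}

// Hardened behaviour: the same ceiling applies to both notations.
function parseArraysStrict(query, arrayLimit = DEFAULT_ARRAY_LIMIT) {
  return parseArrays(query, arrayLimit, true);
}

// Constructed hostile input: `count` repetitions of "name[]=<i>".
function buildArrayFlood(name, count) {
  return Array.from({ length: count }, (_, i) => `${name}[]=${i}`).join('&');
}

// Number of elements the lax parser accepts for a flood of `count` pairs.
function laxAcceptedCount(count) {
  return parseArraysLax(buildArrayFlood('a', count)).a.length;
}

// True when the strict parser rejects the same flood with a RangeError.
function strictRejects(count) {
  try {
    parseArraysStrict(buildArrayFlood('a', count));
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('lax accepted:', laxAcceptedCount(10000));
  console.log('strict rejects:', strictRejects(10000));
  console.log(parseArraysStrict('a[]=1&a[]=2&b[0]=x&c=plain'));
}
```

The point of the contrast is that a limit is only a limit if every code path that grows the array consults it; the lax variant keeps the `arrayLimit` setting and still lets a single request allocate one element per `a[]=` pair.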
2 files changed: +8 / -6 lines

Diff (file not named; changed lines are not rendered on this page): lines 37-39 unchanged, line 40 removed, lines 40-41 added, lines 42-44 unchanged. Some generated files are not rendered by default.
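Review bot: the hunk body is not rendered here, only its line map (one line removed at 40, two added at 40-41 in an unnamed file), and the second changed file is hidden as a generated file, so neither the `resolutions`/`overrides` entry nor the resolved `qs` version can be checked from this page. The verification list in the description should carry the evidence instead: the output of `pnpm why qs` showing that every path in the tree resolves to 6.14.1 and nothing still pins 6.14.0, and a statement that pnpm-lock.yaml was regenerated by the package manager rather than edited by hand.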