From 925a1dff1e42f1b393c977b8b77757fcf633e09f Mon Sep 17 00:00:00 2001
From: Dave Tashner <5702882+davetashner@users.noreply.github.com>
Date: Sat, 21 Feb 2026 22:11:08 -0500
Subject: [PATCH] fix: bump qs minimum to ^6.14.2 for CVE-2026-2391 (#7057)

qs versions before 6.14.2 have an arrayLimit bypass in comma parsing
that allows denial of service (GHSA-w7fw-mjwx-w883).

While the existing ^6.14.1 semver range allows 6.14.2 on fresh
installs, bumping the minimum ensures the vulnerable version cannot
be resolved.

Signed-off-by: davetashner <5702882+davetashner@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index aa2afbcb..8c9efb56 100644
--- a/package.json
+++ b/package.json
@@ -52,7 +52,7 @@
     "once": "^1.4.0",
     "parseurl": "^1.3.3",
     "proxy-addr": "^2.0.7",
-    "qs": "^6.14.1",
+    "qs": "^6.14.2",
     "range-parser": "^1.2.1",
     "router": "^2.2.0",
     "send": "^1.1.0",