fix: bump qs minimum to ^6.14.2 for CVE-2026-2391 (#7057)

qs versions before 6.14.2 have an arrayLimit bypass in comma parsing that allows denial of service (GHSA-w7fw-mjwx-w883). While the existing ^6.14.1 semver range allows 6.14.2 on fresh installs, bumping the minimum ensures the vulnerable version cannot be resolved. Signed-off-by: davetashner <5702882+davetashner@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 03:04:58 +00:00 · 2026-02-21 22:11:08 -05:00
parent 9c85a25c02
commit 925a1dff1e
1 changed files with 1 additions and 1 deletions
--- a/package.json
+++ b/package.json
@@ -52,7 +52,7 @@
    "once": "^1.4.0",
    "parseurl": "^1.3.3",
    "proxy-addr": "^2.0.7",
-    "qs": "^6.14.1",
+    "qs": "^6.14.2",
    "range-parser": "^1.2.1",
    "router": "^2.2.0",
    "send": "^1.1.0",