From 398343a3ec666f6db4493308f2eaa05d00c2dfe2 Mon Sep 17 00:00:00 2001 From: Matthew Schile Date: Wed, 27 May 2026 13:03:07 -0600 Subject: [PATCH 1/2] fix(deps): bump qs to ^6.15.2 to address CVE-2026-8723 Bumps the qs range from ~6.14.1 to ^6.15.2 so resolution includes the fix for GHSA-q8mj-m7cp-5q26 (qs.stringify TypeError DoS with arrayFormat: "comma" + encodeValuesOnly: true on arrays containing null/undefined). The tilde range previously capped resolution at 6.14.x, which does not include the patched 6.15.2. Closes #106 --- package.json | 2 +- yarn.lock | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 1bf8ea78f..99fca743f 100644 --- a/package.json +++ b/package.json @@ -40,7 +40,7 @@ "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "performance-now": "^2.1.0", - "qs": "~6.14.1", + "qs": "^6.15.2", "safe-buffer": "^5.1.2", "tough-cookie": "^5.0.0", "tunnel-agent": "^0.6.0" diff --git a/yarn.lock b/yarn.lock index cc42761ee..1c39afcc7 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4914,13 +4914,20 @@ qjobs@^1.1.4: resolved "https://registry.yarnpkg.com/qjobs/-/qjobs-1.2.0.tgz#c45e9c61800bd087ef88d7e256423bdd49e5d071" integrity sha512-8YOJEHtxpySA3fFDyCRxA+UUV+fA+rTWnuWvylOK/NCjhY+b4ocCtmu8TtsWb+mYeU+GCHf/S66KZF/AsteKHg== -qs@^6.12.3, qs@~6.14.0, qs@~6.14.1: +qs@^6.12.3, qs@~6.14.0: version "6.14.1" resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.1.tgz#a41d85b9d3902f31d27861790506294881871159" integrity sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ== dependencies: side-channel "^1.1.0" +qs@^6.15.2: + version "6.15.2" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.15.2.tgz#fd55426d710403ddccc45e0f9eab16db7727ece9" + integrity sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw== + dependencies: + side-channel "^1.1.0" + qs@~6.5.2: version "6.5.3" resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.3.tgz#3aeeffc91967ef6e35c0e488ef46fb296ab76aad" From a7ed1bcfb96b29a684682c0b196449c766a670a8 Mon Sep 17 00:00:00 2001 From: Matthew Schile Date: Wed, 27 May 2026 13:19:13 -0600 Subject: [PATCH 2/2] fix(tests): allow hex characters in form-data boundary regex form-data@4.x generates multipart boundaries from `crypto.randomBytes`, which produces hex strings (0-9, a-f). The boundary assertions in test-form.js and test-form-data.js required digits only (`\d+`), so they failed almost any time the random hex contained a letter. Widen the class to `[0-9a-f]+`. --- tests/test-form-data.js | 2 +- tests/test-form.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test-form-data.js b/tests/test-form-data.js index 990562be5..a70e557ae 100644 --- a/tests/test-form-data.js +++ b/tests/test-form-data.js @@ -29,7 +29,7 @@ function runTest (t, options) { } } - t.ok(/multipart\/form-data; boundary=--------------------------\d+/ + t.ok(/multipart\/form-data; boundary=--------------------------[0-9a-f]+/ .test(req.headers['content-type'])) // temp workaround diff --git a/tests/test-form.js b/tests/test-form.js index 5f262f204..cd006ee7b 100644 --- a/tests/test-form.js +++ b/tests/test-form.js @@ -20,7 +20,7 @@ tape('multipart form append', function (t) { return } - t.ok(/multipart\/form-data; boundary=--------------------------\d+/ + t.ok(/multipart\/form-data; boundary=--------------------------[0-9a-f]+/ .test(req.headers['content-type'])) // temp workaround