fix(deps): resolve 3 qs Dependabot alerts (DoS)#692
Open
DeepDiver1975 wants to merge 2 commits into
Open
Conversation
qs is a transitive dependency (body-parser@1.20.3 -> qs "6.13.0"). Added a Yarn resolution pinning qs to ^6.15.2; it now resolves to 6.15.3, above all three advisory thresholds. body-parser continues to resolve the single hoisted copy (semver-compatible within the 6.x line). - qs 6.13.0 -> 6.15.3 - #70 arrayLimit bypass in bracket notation -> DoS via memory exhaustion (needs >= 6.14.1) - #74 arrayLimit bypass in comma parsing -> DoS (needs >= 6.14.2) - #91 stringify crash on null/undefined in comma-format arrays with encodeValuesOnly (needs >= 6.15.2) Verified: qs loads at 6.15.3, the previously-crashing comma/encodeValuesOnly path now handles null without throwing, and body-parser resolves the single 6.15.3 copy. The full karma suite requires the app nested inside a built ownCloud core checkout (unavailable here); this change is lockfile-only. Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
phil-davis
previously approved these changes
Jul 16, 2026
Core PR #41649 adjusted the format of the trashbin original location. So adjust the test expectation to match. Signed-off-by: Phillip Davis <phil@jankaritech.com>
Contributor
|
There might be some change needed to explicitly whitelist the trashbin app. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Resolves all 3 open Dependabot alerts on
owncloud/guests, all for theqspackage (transitive,developmentscope).qsis pulled in transitively viabody-parser@1.20.3 -> qs "6.13.0"(karma's dev server dependency). It is pinned to an exact version by its only parent, so a plain upgrade cannot move it. Added a Yarnresolutionsentry ("qs": "^6.15.2"); it now resolves to a single 6.15.3 copy, above all three advisory thresholds.6.13.0 -> 6.15.3is semver-compatible within the 6.x line, sobody-parserkeeps working.Fixed
qs.stringifycrash on null/undefined in comma-format arrays withencodeValuesOnly→ DoS (medium)No fix available
None.
Motivation and Context
Three remotely-triggerable DoS advisories against the bundled
qs. Bumping past 6.15.2 clears all three.How Has This Been Tested?
yarn install— lockfile re-resolves cleanly;qscollapses to a single6.15.3block.qsloads at 6.15.3 and the previously-crashing comma-format /encodeValuesOnlypath now handlesnullwithout throwing (the Misleading actions in Users panel #91 regression).body-parserresolves the single hoisted 6.15.3 copy — the resolution took effect and the only consumer still works.Note: the full karma JS suite requires the guests app nested inside a built ownCloud core checkout (
core/vendor), which isn't available in this environment. This change is lockfile-only; CI runs the full suite.Types of changes
Checklist:
🤖 Generated with Claude Code