Skip to content

fix(deps): resolve 3 qs Dependabot alerts (DoS)#692

Open
DeepDiver1975 wants to merge 2 commits into
masterfrom
fix/dependabot-alerts
Open

fix(deps): resolve 3 qs Dependabot alerts (DoS)#692
DeepDiver1975 wants to merge 2 commits into
masterfrom
fix/dependabot-alerts

Conversation

@DeepDiver1975

Copy link
Copy Markdown
Member

Description

Resolves all 3 open Dependabot alerts on owncloud/guests, all for the qs package (transitive, development scope).

qs is pulled in transitively via body-parser@1.20.3 -> qs "6.13.0" (karma's dev server dependency). It is pinned to an exact version by its only parent, so a plain upgrade cannot move it. Added a Yarn resolutions entry ("qs": "^6.15.2"); it now resolves to a single 6.15.3 copy, above all three advisory thresholds. 6.13.0 -> 6.15.3 is semver-compatible within the 6.x line, so body-parser keeps working.

Fixed

Alert Package Old → New Advisory Needs ≥
#70 qs 6.13.0 → 6.15.3 arrayLimit bypass in bracket notation → DoS via memory exhaustion (medium) 6.14.1
#74 qs 6.13.0 → 6.15.3 arrayLimit bypass in comma parsing → DoS (low) 6.14.2
#91 qs 6.13.0 → 6.15.3 qs.stringify crash on null/undefined in comma-format arrays with encodeValuesOnly → DoS (medium) 6.15.2

No fix available

None.

Motivation and Context

Three remotely-triggerable DoS advisories against the bundled qs. Bumping past 6.15.2 clears all three.

How Has This Been Tested?

  • yarn install — lockfile re-resolves cleanly; qs collapses to a single 6.15.3 block.
  • Verified qs loads at 6.15.3 and the previously-crashing comma-format / encodeValuesOnly path now handles null without throwing (the Misleading actions in Users panel #91 regression).
  • Verified body-parser resolves the single hoisted 6.15.3 copy — the resolution took effect and the only consumer still works.

Note: the full karma JS suite requires the guests app nested inside a built ownCloud core checkout (core/vendor), which isn't available in this environment. This change is lockfile-only; CI runs the full suite.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the code style of this project.
  • All new and existing tests passed.

🤖 Generated with Claude Code

qs is a transitive dependency (body-parser@1.20.3 -> qs "6.13.0"). Added a
Yarn resolution pinning qs to ^6.15.2; it now resolves to 6.15.3, above all
three advisory thresholds. body-parser continues to resolve the single
hoisted copy (semver-compatible within the 6.x line).

- qs 6.13.0 -> 6.15.3
  - #70 arrayLimit bypass in bracket notation -> DoS via memory exhaustion (needs >= 6.14.1)
  - #74 arrayLimit bypass in comma parsing -> DoS (needs >= 6.14.2)
  - #91 stringify crash on null/undefined in comma-format arrays with encodeValuesOnly (needs >= 6.15.2)

Verified: qs loads at 6.15.3, the previously-crashing comma/encodeValuesOnly
path now handles null without throwing, and body-parser resolves the single
6.15.3 copy. The full karma suite requires the app nested inside a built
ownCloud core checkout (unavailable here); this change is lockfile-only.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975
DeepDiver1975 requested a review from a team as a code owner July 15, 2026 21:54
phil-davis
phil-davis previously approved these changes Jul 16, 2026
Core PR #41649 adjusted the format of the trashbin original
location. So adjust the test expectation to match.

Signed-off-by: Phillip Davis <phil@jankaritech.com>
@phil-davis

Copy link
Copy Markdown
Contributor

There might be some change needed to explicitly whitelist the trashbin app.
I will have a look.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants