Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(dep): bump qs to v6.14.1#97

Merged
jennifer-shehane merged 3 commits into
cypress-io:masterfrom
hmaesta:master
Jan 5, 2026
Merged

fix(dep): bump qs to v6.14.1#97
jennifer-shehane merged 3 commits into
cypress-io:masterfrom
hmaesta:master

Conversation

@hmaesta

@hmaesta hmaesta commented Dec 30, 2025

Copy link
Copy Markdown

qs' versions before 6.14.1 have a high-level vulnerability:

PR Checklist:

  • I have run npm test locally and all tests are passing (Tests are not passing locally, to be honest)
  • I have added/updated tests for any new behavior. (No new behavior)
  • If this is a significant change, an issue has already been... (Not a significant change)

@cypress-app-bot

Copy link
Copy Markdown
Collaborator

@Yuvi-Luminos

Copy link
Copy Markdown

Thanks for patching! Following πŸ‘€

Comment thread package.json Outdated
@MikeMcC399

Copy link
Copy Markdown

@hmaesta

It's a known issue in this repo that tests fail, unfortunately.

I've re-opened #89 so that is more obvious.

@MikeMcC399

Copy link
Copy Markdown

Reported upstream in cypress-io/cypress#33180

@hmaesta

hmaesta commented Dec 31, 2025

Copy link
Copy Markdown
Author

@MikeMcC399 Is there anything else I can help with here?

(It's unclear to me if you're waiting for me before merging this one)

@MikeMcC399

Copy link
Copy Markdown

@hmaesta

@MikeMcC399 Is there anything else I can help with here?

(It's unclear to me if you're waiting for me before merging this one)

Sorry for any confusion! I'm only an external contributor to this repo and I do not have any privileges to approve your workflow or merge the PR. It appears that the Cypress.io team is shut down over the holidays, so I would be surprised if you get a response from them before next week.

@chadlwilson

Copy link
Copy Markdown

I wonder why this dependency was locked to a specific patch release in the first place - its not exactly normal practice?

@MikeMcC399

MikeMcC399 commented Jan 1, 2026

Copy link
Copy Markdown

@hmaesta

I wonder why this dependency was locked to a specific patch release in the first place - its not exactly normal practice?

That was due to a problem with qs@~6.10. 3 causing a deprecated version [email protected] to be used (see PR #44 for details). The version updates since then were done semi-automatically by Renovate and nobody thought to intervene and add back the ~. Now is an appropriate time to rectify that, as well as bumping the version so that existing installations also get updated.

@chadlwilson

Copy link
Copy Markdown

Cool, thanks @MikeMcC399 !

taearls added a commit to taearls/portfolio that referenced this pull request Jan 2, 2026
Address 2 high-severity vulnerabilities identified by npm audit:

1. CVE-2025-15284 (qs): DoS via arrayLimit bypass in bracket notation
   - Added npm overrides to force [email protected]
   - Upstream fix pending: cypress-io/request#97
   - Tracked in #145 for override removal once upstream releases

2. CVE-2025-66020 (valibot): ReDoS in EMOJI_REGEX
   - Updated react-router 7.9.4 β†’ 7.11.0
   - Updated @react-router/dev 7.9.4 β†’ 7.11.0
   - These updates pull in [email protected] (fixed version)

Both vulnerabilities affect dev dependencies only (Cypress and React Router dev tooling).

πŸ€– Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
taearls added a commit to taearls/portfolio that referenced this pull request Jan 2, 2026
#146)

## Summary

- Fix CVE-2025-15284 (qs DoS vulnerability) via npm override
- Fix CVE-2025-66020 (valibot ReDoS vulnerability) via react-router
update

## Vulnerabilities Addressed

| CVE | Package | Severity | Fix |
|-----|---------|----------|-----|
| CVE-2025-15284 | qs | High (7.5) | Override to 6.14.1 |
| CVE-2025-66020 | valibot | High | Update react-router to 7.11.0 |

## Changes

### qs (Dependabot #27)
- **Issue:** `arrayLimit` bypass allows DoS via memory exhaustion
- **Root cause:** `@cypress/[email protected]` pins `[email protected]`
- **Fix:** Added `overrides` in package.json to force `[email protected]`
- **Follow-up:** #145 tracks removal once upstream merges
cypress-io/request#97

### valibot
- **Issue:** ReDoS in `EMOJI_REGEX` validation
- **Root cause:** `@react-router/[email protected]` depends on `[email protected]`
- **Fix:** Updated `react-router` and `@react-router/dev` to `7.11.0`,
which depends on `valibot@^1.2.0`

## Verification

```
$ npm audit
found 0 vulnerabilities

$ npm ls qs valibot
β”œβ”€β”¬ @react-router/[email protected]
β”‚ └── [email protected]
└─┬ [email protected]
  └─┬ @cypress/[email protected]
    └── [email protected] overridden
```

## Test plan

- [x] `npm audit` returns 0 vulnerabilities
- [x] All 289 unit tests pass
- [x] ESLint checks pass
- [x] Prettier formatting checks pass
- [x] Build succeeds

πŸ€– Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated routing framework dependencies to the latest compatible
version.
* Enhanced dependency resolution configuration for improved package
compatibility.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: Claude Opus 4.5 <[email protected]>
@MikeMcC399

Copy link
Copy Markdown

@hmaesta

This repo uses semantic-release for releases, so the PR title and your commit should start with

fix(deps):

to trigger a release. The maintainers would probably be able to do this edit for you, but if you do it yourself upfront, that would make the PR better prepared.

chore(deps): that you have used does not trigger a release.

@Unifex Unifex left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If a threshold is needed, this LGTM also.

Good addition adding patch updates too. That should prevent this sort of thing going forward.

@MikeMcC399

Copy link
Copy Markdown

@Unifex

If a threshold is needed, this LGTM also.

Unless you have write privileges to the repo, external approvals don't have any effect. We're just waiting for the Cypress.io team to return from their holiday break and to pick up the issue. As mentioned above in #97 (comment), I also reported the issue in the main Cypress repo's issue list and I'm waiting for a response there as well.

macbre added a commit to Automattic/request-promise-native that referenced this pull request Jan 5, 2026
macbre added a commit to Automattic/request-promise-native that referenced this pull request Jan 5, 2026

@jennifer-shehane jennifer-shehane left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay here.

@jennifer-shehane jennifer-shehane changed the title bump qs to v6.14.1 fix(dep): bump qs to v6.14.1 Jan 5, 2026
@jennifer-shehane jennifer-shehane merged commit a5253c3 into cypress-io:master Jan 5, 2026
1 check passed
AtofStryker added a commit that referenced this pull request Jan 5, 2026
AtofStryker added a commit that referenced this pull request Jan 5, 2026
AtofStryker added a commit that referenced this pull request Jan 5, 2026
@cypress-app-bot

Copy link
Copy Markdown
Collaborator

πŸŽ‰ This PR is included in version 3.0.10 πŸŽ‰

The release is available on:

Your semantic-release bot πŸ“¦πŸš€

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants