bump qs dev dependency#42

Open
erickhun wants to merge 2 commits into main from eric/inf-897

Conversation

@erickhun
Collaborator

@erickhun erickhun commented Mar 18, 2026

Summary by CodeRabbit

  • Chores
    • Patch version 0.6.1 released with dependency updates.

erickhun and others added 2 commits March 18, 2026 17:06
…NF-897

qs <= 6.14.1 does not enforce arrayLimit for comma-separated values
when comma: true is enabled, allowing denial-of-service via memory
exhaustion. Since express 4.x still pins qs 6.13.0, an npm override
is used to force the patched version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
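The override described in the commit only removes the risk if every resolved copy of qs in the lockfile actually moves to the patched release, including the nested copy express would otherwise pull in. The following is an added example, not code from this PR or from qs: it scans an npm lockfile v2/v3 `packages` map for qs installs below 6.14.2; `findVulnerableQs`, `compareSemver` and the sample lockfile are constructed for illustration.

```javascript
// Added example (not part of the PR): audit a package-lock.json "packages" map
// for any resolved copy of qs that is still older than the patched release.
const PATCHED_QS = '6.14.2'; // version the PR's npm override pins

// Compare two dotted version strings numerically (pre-release tags ignored).
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk every install path in the lockfile and return the qs copies below
// minVersion. Nested paths such as node_modules/express/node_modules/qs are
// exactly the case an override is meant to eliminate.
function findVulnerableQs(lockfile, minVersion = PATCHED_QS) {
  const packages = lockfile.packages || {};
  return Object.entries(packages)
    .filter(([path]) => path === 'node_modules/qs' || path.endsWith('/node_modules/qs'))
    .filter(([, meta]) => meta.version && compareSemver(meta.version, minVersion) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile: the hoisted qs received the override, but a
// nested copy under express still resolves to the version express 4.x pins.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/qs': { version: '6.14.2' },
    'node_modules/express': { dependencies: { qs: '6.13.0' } },
    'node_modules/express/node_modules/qs': { version: '6.13.0' },
  },
};

const sampleFindings = findVulnerableQs(SAMPLE_LOCK);
for (const f of sampleFindings) {
  console.log(`qs ${f.version} at ${f.path} is below ${PATCHED_QS}`);
}
console.log(sampleFindings.length === 0 ? 'lockfile clean' : `${sampleFindings.length} copy(ies) to fix`);
```

In a real project, replace `SAMPLE_LOCK` with the parsed `package-lock.json` and fail CI when the returned array is non-empty, so a future `npm install` that drops the override is caught.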
@erickhun erickhun requested a review from a team as a code owner March 18, 2026 09:10
@coderabbitai

coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 7dfb535 and 29025c2.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Walkthrough

The package version was updated from 0.6.0 to 0.6.1. A trailing comma was added after the prepublish script in package.json. An overrides section was introduced to pin the transitive dependency resolution for the qs package to version 6.14.2. These changes resulted in 5 lines added and 2 lines removed.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'bump qs dev dependency' accurately reflects the main change of pinning the qs transitive dependency to version 6.14.2 in the package.json overrides section.


@erickhun
Collaborator Author

hey @amooabeebadesina , can I just get an approval to unblock the merge? thanks!
