
fix(deps): bump qs from 6.15.0 to 6.15.2 to resolve GHSA-q8mj-m7cp-5q26 #1650

Merged
bindsi merged 1 commit into main from fix/qs-audit-ghsa-q8mj-m7cp-5q26-issue-1649 on May 26, 2026

Conversation

@WilliamBerryiii
Member

Description

Resolves the moderate-severity advisory GHSA-q8mj-m7cp-5q26 against the transitive qs dependency by bumping the lockfile entry from 6.15.0 → 6.15.2.

  • qs is not a direct dependency of this repository — it is pulled in indirectly via @vscode/vsce@3.9.1 → typed-rest-client@1.8.11 → qs. As a result, package.json is intentionally untouched and the change is lockfile-only.
  • Alongside the targeted qs bump, npm install reconciled six stale "peer": true markers on @cspell/dict-* and one cspell linker entry. These are pure lockfile-metadata adjustments — no version, integrity hash, resolved URL, or dependency-tree change accompanies them.

The diff is small and contained: 1 file changed, 7 insertions, 13 deletions. No source, agent, prompt, instruction, skill, workflow, or documentation content is modified.

Related Issue(s)

Closes #1649

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Testing

Agent-run validations:

  • npm run lint:md passed (211 files, 0 errors).
  • npm run lint:frontmatter passed (540 files, 0 errors).
  • npm run validate:skills — exits 1 due to a pre-existing warning on .github/skills/experimental/customer-card-render/templates/ (unrecognized subdirectory). Unrelated to this lockfile-only diff.
  • npm run lint:md-links and npm run lint:ps could not run cleanly in the local sandbox (network-restricted external URL checks and PSGallery install). CI is the source of truth and will run the full lint:all suite on this PR.
  • Transitive dependency confirmed via npm ls qs — resolved chain is hve-core → @vscode/vsce@3.9.1 → typed-rest-client@1.8.11 → qs@6.15.2. No other dependents on qs exist in the tree.
  • Diff inspection — git diff --stat origin/main confirms only package-lock.json changed. Lockfile review shows the qs entry's resolved URL and integrity hash updated alongside the version bump; remaining hunks remove "peer": true flags on a handful of @cspell/dict-* entries that npm install normalized.
  • audit-ci.json requires no edit — the bump itself remediates the advisory; no allowlist entry was added.

Security analysis summary: This PR is itself the remediation for a published moderate-severity advisory; the new qs version (6.15.2) is the upstream fixed release. No source code, scripts, or configuration outside the lockfile changed, so there is no expanded attack surface and no secrets are introduced.

Note

Manual testing was not performed. CI (including the pip-audit, lint:all, and dependency-pinning workflows) is the source of truth for end-to-end validation and will run on this PR.

Checklist

Required Checks

  • Documentation is updated (if applicable) (N/A — lockfile-only patch, no docs surface affected)
  • Files follow existing naming conventions
  • Changes are backwards compatible (if applicable)
  • Tests added for new functionality (if applicable) (N/A — advisory remediation; no new functionality)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution (N/A — no AI artifact changes)
  • Addressed all feedback from prompt-builder review (N/A — no AI artifact changes)
  • Verified contribution follows common standards and type-specific requirements (N/A — no AI artifact changes)

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check (N/A — lockfile-only diff contains no prose)
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate (N/A — no agent/skill/prompt/instructions metadata changed; plugin output is unaffected)
  • Docusaurus tests: npm run docs:test (N/A — no docs/ changes)

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues
  • Security-related scripts follow the principle of least privilege (N/A — no security scripts modified)

Additional Notes

Files changed (1 file, 7 insertions, 13 deletions):

  • package-lock.json: qs bumped 6.15.0 → 6.15.2 (resolved URL, integrity hash, and version updated); incidental removal of "peer": true markers from six @cspell/dict-* and one cspell linker lockfile entries.

Advisory disposition:

Package   Advisory              Severity   Disposition   Mechanism
qs        GHSA-q8mj-m7cp-5q26   Moderate   Resolved      Lockfile upgraded to qs@6.15.2 (the upstream fixed release)

Dependency chain: hve-core → @vscode/vsce@3.9.1 → typed-rest-client@1.8.11 → qs@6.15.2
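npm ls needs an installed node_modules tree to walk; the file that actually changed in this PR is package-lock.json, and a lockfile can carry several physical copies of one package (node_modules/qs, node_modules/<lib>/node_modules/qs, ...), each of which npm audit flags separately. The Python below is an added example, not code from this repository or from the PR author: it reads a lockfile's "packages" map offline, lists every installed copy of a package with its version against the fixed release, and works out which packages resolve to each copy using Node's nearest-node_modules rule. The embedded lockfile is constructed for the example: it mirrors the chain named in the PR and adds a hypothetical "legacy-tool" package with its own nested, still-vulnerable qs copy, which is the case a top-level bump alone leaves behind. All function and constant names are the example's own.

```python
"""Audit every installed copy of a package in an npm lockfile (lockfileVersion 2 or 3).

A lockfile can hold several physical copies of one package and npm audit flags each
of them, so a remediation is only complete when every copy is at or above the fixed
release. This reads the "packages" map directly and runs offline against the file.
"""
import json
from typing import Dict, List, Tuple

FIXED_VERSION = "6.15.2"  # upstream fixed release for GHSA-q8mj-m7cp-5q26, as named in the PR

# Constructed sample, not the repository's real lockfile. It mirrors the chain from
# the PR (hve-core -> @vscode/vsce -> typed-rest-client -> qs) and adds a hypothetical
# "legacy-tool" package that pins its own nested, still-vulnerable copy of qs.
SAMPLE_LOCKFILE = json.dumps({
    "name": "hve-core",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "hve-core",
             "devDependencies": {"@vscode/vsce": "^3.9.1", "legacy-tool": "^1.0.0"}},
        "node_modules/@vscode/vsce": {"version": "3.9.1", "dev": True,
                                      "dependencies": {"typed-rest-client": "^1.8.11"}},
        "node_modules/typed-rest-client": {"version": "1.8.11", "dev": True,
                                           "dependencies": {"qs": "^6.9.1"}},
        "node_modules/qs": {"version": "6.15.2", "dev": True,
                            "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz"},
        "node_modules/legacy-tool": {"version": "1.0.0", "dev": True,
                                     "dependencies": {"qs": "6.15.0"}},
        "node_modules/legacy-tool/node_modules/qs": {"version": "6.15.0", "dev": True},
    },
})

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric core of a semver string; prerelease and build metadata are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def package_name(path: str, entry: Dict) -> str:
    """Name of the package installed at a lockfile path ("" is the root project)."""
    if path == "":
        return entry.get("name", "<root>")
    return path.rsplit("node_modules/", 1)[-1]


def find_copies(packages: Dict[str, Dict], pkg: str) -> List[Tuple[str, str]]:
    """Every (path, version) at which pkg is physically installed."""
    suffix = "node_modules/" + pkg
    return [(path, entry.get("version", "0.0.0"))
            for path, entry in packages.items()
            if path == suffix or path.endswith("/" + suffix)]


def nearest_copy(packages: Dict[str, Dict], requirer: str, pkg: str) -> str:
    """Path a requirer resolves pkg to: the closest node_modules/<pkg> at or above it
    (Node's resolution rule, so a nested copy shadows the hoisted one). "" if none."""
    probe = requirer
    while True:
        candidate = (probe + "/node_modules/" + pkg) if probe else "node_modules/" + pkg
        if candidate in packages:
            return candidate
        if probe == "":
            return ""
        probe = probe.rsplit("/node_modules/", 1)[0] if "/node_modules/" in probe else ""


def dependents_of_copy(packages: Dict[str, Dict], pkg: str, copy_path: str) -> List[str]:
    """Packages that declare pkg and actually resolve it to the copy at copy_path."""
    return [package_name(path, entry)
            for path, entry in packages.items()
            if any(pkg in entry.get(field, {}) for field in DEP_FIELDS)
            and nearest_copy(packages, path, pkg) == copy_path]


def audit(lock_text: str, pkg: str, fixed: str) -> List[Dict]:
    """One record per installed copy: where it is, its version, whether it meets the
    fixed release, and which packages use it."""
    packages = json.loads(lock_text)["packages"]
    floor = parse_version(fixed)
    return [{"path": path,
             "version": version,
             "patched": parse_version(version) >= floor,
             "used_by": dependents_of_copy(packages, pkg, path)}
            for path, version in find_copies(packages, pkg)]


def vulnerable_copies(lock_text: str, pkg: str, fixed: str) -> List[str]:
    """Paths still below the fixed release; an empty list means the advisory is closed."""
    return [rec["path"] for rec in audit(lock_text, pkg, fixed) if not rec["patched"]]


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOCKFILE, "qs", FIXED_VERSION):
        status = "ok" if rec["patched"] else "VULNERABLE"
        print(f"{status:10} {rec['path']} @ {rec['version']}  used by: {', '.join(rec['used_by'])}")
```

Against a real checkout, `vulnerable_copies(open("package-lock.json").read(), "qs", "6.15.2")` is the check to pair with npm ls: a non-empty result means a nested copy survived the top-level bump and needs its parent package upgraded or an npm "overrides" entry, and a "used_by" list that is empty for a copy points at a lockfile entry nothing resolves to any more.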

@WilliamBerryiii requested a review from a team as a code owner, May 24, 2026 20:15
@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package   Version   Score
npm/qs    6.15.2    🟢 5.3

Details

Check                 Score    Reason
Code-Review           ⚠️ 1     Found 5/30 approved changesets -- score normalized to 1
Dangerous-Workflow    🟢 10    no dangerous workflow patterns detected
Security-Policy       🟢 10    security policy file detected
Packaging             ⚠️ -1    packaging workflow not detected
Binary-Artifacts      🟢 10    no binaries found in the repo
Maintained            🟢 10    13 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions     ⚠️ 0     detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies   ⚠️ 0     dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices    🟢 5     badge detected: Passing
Fuzzing               ⚠️ 0     project is not fuzzed
License               🟢 10    license file detected
Signed-Releases       ⚠️ -1    no releases found
Branch-Protection     ⚠️ -1    internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST                  ⚠️ 0     SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • package-lock.json

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.49%. Comparing base (1102901) to head (89a79fd).

Additional details and impacted files


@@            Coverage Diff             @@
##             main    #1650      +/-   ##
==========================================
- Coverage   85.50%   85.49%   -0.01%     
==========================================
  Files          82       82              
  Lines       11805    11805              
==========================================
- Hits        10094    10093       -1     
- Misses       1711     1712       +1     
Flag     Coverage   Δ
pester   83.65%     <ø> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown.
see 1 file with indirect coverage changes


@bindsi merged commit 6665e95 into main, May 26, 2026
56 checks passed


Development

Successfully merging this pull request may close these issues.

npm-audit job failing on qs DoS advisory (GHSA-q8mj-m7cp-5q26)

5 participants