Bump qs to 6.14.1 and body-parser to 2.2.2 #1423

smokhov · 2026-01-10T06:37:59Z

body-parser (and express, but that will be released later) have a transitive dep on qs
qs 6.14.0 was found vulnerable to qs's arrayLimit bypass in its bracket notation allowing DoS via memory exhaustion (CVE-2025-15284)

@w666 -- please review and merge and I guess 1.6.3 is in order?

Bumps the npm_and_yarn group with 1 update in the / directory: [js-yaml](https://github.com/nodeca/js-yaml). Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `js-yaml` from 3.14.1 to 3.14.2 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: js-yaml dependency-version: 3.14.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>

w666 · 2026-01-10T18:43:07Z

1.6.3 has been released.

dependabot bot and others added 3 commits November 20, 2025 13:42

Merge remote-tracking branch 'origin' into deps

fe6ed92

Bump qs to 6.14.1 and body-parser to 2.2.2

8e6eba9

w666 approved these changes Jan 10, 2026

View reviewed changes

w666 merged commit 5649e8f into vpulim:master Jan 10, 2026
3 checks passed

Provide feedback