
Conversation

@EugeniyKiyashko (Contributor)

No description provided.

@EugeniyKiyashko EugeniyKiyashko self-assigned this Jan 7, 2026
@pharret31 pharret31 added the "dependencies" label (Pull requests that update a dependency file) Jan 7, 2026
@pharret31 pharret31 marked this pull request as ready for review January 7, 2026 12:13
Copilot AI review requested due to automatic review settings January 7, 2026 12:13
Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses a security vulnerability in the qs library by updating it from version 6.14.0 to 6.14.1. The vulnerability (CVE) involves a bypass of the arrayLimit setting in bracket notation that can lead to Denial of Service (DoS) through memory exhaustion.

Key Changes:

  • Added pnpm override to enforce qs >= 6.14.1 across all dependencies
  • Updated lockfile to reflect the qs version bump from 6.14.0 to 6.14.1

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File                          | Description
packages/sbom/package.json    | Added pnpm override for qs package to enforce minimum version 6.14.1
packages/sbom/pnpm-lock.yaml  | Updated all references to qs from 6.14.0 to 6.14.1 including package definitions, snapshots, and override settings

The changes look good and properly address the security vulnerability. All references to the qs package have been consistently updated throughout the lockfile, the override is correctly specified in both package.json and reflected in the lockfile settings, and the integrity hash has been updated appropriately. No issues were identified with this security update.

Files not reviewed (1)
  • packages/sbom/pnpm-lock.yaml: Language not supported
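The review above describes the fixed issue as bracket-notation input that bypasses the parser's arrayLimit and grows memory until the process fails. A defence-in-depth control that does not depend on the library's own limit is to count bracket members in the raw query string before anything is parsed. The following is an added example, not code from the DevExpress PR or from the qs library; MAX_ARRAY_MEMBERS and the sample query strings are constructed for illustration, and the guard is assumed to run in front of whatever query-string parser the application uses.

```javascript
// Added example (not part of the DevExpress PR or the qs library): a pre-parse
// guard that caps how many bracket-notation members a single top-level query
// parameter may carry, independent of the parser's own arrayLimit setting.
// MAX_ARRAY_MEMBERS is an assumed limit chosen for this example.
const MAX_ARRAY_MEMBERS = 20;

// Returns the top-level name of a key:
// "a[]" -> "a", "a[3]" -> "a", "filter[tags][]" -> "filter", "plain" -> "plain".
function topLevelName(key) {
  const i = key.indexOf('[');
  return i === -1 ? key : key.slice(0, i);
}

// Counts, per top-level parameter, how many bracket-notation members appear in
// the raw query string. URLSearchParams percent-decodes key names, so an
// encoded "a%5B%5D" is counted the same as a literal "a[]". Counting runs over
// the raw text before any array or object is materialised, so memory grows
// with the number of distinct parameter names, not with the number of members.
function bracketMemberCounts(query) {
  const counts = new Map();
  for (const [key] of new URLSearchParams(query)) {
    if (!key.includes('[')) continue;
    const name = topLevelName(key);
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return counts;
}

// Returns { ok, offenders }: ok is false when any parameter exceeds the cap,
// and offenders lists the parameter names that did, for logging or a 400 reply.
function checkArrayMembers(query, limit = MAX_ARRAY_MEMBERS) {
  const offenders = [];
  for (const [name, n] of bracketMemberCounts(query)) {
    if (n > limit) offenders.push(name);
  }
  return { ok: offenders.length === 0, offenders };
}

// Constructed sample inputs: a normal request and one that repeats "ids[]"
// 500 times, well past the cap.
const benignQuery = 'ids[]=1&ids[]=2&ids[]=3&sort=asc';
const oversizedQuery = Array.from({ length: 500 }, (_, i) => `ids[]=${i}`).join('&');

console.log(checkArrayMembers(benignQuery));    // { ok: true, offenders: [] }
console.log(checkArrayMembers(oversizedQuery)); // { ok: false, offenders: ['ids'] }
```

Run the guard on the raw query string before handing the request to the parser, and reject with a client error when ok is false. This does not replace the version bump; after the override is applied, confirm the resolved version with pnpm why qs (or pnpm ls qs) in packages/sbom so that every dependent path shows 6.14.1 rather than 6.14.0.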

@EugeniyKiyashko EugeniyKiyashko merged commit 3492647 into DevExpress:26_1 Jan 7, 2026
135 of 142 checks passed

Labels: 26_1; dependencies (Pull requests that update a dependency file)


3 participants