From 3b7e2ff796a52b09837e268c17151f10e2f01b2f Mon Sep 17 00:00:00 2001
From: EugeniyKiyashko
Date: Wed, 7 Jan 2026 15:25:45 +0400
Subject: [PATCH 1/2] fix(deps) sbom: qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion [security]
---
packages/sbom/package.json | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/sbom/package.json b/packages/sbom/package.json
index 15db10fccb4d..645d17e0677f 100644
--- a/packages/sbom/package.json
+++ b/packages/sbom/package.json
@@ -9,7 +9,8 @@
 "pnpm": {
 "overrides": {
 "body-parser@>=2.2.0 <2.2.1": ">=2.2.1",
- "jws@=4.0.0": ">=4.0.1"
+ "jws@=4.0.0": ">=4.0.1",
+ "qs": ">=6.14.1"
 }
 }
 }
From 0ada04b2e0a05cc2cb84ed8fef62502a5d749b97 Mon Sep 17 00:00:00 2001
From: alexlavrov <36633600+alexslavr@users.noreply.github.com>
Date: Wed, 7 Jan 2026 15:34:06 +0400
Subject: [PATCH 2/2] Update lockfile
---
packages/sbom/pnpm-lock.yaml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/packages/sbom/pnpm-lock.yaml b/packages/sbom/pnpm-lock.yaml
index 021b0ad2f1f3..1511e15e81d4 100644
--- a/packages/sbom/pnpm-lock.yaml
+++ b/packages/sbom/pnpm-lock.yaml
@@ -7,6 +7,7 @@ settings:
 overrides:
 body-parser@>=2.2.0 <2.2.1: '>=2.2.1'
 jws@=4.0.0: '>=4.0.1'
+ qs: '>=6.14.1'
 importers:
@@ -1061,8 +1062,8 @@ packages:
 pump@3.0.3:
 resolution: {integrity: sha512-todwxLMY7/heScKmntwQG8CXVkWUOdYxIvY2s0VWAAMh/nd8SoYiRaKjlr7+iCs984f2P8zvrfWcDDYVb73NfA==}
- qs@6.14.0:
- resolution: {integrity: sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==}
+ qs@6.14.1:
+ resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==}
 engines: {node: '>=0.6'}
 quick-lru@5.1.1:
@@ -1868,7 +1869,7 @@ snapshots:
 http-errors: 2.0.1
 iconv-lite: 0.7.0
 on-finished: 2.4.1
- qs: 6.14.0
+ qs: 6.14.1
 raw-body: 3.0.2
 type-is: 2.0.1
 transitivePeerDependencies:
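Review bot: The new override `"qs": ">=6.14.1"` in the package.json hunk is unscoped, while both sibling overrides restrict the replacement to the vulnerable range (`"body-parser@>=2.2.0 <2.2.1"`, `"jws@=4.0.0"`). An unscoped key rewrites every `qs` requirement in the dependency graph, so a future transitive dependency on an older, incompatible qs line would be silently forced onto 6.14.x rather than failing visibly. Scoping it the same way, `"qs@<6.14.1": ">=6.14.1"`, keeps the file's convention and limits the override to the versions the advisory in the subject affects. Whether any current dependency would be affected cannot be told from this hunk; the lockfile patch that follows only shows the single `qs@6.14.0` entry being moved to 6.14.1.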
@@ -2743,7 +2744,7 @@ snapshots:
 once: 1.4.0
 optional: true
- qs@6.14.0:
+ qs@6.14.1:
 dependencies:
 side-channel: 1.1.0
 optional: true