chore: bump qs 6.15.2

[tommasini]

Description

Bump qs 15.2

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Dependency-only patch with no app code changes; qs is a transitive query-string parser, so blast radius is limited to how dependents serialize/parse URLs.

Overview
Upgrades the qs query-string library from 6.14.1 to 6.15.2 across Yarn resolutions, direct package.json dependencies, and yarn.lock. No application source files change—only dependency pins and lockfile metadata (version, resolution checksum).

^{Reviewed by Cursor Bugbot for commit ea4207a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 775847c. Configure here.}

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeSwap, SmokeMoney, SmokeWalletPlatform
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 82%

click to see 🤖 AI reasoning details

E2E Test Selection:
The only change in this PR is a minor version bump of the qs (query string parsing) library from 6.14.1 to 6.15.2, updated in both the dependencies and resolutions sections of package.json.

Impact analysis:

• qs is used in exactly 2 places in the app code:
  1. app/core/DeeplinkManager/utils/extractURLParams.ts - parses deep link URL query parameters for all deep link flows (swap, buy/sell, WalletConnect, SDK connections)
  2. app/core/WalletConnect/wc-utils.ts - parses WalletConnect URI parameters

Why these tags:

• SmokeSwap: Deep links into swap flows use qs for URL parameter parsing (e.g., metamask://swap?... deep links)
• SmokeMoney: Deep links into buy/sell/ramps flows use qs for URL parameter parsing
• SmokeWalletPlatform: General wallet platform deep link handling and WalletConnect connections

Why not all tags:

• This is a minor version bump (6.14.x → 6.15.x) of a stable, well-established library with backward-compatible API
• The library is only used in 2 specific files, both related to URL/URI parsing
• No core wallet logic, controllers, or UI components are changed
• The risk is low - minor versions of qs are typically security patches or minor bug fixes

Performance tests: Not needed - this is a utility library change with no UI rendering, state management, or performance-critical path impact.

Performance Test Selection:
The qs library bump is a minor version update to a query string parsing utility. It has no impact on UI rendering performance, state management, data loading, or any performance-critical paths. No performance tests are needed.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud