fix(dep): bump qs to v6.14.1 #97
Thanks for patching! Following 👀
Co-authored-by: Mike McCready <66998419+MikeMcC399@users.noreply.github.com>
Reported upstream in cypress-io/cypress#33180
@MikeMcC399 Is there anything else I can help with here? (It's unclear to me if you're waiting for me before merging this one)
Sorry for any confusion! I'm only an external contributor to this repo and I do not have any privileges to approve your workflow or merge the PR. It appears that the Cypress.io team is shut down over the holidays, so I would be surprised if you get a response from them before next week.
I wonder why this dependency was locked to a specific patch release in the first place - it's not exactly normal practice?
That was due to a problem with
Cool, thanks @MikeMcC399!
Address 2 high-severity vulnerabilities identified by npm audit:

1. CVE-2025-15284 (qs): DoS via arrayLimit bypass in bracket notation
   - Added npm overrides to force qs@6.14.1
   - Upstream fix pending: cypress-io/request#97
   - Tracked in #145 for override removal once upstream releases
2. CVE-2025-66020 (valibot): ReDoS in EMOJI_REGEX
   - Updated react-router 7.9.4 → 7.11.0
   - Updated @react-router/dev 7.9.4 → 7.11.0
   - These updates pull in valibot@1.2.0 (fixed version)

Both vulnerabilities affect dev dependencies only (Cypress and React Router dev tooling).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
#146)

## Summary
- Fix CVE-2025-15284 (qs DoS vulnerability) via npm override
- Fix CVE-2025-66020 (valibot ReDoS vulnerability) via react-router update

## Vulnerabilities Addressed

| CVE | Package | Severity | Fix |
|-----|---------|----------|-----|
| CVE-2025-15284 | qs | High (7.5) | Override to 6.14.1 |
| CVE-2025-66020 | valibot | High | Update react-router to 7.11.0 |

## Changes

### qs (Dependabot #27)
- **Issue:** `arrayLimit` bypass allows DoS via memory exhaustion
- **Root cause:** `@cypress/request@3.0.9` pins `qs@6.14.0`
- **Fix:** Added `overrides` in package.json to force `qs@6.14.1`
- **Follow-up:** #145 tracks removal once upstream merges cypress-io/request#97

### valibot
- **Issue:** ReDoS in `EMOJI_REGEX` validation
- **Root cause:** `@react-router/dev@7.9.4` depends on `valibot@1.1.0`
- **Fix:** Updated `react-router` and `@react-router/dev` to `7.11.0`, which depends on `valibot@^1.2.0`

## Verification

```
$ npm audit
found 0 vulnerabilities

$ npm ls qs valibot
├─┬ @react-router/dev@7.11.0
│ └── valibot@1.2.0
└─┬ cypress@15.8.1
  └─┬ @cypress/request@3.0.9
    └── qs@6.14.1 overridden
```

## Test plan
- [x] `npm audit` returns 0 vulnerabilities
- [x] All 289 unit tests pass
- [x] ESLint checks pass
- [x] Prettier formatting checks pass
- [x] Build succeeds

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit
* **Chores**
  * Updated routing framework dependencies to the latest compatible version.
  * Enhanced dependency resolution configuration for improved package compatibility.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
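The `npm ls qs` check above is the part of this fix a reviewer most wants automated: an `overrides` entry only helps if every copy of `qs` in the tree actually resolved to 6.14.1 or later. The script below is an added example, not code from this PR or from cypress-io/request; it walks the JSON that `npm ls qs --json` emits and lists any `qs` still below the fixed version. The sample trees are constructed to mirror the pinned `cypress > @cypress/request > qs` chain, and the `overridden` flag follows what recent npm versions print, which is an assumption here.

```javascript
// Added example: verify an npm override reached every qs install in the tree.
// Feed it the parsed output of `npm ls qs --json`; sample trees are constructed below.
const MIN_QS = "6.14.1";

// Minimal semver compare on the x.y.z core (prerelease tags ignored); returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect every dependency node named `pkg`, with its resolved version and path.
function findPackage(node, pkg, path = [], out = []) {
  const deps = node.dependencies || {};
  for (const [name, child] of Object.entries(deps)) {
    const here = [...path, `${name}@${child.version}`];
    if (name === pkg) {
      // `overridden` is the flag npm prints for packages replaced by an override (assumed name).
      out.push({ path: here.join(" > "), version: child.version, overridden: !!child.overridden });
    }
    findPackage(child, pkg, here, out);
  }
  return out;
}

// Every qs install still below MIN_QS; an empty list means the override took effect everywhere.
function vulnerableQs(tree) {
  return findPackage(tree, "qs").filter(e => compareSemver(e.version, MIN_QS) < 0);
}

// Constructed samples: the same chain before and after adding the package.json override.
const beforeOverride = { name: "app", version: "1.0.0", dependencies: {
  cypress: { version: "15.8.1", dependencies: {
    "@cypress/request": { version: "3.0.9", dependencies: { qs: { version: "6.14.0" } } } } } } };
const afterOverride = { name: "app", version: "1.0.0", dependencies: {
  cypress: { version: "15.8.1", dependencies: {
    "@cypress/request": { version: "3.0.9", dependencies: { qs: { version: "6.14.1", overridden: true } } } } } } };

console.log(vulnerableQs(beforeOverride)); // one entry: cypress@15.8.1 > @cypress/request@3.0.9 > qs@6.14.0
console.log(vulnerableQs(afterOverride));  // []
```

Run it against real output with `node -e` after piping `npm ls qs --json` into a file, or wire `vulnerableQs` into CI so the override's removal (tracked in #145) cannot silently reintroduce an old `qs`.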
This repo uses
to trigger a release. The maintainers would probably be able to do this edit for you, but if you do it yourself upfront, that would make the PR better prepared.
Unifex left a comment:
If a threshold is needed, this LGTM also.
Good addition adding patch updates too. That should prevent this sort of thing going forward.
Unless you have write privileges to the repo, external approvals don't have any effect. We're just waiting for the Cypress.io team to return from their holiday break and to pick up the issue. As mentioned above in #97 (comment), I also reported the issue in the main Cypress repo's issue list and I'm waiting for a response there as well.
Use the "override" field in the package.json file. Fixes https://github.com/Automattic/request-promise-native/security/dependabot/10 / see cypress-io/request#97
jennifer-shehane left a comment:
Sorry for the delay here.
🎉 This PR is included in version 3.0.10 🎉 The release is available on: Your semantic-release bot 📦🚀
qs' versions before 6.14.1 have a high-level vulnerability:
PR Checklist:
- I have run `npm test` locally and all tests are passing (Tests are not passing locally, to be honest)
- I have added/updated tests for any new behavior. (No new behavior)
- If this is a significant change, an issue has already been... (Not a significant change)