
chore: upgrade qs to 6.14.1#10389

Merged

zkochan merged 1 commit into main from gluxon/qs on Dec 31, 2025

Conversation

@gluxon

@gluxon gluxon commented Dec 31, 2025

Member

Updating qs to address a security advisory: GHSA-6rw7-vpxm-498p

Comment thread pnpm-lock.yaml
path-to-regexp@<0.1.12: ^0.1.12
path-to-regexp@>=4.0.0 <6.3.0: '>=6.3.0'
path-to-regexp@>=7.0.0 <8.0.0: '>=8.0.0'
postman-request>qs: ^6.14.1
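Review bot: `postman-request>qs: ^6.14.1` replaces whatever range the fork declares for qs, so pnpm hands postman-request a 6.14.x it never claimed support for; the thread's point that the fork's tilde spec is not load-bearing is plausible, but it should be backed by a post-install check that no qs older than 6.14.1 remains resolved in the lockfile (`pnpm why qs` is enough) and by the existing tests that exercise postman-request, rather than by the override alone.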

@gluxon gluxon Dec 31, 2025

Member Author


The postman-request and @cypress/request packages are both forks of request, which has used tilde specs for its dependencies. I looked through git blame and it's used tilde dependencies for most of its dependencies for many years. I don't think postman-request or @cypress/request actually need the specific version of qs it's looking for.
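The tilde-range point above, as an added example that is not part of this PR or of pnpm's code: a minimal semver matcher that shows why a fork declaring qs with a tilde spec never reaches 6.14.1 through ordinary resolution (only an override can move it), followed by a scan of pnpm-lock.yaml text that lists any resolved qs still older than 6.14.1, which is the check to run after the override is installed. The fork name, its ranges and the lockfile fragments are constructed for the example.

```javascript
// Added example, not code from this PR or from pnpm. Shows why a tilde-pinned
// fork cannot pick up qs 6.14.1 on its own and how to confirm that an override
// left no older qs in the lockfile. Names, ranges and lockfile text are constructed.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release suffixes are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 as a < b, a == b, a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Minimal range check for the spec shapes on this page: an exact version,
// ">=x.y.z", "~x.y.z" (tilde: same major.minor, only the patch may move) and
// "^x.y.z" (caret: same major, minor and patch may move; for 0.x only the next
// component down may move). Compound node-semver syntax (||, hyphen ranges,
// x-ranges) is out of scope for this illustration.
function satisfies(version, range) {
  const r = range.trim();
  if (/^\d/.test(r)) return compareVersions(version, r) === 0;
  if (r.startsWith('>=')) return compareVersions(version, r.slice(2)) >= 0;
  const op = r[0], baseStr = r.slice(1);
  if (op !== '~' && op !== '^') throw new Error(`unsupported range: ${range}`);
  if (compareVersions(version, baseStr) < 0) return false; // below the floor
  const v = parseVersion(version), base = parseVersion(baseStr);
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Scan pnpm-lock.yaml text for every resolved version of `name`: package keys
// such as "qs@6.13.0:" (lockfile v9) or "/qs@6.13.0:" (older formats), possibly
// quoted. Returns the distinct versions older than `fixedVersion`, sorted.
function versionsBelowFix(lockfileText, name, fixedVersion) {
  const escaped = name.replace(/\./g, '\\.');
  const re = new RegExp(`^\\s*'?/?${escaped}@(\\d+\\.\\d+\\.\\d+)`, 'gm');
  const found = new Set();
  for (const m of lockfileText.matchAll(re)) {
    if (compareVersions(m[1], fixedVersion) < 0) found.add(m[1]);
  }
  return [...found].sort(compareVersions);
}

// Constructed lockfile fragment: a hypothetical fork "request-fork" declares
// qs with a tilde range, so pnpm resolved an older qs next to the newer one.
const LOCKFILE_BEFORE = `
lockfileVersion: '9.0'

packages:
  qs@6.13.0:
    resolution: {integrity: sha512-constructed}
  qs@6.14.1:
    resolution: {integrity: sha512-constructed}
  request-fork@1.0.0:
    resolution: {integrity: sha512-constructed}

snapshots:
  request-fork@1.0.0:
    dependencies:
      qs: 6.13.0
`;

// The same fragment after an override such as "request-fork>qs: ^6.14.1" took effect.
const LOCKFILE_AFTER = `
lockfileVersion: '9.0'
overrides:
  request-fork>qs: ^6.14.1

packages:
  qs@6.14.1:
    resolution: {integrity: sha512-constructed}
  request-fork@1.0.0:
    resolution: {integrity: sha512-constructed}

snapshots:
  request-fork@1.0.0:
    dependencies:
      qs: 6.14.1
`;

console.log(satisfies('6.14.1', '~6.13.0')); // false: a tilde spec never reaches 6.14.x
console.log(satisfies('6.14.1', '^6.13.0')); // true: a caret spec would have allowed it
console.log(versionsBelowFix(LOCKFILE_BEFORE, 'qs', '6.14.1')); // [ '6.13.0' ]
console.log(versionsBelowFix(LOCKFILE_AFTER, 'qs', '6.14.1'));  // []
```

The scan deliberately keys on `name@version` package entries rather than `qs: 6.x` references under `dependencies:`, so it reports every resolved copy regardless of which importer pulled it in; an empty result after `pnpm install` is the evidence that the override actually applied everywhere.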

Comment thread pnpm-lock.yaml

overrides:
'@yarnpkg/fslib@2': '3'
'@cypress/request@3.0.9>qs': ^6.14.1
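Review bot: the `'@cypress/request@3.0.9>qs'` selector matches @cypress/request only at exactly 3.0.9, unlike the unversioned `postman-request>qs` override in the same file; the next bump of @cypress/request silently stops the override from matching and qs falls back to the fork's own range, losing the fix with no error. Unless the pin is deliberate, `'@cypress/request>qs': ^6.14.1` keeps the two qs overrides consistent and survives future bumps of the fork.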

@gluxon gluxon Dec 31, 2025

Member Author


See comment above around postman-request and @cypress/request being forks of request.

@gluxon gluxon marked this pull request as ready for review December 31, 2025 03:23
@gluxon gluxon requested a review from zkochan as a code owner December 31, 2025 03:23
Copilot AI review requested due to automatic review settings December 31, 2025 03:23

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the qs package to version 6.14.1 to address a security vulnerability (GHSA-6rw7-vpxm-498p). The update is applied through package overrides to ensure vulnerable transitive dependencies are replaced with the patched version.

  • Adds override for qs in @cypress/request dependency chain
  • Adds override for qs in postman-request dependency chain
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


@zkochan zkochan merged commit 6b9e5f2 into main Dec 31, 2025
12 of 13 checks passed
@zkochan zkochan deleted the gluxon/qs branch December 31, 2025 12:08
zkochan pushed a commit that referenced this pull request Jan 4, 2026
zkochan added a commit that referenced this pull request Jan 7, 2026
zkochan pushed a commit that referenced this pull request Jun 12, 2026
…chain integration, force-refresh) (#12153)

Port pnpm's custom resolver hooks to the Rust pacquet engine: a pnpmfile can export a top-level `resolvers` array whose entries override built-in dependency resolution and force re-resolution when needed. See #10389 for the TypeScript-side feature request that motivated this port.

## What's included

- **Hook contract** — `CustomResolver` trait (`canResolve` / `resolve` / `shouldRefreshResolution`) mirroring `hooks/types/src/index.ts`. All three methods are optional upstream, so the Node worker reports per-resolver capability flags in one IPC round trip and pacquet skips calls a resolver doesn't implement (mirrors pnpm's `if (!customResolver.canResolve || !customResolver.resolve) continue` and `checkCustomResolverForceResolve`'s hook filter).
- **Node IPC** — the long-lived pnpmfile worker gained `resolvers` (capabilities) and `resolver` (method invocation) requests. Methods are invoked with `this` bound to the resolver object, like pnpm. Pending-request cleanup is cancellation-safe via an RAII guard.
- **Adapter & chain integration** — `CustomResolverAdapter` bridges the JSON hook contract to the typed `Resolver` trait. Custom resolvers are built into the inner resolver chain ahead of the built-ins (upstream chain priority), inside the prefetching/observing wrappers so their tarball results get resolve-time prefetch and pnpr streaming. `canResolve` results are memoized keyed `alias@bareSpecifier`, exactly like pnpm's `getCustomResolverCacheKey`. A resolver-returned `manifest` passes through (pnpm spreads the whole hook result). Payloads match upstream: `prevSpecifier`, and resolve opts carry `lockfileDir` / `projectDir` / `preferredVersions` / `currentPkg`.
- **`shouldRefreshResolution` semantics** — port of `checkCustomResolverForceResolve`: the hook receives the merged packages+snapshots entry (pnpm's in-memory `PackageSnapshot`), checks run concurrently with first-true/first-error short-circuit, and a throwing hook aborts the install (`PNPMFILE_FAIL`). A `true` verdict defeats both up-to-date optimizations, as documented in the hook's contract:
  - the prefer-frozen dispatch consults the hook (pnpm: `forceResolutionFromHook` → `needsFullResolution` blocks `isFrozenInstallPossible`) and routes to the fresh-resolve path with lockfile reuse disabled (`UpdateReuseScope::None`);
  - the optimistic repeat-install fast path now ports the pnpmfile branch of `patchesOrHooksAreModified`: the workspace state records the loaded pnpmfile list, and an added/removed/edited pnpmfile invalidates the mtime check.
- **`CurrentPkg`** — added to `ResolveOptions`, matching upstream's `currentPkg` shape `{id, name?, version?, resolution, publishedAt?}` (camelCase).

## Tests

- Adapter unit tests: missing `id`/`resolution`, invalid shapes, `canResolve` memoization, payload shapes, manifest passthrough.
- `check_custom_resolver_force_resolve` unit tests: port of upstream's `checkCustomResolverForceResolve.ts` suite (capability filter, true/false/error propagation, merged snapshot payload).
- Node IPC integration tests against a real pnpmfile: capabilities, `this` binding, round trips, error propagation, cancellation cleanup.
- CLI e2e tests against the mock registry: custom resolver precedence over the npm resolver, `shouldRefreshResolution` re-resolving past an up-to-date lockfile, and a throwing hook failing the install.


3 participants