Skip to content

chore(deps): update dependency qs to v6.9.9 [security]#439

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-qs-vulnerability
Open

chore(deps): update dependency qs to v6.9.9 [security]#439
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-qs-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
qs 6.5.56.9.9 age confidence

qs vulnerable to Prototype Pollution

CVE-2022-24999 / GHSA-hrpp-h998-j3pp

More information

Details

qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

ljharb/qs (qs)

v6.9.9

Compare Source

  • [Fix] fix regressions from robustness refactor
  • [meta] add npmignore to autogenerate an npmignore file
  • [actions] update reusable workflows

v6.9.8

Compare Source

  • [Robustness] avoid .push, use void
  • [readme] clarify parseArrays and arrayLimit documentation (#​543)
  • [readme] document that addQueryPrefix does not add ? to empty output (#​418)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [actions] fix rebase workflow permissions

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 20d4e2d to f817bee Compare July 16, 2026 16:21
@renovate
renovate Bot requested a review from jimmyandrade July 16, 2026 16:22
@renovate
renovate Bot force-pushed the renovate/npm-qs-vulnerability branch 5 times, most recently from cd70d0a to 8c44ad3 Compare July 16, 2026 16:52
@renovate
renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 8c44ad3 to c2d0f1e Compare July 16, 2026 17:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants