Skip to content

chore(deps): update dependency qs to v6.15.3#6310

Merged
thomhurst merged 1 commit into
mainfrom
renovate/qs-6.x
Jun 24, 2026
Merged

chore(deps): update dependency qs to v6.15.3#6310
thomhurst merged 1 commit into
mainfrom
renovate/qs-6.x

Conversation

@thomhurst

@thomhurst thomhurst commented Jun 24, 2026

Copy link
Copy Markdown
Owner

This PR contains the following updates:

Package Type Update Change
qs resolutions patch 6.15.26.15.3

Release Notes

ljharb/qs (qs)

v6.15.3

Compare Source

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#​559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#​558)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@thomhurst thomhurst added dependencies Pull requests that update a dependency file PATCH renovate-bot labels Jun 24, 2026
@thomhurst thomhurst enabled auto-merge (squash) June 24, 2026 20:40
@codacy-production

codacy-production Bot commented Jun 24, 2026

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

claude[bot]
claude Bot approved these changes Jun 24, 2026
View reviewed changes

@claude claude Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependency Update Review: qs 6.15.2 → 6.15.3

This is a straightforward Renovate-generated patch bump for the qs package (used in docs/), along with cascading lockfile updates to side-channel, side-channel-list, and object-inspect.

What changed

  • qs 6.15.3 includes several robustness and security-adjacent fixes:
    • Enforces arrayLimit on cumulative array growth via combine/merge (prevents DoS via oversized arrays)
    • Avoids invoking __proto__ setter when copying own properties (prototype pollution hardening)
    • Fixes surrogate pair encoding across chunks
    • Makes compact O(n) instead of O(n²)
  • side-channel → 1.1.1 and side-channel-list → 1.0.1 are minor patch updates pulled in transitively
  • es-define-property is a new transitive dependency of qs 6.15.3 (replaces internal ad-hoc property definition)

Assessment

The changes are scoped entirely to docs/package.json and docs/yarn.lock — no production .NET code is touched. The qs package is used only in the documentation site tooling, not in TUnit's core library or test runner. The patch includes meaningful robustness improvements (prototype pollution guard, array limit enforcement) that are worth taking.

The lockfile diff is consistent with the package.json change: all version pins align, integrity hashes are present, and no unexpected packages were added beyond the new es-define-property transitive dep.

No concerns — safe to merge.

@thomhurst thomhurst merged commit 31a0680 into main Jun 24, 2026
14 of 15 checks passed
@thomhurst thomhurst deleted the renovate/qs-6.x branch June 24, 2026 21:03
This was referenced Jun 28, 2026
Open
Open
Merged
Merged
Closed
Closed
Merged
Open
Open
Open
Open
Open
Merged
Merged
Open
This was referenced Jun 29, 2026
Closed
Merged
Merged
Open
Merged
Merged
Merged
Open
Merged
Open
Merged
Merged
Open
Merged
Closed
Open
Open
Closed
Open
Merged
github-actions Bot pushed a commit to BenjaminMichaelis/TrxLib that referenced this pull request Jun 29, 2026
@dependabot
Bump TUnit from 1.56.25 to 1.57.0 (#63)
d86014b 
Updated [TUnit](https://github.com/thomhurst/TUnit) from 1.56.25 to
1.57.0.

<details>
<summary>Release notes</summary>

_Sourced from [TUnit's
releases](https://github.com/thomhurst/TUnit/releases)._

## 1.57.0

<!-- Release notes generated using configuration in .github/release.yml
at v1.57.0 -->

## What's Changed
### Other Changes
* perf(sourcegen): consolidate per-file ModuleInitializers into merged
.cctor (#​6226) by @​thomhurst in
thomhurst/TUnit#6286
* fix: resolve CS0121 IsEqualTo ambiguity on .NET 8 SDK (#​6296) by
@​thomhurst in thomhurst/TUnit#6313
* chore(docs): apply Codacy markdownlint fixes by @​thomhurst in
thomhurst/TUnit#6284
* fix(mocks): generate mock for qualified-name X.Mock() calls (#​6298)
by @​thomhurst in thomhurst/TUnit#6314
### Dependencies
* chore(deps): update tunit to 1.56.35 by @​thomhurst in
thomhurst/TUnit#6306
* chore(deps): update dependency stackexchange.redis to 3.0.7 by
@​thomhurst in thomhurst/TUnit#6307
* chore(deps): update dependency opentelemetry.instrumentation.http to
1.16.0 by @​thomhurst in thomhurst/TUnit#6308
* chore(deps): update dependency
opentelemetry.instrumentation.aspnetcore to 1.16.0 by @​thomhurst in
thomhurst/TUnit#6309
* chore(deps): update dependency qs to v6.15.3 by @​thomhurst in
thomhurst/TUnit#6310
* chore(deps): update dependency polyfill to 10.11.0 by @​thomhurst in
thomhurst/TUnit#6312
* chore(deps): update dependency polyfill to 10.11.0 by @​thomhurst in
thomhurst/TUnit#6311
* chore(deps): bump http-proxy-middleware from 2.0.9 to 2.0.10 in /docs
by @​dependabot[bot] in thomhurst/TUnit#6303


**Full Changelog**:
thomhurst/TUnit@v1.56.35...v1.57.0

## 1.56.35

<!-- Release notes generated using configuration in .github/release.yml
at v1.56.35 -->

## What's Changed
### Other Changes
* feat(aspire): tear down Aspire on test-run abort via session
cancellation token by @​thomhurst in
thomhurst/TUnit#6292
### Dependencies
* chore(deps): update tunit to 1.56.25 by @​thomhurst in
thomhurst/TUnit#6294
* chore(deps): update dependency
microsoft.visualstudio.threading.analyzers to v18 by @​thomhurst in
thomhurst/TUnit#6297
* chore(deps): update dependency microsoft.net.test.sdk to 18.7.0 by
@​thomhurst in thomhurst/TUnit#6300
* chore(deps): update dependency microsoft.playwright to 1.61.0 by
@​thomhurst in thomhurst/TUnit#6302
* chore(deps): update actions/cache action to v6 by @​thomhurst in
thomhurst/TUnit#6301
* chore(deps): update dependency azure.storage.blobs to 12.29.1 by
@​thomhurst in thomhurst/TUnit#6304


**Full Changelog**:
thomhurst/TUnit@v1.56.25...v1.56.35

Commits viewable in [compare
view](thomhurst/TUnit@v1.56.25...v1.57.0).
</details>

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=TUnit&package-manager=nuget&previous-version=1.56.25&new-version=1.57.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Jun 29, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file PATCH renovate-bot

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thomhurst @renovate-bot