
chore(deps): update dependency qs to v6.15.3 #6310

Merged: thomhurst merged 1 commit into main from renovate/qs-6.x on Jun 24, 2026

@thomhurst

Owner

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| qs | resolutions | patch | 6.15.2 → 6.15.3 |

Release Notes

ljharb/qs (qs)

v6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#558)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate.

@thomhurst added the dependencies, PATCH and renovate-bot labels Jun 24, 2026
@thomhurst enabled auto-merge (squash) June 24, 2026 20:40
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


@claude (Bot) left a comment

Contributor

Dependency Update Review: qs 6.15.2 → 6.15.3

This is a straightforward Renovate-generated patch bump for the qs package (used in docs/), along with cascading lockfile updates to side-channel, side-channel-list, and object-inspect.

What changed

  • qs 6.15.3 includes several robustness and security-adjacent fixes:
    • Enforces arrayLimit on cumulative array growth via combine/merge (prevents DoS via oversized arrays)
    • Avoids invoking __proto__ setter when copying own properties (prototype pollution hardening)
    • Fixes surrogate pair encoding across chunks
    • Makes compact O(n) instead of O(n²)
  • side-channel → 1.1.1 and side-channel-list → 1.0.1 are minor patch updates pulled in transitively
  • es-define-property is a new transitive dependency of qs 6.15.3 (replaces internal ad-hoc property definition)

Assessment

The changes are scoped entirely to docs/package.json and docs/yarn.lock — no production .NET code is touched. The qs package is used only in the documentation site tooling, not in TUnit's core library or test runner. The patch includes meaningful robustness improvements (prototype pollution guard, array limit enforcement) that are worth taking.

The lockfile diff is consistent with the package.json change: all version pins align, integrity hashes are present, and no unexpected packages were added beyond the new es-define-property transitive dep.

No concerns — safe to merge.
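
The `__proto__` setter hardening listed in the v6.15.3 release notes, as an added example that is not part of this PR and is not qs's own code: copying an own `__proto__` key by plain assignment replaces the target's prototype, while defining it as an own data property does not. The function names and the sample input are hypothetical and constructed for illustration.

```javascript
'use strict';
// Added illustration; not qs source code. All names here are hypothetical.

// Constructed input: JSON.parse creates "__proto__" as an OWN data property,
// so the object looks harmless until its keys are copied somewhere else.
const SAMPLE = JSON.parse('{"a": "1", "__proto__": {"isAdmin": true}}');

// Copy by plain assignment. For the key "__proto__", `target[key] = value`
// runs the accessor inherited from Object.prototype and swaps target's prototype.
function copyByAssignment(target, source) {
  for (const key of Object.keys(source)) {
    target[key] = source[key];
  }
  return target;
}

// Copy by defining own data properties. defineProperty never consults
// inherited setters, so "__proto__" becomes an ordinary own key.
function copyByDefine(target, source) {
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key, {
      value: source[key],
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return target;
}

// Report what happened to the copy's prototype chain.
function inspectCopy(obj) {
  return {
    prototypeIntact: Object.getPrototypeOf(obj) === Object.prototype,
    inheritsIsAdmin: obj.isAdmin === true,
    ownProtoKey: Object.prototype.hasOwnProperty.call(obj, '__proto__'),
  };
}

function demo() {
  return {
    assignment: inspectCopy(copyByAssignment({}, SAMPLE)),
    define: inspectCopy(copyByDefine({}, SAMPLE)),
  };
}

console.log(demo());
```

Only the copied object's prototype is affected in the assignment case; `Object.prototype` itself is unchanged.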

This was referenced Jun 29, 2026