Updated qs override range#27678

Merged
9larsons merged 1 commit intomainfrom
security/qs-override-widen
May 5, 2026

Conversation

@9larsons 9larsons commented May 5, 2026

Why

The existing qs override pinned >=6.7.0 <=6.14.1 but missed qs@6.5.5, which reaches ghost/core via request@2.88.2 → @tryghost/logging. That logging chain is consumed by @tryghost/job-manager, @tryghost/prometheus-metrics, @tryghost/server, gscan, and knex-migrator — all dependencies of ghost/core, not just an e2e-only path.

GHSA-6rw7-vpxm-498p (moderate, arrayLimit bypass causing DoS via memory exhaustion) is fixed in qs@6.14.1, so the existing override target (^6.14.2) is already correct — only the range needed widening to cover pre-6.7.0 resolutions.

qs follows strict semver and the 6.x line is API-stable, so the deprecated request@2.88.2 package works identically against qs@6.14.2 as it did against 6.5.5.

Test plan

  • pnpm install — lockfile updates cleanly
  • pnpm audit — total findings 58 → 57, unique GHSAs 46 → 45; qs@6.5.5 no longer in the tree, only 6.14.2 and 6.15.0 (already patched)
  • pnpm test — 6283/6283 ghost/core unit tests pass (the pre-existing comments-ui editor markdown flake reproduces on clean main and is unrelated)
  • CI confirms the same delta against the canonical environment

- Existing qs override pinned only ">=6.7.0 <=6.14.1", missing the
  qs@6.5.5 resolution pulled by request@2.88.2 in the @tryghost/logging
  chain. That path reaches ghost/core through @tryghost/job-manager,
  @tryghost/prometheus-metrics, @tryghost/server, gscan, and knex-migrator
- GHSA-6rw7-vpxm-498p (mod, arrayLimit DoS, fixed in 6.14.1) covers <6.14.1,
  so the override range needed widening to match
- qs is strict semver and the 6.x line is API-stable; request@2.88.2
  works the same against qs@6.14.2 as against 6.5.5
- Verified: pnpm audit drops 46 → 45 unique GHSAs (58 → 57 findings); qs
  resolves to 6.14.2 / 6.15.0 across the tree, no qs<6.14.1 remains;
  pnpm test passes 6283/6283 ghost/core (the pre-existing comments-ui
  editor markdown flake reproduces on clean main and is unrelated)
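As an added illustration of the range gap the description identifies (this is example code, not code from the Ghost repository or from the PR author), the script below implements just enough of the semver comparator grammar to show why the old override range `>=6.7.0 <=6.14.1` leaves qs@6.5.5 untouched while the widened `<6.14.1` catches it, and that the replacement target `^6.14.2` only ever resolves to versions at or above the 6.14.1 fix. The `pnpm.overrides` key shape (`"qs@<6.14.1": "^6.14.2"`) and the `uncoveredVulnerable` helper are assumptions for the example; pnpm itself uses the full `semver` package, of which this is a deliberately small subset.

```javascript
// Added example, not part of the Ghost code base or this PR.
// Minimal semver comparator evaluator covering only what the override needs:
// >=, >, <=, <, = and ^ comparators, joined by spaces (intersection).
// Assumed package.json form:  "pnpm": { "overrides": { "qs@<6.14.1": "^6.14.2" } }

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=|\^)?\s*(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const [, op = '=', target] = m;
  const v = parse(version);
  const t = parse(target);
  const c = compare(v, t);
  switch (op) {
    case '>=': return c >= 0;
    case '>':  return c > 0;
    case '<=': return c <= 0;
    case '<':  return c < 0;
    case '=':  return c === 0;
    case '^':  // caret for major > 0: same major, not below the target
      return v[0] === t[0] && c >= 0;
  }
  return false;
}

// A space-separated range matches only if every comparator matches.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((cmp) => satisfiesComparator(version, cmp));
}

// The two override selectors from the PR and the version they map to.
const OLD_RANGE = '>=6.7.0 <=6.14.1';
const NEW_RANGE = '<6.14.1';
const REPLACEMENT = '^6.14.2';
const FIXED_IN = '6.14.1'; // GHSA-6rw7-vpxm-498p fix version per the description

// Constructed sample: the qs versions the description reports in the tree.
const observed = ['6.5.5', '6.14.2', '6.15.0'];

// Versions still below the fix that the selector fails to rewrite.
// (Hypothetical helper name; not a pnpm API.)
function uncoveredVulnerable(range, versions, fixedIn) {
  return versions.filter(
    (v) => compare(parse(v), parse(fixedIn)) < 0 && !satisfies(v, range)
  );
}

console.log('old selector misses:', uncoveredVulnerable(OLD_RANGE, observed, FIXED_IN)); // ['6.5.5']
console.log('new selector misses:', uncoveredVulnerable(NEW_RANGE, observed, FIXED_IN)); // []
console.log('replacement stays at/after fix:',
  ['6.14.2', '6.15.0'].every((v) => satisfies(v, REPLACEMENT) && compare(parse(v), parse(FIXED_IN)) >= 0));
```

The same `uncoveredVulnerable` check can be run over the full set of versions that `pnpm why qs` reports, which is a cheaper way to confirm an override selector than re-running the whole audit after each edit.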
coderabbitai Bot commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ff538e16-a1b8-4edf-9160-772eb0e41d24

📥 Commits

Reviewing files that changed from the base of the PR and between 45490b5 and 64719a1.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Walkthrough

The pnpm.overrides configuration for the qs dependency in package.json was modified. The version constraint for the override was changed from >=6.7.0 <=6.14.1 to <6.14.1, while the resolved version remains ^6.14.2. This change expands the applicability of the override to include all versions of qs below 6.14.1 instead of limiting it to a specific bounded range.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check (Passed): The title 'Updated qs override range' directly and accurately summarizes the main change: widening the qs package override range in pnpm.overrides to cover additional versions.
  • Description check (Passed): The description is comprehensive and directly related to the changeset, explaining the security vulnerability (GHSA-6rw7-vpxm-498p), why the override range was widened, the dependency chain affected, and the test plan executed.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.

codecov Bot commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.19%. Comparing base (45490b5) to head (64719a1).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #27678   +/-   ##
=======================================
  Coverage   73.19%   73.19%           
=======================================
  Files        1561     1561           
  Lines      127072   127072           
  Branches    15396    15397    +1     
=======================================
+ Hits        93011    93012    +1     
+ Misses      33082    33081    -1     
  Partials      979      979           
Flag          Coverage Δ
admin-tests   49.86% <ø> (ø)
e2e-tests     73.19% <ø> (+<0.01%) ⬆️


@9larsons 9larsons merged commit cf3f392 into main May 5, 2026
46 checks passed
@9larsons 9larsons deleted the security/qs-override-widen branch May 5, 2026 18:32