Conversation

@tjiang-box
Collaborator

@tjiang-box tjiang-box commented Jan 13, 2026

Summary by CodeRabbit

  • Chores
    • Added a top-level resolution to the project's dependency configuration to lock a specific package version, ensuring consistent installs across environments and avoiding version conflicts during dependency resolution.


@tjiang-box tjiang-box requested a review from a team as a code owner January 13, 2026 03:09
@coderabbitai
Contributor

coderabbitai bot commented Jan 13, 2026

Walkthrough

A top-level resolutions field was added to package.json, pinning qs to version "6.14.1". This influences dependency resolution at install time and does not change runtime logic or public interfaces.

Changes

  • Dependency resolution override (package.json): Added a top-level resolutions block with "qs": "6.14.1" to enforce a specific transitive dependency version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • tjiang-box
  • tjuanitas
  • reneshen0328

🐰 I hopped through package.json with glee,
I pinned small qs to keep the tree steady,
No runtime ripples, just versions aligned,
A tidy install — neat and ready! 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Description check (⚠️ Warning): The PR description contains only the repository template for merge queue instructions without any actual change details, rationale, or version information. Resolution: Add substantive description explaining why the qs version bump is necessary (e.g., security fix, bug fix, feature requirement) and include the specific version number or version range being updated.

✅ Passed checks (2 passed)
  • Title check (✅ Passed): The title 'feat(deps): bump qs version' directly and clearly describes the main change: updating the qs dependency version in package.json.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d8fdb0 and 9b410c8.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Queue: Embarked in merge queue
  • GitHub Check: Rule: Automatic merge queue (queue)
  • GitHub Check: semgrep-cloud-platform/scan
  • GitHub Check: lint_test_build
  • GitHub Check: Summary
🔇 Additional comments (1)
package.json (1)

363-365: Correct approach for pinning transitive dependency with security fix.

Using resolutions to pin qs at version 6.14.1 properly addresses the denial-of-service vulnerability (CVE-2025-15284 / GHSA-6rw7-vpxm-498p) that affected earlier versions. This is the standard Yarn pattern for controlling nested dependency versions across the dependency tree.


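A resolutions pin only helps if the lockfile actually ends up with every qs entry at the pinned version, which is worth verifying since yarn.lock was excluded from the review above. The following check is an added example, not code from the box repository or from either bot: it parses a constructed yarn.lock (v1 format) sample against a package.json resolutions block and reports any entry that still resolves to something other than the pin. Helper names and the registry URL are this example's own assumptions.

```javascript
// Added example: verify that a package.json "resolutions" pin took effect in a
// Yarn v1 lockfile. Helper names (parseYarnLockV1, findUnpinned) are hypothetical.
const PACKAGE_JSON = { resolutions: { qs: "6.14.1" } };

// Constructed yarn.lock sample (placeholder registry): one entry honours the
// pin, one stale entry still resolves to an older qs release.
const SAMPLE_LOCK = `
qs@6.14.1, qs@^6.11.0:
  version "6.14.1"
  resolved "https://registry.example.invalid/qs/-/qs-6.14.1.tgz"

qs@^6.5.2:
  version "6.5.3"
  resolved "https://registry.example.invalid/qs/-/qs-6.5.3.tgz"

express@^4.18.2:
  version "4.18.2"
  resolved "https://registry.example.invalid/express/-/express-4.18.2.tgz"
`;

// Parse yarn.lock v1 into [{ name, range, version }] records, one per specifier.
function parseYarnLockV1(text) {
  const entries = [];
  let keys = [];
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ") && raw.endsWith(":")) {
      // Header line: comma-separated "name@range" specifiers, possibly quoted.
      keys = raw.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      continue;
    }
    const m = raw.match(/^\s+version\s+"([^"]+)"/);
    if (m) {
      for (const key of keys) {
        const at = key.lastIndexOf("@"); // lastIndexOf also handles @scope/pkg@range
        entries.push({ name: key.slice(0, at), range: key.slice(at + 1), version: m[1] });
      }
    }
  }
  return entries;
}

// Lock entries for pinned packages whose resolved version differs from the pin.
function findUnpinned(lockText, resolutions) {
  return parseYarnLockV1(lockText).filter(
    (e) => resolutions[e.name] !== undefined && e.version !== resolutions[e.name]
  );
}

const offenders = findUnpinned(SAMPLE_LOCK, PACKAGE_JSON.resolutions);
console.log(offenders.length === 0 ? "all pins honoured" : offenders);
```

Run against a real yarn.lock by reading the file instead of SAMPLE_LOCK; an empty result means every qs specifier in the tree resolved to 6.14.1.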

tjuanitas
tjuanitas previously approved these changes Jan 13, 2026
@mergify
Contributor

mergify bot commented Jan 13, 2026

Merge Queue Status

🚫 The pull request has left the queue (rule: Automatic strict merge) at 5d8fdb0

This pull request spent 13 minutes 31 seconds in the queue, with no time running CI.
The checks were run in-place.

Required conditions to merge
  • any of [🛡 GitHub branch protection]:
    • check-neutral = lint_test_build
    • check-skipped = lint_test_build
    • check-success = lint_test_build
  • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • #review-threads-unresolved = 0 [🛡 GitHub branch protection]
  • branch-protection-review-decision = APPROVED [🛡 GitHub branch protection]
  • any of [🛡 GitHub branch protection]:
    • check-success = Summary
    • check-neutral = Summary
    • check-skipped = Summary
  • any of [🛡 GitHub branch protection]:
    • check-success = license/cla
    • check-neutral = license/cla
    • check-skipped = license/cla
  • any of [🛡 GitHub branch protection]:
    • check-success = lint_pull_request
    • check-neutral = lint_pull_request
    • check-skipped = lint_pull_request

Reason

The merge conditions cannot be satisfied due to failing checks

Hint

You may have to fix your CI before adding the pull request to the queue again.
If you update this pull request to fix the CI, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

@mergify mergify bot added queued and removed queued labels Jan 13, 2026
@mergify mergify bot merged commit 9f174dc into box:master Jan 13, 2026
9 checks passed
@mergify
Contributor

mergify bot commented Jan 13, 2026

Merge Queue Status

✅ The pull request has been merged at 9b410c8

This pull request spent 7 seconds in the queue, with no time running CI.
The checks were run in-place.

Required conditions to merge
  • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • #review-threads-unresolved = 0 [🛡 GitHub branch protection]
  • branch-protection-review-decision = APPROVED [🛡 GitHub branch protection]
  • any of [🛡 GitHub branch protection]:
    • check-success = Summary
    • check-neutral = Summary
    • check-skipped = Summary
  • any of [🛡 GitHub branch protection]:
    • check-success = lint_test_build
    • check-neutral = lint_test_build
    • check-skipped = lint_test_build
  • any of [🛡 GitHub branch protection]:
    • check-success = license/cla
    • check-neutral = license/cla
    • check-skipped = license/cla
  • any of [🛡 GitHub branch protection]:
    • check-success = lint_pull_request
    • check-neutral = lint_pull_request
    • check-skipped = lint_pull_request

@mergify mergify bot removed the queued label Jan 13, 2026