Bump qs to 6.15.2 to address CVE GHSA-q8mj-m7cp-5q26

[cmalonzo]

GHSA-q8mj-m7cp-5q26

Change here:

express/package.json

Line 55 in dae209a

"qs": "^6.14.2",

[krzysdz]

^6.14.2 is compatible with 6.15.2 (will be installed by a fresh npm install or updated with npm update qs), so you don't have to wait for Express to update if you need this update.

Express does not use qs.stringify, so it is not affected by GHSA-q8mj-m7cp-5q26 / CVE-2026-872.