[lexical] Security: Fix qs vulnerability (CVE-2025-15284)#8176

Merged
thatmichael85 merged 1 commit into main from users/thatmichael85/qs-vulnerability-fix
Feb 26, 2026
Conversation

thatmichael85 (Contributor) commented Feb 26, 2026

Description

Resolves Dependabot alert #427 for qs@6.14.0 (DoS via memory exhaustion through arrayLimit bypass in bracket notation, HIGH severity, CVE-2025-15284).

Changes

  • Added "qs": ">=6.14.2" to pnpm.overrides in package.json
  • Regenerated pnpm-lock.yaml (resolves to qs@6.15.0)

Why an override?

qs is a transitive dependency of body-parser@1.20.4 and express. Although their semver ranges (~6.14.0 and ^6.14.0) allow the patched version, pnpm's resolver keeps the existing lockfile resolution unless explicitly overridden. A pnpm.overrides entry is the standard approach for forcing transitive dependency updates — consistent with the existing overrides for react, react-dom, @types/node, and @shikijs/types in this repo.

Test plan

Before

  • qs@6.14.0 in root lockfile (transitive dep of express and body-parser)
  • 1 open Dependabot alert for CVE-2025-15284

After

  • Root lockfile resolves to qs@6.15.0
  • Minimal lockfile diff (11 insertions, 49 deletions) — no unrelated dependency changes
  • All unit tests pass locally
  • CI passes
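The "Why an override?" and "Test plan" sections above rely on two checks a reviewer would want to automate: that the override entry lands in package.json, and that every resolution of the package in pnpm-lock.yaml now sits at or above the patched floor (a lexical comparison would wrongly rank 6.14.10 below 6.14.2). The following is an added example, not code from the lexical repository or from pnpm; it assumes lockfile v6/v9 text where resolved packages appear as `qs@6.14.0:` or `/qs@6.14.0:` keys and as `qs: 6.14.0` dependency references, and the lockfile excerpts are constructed for illustration.

```javascript
// Added example, not part of the lexical PR or of pnpm's own tooling.
// Audits a pnpm-lock.yaml for every resolved version of a package and
// checks each one against the floor a pnpm.overrides entry should enforce.

// Parse "MAJOR.MINOR.PATCH"; prerelease/build suffixes are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver triple: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version a >= version b, compared numerically component-wise
// (so 6.14.10 >= 6.14.2, which a string comparison would get wrong).
function atLeast(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] > y[i];
  }
  return true;
}

// Collect every distinct version of `name` the lockfile resolves.
// Assumption: lockfile v6/v9 layout, i.e. package keys such as
// "qs@6.14.0:" / "/qs@6.14.0:" and dependency refs such as "qs: 6.14.0".
function resolvedVersions(lockfileText, name) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const pkgKey = new RegExp(`^\\s*/?${esc}@(\\d+\\.\\d+\\.\\d+[^:\\s(]*)`);
  const depRef = new RegExp(`^\\s*'?${esc}'?:\\s+(\\d+\\.\\d+\\.\\d+\\S*)`);
  const found = new Set();
  for (const line of lockfileText.split('\n')) {
    const m = pkgKey.exec(line) || depRef.exec(line);
    if (m) found.add(m[1]);
  }
  return [...found].sort();
}

// Report which resolved versions still fall below `floor`.
function auditLockfile(lockfileText, name, floor) {
  const versions = resolvedVersions(lockfileText, name);
  const violations = versions.filter((v) => !atLeast(v, floor));
  return { versions, violations, ok: violations.length === 0 };
}

// Return a copy of package.json with a pnpm.overrides entry added,
// keeping any overrides that were already present.
function withOverride(pkgJson, name, range) {
  const pnpm = { ...(pkgJson.pnpm || {}) };
  pnpm.overrides = { ...(pnpm.overrides || {}), [name]: range };
  return { ...pkgJson, pnpm };
}

// Constructed lockfile excerpts in v9 shape (not the real lexical lockfile).
const LOCKFILE_BEFORE = `
packages:
  body-parser@1.20.4:
    resolution: {integrity: sha512-constructed}
  qs@6.14.0:
    resolution: {integrity: sha512-constructed}

snapshots:
  body-parser@1.20.4:
    dependencies:
      qs: 6.14.0
  qs@6.14.0:
    dependencies:
      side-channel: 1.1.0
`;

const LOCKFILE_AFTER = LOCKFILE_BEFORE.split('6.14.0').join('6.15.0');

// Stand-alone run: the "before" excerpt fails the floor, the "after" passes.
const report = {
  before: auditLockfile(LOCKFILE_BEFORE, 'qs', '6.14.2'),
  after: auditLockfile(LOCKFILE_AFTER, 'qs', '6.14.2'),
};
console.log(JSON.stringify(report, null, 2));
```

To run it against a real repository, feed `auditLockfile` the contents of `pnpm-lock.yaml` (for example via `fs.readFileSync('pnpm-lock.yaml', 'utf8')`) with the package name and the override floor; a non-empty `violations` list means some resolution path was not caught by the override and the lockfile needs regenerating.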

vercel bot commented Feb 26, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
lexical | Ready | Preview, Comment | Feb 26, 2026 3:40am
lexical-playground | Ready | Preview, Comment | Feb 26, 2026 3:40am


meta-cla bot added the CLA Signed label Feb 26, 2026
Add pnpm override for qs>=6.14.2 to resolve Dependabot alert #427
(DoS via memory exhaustion, HIGH severity).

qs is a transitive dependency of body-parser and express. Although their
semver ranges (~6.14.0 and ^6.14.0) allow the patched version, pnpm's
resolver keeps the existing lockfile resolution unless explicitly
overridden. A pnpm override is the standard approach for forcing
transitive dependency updates — consistent with the existing overrides
for react, react-dom, @types/node, and @shikijs/types in this repo.
thatmichael85 added this pull request to the merge queue Feb 26, 2026
Merged via the queue into main with commit 108b541 Feb 26, 2026
42 checks passed
etrepum mentioned this pull request Mar 19, 2026
Labels: CLA Signed, extended-tests