chore(deps): npm audit fix — close qs DoS + 3 dev-chain advisories

[Goosterhof]

Summary

Closes the qs DoS advisory (GHSA-q8mj-m7cp-5q26) that is currently failing the npm audit CI gate (Gate 1 of 8) across multiple open branches. This is a newly-published advisory on a transitive devDependency that did not exist when the open branches last ran CI. Three sibling dev-chain advisories already present on main are cleared in the same pass.

Lockfile-only change — package.json is untouched, no semver ranges widened, no major version boundaries crossed. Strict minor/patch posture, appropriate for a published @script-development library monorepo.

Advisories cleared (4)

Package	Prev	New	Advisory	Severity
qs	6.15.1	6.15.2	GHSA-q8mj-m7cp-5q26 — qs.stringify DoS (TypeError on null/undefined comma-format array entries with encodeValuesOnly)	moderate
brace-expansion	5.0.5	5.0.6	GHSA-jxxr-4gwj-5jf2	moderate
js-cookie	3.0.5	3.0.7	GHSA-qjx8-664m-686j	high
ws	8.20.0	8.21.0	GHSA-58qx-3vcg-4xpx	moderate

Fix mechanism — transitive lockfile resolution (not a direct bump, not an override)

qs@6.15.1 was pulled deeply nested under Stryker:
@stryker-mutator/core@9.6.1 → typed-rest-client@2.3.1 → qs@6.15.1

typed-rest-client@2.3.1 pins qs to an exact version 6.15.1 (advisory-affected), so a naive in-range resolution could not advance it. npm audit fix (non---force) re-resolved typed-rest-client 2.3.1 → 2.3.0 — both within @stryker-mutator/core's ~2.3.0 range — and 2.3.0 declares qs@^6.14.1, which resolves cleanly to the patched 6.15.2.

No npm override was required; no manifest edit was needed.

Verification — all 8 CI gates green locally

1. npm audit → 0 vulnerabilities
2. format:check → pass
3. lint (oxlint) → 0 warnings / 0 errors
4. build (tsdown) → pass
5. typecheck → pass
6. lint:pkg (publint + attw) → 11 packages + root clean
7. test:coverage → 528 tests pass
8. test:mutation (Stryker) → all 11 packages ≥90% break threshold

rm -rf node_modules && npm ci clean-install confirms the peer-dependency contract is intact (no ERESOLVE, 0 vulnerabilities). No --force / --legacy-peer-deps used anywhere.

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying fs-packages with    Cloudflare Pages

Latest commit:	9c734aa
Status:	✅  Deploy successful!
Preview URL:	https://45871ddc.fs-packages.pages.dev
Branch Preview URL:	https://chore-audit-fix-qs-dos.fs-packages.pages.dev

View logs

[Goosterhof]

The PR Reviewer verdicts are landing as comments, not as formal GitHub reviews — so branch protection still reads REVIEW_REQUIRED and the merge button stays locked despite the merge-ready calls. To release it, the verdicts need to be resubmitted as APPROVE reviews.

Two are green and ready for a first review: #100 (qs DoS audit fix, lockfile-only, CI green) and kendo #1312 (removes the dead streamRequest re-export, which de-risks the #87 0.4.0 break). I will rebase the rest of the merge-ready set onto main once #100 lands and re-request review then.

[jasperboerhof]

PR Reviewer · claimed

• Target: fs-packages
• PR: chore(deps): npm audit fix — close qs DoS + 3 dev-chain advisories #100
• Branch: chore/audit-fix-qs-dos
• AC anchor: none (lockfile-only audit-fix; no kendo issue, no plan dir, no PR AC section)
• Worktree: ~/Code/agent-worktrees/fs-packages/review-100

[jasperboerhof]

PR Reviewer · 9/10 · PASS

• PR: chore(deps): npm audit fix — close qs DoS + 3 dev-chain advisories #100 · fs-packages
• AC anchor: none
• Reviewers run: Acceptance, Simplicity, Surface, Silent failures skipped — no triggers, Efficiency skipped — no triggers
• Acceptance: SKIP
• Simplicity: PASS · 10/10
• Surface: PASS · 9/10

Findings

• none — all reviewers clean

Action

merge-ready

[jasperboerhof]

Auto-approved by /review-open-prs — review verdict is PASS. See the verdict comment for the per-reviewer breakdown.