chore: upgrade qs to ^6.15.2 to address CVE-2026-8723

[brendan-kellam]

Fixes SOU-1186

Upgrades the transitive qs dependency from 6.15.0 to 6.15.2 to address CVE-2026-8723 (qs.stringify DoS/TypeError). qs is pulled in via gitbeaker, express, azure-devops-node-api, and the MCP SDK. The existing ^6.14.2 resolution already admits the patched version, so this is a yarn.lock refresh only (yarn up -R qs) with no package.json change. yarn why qs --recursive confirms every instance now resolves to 6.15.2.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Upgraded qs dependency to version ^6.14.2 for improved stability and security.
  • Retained the existing protobufjs upgrade entry in the changelog.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c2d22011-a7fb-48de-9132-b8d92d30bf75

📥 Commits

Reviewing files that changed from the base of the PR and between 46d5354 and d68b105.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• CHANGELOG.md

✅ Files skipped from review due to trivial changes (1)

• CHANGELOG.md

---

Walkthrough

This PR adds one changelog bullet under "Unreleased" → "Fixed" documenting an upgrade of the qs dependency to ^6.14.2 with a reference to PR #1282.

Changes

Dependency Update Documentation

Layer / File(s)	Summary
qs upgrade changelog entry CHANGELOG.md	Added a changelog bullet documenting the qs dependency upgrade to ^6.14.2 in the Unreleased Fixed section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Possibly related PRs

• sourcebot-dev/sourcebot#954: Adds a CHANGELOG bullet about upgrading qs to ^6.14.2.

Suggested reviewers

• msukkari

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title references upgrading qs to ^6.15.2 to address CVE-2026-8723, but the raw summary shows the changelog entry lists qs at ^6.14.2, creating a discrepancy between the stated version in the title and the actual version documented.	Clarify whether the upgrade is to ^6.15.2 (as stated in title) or ^6.14.2 (as shown in changelog), and ensure the title accurately reflects the actual version being upgraded to in the changeset.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/cve/qs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 12: Update the CHANGELOG entry that currently reads "Upgraded `qs` to
`^6.15.2`." so the version matches the project's dependency specification;
change it to either "Upgraded `qs` to `^6.14.2`." to reflect the package.json
resolutions or "Upgraded `qs` to `6.15.2`." to reflect the yarn.lock resolved
version—use the resolution spec (`^6.14.2`) per project guidelines if unsure;
locate the string "Upgraded `qs` to `^6.15.2`." in CHANGELOG.md and replace it
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 96339f96-8e60-4be8-8cfc-d5767dba0124

📥 Commits

Reviewing files that changed from the base of the PR and between 4c9dfe0 and 46d5354.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• CHANGELOG.md

[github-actions]

License Audit

❌ Status: FAIL

Metric	Count
Total packages	2133
Resolved (non-standard)	19
Unresolved	1
Strong copyleft	0
Weak copyleft	38

Fail Reasons

• 1 package has an unresolvable license: element-source (no license metadata, repository, homepage, README, or LICENSE file could be found)

Unresolved Packages

Package	Version	License	Reason
element-source	0.0.3	UNKNOWN	No license field in npm registry metadata; package has no repository, homepage, README, or discoverable LICENSE file. Only signal is shared maintainer (abai), which is insufficient to authoritatively determine the license.

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.0.5	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-wasm32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
axe-core	4.10.3	MPL-2.0
lightningcss	1.32.0	MPL-2.0
lightningcss-android-arm64	1.32.0	MPL-2.0
lightningcss-darwin-arm64	1.32.0	MPL-2.0
lightningcss-darwin-x64	1.32.0	MPL-2.0
lightningcss-freebsd-x64	1.32.0	MPL-2.0
lightningcss-linux-arm-gnueabihf	1.32.0	MPL-2.0
lightningcss-linux-arm64-gnu	1.32.0	MPL-2.0
lightningcss-linux-arm64-musl	1.32.0	MPL-2.0
lightningcss-linux-x64-gnu	1.32.0	MPL-2.0
lightningcss-linux-x64-musl	1.32.0	MPL-2.0
lightningcss-win32-arm64-msvc	1.32.0	MPL-2.0
lightningcss-win32-x64-msvc	1.32.0	MPL-2.0

Resolved Packages (19)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.23	UNKNOWN	MIT	GitHub repo aidenybai/react-grab (packages/cli) - MIT LICENSE detected via GitHub API
@react-grab/cli	0.1.29	UNKNOWN	MIT	GitHub repo aidenybai/react-grab (packages/cli) - MIT LICENSE detected via GitHub API
@react-grab/mcp	0.1.29	UNKNOWN	MIT	@react-grab npm scope owned by same author/maintainer (abai); canonical monorepo aidenybai/react-grab is MIT-licensed
codemirror-lang-elixir	4.0.0	UNKNOWN	Apache-2.0	GitHub repo livebook-dev/codemirror-lang-elixir - Apache-2.0 LICENSE detected via GitHub API
lezer-elixir	1.1.2	UNKNOWN	Apache-2.0	GitHub repo livebook-dev/lezer-elixir - Apache-2.0 LICENSE detected via GitHub API
map-stream	0.1.0	UNKNOWN	MIT	GitHub repo dominictarr/map-stream - MIT LICENCE detected via GitHub API
memorystream	0.3.1	UNKNOWN	MIT	GitHub repo JSBizon/node-memorystream - MIT LICENSE detected via GitHub API
valid-url	1.0.9	UNKNOWN	MIT	GitHub repo ogt/valid-url - LICENSE file text explicitly states the MIT license
posthog-js	1.369.0	SEE LICENSE IN LICENSE	Apache-2.0	GitHub repo PostHog/posthog-js - LICENSE file is the Apache License 2.0
pause-stream	0.0.11	["MIT","Apache2"] (array)	(MIT OR Apache-2.0)	Extracted from license array; GitHub repo dominictarr/pause-stream LICENSE confirms dual MIT and Apache 2 licensing
@sentry/cli	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)
@sentry/cli-darwin	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)
@sentry/cli-linux-arm	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)
@sentry/cli-linux-arm64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)
@sentry/cli-linux-i686	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)
@sentry/cli-linux-x64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)
@sentry/cli-win32-arm64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)
@sentry/cli-win32-i686	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)
@sentry/cli-win32-x64	2.58.5	FSL-1.1-MIT	FSL-1.1-MIT	Recognized non-SPDX-registered identifier: Functional Source License 1.1 with MIT future grant (not OSI/copyleft)

[github-actions]

@brendan-kellam your pull request is missing a changelog!