build(deps): bump qs from 6.15.1 to 6.15.2 #224

Merged: steipete merged 1 commit into main from dependabot/npm_and_yarn/qs-6.15.2 on May 23, 2026
@dependabot dependabot Bot commented on behalf of github May 23, 2026

Bumps qs from 6.15.1 to 6.15.2.

Changelog

Sourced from qs's changelog.

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

Commits

  • 9aca407 v6.15.2
  • 5e33d33 [Dev Deps] update @ljharb/eslint-config
  • 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
  • a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
  • e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
  • 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
  • 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
  • 96755ab [readme] fix grammar
  • a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [qs](https://github.com/ljharb/qs) from 6.15.1 to 6.15.2.
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.15.1...v6.15.2)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot added labels May 23, 2026: dependencies (Pull requests that update a dependency file); javascript (Pull requests that update javascript code)

clawsweeper Bot commented May 23, 2026

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-23 14:56 UTC / May 23, 2026, 10:56 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR updates pnpm-lock.yaml to resolve qs 6.15.2 under the existing ^6.15.1 dependency range, with related lockfile resolutions for es-object-atoms 1.1.2 and postcss 8.5.15.

Reproducibility: not applicable. This PR updates dependency resolution rather than reporting a runtime bug. The relevant checks are diff scope, lockfile integrity, and hosted CI status.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: Routine lockfile-only dependency patch with matching registry metadata, green checks, and no review findings.

Rank-up moves:

  • none

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: This is a Dependabot bot PR, so the external contributor real-behavior-proof gate does not apply; hosted checks are the relevant validation signal.

Risk before merge

  • The lockfile refresh includes postcss and es-object-atoms alongside qs, so maintainers should review it as a small dependency resolution update rather than a single package tarball change.

Maintainer options:

  1. Decide the mitigation before merge
    Merge the narrow Dependabot lockfile update after ordinary maintainer dependency review.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge
No repair lane is needed; the PR has no actionable code or docs defect and is ready for ordinary maintainer dependency review.

Security
Cleared: The diff changes only dependency resolution metadata, registry integrities match the updated lockfile entries, and the GitGuardian check is green.

Review details

Best possible solution:

Merge the narrow Dependabot lockfile update after ordinary maintainer dependency review.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this PR updates dependency resolution rather than reporting a runtime bug. The relevant checks are diff scope, lockfile integrity, and hosted CI status.

Is this the best way to solve the issue?

Yes; resolving the lockfile under the existing semver range is the narrowest maintainable way to take qs 6.15.2. No code or manifest change is needed for this patch update.

Label justifications:

  • P3: This is a routine dependency patch update with limited blast radius and green hosted checks.
  • rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Routine lockfile-only dependency patch with matching registry metadata, green checks, and no review findings.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot PR, so the external contributor real-behavior-proof gate does not apply; hosted checks are the relevant validation signal.

What I checked:

  • Manifest range already allows the update: package.json declares qs as a direct production dependency with specifier ^6.15.1; the PR does not need a manifest change to resolve 6.15.2. (package.json:79, e0cfed0c449d)
  • PR diff is lockfile-only: The GitHub patch for head 1a133ff2dafba081a18ed1d7ed70401ec882f912 changes only pnpm-lock.yaml, updating qs, es-object-atoms, and postcss lockfile entries and snapshots. (pnpm-lock.yaml:72, 1a133ff2dafb)
  • Registry integrity matches qs: The npm registry reports qs@6.15.2 with the same sha512-Rzq0... integrity used by the PR lockfile entry and an engine range of >=0.6. (pnpm-lock.yaml:2285, 1a133ff2dafb)
  • Registry integrity matches transitive refreshes: The npm registry integrities for postcss@8.5.15 and es-object-atoms@1.1.2 match the lockfile values in the PR, and their engine ranges remain compatible with this package's Node support. (pnpm-lock.yaml:1536, 1a133ff2dafb)
  • Hosted checks are green: GitHub check-runs for the PR head show successful Ubuntu, macOS, Windows builds, and GitGuardian Security Checks. (1a133ff2dafb)
  • Relevant package history: git blame ties the current package and lockfile baseline to release commit abb7c9a7d9c8b5cd1eab48141dc362da4ef50a17; GitHub metadata also shows recent dependency PR build(deps): bump the dependencies group with 13 updates #209 was merged by steipete. (package.json:79, abb7c9a7d9c8)

Likely related people:

  • steipete: GitHub commit metadata maps the current package/lockfile baseline release commit to steipete, and the recent dependency group PR touching the same files was merged by steipete. (role: recent package and dependency area contributor; confidence: high; commits: abb7c9a7d9c8, 59c5d9964c29; files: package.json, pnpm-lock.yaml)
  • dependabot[bot]: A recent merged dependency group commit from Dependabot touched package.json and pnpm-lock.yaml, matching this PR's dependency-maintenance path beyond merely opening this PR. (role: dependency automation contributor; confidence: medium; commits: 59c5d9964c29; files: package.json, pnpm-lock.yaml)

Codex review notes: model gpt-5.5, reasoning high; reviewed against e0cfed0c449d.

@clawsweeper clawsweeper Bot added labels May 23, 2026: rating: 🐚 platinum hermit (Good normal PR readiness with ordinary maintainer review expected.); status: 👀 ready for maintainer look (ClawSweeper has no concrete contributor-facing blocker left for this PR.); P3 (Low-risk cleanup, docs, polish, ergonomics, or speculative feature.)
@steipete steipete merged commit 7c8b483 into main May 23, 2026
4 checks passed
@steipete steipete deleted the dependabot/npm_and_yarn/qs-6.15.2 branch May 23, 2026 19:09