Update npm package qs to v6.15.2 [SECURITY] #8744

Closed
hash-worker[bot] wants to merge 1 commit into main from deps/js/npm-qs-vulnerability

@hash-worker hash-worker Bot commented May 22, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
qs | 6.14.2 → 6.15.2 | age | confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-8723

Summary

qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options (skipNulls, strictNullHandling).

Details

In the comma + encodeValuesOnly branch, lib/stringify.js:145 mapped the array through the raw encoder before joining:

obj = utils.maybeMap(obj, encoder);

utils.encode (lib/utils.js:195) reads str.length with no null guard, so a null or undefined element throws TypeError. skipNulls and strictNullHandling are both checked in the per-element loop below this line and never get a chance to run.

Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + encodeValuesOnly branch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1.

PoC

const qs = require('qs');

qs.stringify({ a: [null, 'b'] },      { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [null] },           { arrayFormat: 'comma', encodeValuesOnly: true });
// TypeError: Cannot read properties of null (reading 'length')
//     at encode (lib/utils.js:195:13)
//     at Object.maybeMap (lib/utils.js:322:37)
//     at stringify (lib/stringify.js:145:25)

Fix

lib/stringify.js:145, applied in 21f80b3 on main:

- obj = utils.maybeMap(obj, encoder);
+ obj = utils.maybeMap(obj, function (v) {
+     return v == null ? v : encoder(v);
+ });
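
Review bot: In the added callback, `v == null` depends on loose equality to cover both null and undefined, and nothing on the line says so. A later tidy-up to `=== null` would send undefined back into encoder(v), so a short comment stating that the loose comparison is intentional would protect the fix.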

null and undefined now pass through maybeMap unchanged and reach the join(',') step as-is. For { a: [null, 'b'] } this produces a=,b, matching the non-encodeValuesOnly comma path (which already joins before encoding and produces a=%2Cb for the same input). Single-element [null] arrays still collapse via the existing obj.join(',') || null and remain subject to skipNulls / strictNullHandling in the main loop.

Affected versions

>=6.11.1 <=6.15.1

The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + encodeValuesOnly path differently (joining before encoding) and are not affected. Empirically verified across released versions.

Impact

Application code that calls qs.stringify with both arrayFormat: 'comma' and encodeValuesOnly: true (both non-default) on input that may contain a null or undefined array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.

The vulnerable input is a null or undefined entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal null).


Release Notes

ljharb/qs (qs)

v6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

v6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

v6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
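
An added example, not part of the Renovate comment or the qs source: a simplified model of the comma + encodeValuesOnly branch described in the advisory above, showing the pre-fix throw, the patched behaviour, and a hypothetical call-site guard (`blankNullArrayEntries`) for code that cannot upgrade yet. `encode`, `maybeMap` and the other function names here are stand-ins assumed for illustration.

```javascript
// Added illustration: simplified stand-ins, not the qs source.
// Stand-in encoder: like the utils.encode described in the advisory,
// it reads str.length with no null guard.
function encode(str) {
    return str.length === 0 ? str : encodeURIComponent(str);
}

// Stand-in for utils.maybeMap.
function maybeMap(val, fn) {
    return Array.isArray(val) ? val.map(fn) : fn(val);
}

// Pre-fix shape of the comma + encodeValuesOnly branch.
function commaVulnerable(arr) {
    return maybeMap(arr, encode).join(',') || null;
}

// Post-fix shape: null/undefined skip the encoder and join as ''.
function commaPatched(arr) {
    return maybeMap(arr, function (v) {
        return v == null ? v : encode(v);
    }).join(',') || null;
}

// Hypothetical call-site guard for code that cannot upgrade yet:
// replace null/undefined array entries with '' at any depth of
// arrays and plain objects, leaving every other value untouched.
function blankNullArrayEntries(value) {
    if (Array.isArray(value)) {
        return value.map(function (v) {
            return v == null ? '' : blankNullArrayEntries(v);
        });
    }
    if (value && Object.getPrototypeOf(value) === Object.prototype) {
        var out = {};
        Object.keys(value).forEach(function (k) {
            out[k] = blankNullArrayEntries(value[k]);
        });
        return out;
    }
    return value;
}

// Returns the joined value, or the error name when the call throws.
function attempt(fn, arr) {
    try { return fn(arr); } catch (e) { return e.name; }
}
```

In this model, guarding the input before the pre-fix branch gives the same joined value as the patched branch, including the single-element `[null]` case that collapses to `null`.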

@hash-worker hash-worker Bot enabled auto-merge May 22, 2026 18:50

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hash Error Error May 22, 2026 6:51pm
hashdotdesign-tokens Error Error May 22, 2026 6:51pm
petrinaut Error Error Comment May 22, 2026 6:51pm

hash-worker Bot commented May 22, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
error This project's package.json defines "packageManager": "yarn@4.12.0". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.

cursor Bot commented May 22, 2026

PR Summary

Low Risk
Low risk dependency bump limited to qs patch/minor updates; primary risk is subtle behavior changes in querystring parse/stringify affecting edge cases.

Overview
Bumps the pinned qs version in root package.json resolutions from 6.14.2 to 6.15.2, pulling in upstream fixes (including the security advisory crash fix in qs.stringify for arrayFormat: 'comma' + encodeValuesOnly).

Reviewed by Cursor Bugbot for commit be0a36e. Bugbot is set up for automated code reviews on this repo. Configure here.

augmentcode Bot commented May 22, 2026

🤖 Augment PR Summary

Summary: Updates the Yarn resolution for qs from 6.14.2 to 6.15.2 to address CVE-2026-8723.
Changes:

  • Adjusts the root package.json resolutions entry to force qs@6.15.2 across the monorepo.

🤖 Was this summary useful? React with 👍 or 👎

@augmentcode augmentcode Bot left a comment

Review completed. 1 suggestion posted.

Comment augment review to trigger a new review at any time.

Comment thread package.json
"prosemirror-view@npm:^1.1.0": "patch:prosemirror-view@npm%3A1.29.1#~/.yarn/patches/prosemirror-view-npm-1.29.1-ff37db4eea.patch",
"prosemirror-view@npm:^1.27.0": "patch:prosemirror-view@npm%3A1.29.1#~/.yarn/patches/prosemirror-view-npm-1.29.1-ff37db4eea.patch",
"qs": "6.14.2",
"qs": "6.15.2",

@augmentcode augmentcode Bot May 22, 2026

qs is bumped in resolutions, but yarn.lock still pins qs@npm:6.14.2, so installs (especially with immutable installs) may continue using the vulnerable version or fail due to a lock mismatch. It’d be good to ensure the lockfile/artifacts reflect qs@6.15.2 as well.

Severity: medium

Other Locations
  • yarn.lock:39620

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
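
An added example, not from the PR or from Renovate: a check that the lockfile actually resolves qs outside the advisory's affected range (>=6.11.1 <=6.15.1) and agrees with the resolutions pin, which is the gap the review comment above points at. It assumes Yarn Berry lock entries of the form `resolution: "qs@npm:<version>"`; the function names and the sample lockfile are constructed.

```javascript
// Added illustration. Affected range from the advisory: >=6.11.1 <=6.15.1.
var AFFECTED_MIN = [6, 11, 1];
var AFFECTED_MAX = [6, 15, 1];

function parseVersion(v) {
    var m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
    return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
    for (var i = 0; i < 3; i++) {
        if (a[i] !== b[i]) { return a[i] < b[i] ? -1 : 1; }
    }
    return 0;
}

// Versions that do not parse as x.y.z are flagged for manual review.
function isAffected(version) {
    var v = parseVersion(version);
    if (!v) { return true; }
    return compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
}

// Assumed Yarn Berry entry shape: resolution: "qs@npm:<version>"
function lockedQsVersions(lockText) {
    var re = /^\s*resolution:\s*"qs@npm:([^"]+)"\s*$/gm;
    var found = [], m;
    while ((m = re.exec(lockText)) !== null) { found.push(m[1]); }
    return found;
}

// Compare the package.json resolutions pin with what the lockfile holds.
function auditQs(pinned, lockText) {
    var locked = lockedQsVersions(lockText);
    return {
        locked: locked,
        affected: locked.filter(isAffected),
        lockMatchesPin: locked.length > 0 &&
            locked.every(function (v) { return v === pinned; })
    };
}

// Constructed sample: a lockfile left stale after a failed artifact update.
var STALE_LOCK = [
    '"qs@npm:6.14.2":',
    '  version: 6.14.2',
    '  resolution: "qs@npm:6.14.2"'
].join('\n');
```

`auditQs('6.15.2', STALE_LOCK)` reports `6.14.2` as affected and `lockMatchesPin: false`, the state a CI gate should fail on before merging a bump like this one.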

@hash-worker hash-worker Bot closed this May 23, 2026
auto-merge was automatically disabled May 23, 2026 11:12

Pull request was closed

@hash-worker hash-worker Bot deleted the deps/js/npm-qs-vulnerability branch May 23, 2026 11:12

hash-worker Bot commented May 23, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (6.15.2). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Labels

area/deps Relates to third-party dependencies (area)
