Fast, unopinionated, minimalist web framework for node.
fix: bump qs minimum to ^6.14.2 for CVE-2026-2391 (#7057)
qs versions before 6.14.2 have an arrayLimit bypass in comma parsing that allows denial of service (GHSA-w7fw-mjwx-w883). While the existing ^6.14.1 semver range allows 6.14.2 on fresh installs, bumping the minimum ensures the vulnerable version cannot be resolved. Signed-off-by: davetashner <5702882+davetashner@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
D
Dave Tashner committed
925a1dff1e42f1b393c977b8b77757fcf633e09f
Parent: 9c85a25
Committed by GitHub <noreply@github.com>
on 2/22/2026, 3:11:08 AM