Branch fix/npm-audit-vulnerabilities · Unblocks #1951, #1955 (and any future PR blocked by main npm-audit CI failure)
One transitive dep bumped. Five lines of package-lock.json. No application code touched.
test-npm-audit.sh in the Security Tests CI suite started failing on every PR after the qs advisory landed in the GitHub Advisory Database. #1953 ("remove stale pnpm-lock.yaml") cleared 3 prior Dependabot alerts but didn't catch this one because qs is a transitive dep, not a direct one.
Affected open PRs blocked by the same red check:
GHSA-q8mj-m7cp-5q26 · CVSS 5.3 · CWE-476 (NULL pointer deref)
qs >=6.11.1 <=6.15.1 — qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set. DoS surface for any handler that calls qs.stringify on untrusted user-supplied data.
Fix: bump to 6.15.2 (or later). Done via npm audit fix --package-lock-only.
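An added example, not part of this PR or the project's CI: a dependency-free check that walks the `packages` map of a lockfile v2/v3 `package-lock.json` and reports every installed copy of qs, direct or nested under another package, whose version falls in the advisory's range. The sample lockfile and the package names `pkg-a` and `pkg-b` are constructed.

```javascript
// Affected range copied from the advisory text above: qs >=6.11.1 <=6.15.1.
const AFFECTED = { min: [6, 11, 1], max: [6, 15, 1] };

// Parse the leading "x.y.z" of a version string into numbers (prerelease
// tags are ignored). Returns null if there is no numeric triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ""));
  return m ? m.slice(1).map(Number) : null;
}

// Three-way compare of two numeric triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null &&
    compareVersions(v, AFFECTED.min) >= 0 &&
    compareVersions(v, AFFECTED.max) <= 0;
}

// Lockfile v2/v3 keys each installed copy by its install path, so a
// transitive copy appears as ".../node_modules/<parent>/node_modules/qs".
function findAffectedQs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/qs" && !path.endsWith("/node_modules/qs")) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: hoisted copy already fixed, one nested copy still in
// range, one nested copy older than the range. pkg-a/pkg-b are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/qs": { version: "6.15.2" },
    "node_modules/pkg-a/node_modules/qs": { version: "6.13.0" },
    "node_modules/pkg-b/node_modules/qs": { version: "6.10.3" },
  },
};

console.log(findAffectedQs(sampleLock));
```

To run it against a real lockfile, pass the parsed JSON of `package-lock.json` to `findAffectedQs`; an empty result means no installed copy is in the affected range.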