qs DoS Fix — GHSA-q8mj-m7cp-5q26

Branch fix/npm-audit-vulnerabilities · Unblocks #1951, #1955 (and any future PR blocked by main npm-audit CI failure)

Before / After

before:    moderate 1 · high 0 · critical 0
after fix: 0

The change

- "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.0.tgz"
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz"
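Review bot: the hunk shows only the resolved URL moving from qs-6.15.0.tgz to qs-6.15.2.tgz, while the description says five lock-file lines changed; confirm the version and integrity fields of the same entry moved with it, and because qs is a transitive dependency here, check that no second nested node_modules/<parent>/node_modules/qs entry still pins 6.15.0 (npm ls qs lists every installed copy), otherwise the audit check stays red after merge.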

One transitive dep bumped. Five lines of package-lock.json. No application code touched.

Why this matters now

test-npm-audit.sh in the Security Tests CI suite started failing on every PR after the qs advisory landed in the GitHub Advisory Database. #1953 ("remove stale pnpm-lock.yaml") cleared 3 prior dependabot alerts but didn't catch this one because qs is a transitive dep, not a direct one.
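Because qs entered the tree transitively, the check worth having is one that walks every node_modules path in package-lock.json rather than only the top-level entry. The following is an added example, not code from this PR, the project's CI or the qs project; it assumes a lockfileVersion 2 or 3 file (a "packages" map keyed by install path) and uses the affected range stated in the advisory detail below. The sample lock object and the parent package name "some-dep" are constructed for the example.

```javascript
// Added example (not part of this PR): scan a package-lock.json object for
// every copy of qs, direct or nested, whose version falls in the affected range.

// Affected range from GHSA-q8mj-m7cp-5q26: >=6.11.1 <=6.15.1
const QS_AFFECTED_MIN = [6, 11, 1];
const QS_AFFECTED_MAX = [6, 15, 1];

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are ignored (assumption).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedQsVersion(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, QS_AFFECTED_MIN) >= 0 && compareVersions(v, QS_AFFECTED_MAX) <= 0;
}

// Walk the "packages" map (lockfileVersion 2/3). Keys look like
// "node_modules/qs" or "node_modules/<parent>/node_modules/qs".
function findVulnerableQs(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isQs = path === 'node_modules/qs' || path.endsWith('/node_modules/qs');
    if (isQs && entry && isAffectedQsVersion(entry.version)) {
      hits.push({ path, version: entry.version, resolved: entry.resolved || null });
    }
  }
  return hits;
}

// Constructed sample lock: the top-level qs is already fixed, but a nested copy
// under a hypothetical parent "some-dep" still pins 6.15.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/qs': {
      version: '6.15.2',
      resolved: 'https://registry.npmjs.org/qs/-/qs-6.15.2.tgz',
    },
    'node_modules/some-dep': { version: '1.0.0' },
    'node_modules/some-dep/node_modules/qs': {
      version: '6.15.0',
      resolved: 'https://registry.npmjs.org/qs/-/qs-6.15.0.tgz',
    },
  },
};

// Usage: node scan.js; against a real file, replace SAMPLE_LOCK with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
for (const hit of findVulnerableQs(SAMPLE_LOCK)) {
  console.log(`affected qs ${hit.version} at ${hit.path}`);
}
```

A non-empty result from findVulnerableQs is the same condition that keeps test-npm-audit.sh red: a fixed top-level entry is not enough while a nested copy remains in range.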

Affected open PRs blocked by the same red check: #1951, #1955.

Advisory detail

GHSA-q8mj-m7cp-5q26 · CVSS 5.3 · CWE-476 (NULL pointer deref)

qs >=6.11.1 <=6.15.1 — qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set. DoS surface for any handler that calls qs.stringify on untrusted user-supplied data.
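The version bump is the fix; the defensive pattern for a handler that serializes untrusted input is to normalize the object before it reaches the stringifier and to turn a thrown error into a handled result instead of a crashed process. The block below is an added example, not code from this PR or from qs: stripNullishArrayEntries, findNullishArrayEntries and safeStringify are hypothetical helpers, and simulatedVulnerableStringify is a constructed stand-in that reproduces only the symptom the advisory describes (a TypeError on a null or undefined array entry under comma format with encodeValuesOnly), so the example runs without the real library.

```javascript
// Added example (not part of this PR or of qs): harden a handler that stringifies
// untrusted query objects against the null/undefined array-entry crash.

// Report dotted paths of every array slot holding null or undefined, so a
// handler can log or reject the request instead of serializing it.
function findNullishArrayEntries(value, path = '', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      const p = `${path}[${i}]`;
      if (item === null || item === undefined) out.push(p);
      else findNullishArrayEntries(item, p, out);
    });
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findNullishArrayEntries(v, path ? `${path}.${k}` : k, out);
    }
  }
  return out;
}

// Return a deep copy with nullish array entries removed (objects and nested
// arrays are copied; primitives are returned as-is).
function stripNullishArrayEntries(value) {
  if (Array.isArray(value)) {
    return value
      .filter((v) => v !== null && v !== undefined)
      .map(stripNullishArrayEntries);
  }
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = stripNullishArrayEntries(v);
    return out;
  }
  return value;
}

// Wrap any stringifier: sanitize first, and convert a thrown error into a
// result object the caller can map to a 400 instead of an unhandled exception.
function safeStringify(stringify, obj, opts) {
  try {
    return { ok: true, value: stringify(stripNullishArrayEntries(obj), opts) };
  } catch (err) {
    return { ok: false, error: err instanceof Error ? err.message : String(err) };
  }
}

// Constructed stand-in for the affected behaviour (NOT the qs implementation):
// comma-joins arrays and, with encodeValuesOnly set, calls a method on each
// entry without a null check, which throws TypeError on null/undefined.
function simulatedVulnerableStringify(obj, opts = {}) {
  return Object.entries(obj)
    .map(([key, val]) => {
      if (Array.isArray(val) && opts.arrayFormat === 'comma') {
        const parts = val.map((item) =>
          opts.encodeValuesOnly ? item.toString() : encodeURIComponent(String(item))
        );
        return `${key}=${parts.join(',')}`;
      }
      return `${key}=${encodeURIComponent(String(val))}`;
    })
    .join('&');
}

// Usage: a request body with a hole in an array, as an attacker-controlled
// input might carry, is serialized without crashing the process.
const UNTRUSTED = { tags: ['a', null, 'b'], page: 2 };
const OPTS = { arrayFormat: 'comma', encodeValuesOnly: true };
console.log(findNullishArrayEntries(UNTRUSTED));          // [ 'tags[1]' ]
console.log(safeStringify(simulatedVulnerableStringify, UNTRUSTED, OPTS));
```

findNullishArrayEntries is the detection half: logging its output per request gives a signal that someone is sending exactly the shape the advisory describes, which is worth alerting on even after the bump.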

Fix: bump to 6.15.2 (or later). Done via npm audit fix --package-lock-only.

Bundle context — this PR is one of a parallel cleanup sweep: brainstorm CC version-floor notes (#1951), visual-style pilot (#1955), watchdog SQL-backed (#1952, merged), pnpm-lock stale (#1953, merged). This PR is the unblocker for the remaining two.