chore(ui): update dependency qs to v6.15.2 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
qs	pnpm.overrides	minor	6.14.2 → 6.15.2

---

qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set

CVE-2026-8723 / GHSA-q8mj-m7cp-5q26

More information

Details

Summary

qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options (skipNulls, strictNullHandling).

Details

In the comma + encodeValuesOnly branch, lib/stringify.js:145 mapped the array through the raw encoder before joining:

obj = utils.maybeMap(obj, encoder);

utils.encode (lib/utils.js:195) reads str.length with no null guard, so a null or undefined element throws TypeError. skipNulls and strictNullHandling are both checked in the per-element loop below this line and never get a chance to run.

Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + encodeValuesOnly branch was introduced in 4c4b23d ("encode comma values more consistently", PR #​463, 2023-01-19), first released in v6.11.1.

PoC

const qs = require('qs');

qs.stringify({ a: [null, 'b'] },      { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [null] },           { arrayFormat: 'comma', encodeValuesOnly: true });
// TypeError: Cannot read properties of null (reading 'length')
//     at encode (lib/utils.js:195:13)
//     at Object.maybeMap (lib/utils.js:322:37)
//     at stringify (lib/stringify.js:145:25)

Fix

lib/stringify.js:145, applied in 21f80b3 on main:

- obj = utils.maybeMap(obj, encoder);
+ obj = utils.maybeMap(obj, function (v) {
+     return v == null ? v : encoder(v);
+ });

null and undefined now pass through maybeMap unchanged and reach the join(',') step as-is. For { a: [null, 'b'] } this produces a=,b, matching the non-encodeValuesOnly comma path (which already joins before encoding and produces a=%2Cb for the same input). Single-element [null] arrays still collapse via the existing obj.join(',') || null and remain subject to skipNulls / strictNullHandling in the main loop.

Affected versions

>=6.11.1 <=6.15.1

The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + encodeValuesOnly path differently (joining before encoding) and are not affected. Empirically verified across released versions.

Impact

Application code that calls qs.stringify with both arrayFormat: 'comma' and encodeValuesOnly: true (both non-default) on input that may contain a null or undefined array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.

The vulnerable input is a null or undefined entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal null).

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
• https://nvd.nist.gov/vuln/detail/CVE-2026-8723
• https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41
• https://github.com/advisories/GHSA-q8mj-m7cp-5q26

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

ljharb/qs (qs)

v6.15.2

Compare Source

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#​555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#​554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#​551)
• [Fix] parse: handle nested bracket groups and add regression tests (#​530)
• [readme] fix grammar (#​550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

v6.15.1

Compare Source

• [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
• [Deps] update @ljharb/eslint-config
• [Dev Deps] update @ljharb/eslint-config, iconv-lite
• [Tests] increase coverage

v6.15.0

Compare Source

• [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#​425, #​122)
• [Fix] duplicates option should not apply to bracket notation keys (#​514)

---

Configuration

📅 Schedule: (in timezone Europe/Madrid)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: ui/pnpm-lock.yaml

Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 29, reused 0, downloaded 0, added 0
Progress: resolved 52, reused 0, downloaded 0, added 0
Progress: resolved 68, reused 0, downloaded 0, added 0
Progress: resolved 78, reused 0, downloaded 0, added 0
Progress: resolved 88, reused 0, downloaded 0, added 0
Progress: resolved 102, reused 0, downloaded 0, added 0
 ERR_PNPM_TRUST_DOWNGRADE  High-risk trust downgrade for "next-auth@5.0.0-beta.30" (possible package takeover)

This error happened while installing a direct dependency of /tmp/renovate/repos/github/prowler-cloud/prowler/ui

Trust checks are based solely on publish date, not semver. A package cannot be installed if any earlier-published version had stronger trust evidence. Earlier versions had provenance attestation, but this version has no trust evidence. A trust downgrade may indicate a supply chain incident.

[github-actions]

⚠️ Changes detected in the following folders without a corresponding update to the CHANGELOG.md:

• ui

Please add an entry to the corresponding CHANGELOG.md file to maintain a clear history of changes.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.