chore: resolve open dependabot security alerts #4
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Code Review
This pull request updates the qs dependency to version 6.15.2 and introduces a version override in package.json to address security vulnerabilities. The reviewer suggests using a caret range (^6.15.2) instead of >=6.15.2 for the override to prevent potential breaking changes from future major version upgrades while still receiving security patches and minor updates.
| "typescript": "~5.9.0" | ||
| }, | ||
| "overrides": { | ||
| "qs": ">=6.15.2" |
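Review bot: the hunk only touches package.json, but an `overrides` entry takes effect only when npm re-resolves the tree, so package-lock.json needs to be regenerated in the same change and the result confirmed with `npm ls qs` (every nested copy under body-parser should report 6.15.2 or later). Note also that `overrides` is honoured by npm only; Yarn reads `resolutions` and pnpm reads `pnpm.overrides`, so an install with either of those would still pull the vulnerable `qs` unless the equivalent field is added.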
Using >=6.15.2 for the override is effective for resolving the security alert, but it allows for potential automatic upgrades to future major versions (e.g., 7.0.0). Since qs major versions often include breaking changes in how query strings are parsed or stringified, it is safer to use a caret range like ^6.15.2. This ensures you get security patches and minor updates within the version 6 ecosystem while maintaining API compatibility.
| "qs": ">=6.15.2" | |
| "qs": "^6.15.2" |
Summary
overrides for `qs` to `>=6.15.2` to fix transitive moderate vulnerability (alert #98) — DoS in `qs.stringify` on null/undefined entries in comma-format arrays. `qs` comes in transitively via `@angular/cli` -> `@modelcontextprotocol/sdk` -> `express`/`body-parser` and via `karma` -> `body-parser`.
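A check a reviewer would want before merging, added here as an example and not part of the PR or the project's code: walk the `packages` map of a lockfileVersion 2/3 package-lock.json, find every resolved copy of `qs` (hoisted or nested under a dependent such as body-parser), and report any that are still below the override floor. The same tiny semver helper also shows the difference the review comment raises: `>=6.15.2` admits a hypothetical 7.0.0, `^6.15.2` does not. The two lockfiles and the nested path under `karma` are constructed for the demo.

```javascript
// Added example (not the PR's own code): audit resolved `qs` versions in a
// package-lock.json against the override floor, and compare the two range
// semantics discussed in the review (`>=6.15.2` vs `^6.15.2`).

const MIN_QS = "6.15.2"; // floor taken from the override in package.json

// Minimal semver parsing: major.minor.patch only (prerelease/build tags are
// ignored here, which is fine for release versions of qs).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparsable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// `>=X.Y.Z`: any version at or above the floor, including a future major.
function satisfiesGte(version, floor) {
  return compareVersions(version, floor) >= 0;
}

// `^X.Y.Z` (X > 0): same major as the floor and at or above it.
function satisfiesCaret(version, floor) {
  return (
    parseVersion(version)[0] === parseVersion(floor)[0] &&
    satisfiesGte(version, floor)
  );
}

// Collect every lockfile entry whose path is a `qs` package directory,
// whether hoisted (node_modules/qs) or nested under some dependent.
function findQsEntries(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/qs" || path.endsWith("/node_modules/qs")) {
      out.push({ path, version: meta.version });
    }
  }
  return out;
}

// Returns the entries that do NOT satisfy the floor; an empty list means the
// override has been applied to every copy in the tree.
function auditLock(lock, floor, satisfies = satisfiesGte) {
  return findQsEntries(lock).filter((e) => !satisfies(e.version, floor));
}

// Constructed lockfile: the hoisted copy was bumped, but a nested copy under
// karma's body-parser was never re-resolved (lockfile not regenerated).
const STALE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/qs": { version: "6.15.2" },
    "node_modules/karma/node_modules/body-parser/node_modules/qs": {
      version: "6.13.0",
    },
  },
};

// Constructed lockfile after `npm install` with the override in place:
// a single hoisted copy at the floor version.
const FIXED_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/qs": { version: "6.15.2" },
  },
};

console.log("stale lockfile, copies below floor:", auditLock(STALE_LOCK, MIN_QS));
console.log("fixed lockfile, copies below floor:", auditLock(FIXED_LOCK, MIN_QS));
console.log(">=6.15.2 accepts 7.0.0:", satisfiesGte("7.0.0", MIN_QS));
console.log("^6.15.2 accepts 7.0.0:", satisfiesCaret("7.0.0", MIN_QS));
```

To run it against a real tree, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock` and fail CI when the returned list is non-empty; `npm ls qs` gives the same answer interactively, but the lockfile walk is what catches a nested copy that was never re-resolved.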