From 5d66d1f575de24ca2f5f2b84a65a692e0d3e9665 Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Thu, 11 Jun 2026 22:29:52 -0600
Subject: [PATCH] fix(deps): force qs >= 6.15.2 to resolve DoS advisory

express 4 pins qs to ~6.14.0, which falls in the vulnerable range of GHSA-q8mj-m7cp-5q26 (remotely triggerable TypeError in qs.stringify). Add an npm override so the transitive dependency resolves to the patched 6.15.2.
---
 package-lock.json | 6 +++---
 package.json | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 3a41f4e..86a0bf8 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1915,9 +1915,9 @@
 }
 },
 "node_modules/qs": {
- "version": "6.14.2",
- "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
- "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
+ "version": "6.15.2",
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz",
+ "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==",
 "license": "BSD-3-Clause",
 "dependencies": {
 "side-channel": "^1.1.0"
diff --git a/package.json b/package.json
index 833f264..b55fc9b 100644
--- a/package.json
+++ b/package.json
@@ -21,6 +21,9 @@
 "devDependencies": {
 "nodemon": "^3.1.0"
 },
+ "overrides": {
+ "qs": "^6.15.2"
+ },
 "engines": {
 "node": ">=20"
 }
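Review bot: The `overrides` entry added in the package.json hunk records no condition for its removal, and package.json cannot carry a comment, so the only statement of why `qs` is forced lives in this commit message. A one-line README or CHANGELOG note saying the override stays until express's own qs range reaches 6.15.2 would keep a later dependency upgrade from either dropping it too early or carrying it indefinitely after it stops mattering. The caret range `"qs": "^6.15.2"` is the right shape here: it floats over later 6.x patch releases, whereas an exact pin would need editing on every qs release. The package-lock.json hunk is consistent with the override, resolving qs to 6.15.2 with a matching tarball URL; the integrity hash was not checked against the registry in this review.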