Conversation

@UlisesGascon
Member

Port for #6969

@UlisesGascon UlisesGascon marked this pull request as ready for review January 4, 2026 10:52
@UlisesGascon UlisesGascon self-assigned this Jan 5, 2026
@UlisesGascon UlisesGascon merged commit efe85d9 into 4.x Jan 5, 2026
53 checks passed
@sergio-tao

Well done!
Is there going to be a new release (5.2.2?) with this dependency fix? 😁

@gabrieel1007
Contributor

@sergio-tao
Good question!
Actually, everything about this is covered in PR #6969 — you can check the details there.

@serhalp

serhalp commented Jan 8, 2026

Hello! Is there a 4.x release planned that will include this fix soon? Thanks!

@jaenster

Could we please have a patch version for Express containing this?

@jonchurch
Member

jonchurch commented Jan 12, 2026

@serhalp @jaenster
Speaking for myself, I'm not currently planning a patch release specifically for this.

A fresh npm install already resolves to secure versions, and a patch release wouldn't change your remediation steps or silence Dependabot alerts. You'd still need to update your lockfile either way.

To update: npm update qs body-parser

(The body-parser update may not be needed depending on your version, but older versions of body-parser had qs pinned so it's good to include.)

It occurs to me though that I may be too used to managing dependencies this way to understand why others want to solve it with a patch release. Why do you ask for a patch release? Is there something causing you pain here that a patch would solve? Tooling yelling at you?

7 participants