fix(deps): update dependency qs to v6.14.1 [security]#1069

Open

renovate[bot] wants to merge 1 commit into main from renovate/npm-qs-vulnerability

Conversation

@renovate renovate bot commented Jan 1, 2026

This PR contains the following updates:

Package: qs
Change: 6.14.0 → 6.14.1

GitHub Vulnerability Alerts

CVE-2025-15284

Summary

The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.

Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.

Details

The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}

Working code (lib/parse.js:175):

else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)

Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.

Impact

Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.


Release Notes

ljharb/qs (qs)

v6.14.1

Compare Source

  • [Fix] ensure arrayLength applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
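An added illustration, not code from this PR or from the qs project: a small hypothetical parser (`parseQuery`, with an assumed `enforceBracketLimit` switch) that models the advisory's `arrayLimit` and `parameterLimit` behaviour for both notations, so the pre-fix array growth, a uniform limit check and the `parameterLimit` cap can be compared on the same constructed input.

```javascript
// Added illustration, not the qs code base: a hypothetical query-string parser
// that models the arrayLimit / parameterLimit behaviour the advisory describes.
const DEFAULTS = { arrayLimit: 20, parameterLimit: 1000, enforceBracketLimit: true };

// Place value at index, or fall back to an index-keyed object once the index
// passes the limit (the fallback qs documents for indexed notation a[i]=v).
function placeAt(existing, index, value, limit) {
  if (existing === undefined) existing = [];
  if (Array.isArray(existing) && index <= limit) {
    existing[index] = value;
    return existing;
  }
  const obj = Array.isArray(existing) ? Object.assign({}, existing) : existing;
  obj[index] = value;
  return obj;
}

// enforceBracketLimit=false reproduces the pre-6.14.1 shape (assumed option name).
function parseQuery(query, opts = {}) {
  const o = { ...DEFAULTS, ...opts };
  const out = {};
  // parameterLimit bounds how many key=value pairs are parsed at all, which is
  // why the default configuration already caps what a[]=v can build.
  for (const part of query.split('&').slice(0, o.parameterLimit)) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? part : part.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(part.slice(eq + 1));
    let m;
    if ((m = /^([^\[\]]+)\[(\d+)\]$/.exec(key))) {        // indexed: a[3]=v
      out[m[1]] = placeAt(out[m[1]], Number(m[2]), value, o.arrayLimit);
    } else if ((m = /^([^\[\]]+)\[\]$/.exec(key))) {       // bracket: a[]=v
      const cur = out[m[1]];
      if (!o.enforceBracketLimit) {
        const arr = Array.isArray(cur) ? cur : [];         // no arrayLimit check
        arr.push(value);
        out[m[1]] = arr;
      } else {
        const next = cur === undefined ? 0 : Object.keys(cur).length;
        out[m[1]] = placeAt(cur, next, value, o.arrayLimit);  // same check as a[i]
      }
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed input: n bracket-notation members for key "a".
function bracketQuery(n) { return Array.from({ length: n }, (_, i) => `a[]=${i}`).join('&'); }
```

With `enforceBracketLimit: false` the PoC-style query grows past `arrayLimit`, yet under the default `parameterLimit` of 1000 it still cannot exceed 1,000 members, which is the interaction the advisory's note describes.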

@renovate renovate bot added the dependencies label Jan 1, 2026
@renovate renovate bot requested a review from a team as a code owner January 1, 2026 15:02
@renovate renovate bot requested review from jpetto and removed request for a team January 1, 2026 15:02
@renovate renovate bot enabled auto-merge (squash) January 1, 2026 15:02
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from cb33701 to e5a9e65 January 9, 2026 15:27
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from e5a9e65 to 2a9be16 January 19, 2026 20:30

github-actions bot commented Jan 19, 2026

Plan Result (@infrastructure/notes-api-production)

CI link

No changes. Your infrastructure matches the configuration.

@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from a13a2ec to 8f198d9 January 20, 2026 16:27
@github-actions

Plan Result (@infrastructure/account-data-deleter-production)

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains a resource delete operation. Please check the plan result very carefully!

Plan: 0 to add, 0 to change, 1 to destroy.
  • Delete
    • aws_ecr_repository.data-deleter-app_application_ecs_service_ecr-app_ecr-repo_3026A62A
Change Result:
  # aws_ecr_repository.data-deleter-app_application_ecs_service_ecr-app_ecr-repo_3026A62A will be destroyed
  # (because aws_ecr_repository.data-deleter-app_application_ecs_service_ecr-app_ecr-repo_3026A62A is not in configuration)
  - resource "aws_ecr_repository" "data-deleter-app_application_ecs_service_ecr-app_ecr-repo_3026A62A" {
      - arn                  = "arn:aws:ecr:us-east-1:996905175585:repository/accountdatadeleter-prod-app" -> null
      - id                   = "accountdatadeleter-prod-app" -> null
      - image_tag_mutability = "MUTABLE" -> null
      - name                 = "accountdatadeleter-prod-app" -> null
      - registry_id          = "996905175585" -> null
      - repository_url       = "996905175585.dkr.ecr.us-east-1.amazonaws.com/accountdatadeleter-prod-app" -> null
      - tags                 = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-accountdatadeleter"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "AccountDataDeleter"
        } -> null
      - tags_all             = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-accountdatadeleter"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "AccountDataDeleter"
        } -> null

      - encryption_configuration {
          - encryption_type = "AES256" -> null
            # (1 unchanged attribute hidden)
        }

      - image_scanning_configuration {
          - scan_on_push = true -> null
        }
    }

Plan: 0 to add, 0 to change, 1 to destroy.

⚠️ Errors

  • failed to add a label @infrastructure/account-data-deleter-production/destroy: label name is too long (max: 50)


github-actions bot commented Jan 20, 2026

Plan Result (@infrastructure/shareable-lists-api-production)

CI link

No changes. Your infrastructure matches the configuration.

@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 8f198d9 to bad56a3 January 20, 2026 19:29
@github-actions

❌ Plan Result (@infrastructure/annotations-api-production)

CI link

Error: Error acquiring the state lock
 
 Error message: operation error DynamoDB: PutItem, https response error
 StatusCode: 400, RequestID:
 J254M00EU1TFO4J3V17BQRC3RNVV4KQNSO5AEMVJF66Q9ASUAAJG,
 ConditionalCheckFailedException: The conditional request failed
 Lock Info:
   ID:        17f560c1-fb72-deaf-c5c0-8865950339f2
   Path:      mozilla-pocket-team-prod-terraform-state/AnnotationsAPI
   Operation: OperationTypeApply
   Who:       runner@runnervmmtnos
   Version:   1.8.3
   Created:   2026-01-20 19:24:56.236645074 +0000 UTC
   Info:      
 
 
 Terraform acquires a state lock to protect the state from being written
 by multiple users at the same time. Please resolve the issue above and try
 again. For most commands, you can disable locking with the "-lock=false"
 flag, but this is not recommended.


github-actions bot commented Jan 20, 2026

Plan Result (@infrastructure/list-api-production)

CI link

No changes. Your infrastructure matches the configuration.

@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 489f93e to 7050107 January 28, 2026 15:58

github-actions bot commented Jan 28, 2026

Plan Result (@infrastructure/pocket-event-bridge-production)

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains a resource delete operation. Please check the plan result very carefully!

Plan: 0 to add, 0 to change, 1 to destroy.
  • Delete
    • aws_cloudwatch_event_bus.shared-event-bus_event-bus-PocketEventBridge-Prod-Shared-Event-Bus_AA9ACCF5
Change Result:
  # aws_cloudwatch_event_bus.shared-event-bus_event-bus-PocketEventBridge-Prod-Shared-Event-Bus_AA9ACCF5 will be destroyed
  # (because aws_cloudwatch_event_bus.shared-event-bus_event-bus-PocketEventBridge-Prod-Shared-Event-Bus_AA9ACCF5 is not in configuration)
  - resource "aws_cloudwatch_event_bus" "shared-event-bus_event-bus-PocketEventBridge-Prod-Shared-Event-Bus_AA9ACCF5" {
      - arn                = "arn:aws:events:us-east-1:996905175585:event-bus/PocketEventBridge-Prod-Shared-Event-Bus" -> null
      - id                 = "PocketEventBridge-Prod-Shared-Event-Bus" -> null
      - name               = "PocketEventBridge-Prod-Shared-Event-Bus" -> null
      - tags               = {
          - "app_code"       = "pocket-content-shared"
          - "component_code" = "pocket-content-shared-pocketeventbridge"
          - "costCenter"     = "Shared"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "PocketEventBridge"
        } -> null
      - tags_all           = {
          - "app_code"       = "pocket-content-shared"
          - "component_code" = "pocket-content-shared-pocketeventbridge"
          - "costCenter"     = "Shared"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "PocketEventBridge"
        } -> null
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 0 to change, 1 to destroy.

⚠️ Errors

  • failed to add a label @infrastructure/pocket-event-bridge-production/destroy: label name is too long (max: 50)

@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch 3 times, most recently from 741c178 to 5522696 January 28, 2026 21:30
@github-actions

Plan Result (@infrastructure/v3-proxy-api-production)

CI link

⚠️ Resource Deletion will happen ⚠️

This plan contains a resource delete operation. Please check the plan result very carefully!

Plan: 0 to add, 0 to change, 1 to destroy.
  • Delete
    • aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0
Change Result:
  # aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0 will be destroyed
  # (because aws_ecr_repository.application_ecs_service_ecr-app_ecr-repo_ABFE17F0 is not in configuration)
  - resource "aws_ecr_repository" "application_ecs_service_ecr-app_ecr-repo_ABFE17F0" {
      - arn                  = "arn:aws:ecr:us-east-1:996905175585:repository/v3proxyapi-prod-app" -> null
      - id                   = "v3proxyapi-prod-app" -> null
      - image_tag_mutability = "MUTABLE" -> null
      - name                 = "v3proxyapi-prod-app" -> null
      - registry_id          = "996905175585" -> null
      - repository_url       = "996905175585.dkr.ecr.us-east-1.amazonaws.com/v3proxyapi-prod-app" -> null
      - tags                 = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-v3proxyapi"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "V3ProxyApi"
        } -> null
      - tags_all             = {
          - "app_code"       = "pocket"
          - "component_code" = "pocket-v3proxyapi"
          - "costCenter"     = "Pocket"
          - "env_code"       = "prod"
          - "environment"    = "Prod"
          - "owner"          = "Pocket"
          - "service"        = "V3ProxyApi"
        } -> null

      - encryption_configuration {
          - encryption_type = "AES256" -> null
            # (1 unchanged attribute hidden)
        }

      - image_scanning_configuration {
          - scan_on_push = true -> null
        }
    }

Plan: 0 to add, 0 to change, 1 to destroy.

@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 5522696 to e1e1bb1 February 8, 2026 07:59

github-actions bot commented Feb 8, 2026

❌ Plan Result (@infrastructure/user-list-search-production)

CI link

Error: Error acquiring the state lock
 
 Error message: operation error DynamoDB: PutItem, https response error
 StatusCode: 400, RequestID:
 AOK2TIO926S6O02ROSLS0DLK4JVV4KQNSO5AEMVJF66Q9ASUAAJG,
 ConditionalCheckFailedException: The conditional request failed
 Lock Info:
   ID:        dbd76df8-8696-eff1-bb00-9395e59afbe0
   Path:      mozilla-pocket-team-prod-terraform-state/UserListSearch
   Operation: OperationTypeApply
   Who:       runner@runnervmwffz4
   Version:   1.8.3
   Created:   2026-02-09 15:40:42.280752694 +0000 UTC
   Info:      
 
 
 Terraform acquires a state lock to protect the state from being written
 by multiple users at the same time. Please resolve the issue above and try
 again. For most commands, you can disable locking with the "-lock=false"
 flag, but this is not recommended.


github-actions bot commented Feb 8, 2026

Plan Result (@infrastructure/image-api-production)

CI link

No changes. Your infrastructure matches the configuration.

@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from 24b6ba7 to 7f440af February 15, 2026 11:40
@renovate renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 7f440af to 0826a51 February 17, 2026 18:05