Skip to content

fix: resolve dependabot alert#861

Merged
Avijit-Microsoft merged 2 commits into
devfrom
psl-dependabot-fix
Jun 17, 2026
Merged

fix: resolve dependabot alert#861
Avijit-Microsoft merged 2 commits into
devfrom
psl-dependabot-fix

Conversation

@Shubhangi-Microsoft

@Shubhangi-Microsoft Shubhangi-Microsoft commented May 26, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This pull request updates dependencies in both the frontend and backend parts of the project to ensure compatibility and security. The most important changes are:

Dependency updates:

  • Updated the vite dependency in src/App/package.json from version ^7.3.2 to ^8.0.16 to use the latest version of the build tool.
  • Upgraded the qs package in src/App/server/package-lock.json from version 6.15.1 to 6.15.2 for improved security and bug fixes.This pull request updates a dependency in the server package. The qs package has been upgraded from version 6.15.1 to 6.15.2 to ensure the latest fixes and improvements are included.

Dependency update:

  • Upgraded the qs package from version 6.15.1 to 6.15.2 in package-lock.json to incorporate the latest changes and maintain up-to-date dependencies.- qs: 6.15.1 -> 6.15.2 (fixes GHSA-q8mj-m7cp-5q26 - remotely triggerable DoS via null/undefined entries in comma-format arrays)

Purpose

  • ...

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information

This pull request includes dependency updates to keep the project secure and up-to-date. The most notable changes are upgrades to the vite and qs packages.

Dependency updates:

  • Upgraded vite in src/App/package.json from version ^7.3.2 to ^8.0.16 to ensure compatibility with the latest features and bug fixes.
  • Updated qs in src/App/server/package-lock.json from version 6.15.1 to 6.15.2 to include the latest security and stability improvements.

Copilot AI review requested due to automatic review settings May 26, 2026 11:09
Copilot AI reviewed May 26, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@Shubhangi-Microsoft Shubhangi-Microsoft changed the base branch from main to dev May 27, 2026 07:05
@Shubhangi-Microsoft
fix: resolve dependabot alert #191 - update qs to 6.15.2
83b7387 
- qs: 6.15.1 -> 6.15.2 (fixes GHSA-q8mj-m7cp-5q26 - remotely triggerable DoS via null/undefined entries in comma-format arrays)
Copilot AI review requested due to automatic review settings June 16, 2026 06:37
Copilot AI reviewed Jun 16, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 3 changed files in this pull request and generated 1 comment.

Files not reviewed (1)
  • src/App/server/package-lock.json: Generated file

Comment thread src/App/package.json Outdated
@Shubhangi-Microsoft
fix: resolve dependabot alerts #191, #192 - update vite to 8.0.16 and…
b068a69 
… qs to 6.15.2

- vite: 7.3.2 -> 8.0.16 (fixes GHSA-gv7w-rqvm-qjhr - esbuild missing binary integrity verification)

- qs: 6.15.1 -> 6.15.2 (fixes GHSA-q8mj-m7cp-5q26 - DoS via null/undefined in comma-format arrays)

- Also fixes: @babel/core arbitrary file read, brace-expansion DoS
@Shubhangi-Microsoft Shubhangi-Microsoft changed the title fix: resolve dependabot alert #191 - update qs to 6.15.2 fix: resolve dependabot alert Jun 16, 2026
@Avijit-Microsoft Avijit-Microsoft merged commit f199cc5 into dev Jun 17, 2026
5 checks passed
@Shubhangi-Microsoft Shubhangi-Microsoft deleted the psl-dependabot-fix branch June 17, 2026 10:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Avijit-Microsoft Avijit-Microsoft Avijit-Microsoft approved these changes

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@Prajwal-Microsoft Prajwal-Microsoft Awaiting requested review from Prajwal-Microsoft

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

@Vinay-Microsoft Vinay-Microsoft Awaiting requested review from Vinay-Microsoft

@malrose07 malrose07 Awaiting requested review from malrose07 malrose07 is a code owner

@toherman-msft toherman-msft Awaiting requested review from toherman-msft toherman-msft is a code owner

@nchandhi nchandhi Awaiting requested review from nchandhi nchandhi is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Shubhangi-Microsoft @Avijit-Microsoft