chore(deps): bump qs from 6.14.0 to 6.14.2 #5702

Merged
rtibbles merged 1 commit into unstable from dependabot/npm_and_yarn/qs-6.14.2 on Feb 13, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Feb 13, 2026

Bumps qs from 6.14.0 to 6.14.2.

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLength → arrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect
Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Feb 13, 2026
@rtibbles rtibbles requested a review from rtibblesbot February 13, 2026 18:54
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/qs-6.14.2 branch from 592b3e6 to 9bf5de4 on February 13, 2026 18:56
@rtibblesbot rtibblesbot left a comment

Dependency Update Review

Package: qs 6.14.0 → 6.14.2
Semver risk: Patch
Dependency type: Production
CI status: In progress (no failures; completed checks passing)

Changelog Analysis

Sources consulted:

Breaking changes: None.

Security fixes: None explicitly (no CVEs), though the arrayLimit enforcement fixes harden query string parsing.

Notable changes (6.14.1 + 6.14.2):

  • Fixed arrayLimit to apply consistently to [] notation, indexed notation, and comma-parsed values
  • arrayLimit now correctly represents max count (not max index) in combine/merge/parseArrayValue
  • Fixed handling of custom decoders returning null for keys
  • Robustness improvements (avoid .push, use void)
  • Refactored key segment splitting into helper

Compatibility Assessment

  • Project uses affected APIs: No — qs is used as a transitive dependency via express and body-parser, and directly in package.json. The fixes relate to arrayLimit and throwOnLimitExceeded options that require explicit opt-in.
  • Peer dependency changes: None
  • Code changes required: None
  • Lockfile changes: Clean — only qs (6.14.0→6.14.2) and transitive qs (6.5.3→6.5.5 via request) updated

Recommendation

APPROVE — Low-risk patch bump with bug fixes only. No breaking changes, no API surface changes affecting this project.

@rtibblesbot rtibblesbot left a comment

Dependency Update Review

Package: qs 6.14.0 → 6.14.2 (specifier ^6.11.2 → ^6.14.2)
Semver risk: Patch
Dependency type: Production
CI status: Passing

Changelog Analysis

Sources consulted:

Breaking changes: None.

Security fixes: None.

Notable changes (6.14.1–6.14.2):

  • Fixed arrayLimit enforcement on [] notation, indexed notation overflow, and comma-parsed values
  • Custom decoder returning null for a key now correctly ignores that key
  • Robustness improvements (avoid .push, use void)
  • Documentation and CI maintenance

Compatibility Assessment

This project uses qs.stringify with arrayFormat: 'comma' and a custom encoder in contentcuration/contentcuration/frontend/shared/client.js. All fixes in 6.14.1–6.14.2 target parse behavior (arrayLimit handling, custom decoder null keys) — none affect stringify. No API changes, no new peer dependencies, no code changes required.

Recommendation

APPROVE — patch-level bug fixes to parsing behavior that don't affect this project's stringify-only usage. CI passing.

Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.14.2.
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.0...v6.14.2)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/qs-6.14.2 branch from 9bf5de4 to ade978b on February 13, 2026 19:18
@rtibblesbot rtibblesbot left a comment

Dependency Update Review

Package: qs 6.14.0 → 6.14.2
Semver risk: Patch
Dependency type: Production
CI status: Passing

Changelog Analysis

Sources consulted:

Breaking changes: None.

Security fixes: None explicitly flagged, though fixes to arrayLimit enforcement in parse harden the library against potential abuse via oversized arrays.

Notable changes (v6.14.1 + v6.14.2):

  • Multiple fixes to arrayLimit enforcement in parse: now applies to [] notation, comma-parsed values, and indexed notation
  • throwOnLimitExceeded now throws on arrayLimit exceeded with indexed notation
  • Custom decoder returning null for a key now ignores that key
  • Robustness improvements (avoid .push, use void)
  • Documentation and CI housekeeping

Compatibility Assessment

All changes are on the parse side. This project uses only qs.stringify (in contentcuration/contentcuration/frontend/shared/client.js for query param serialization with arrayFormat: 'comma'). No qs.parse usage found. These fixes have zero impact on this project's usage.

The lockfile also bumps transitive qs@6.5.3 → 6.5.5 (used by request). Same risk profile — patch-level parse fixes.

  • Project uses affected APIs: No (only stringify, not parse)
  • Peer dependency changes: No
  • Code changes required: No
  • Prior failed attempts: No

Recommendation

APPROVE — Patch-level update, all changes are parse-side fixes, project only uses stringify, CI passing.
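
The arrayLimit hardening the review above refers to, as an added example that is not qs's code nor this project's: a simplified model of the count-based limit the 6.14.1/6.14.2 changelog describes, applied to `[]`, indexed and comma notations, with the overflow-object fallback and `throwOnLimitExceeded`. The function name, the regex for keys and the exact overflow representation are assumptions of this model, not qs's implementation.

```javascript
// Added example, not qs's own code: a simplified model of the arrayLimit
// semantics described in the 6.14.1/6.14.2 changelog. The limit is a maximum
// element COUNT (indices 0..arrayLimit-1), not a maximum index, and it applies
// to "a[]=", "a[i]=" and, with comma parsing, to comma-separated values.
// An element that would exceed the limit turns the slot into a plain
// "overflow" object keyed by index, so a single very large index cannot
// allocate a huge sparse array; throwOnLimitExceeded raises an error instead.
function parseWithArrayLimit(query, opts = {}) {
  const { arrayLimit = 20, comma = false, throwOnLimitExceeded = false } = opts;
  const result = {};

  // Store one element; index === null means "[]" (append at the next slot).
  const add = (name, index, value) => {
    let slot = result[name];
    if (typeof slot !== 'object' || slot === null) slot = result[name] = [];
    const isArray = Array.isArray(slot);
    const count = isArray ? slot.length : Object.keys(slot).length;
    const idx = index === null ? count : index;
    // Count-based check shared by all three notations.
    if (idx >= arrayLimit || count >= arrayLimit) {
      if (throwOnLimitExceeded) {
        throw new RangeError(`Array limit exceeded. Only ${arrayLimit} elements allowed in an array.`);
      }
      if (isArray) slot = result[name] = Object.assign({}, slot); // mark as overflow object
    }
    slot[idx] = value;
  };

  for (const pair of query.split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = /^([^[\]]+)(?:\[(\d*)\])?$/.exec(key);
    if (!m) continue; // nested keys are out of scope for this model
    const [, name, index] = m;
    if (index !== undefined) {
      add(name, index === '' ? null : Number(index), value); // "[]" or "[i]"
    } else if (comma && value.includes(',')) {
      value.split(',').forEach((v, i) => add(name, i, v)); // comma-parsed values
    } else {
      result[name] = value; // plain scalar
    }
  }
  return result;
}
```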

@rtibbles rtibbles left a comment

No concerns from changelog - good to merge.

@rtibbles rtibbles merged commit fa86bf8 into unstable Feb 13, 2026
18 checks passed
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/qs-6.14.2 branch February 13, 2026 20:10