[Snyk] Security upgrade qs from 6.14.1 to 6.14.2 #243

Open
danmcc wants to merge 1 commit into master from snyk-fix-ce1e5e0ebafdf1e1fbd5bc70f9ba0a5f

Conversation

@danmcc
Contributor

@danmcc danmcc commented Feb 17, 2026


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                                        Score
medium severity: Allocation of Resources Without Limits or Throttling (SNYK-JS-QS-15268416)  708

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

@danmcc danmcc requested review from esezen and jjl014 as code owners February 17, 2026 14:25
Copilot AI review requested due to automatic review settings February 17, 2026 14:25
@constructor-claude-bedrock

Code Review Results

✅ Strengths

This PR addresses a medium-severity security vulnerability (SNYK-JS-QS-15268416) by upgrading the qs package from 6.14.1 to 6.14.2, fixing an Allocation of Resources Without Limits or Throttling issue.

🚨 Critical Issues

None identified.

⚠️ Important Issues

None identified.

💡 Suggestions

package.json:62 - Consider using a caret range for the qs dependency like other dependencies in the project (e.g., ^6.14.2 instead of 6.14.2). Currently, form-data, node-abort-controller, and node-fetch all use caret ranges, which allow automatic minor and patch updates. However, if there's a specific reason to pin this exact version for security purposes, this is acceptable.

General - While this is an automated Snyk PR and doesn't require new tests, it would be beneficial to verify that existing tests still pass after this dependency upgrade. The qs package is used extensively throughout the codebase (autocomplete, browse, catalog, quizzes, recommendations, search, tasks, and tracker modules), so regression testing is important.

Additional Context

Security Fix Details:

  • Vulnerability: SNYK-JS-QS-15268416 - Allocation of Resources Without Limits or Throttling
  • Priority Score: 708/1000
  • Fix: Upgrade from qs@6.14.1 to qs@6.14.2

Impact Assessment:
The qs package is a production dependency used in at least 7 core modules for query string parsing and serialization. The upgrade includes:

  • Version bump from 6.14.1 to 6.14.2
  • Addition of BSD-3-Clause license metadata in package-lock.json
  • Updated integrity hashes

Verification Recommendations:

  1. Ensure CI/CD pipeline passes all tests
  2. Verify query string parsing behavior remains consistent across all affected modules
  3. Confirm no breaking changes in the patch version upgrade

Overall Assessment: ✅ Pass

This is a straightforward security patch that should be merged after CI verification. The changes are minimal, well-scoped, and address a legitimate security concern with no apparent breaking changes.
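The review above recommends confirming the upgrade landed and weighs a pinned `6.14.2` against a caret range. The following is an added example (not part of this PR or the project's code) of a lockfile audit a CI job could run: it walks a lockfileVersion 2/3 `packages` map, flags every installed copy of qs (nested copies included) that is still below the fix version named in this PR, and reports how package.json declares the dependency. The sample package.json and lockfile are constructed; the nested `some-dep` entry is hypothetical.

```javascript
// Added example, not project code: audit installed qs copies against the PR's fix version.
const FIXED_QS_VERSION = '6.14.2'; // from the PR title / Snyk advisory SNYK-JS-QS-15268416

// Numeric comparison of dotted versions (x.y.z); pre-release tags are not needed here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Collect every installed qs from a lockfileVersion 2/3 "packages" map,
// including nested copies such as node_modules/foo/node_modules/qs.
function findInstalledQs(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/qs' || path.endsWith('/node_modules/qs')) {
      found.push({ path, version: meta.version });
    }
  }
  return found;
}

// Returns { ok, rangeStyle, stale }: ok is false if any installed copy predates the fix.
function auditQs(pkg, lock) {
  const range = (pkg.dependencies || {}).qs || '';
  const rangeStyle = range.startsWith('^') ? 'caret' : range.startsWith('~') ? 'tilde' : 'pinned';
  const stale = findInstalledQs(lock)
    .filter((e) => compareVersions(e.version, FIXED_QS_VERSION) < 0)
    .map((e) => `${e.path}@${e.version}`);
  return { ok: stale.length === 0, rangeStyle, stale };
}

// Constructed sample input: package.json pins qs as in this PR, but the lockfile still
// carries a second, unfixed copy nested under a hypothetical dependency "some-dep".
const samplePkg = { dependencies: { qs: '6.14.2' } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/qs': { version: '6.14.2', license: 'BSD-3-Clause' },
    'node_modules/some-dep/node_modules/qs': { version: '6.14.1' },
  },
};

console.log(auditQs(samplePkg, sampleLock));
```

A top-level `node_modules/qs` at 6.14.2 is not sufficient on its own; the nested copy is what this check surfaces, so `stale` is worth failing the build on.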


Copilot AI left a comment


Pull request overview

This is a security upgrade PR that updates the qs package from version 6.14.1 to 6.14.2 to fix a medium severity vulnerability (SNYK-JS-QS-15268416) related to "Allocation of Resources Without Limits or Throttling". The qs library is extensively used throughout the codebase for query string serialization across all API modules including autocomplete, browse, catalog, quizzes, recommendations, search, tasks, and tracker.

Changes:

  • Updated qs dependency from 6.14.1 to 6.14.2 in package.json
  • Updated package-lock.json to reflect the new version, including the addition of license information

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File               Description
package.json       Updated qs version from 6.14.1 to 6.14.2 (pinned version)
package-lock.json  Updated qs package metadata including version, resolved URL, integrity hash, and added license field



3 participants