V17.4.9 — override qs to ^6.15.2 to clear security advisories
Same shape as V17.3.1's tough-cookie override. No code changes — just dependency hygiene.
### What was wrong
GitHub Dependabot has been failing on every new qs security advisory (last attempt: run 26332461208) with `security_update_not_possible`. The reason:
| Source | Constraint on qs |
|---|---|
| node-telegram-bot-api@0.66.0 → @cypress/request@3.0.1 | exact 6.10.4 |
| node-red@4.1.10 → body-parser@1.20.4 | ~6.14.0 (≥6.14.0 <6.15.0) |
| node-red@4.1.10 → express@4.22.1 | ~6.14.0 |
| node-red-node-test-helper@0.3.6 → body-parser@1.20.4 | ~6.14.0 |
| node-red-node-test-helper@0.3.6 → express@4.22.1 | ~6.14.0 |
| node-telegram-bot-api@0.66.0 → request@2.88.2 | ~6.5.2 |
The advisories are patched in qs 6.15.2. No single version satisfies all six constraints AND ≥6.15.2 — the @cypress/request exact-pin on 6.10.4 blocks it. Dependabot logs:
```text
The latest possible version that can be installed is 6.10.4
The earliest fixed version is 6.15.2.
No patched version available for qs
```
### What V17.4.9 changes
One line in package.json:
```diff
"overrides": {
- "tough-cookie": "^4.1.3"
+ "tough-cookie": "^4.1.3",
+ "qs": "^6.15.2"
},
```

`npm install` then forces every transitive path to resolve to qs@6.15.2, bypassing the nested package.json constraints. Verified:
```text
$ npm ls qs
node-red-contrib-telegrambot@17.4.9
+-- node-red-node-test-helper@0.3.6
| +-- body-parser@1.20.4
| | `-- qs@6.15.2
| +-- express@4.22.1
| | `-- qs@6.15.2 deduped
| `-- supertest@7.2.2
|   `-- superagent@10.3.0
|     `-- qs@6.15.2 deduped
`-- node-telegram-bot-api@0.66.0
  +-- @cypress/request-promise@5.0.0
  | `-- request-promise-core@1.1.3
  |   `-- request@2.88.2
  |     `-- qs@6.15.2 deduped
  `-- @cypress/request@3.0.1
    `-- qs@6.15.2 deduped
```
All six paths now on the patched version.
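As an added example (not part of this release or the project's own code): a small Node script that turns the `npm ls qs` check above into something a CI job can fail on. It walks the JSON that `npm ls qs --json --all` emits and reports every dependency path whose copy of the package is still below the fixed version. The two trees embedded below are constructed to mirror the paths in this note, not captured from the repo; the version comparison assumes plain `x.y.z` versions and is deliberately kept free of the `semver` package.

```javascript
// Patched floor for this advisory, per the release note.
const PATCHED = '6.15.2';

// "6.15.2" -> [6, 15, 2]. Assumption: plain x.y.z; a pre-release suffix is dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10));
}

// True when `version` is >= `floor`, comparing major, minor, patch in order.
function isAtLeast(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Recursively collect every resolved copy of `pkg`, with the path that leads to it.
// Deduped entries in `npm ls --json` carry a version but no nested dependencies,
// so they are still counted.
function findCopies(tree, pkg, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) hits.push({ path: here, version: node.version });
    hits.push(...findCopies(node, pkg, here));
  }
  return hits;
}

// Copies still below the floor; an empty array means the override held everywhere.
function unpatchedPaths(lsJson, pkg, floor) {
  return findCopies(lsJson, pkg).filter((c) => !isAtLeast(c.version, floor));
}

// Constructed sample: the tree before the override, trimmed to three of the paths
// from the table (versions are what each nested range would have resolved to).
const BEFORE = {
  name: 'node-red-contrib-telegrambot', version: '17.4.8',
  dependencies: {
    'node-telegram-bot-api': { version: '0.66.0', dependencies: {
      '@cypress/request': { version: '3.0.1', dependencies: { qs: { version: '6.10.4' } } },
      request: { version: '2.88.2', dependencies: { qs: { version: '6.5.2' } } } } },
    'node-red-node-test-helper': { version: '0.3.6', dependencies: {
      'body-parser': { version: '1.20.4', dependencies: { qs: { version: '6.14.0' } } } } },
  },
};

// Constructed sample: the same tree after `npm install` with the qs override applied.
const AFTER = JSON.parse(JSON.stringify(BEFORE).replace(/"6\.(10\.4|5\.2|14\.0)"/g, '"6.15.2"'));
```

In a real pipeline, feed the script `JSON.parse(execSync('npm ls qs --json --all'))` and exit non-zero when `unpatchedPaths` returns anything.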
### Risk
Low. qs has a stable `parse()` / `stringify()` API, and the 6.10.4 → 6.15.2 range is minor-version bumps (security and bug fixes, no API breakage). Express and @cypress/request both call qs through its public API, which hasn't changed shape. 232 tests pass unchanged.
### What this does NOT do
- Doesn't ship any code changes. The polling-teardown fix from V17.4.8 is still the most important upgrade for anyone hitting the 409 Conflict shapes reported in #440 / #441 / #411.
- Doesn't address every Dependabot alert on this repo — there are other transitive vulns the same pattern would handle if/when they become disruptive.