qs dependency locked to vulnerable version (< 6.14.1) #7619
Description
Is there an existing issue for this?
- I have searched the existing issues
OS/Web Information
Vulnerable qs dependency (< 6.14.1)
A security vulnerability has been reported in the qs package affecting versions earlier than 6.14.1:
- Advisory: GHSA-6rw7-vpxm-498p
In code-server, the qs dependency is currently locked to version 6.4.0:
This version appears to fall within the affected range described in the advisory.
Expected behavior
Upgrade qs to version 6.14.1 or later, or otherwise mitigate the reported vulnerability.
Steps to Reproduce
Expected
Upgrade qs to version 6.14.1 or later, or otherwise mitigate the reported vulnerability.
Actual
qs dependency is currently locked to version 6.4.0:
Logs
Screenshot/Video
No response
Does this bug reproduce in native VS Code?
Yes, this is also broken in native VS Code
Does this bug reproduce in VS Code web?
Yes, this is also broken in VS Code web
Does this bug reproduce in GitHub Codespaces?
Yes, this is also broken in GitHub Codespaces
Are you accessing code-server over a secure context?
- I am using a secure context.
Notes
No response