
Bump qs and raneto in /custom#288

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/custom/multi-6129cf5dac

Conversation


dependabot[bot] (Contributor) commented on behalf of GitHub on Feb 12, 2026

User description

Bumps qs to 6.14.2 and updates ancestor dependency raneto. These dependencies need to be updated together.

Updates qs from 6.11.0 to 6.14.2

Changelog

Sourced from qs's changelog.

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLength → arrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1

  • [Fix] ensure arrayLimit applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup
  • [Tests] utils.merge: add some coverage
  • [Tests] fix a test case
  • [actions] split out node 10-20, and 20+
  • [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

6.13.0

  • [New] parse: add strictDepth option (#511)
  • [Tests] use npm audit instead of aud

6.12.3

  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays

... (truncated)

Commits
  • bdcf0c7 v6.14.2
  • 294db90 [readme] document that addQueryPrefix does not add ? to empty output
  • 5c308e5 [readme] clarify parseArrays and arrayLimit documentation
  • 6addf8c [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit
  • cfc108f [Fix] arrayLimit means max count, not max index, in combine/merge/`pars...
  • febb644 [Fix] parse: throw on arrayLimit exceeded with indexed notation when `thr...
  • f6a7abf [Fix] parse: enforce arrayLimit on comma-parsed values
  • fbc5206 [Fix] parse: fix error message to reflect arrayLimit as max index; remove e...
  • 1b9a8b4 [actions] fix rebase workflow permissions
  • 2a35775 [meta] fix changelog typo (arrayLength → arrayLimit)
  • Additional commits viewable in compare view

Updates raneto from 0.17.5 to 0.18.0

Release notes

Sourced from raneto's releases.

v0.18.0

2025.09.15 / v0.18.0

This is a modernization refactor.

  • [BREAKING] Default port is 8080 and not 3000
  • [BREAKING] Minimum Node.js is v22.x LTS
  • [BREAKING] Rename branch to "main" from "master"
  • [BREAKING] Packages removed: pm2, commander, tail, serve-favicon
  • [BREAKING] bin/raneto removed as it is out of scope. Please do not use PM2 and instead use npm start, containers, systemd, etc.
  • [BREAKING] Modernizing, moving to ESModules, require => import, const/let, node: import prefix, module.exports => export, 'use strict'; etc.
  • [BREAKING] CSP (Content Security Policy) is now enforcing
  • [New] Theme redesign
  • [New] Table of Contents Link Targets (marked-gfm-heading-id)
  • [New] Multi-architecture container builds
  • [New] File-based sessions to prevent requiring login on restart
  • [Fix] Better searching (fuzzy, partial matches)
  • [Misc] Replacing underscore with lodash and sanitize-html
  • [Misc] Remove node-fetch, using native Node.js version
  • [Misc] Remove extend, explicitly declaring @eslint/js dependency
  • [Misc] Remove hogan-express in favor of mustache-express
  • [Misc] Change "Meta information" to "metadata"
  • [Misc] Upgrading to Express v5.x
  • [Misc] Dependency upgrades
  • [Add] Container build (raneto:latest) on push to main
  • [Add] Container build (raneto:tag) on tag creation
  • [Fix] Windows support (mainline versions only)

v0.17.8

2024.02.22 / v0.17.8

  • [New] ShowOnMenu by @mgdesign #388
  • [Misc] Upgrading to latest Node.js LTS v18.x and v20.x
  • [Misc] Linting / Prettier

v0.17.7

2024.02.21 / v0.17.7

v0.17.6

2023.11.06 / v0.17.6

  • [Misc] Dependency upgrades

Changelog

Sourced from raneto's changelog.

2025.09.15 / v0.18.0

This is a modernization refactor.

  • [BREAKING] Default port is 8080 and not 3000
  • [BREAKING] Minimum Node.js is v22.x LTS
  • [BREAKING] Rename branch to "main" from "master"
  • [BREAKING] Packages removed: pm2, commander, tail, serve-favicon
  • [BREAKING] bin/raneto removed as it is out of scope. Please do not use PM2 and instead use npm start, containers, systemd, etc.
  • [BREAKING] Modernizing, moving to ESModules, require => import, const/let, node: import prefix, module.exports => export, 'use strict'; etc.
  • [BREAKING] CSP (Content Security Policy) is now enforcing
  • [New] Theme redesign
  • [New] Table of Contents Link Targets (marked-gfm-heading-id)
  • [New] Multi-architecture container builds
  • [New] File-based sessions to prevent requiring login on restart
  • [Fix] Better searching (fuzzy, partial matches)
  • [Misc] Replacing underscore with lodash and sanitize-html
  • [Misc] Remove node-fetch, using native Node.js version
  • [Misc] Remove extend, explicitly declaring @eslint/js dependency
  • [Misc] Remove hogan-express in favor of mustache-express
  • [Misc] Change "Meta information" to "metadata"
  • [Misc] Upgrading to Express v5.x
  • [Misc] Dependency upgrades
  • [Add] Container build (raneto:latest) on push to main
  • [Add] Container build (raneto:tag) on tag creation
  • [Fix] Windows support (mainline versions only)

2024.02.22 / v0.17.8

  • [New] ShowOnMenu by @mgdesign #388
  • [Misc] Upgrading to latest Node.js LTS v18.x and v20.x
  • [Misc] Linting / Prettier

2024.02.21 / v0.17.7

2023.11.05 / v0.17.6

  • [Misc] Dependency upgrades

Commits
  • 9f9fb0a Release: v0.18.0
  • 5f770d1 Dependencies: Upgrading packages
  • cee03ef Fix: ESLint rules to ignore unused with underscore prefix
  • 15085ef Dependencies: Upgrading to Express v5.x
  • e04725e Edit: Linting
  • 4c47f5b Fix: ReDoS vulnerability
  • 52fe5f3 Add: Multi-architecture container builds
  • 21fff58 Edit: CSP (Content Security Policy) is now enforcing
  • 844e35d Move: HISTORY.md to CHANGELOG.md
  • 5fcd18b Dependencies: Upgrading @raneto/theme-default from v0.5.0 to v0.8.0
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

PR Type

Other


Description

  • Updated raneto dependency from version 0.17.5 to 0.18.0

  • Indirect update of qs to 6.14.2 (ancestor dependency)

  • Security and bug fixes in dependency chain


Diagram Walkthrough

flowchart LR
  A["package.json"] --> B["raneto 0.17.5 → 0.18.0"]
  B --> C["qs 6.11.0 → 6.14.2"]

File Walkthrough

Relevant files

Dependencies: custom/package.json (+1/-1): Bump raneto and qs dependencies

  • Updated raneto dependency version from 0.17.5 to 0.18.0
  • Includes indirect update of qs dependency to 6.14.2

Bumps [qs](https://github.com/ljharb/qs) to 6.14.2 and updates ancestor dependency [raneto](https://github.com/ryanlelek/Raneto). These dependencies need to be updated together.


Updates `qs` from 6.11.0 to 6.14.2
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.11.0...v6.14.2)

Updates `raneto` from 0.17.5 to 0.18.0
- [Release notes](https://github.com/ryanlelek/Raneto/releases)
- [Changelog](https://github.com/ryanlelek/Raneto/blob/main/CHANGELOG.md)
- [Commits](ryanlelek/Raneto@0.17.5...0.18.0)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.14.2
  dependency-type: indirect
- dependency-name: raneto
  dependency-version: 0.18.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "javascript" (Pull requests that update javascript code) on Feb 12, 2026

@sparkfabrik-ai-bot commented:

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

No - This PR addresses a security concern by updating the qs dependency through the raneto package update. The qs library had known vulnerabilities in version 6.11.0 that are resolved in 6.14.2. This is a positive security improvement.

⚡ Recommended focus areas for review

Dependency Update

The PR updates raneto from 0.17.5 to 0.18.0, which is a minor version bump. Since the PR description mentions this is to address a qs vulnerability (bumping from 6.11.0 to 6.14.2), verify that the raneto 0.18.0 release notes confirm it includes the updated qs dependency. Also check if there are any breaking changes in raneto 0.18.0 that might affect the application, especially considering the patch-package script that patches raneto.

"raneto": "0.18.0"

@sparkfabrik-ai-bot commented:

PR Code Suggestions ✨

No code suggestions found for the PR.

Labels: dependencies, javascript, Review effort 1/5