fix: qs arrayLimit bypass in comma parsing allows denial of service (#17947)

Resolves [Dependabot Alert 454](https://github.com/twentyhq/twenty/security/dependabot/454) and [Dependabot Alert 455](https://github.com/twentyhq/twenty/security/dependabot/455). `zapier-platform-cli` leaves in one entry of qs locked at version `6.5.x`, so the alert might not close automatically. However, the PR fixes any occurrences in the server itself.
2026-04-21 13:37:22 +00:00 · 2026-02-16 00:52:23 +05:00 · 2026-02-16 00:52:23 +05:00 · b1d3ec665a
commit b1d3ec665a
parent ac3ac5cd4d
3 changed files with 10 additions and 10 deletions
--- a/packages/twenty-server/src/engine/core-modules/application/constants/seed-dependencies/yarn.lock
+++ b/packages/twenty-server/src/engine/core-modules/application/constants/seed-dependencies/yarn.lock
@ -2375,11 +2375,11 @@ __metadata:
  linkType: hard

 "qs@npm:~6.14.0":
-  version: 6.14.1
-  resolution: "qs@npm:6.14.1"
+  version: 6.14.2
+  resolution: "qs@npm:6.14.2"
  dependencies:
    side-channel: "npm:^1.1.0"
-  checksum: 10c0/0e3b22dc451f48ce5940cbbc7c7d9068d895074f8c969c0801ac15c1313d1859c4d738e46dc4da2f498f41a9ffd8c201bd9fb12df67799b827db94cc373d2613
+  checksum: 10c0/646110124476fc9acf3c80994c8c3a0600cbad06a4ede1c9e93341006e8426d64e85e048baf8f0c4995f0f1bf0f37d1f3acc5ec1455850b81978792969a60ef6
  languageName: node
  linkType: hard

--- a/packages/twenty-server/src/engine/core-modules/application/utils/get-default-application-package-fields.util.ts
+++ b/packages/twenty-server/src/engine/core-modules/application/utils/get-default-application-package-fields.util.ts
@ -8,7 +8,7 @@ import { SEED_DEPENDENCIES_DIRNAME } from 'src/engine/core-modules/application/c
 // package.json: hash(JSON.stringify(JSON.parse(content))). yarn.lock: hash(content).
 // Both use first 32 chars of SHA512 hex digest.
 const DEFAULT_PACKAGE_JSON_CHECKSUM = '4cf57bd317cfe8e49c47b0aa76aabb39';
-const DEFAULT_YARN_LOCK_CHECKSUM = 'c160582cf017853b6340d3defec4e6ec';
+const DEFAULT_YARN_LOCK_CHECKSUM = 'ff907767cc85edc87d6c77445b933b12';

 export type DefaultApplicationPackageFields = {
  packageJsonChecksum: string;
--- a/yarn.lock
+++ b/yarn.lock
@ -51842,18 +51842,18 @@ __metadata:
  linkType: hard

 "qs@npm:^6.11.0, qs@npm:^6.11.1, qs@npm:^6.11.2, qs@npm:^6.12.3, qs@npm:^6.14.0, qs@npm:^6.4.0, qs@npm:^6.7.0, qs@npm:~6.14.0":
-  version: 6.14.1
-  resolution: "qs@npm:6.14.1"
+  version: 6.14.2
+  resolution: "qs@npm:6.14.2"
  dependencies:
    side-channel: "npm:^1.1.0"
-  checksum: 10c0/0e3b22dc451f48ce5940cbbc7c7d9068d895074f8c969c0801ac15c1313d1859c4d738e46dc4da2f498f41a9ffd8c201bd9fb12df67799b827db94cc373d2613
+  checksum: 10c0/646110124476fc9acf3c80994c8c3a0600cbad06a4ede1c9e93341006e8426d64e85e048baf8f0c4995f0f1bf0f37d1f3acc5ec1455850b81978792969a60ef6
  languageName: node
  linkType: hard

 "qs@npm:~6.5.2":
-  version: 6.5.3
-  resolution: "qs@npm:6.5.3"
-  checksum: 10c0/6631d4f2fa9d315e480662646745a4aa3a708817fbffe2cbdacec8ab9be130f92740c66191770fe9b704bc5fa9c1cc1f6596f55ad132fef7bd3ad1582f199eb0
+  version: 6.5.5
+  resolution: "qs@npm:6.5.5"
+  checksum: 10c0/6a5728b92378776d194c19d2bcf8e8847fa96ecfa6eb64f64e7ac73a394043cacaf257be014fa1a86201077a1e0c5ef5760ee0e0d6b6a4fe9f5ae8afcf5b9254
  languageName: node
  linkType: hard