From 8e83544bb413fcc42c145f0c20229a0368725643 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Mon, 27 Apr 2026 10:29:07 -0400
Subject: [PATCH] chore: Bump qs to 6.14.2 to address GHSA-w7fw-mjwx-w883 (#12183)

* chore: Bump qs to 6.14.2 to address GHSA-w7fw-mjwx-w883
---
 AGENTS.md | 12 ++++++++++++
 package.json | 4 +++-
 yarn.lock | 8 ++++----
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/AGENTS.md b/AGENTS.md
index bf238ddd1f..09bf1afce1 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -46,6 +46,18 @@ You're an expert in the following areas:
 yarn install
 ```
 
+- When adding a `resolutions` entry to address a security advisory in a transitive dependency, target only the specific vulnerable descriptors using the `name@npm:` syntax rather than overriding the package globally. Inspect `yarn.lock` to find the exact ranges requested by upstream packages and add one entry per vulnerable range, e.g.:
+
+```json
+"resolutions": {
+  "qs@npm:^6.5.2": "^6.14.2",
+  "qs@npm:^6.11.0": "^6.14.2",
+  "qs@npm:^6.14.0": "^6.14.2"
+}
+```
+
+This keeps overrides scoped to the affected dependents and avoids forcing unrelated consumers onto an incompatible version.
+
 ## TypeScript Usage
 
 - Use strict mode.
diff --git a/package.json b/package.json
index ac07967f9e..d63000d8dd 100644
--- a/package.json
+++ b/package.json
@@ -382,7 +382,9 @@
 "debug": "4.3.4",
 "node-fetch": "^2.7.0",
 "js-yaml": "^4.1.1",
- "qs": "6.14.1",
+ "qs@npm:^6.5.2": "^6.14.2",
+ "qs@npm:^6.11.0": "^6.14.2",
+ "qs@npm:^6.14.0": "^6.14.2",
 "prismjs": "1.30.0",
 "cheerio": "1.0.0-rc.12",
 "zod": "^4.3.6",
diff --git a/yarn.lock b/yarn.lock
index 9e43ecb62e..cc93a6f5cb 100644
--- a/yarn.lock
+++ b/yarn.lock
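Review bot: Removing the unscoped `"qs": "6.14.1"` resolution means any `qs` descriptor outside the three listed caret ranges is no longer forced to a fixed version, so this fix only holds if `^6.5.2`, `^6.11.0` and `^6.14.0` are the complete set of ranges requested in `yarn.lock`; the lockfile hunk on this page shows a single `qs@npm:^6.14.2` entry replacing `qs@npm:6.14.1`, which is consistent with that, but it does not by itself prove that no other `qs@npm:` descriptor (for instance an exact pin, which a caret-keyed resolution would not match) remains. Before merging, confirm with `yarn why qs` that every dependent resolves to the one 6.15.1 entry, and consider running that check or `yarn npm audit` in CI so a future dependency that requests `qs` under a new range does not silently reintroduce the advisory. Note also that `^6.14.2` resolves to 6.15.1 in the lockfile, so the "6.14.2" in the commit title is the floor rather than the installed version; that is fine for the advisory as long as 6.15.1 is within its fixed range, which is worth stating in the PR description since the advisory text is not visible here.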
@@ -18088,12 +18088,12 @@ __metadata:
 languageName: node
 linkType: hard
 
-"qs@npm:6.14.1":
- version: 6.14.1
- resolution: "qs@npm:6.14.1"
+"qs@npm:^6.14.2":
+ version: 6.15.1
+ resolution: "qs@npm:6.15.1"
 dependencies:
 side-channel: "npm:^1.1.0"
- checksum: 10c0/0e3b22dc451f48ce5940cbbc7c7d9068d895074f8c969c0801ac15c1313d1859c4d738e46dc4da2f498f41a9ffd8c201bd9fb12df67799b827db94cc373d2613
+ checksum: 10c0/19ee504f0ebff72598503e38cd6d9bd7b52a8ab62ae18b1e6bee3d4db58469bd65871ef1893a881bafb0f80ef2f9ab586e1f255cf25cc8d816c0f5a704721d97
 languageName: node
 linkType: hard