[Snyk] Security upgrade qs from 6.9.7 to 6.14.1

[danmcc]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json
• package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Allocation of Resources Without Limits or Throttling SNYK-JS-QS-14724253	828

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling

[constructor-claude-bedrock]

Code Review Results

✅ Strengths

This PR addresses a high-severity security vulnerability (SNYK-JS-QS-14724253) by upgrading the qs package from 6.9.7 to 6.14.1, fixing an Allocation of Resources Without Limits or Throttling vulnerability.

🚨 Critical Issues

None identified.

⚠️ Important Issues

[File: package.json Line: 62] - Version constraint inconsistency

• The package.json uses an exact version 6.14.1 for the qs dependency, while package-lock.json shows ^6.14.1 (line 15).
• Why this matters: This inconsistency could lead to different versions being installed depending on whether npm install uses the lock file or resolves from package.json in edge cases.
• Recommendation: Update package.json line 62 to use "qs": "^6.14.1" to match the lock file, or ensure both use exact versioning "qs": "6.14.1" (without the caret).

[General] - Missing test validation

• The PR upgrades qs from 6.9.7 to 6.14.1, spanning multiple minor versions which could introduce behavioral changes.
• Why this matters: The codebase uses qs.stringify() extensively across 8 modules (autocomplete, search, browse, catalog, quizzes, recommendations, tasks, tracker) with the { indices: false } option. While this option is still supported, the upgrade introduces new dependencies (side-channel, side-channel-list, side-channel-map, side-channel-weakmap, call-bound) and updates object-inspect from dev-only to production dependency.
• Recommendation: Before merging, run the full test suite (npm test) to ensure query string serialization behavior remains consistent, especially for:
  • Arrays handling with indices: false
  • Special characters in query parameters
  • Nested objects
  • User segments and test cells parameters

💡 Suggestions

[General] - Consider dependency pinning strategy

• The repository currently uses a mix of caret ranges and exact versions. For security-critical dependencies like qs, consider using exact versions (without ^) to ensure predictable builds and controlled upgrades.

[General] - Document the security fix

• Consider adding a note in the commit message or CHANGELOG about the specific vulnerability being addressed (SNYK-JS-QS-14724253 - score 828/1000) for future reference and security audit trails.

Overall Assessment: ⚠️ Needs Work

The security upgrade itself is necessary and well-intentioned. However, the version constraint inconsistency between package.json and package-lock.json should be resolved, and the test suite should be run to verify no behavioral regressions occurred with this multi-minor-version upgrade. Once these items are addressed, this PR should be approved.

[esezen]

The fix was merged in a different PR