
fix: override qs to 6.14.1 to resolve CVE-2025-15284 (Dependabot #401)#1573

Merged
jmfernandezalba merged 2 commits into main from devin/1770685527-fix-qs-cve
Feb 10, 2026

Conversation

@devin-ai-integration
Contributor

Description

Resolves Dependabot alert #401: CVE-2025-15284 (High severity, CVSS 7.5).

qs@6.13.0 is a transitive dependency pinned by express@4.21.1 and body-parser@1.20.3. The vulnerability allows arrayLimit bypass via bracket notation, enabling DoS through memory exhaustion. The fix is in qs@6.14.1.

Since express@4.21.1 pins qs to exactly 6.13.0, a direct upgrade isn't possible without jumping to Express 5.x (breaking). Instead, this adds a pnpm override to force qs to 6.14.1, consistent with how other transitive dependency vulnerabilities are already handled in this repo.

Human review checklist

  • Verify the blanket "qs": "6.14.1" override is preferred over a scoped "qs@6": "6.14.1" — only one major version (6.x) exists in the tree, so both are equivalent today
  • Confirm no changeset is needed — only root package.json and pnpm-lock.yaml changed; no files under packages/ were modified

Test plan

  • pnpm lint — passes
  • pnpm test:vitest — all 11 test suites pass (48 tests total)
  • Verified lockfile resolves qs@6.14.1 in all three locations (body-parser, express, standalone)

Package updates

No published packages are affected — qs is only a transitive dependency of express/body-parser used in demo apps. No changeset required.


Link to Devin run: https://crossmint.devinenterprise.com/sessions/9ce066e103f044e9af55e7ea756bc368
Requested by: Penelope (@soinclined)

Co-Authored-By: Penelope <penelope@paella.dev>
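As an added example that is not part of the PR or the repository, a Node script in the spirit of the test-plan item "Verified lockfile resolves qs@6.14.1 in all three locations": it scans a constructed lockfile excerpt for every qs pin, flags the ones still below 6.14.1, and shows what the tree looks like once the blanket override is in effect. The lockfile layout, the `pinOverride` helper and the other function names are assumptions; only the override shape `"qs": "6.14.1"`, the dependency names and the versions come from the PR.

```javascript
// Added example (not code from the PR): scan a pnpm lockfile for every place `qs`
// is pinned and flag versions below the fixed release. The excerpt is constructed
// and only loosely follows pnpm's layout (keys `qs@X.Y.Z:`, edges `qs: X.Y.Z`).
const FIXED_QS = "6.14.1";
// Shape of the root package.json override the PR adds (blanket, not scoped to qs@6).
const PNPM_OVERRIDE = { pnpm: { overrides: { qs: FIXED_QS } } };
// Constructed "before" state: express and body-parser both resolve qs to 6.13.0.
const SAMPLE_LOCKFILE = `
packages:
  qs@6.13.0: {}
snapshots:
  body-parser@1.20.3:
    dependencies:
      qs: 6.13.0
  express@4.21.1:
    dependencies:
      body-parser: 1.20.3
      qs: 6.13.0
`;

// Numeric dotted-version compare: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Every qs pin with its line number, from package keys (`qs@X.Y.Z:`) and edges (`qs: X.Y.Z`).
function findQsPins(lockText) {
  const pins = [];
  lockText.split("\n").forEach((line, i) => {
    const m = line.match(/^\s+qs(?:@|: )(\d+\.\d+\.\d+)\b/);
    if (m) pins.push({ line: i + 1, version: m[1] });
  });
  return pins;
}
// Pins still older than the fix; an empty result means the override reached every location.
function vulnerableQsPins(lockText, fixed = FIXED_QS) {
  return findQsPins(lockText).filter((p) => compareVersions(p.version, fixed) < 0);
}

// Hypothetical stand-in for what `pnpm install` does once the override is honoured:
// rewrite every key and edge for `pkg` to the override version.
function pinOverride(lockText, pkg, version) {
  return lockText
    .replace(new RegExp(`^(\\s+${pkg})@\\d+\\.\\d+\\.\\d+`, "gm"), `$1@${version}`)
    .replace(new RegExp(`^(\\s+${pkg}): \\d+\\.\\d+\\.\\d+`, "gm"), `$1: ${version}`);
}
```

Run against a real `pnpm-lock.yaml` by replacing `SAMPLE_LOCKFILE` with the file contents; a non-empty `vulnerableQsPins` result names the line of each entry the override did not reach.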
@changeset-bot

changeset-bot bot commented Feb 10, 2026

⚠️ No Changeset found

Latest commit: 3d6bf30

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@devin-ai-integration
Contributor Author

Original prompt from Penelope
Please draft a PR to resolve this that doesn't break anything
https://github.com/Crossmint/crossmint-sdk/security/dependabot/401

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.



@greptile-apps greptile-apps bot left a comment


No files reviewed, no comments


…rides

Co-Authored-By: Penelope <penelope@paella.dev>

@jmfernandezalba jmfernandezalba merged commit f52a49c into main Feb 10, 2026
2 checks passed
@jmfernandezalba jmfernandezalba deleted the devin/1770685527-fix-qs-cve branch February 10, 2026 08:46
