From 9e6f28ee9f8c1d9bc9176a6dbb488a6a4d00efe8 Mon Sep 17 00:00:00 2001
From: Jonas
Date: Mon, 19 Jan 2026 16:38:52 +0000
Subject: [PATCH] fix(security): upgrade qs to 6.14.1 for CVE-2025-15284

Add npm override to force qs@^6.14.1 in backend/catalog to remediate DoS vulnerability via arrayLimit bypass in bracket notation.

Co-authored-by: Ona
---
 backend/catalog/package-lock.json | 9 ++++++---
 backend/catalog/package.json      | 3 +++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/backend/catalog/package-lock.json b/backend/catalog/package-lock.json
index bcc1918..df34cee 100644
--- a/backend/catalog/package-lock.json
+++ b/backend/catalog/package-lock.json
@@ -26,6 +26,9 @@
         "ts-jest": "^29.4.1",
         "ts-node": "^10.9.2",
         "typescript": "^5.9.2"
+      },
+      "overrides": {
+        "qs": "^6.14.1"
       }
     },
     "node_modules/@babel/code-frame": {
@@ -5046,9 +5049,9 @@
       "license": "MIT"
     },
     "node_modules/qs": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz",
-      "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==",
+      "version": "6.14.1",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+      "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
       "license": "BSD-3-Clause",
       "dependencies": {
         "side-channel": "^1.1.0"
diff --git a/backend/catalog/package.json b/backend/catalog/package.json
index 01055ad..8b0eca7 100644
--- a/backend/catalog/package.json
+++ b/backend/catalog/package.json
@@ -36,5 +36,8 @@
     ],
     "ext": "ts,json",
     "exec": "ts-node src/index.ts"
+  },
+  "overrides": {
+    "qs": "^6.14.1"
   }
 }
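Review bot: The `overrides` block added at the end of backend/catalog/package.json only takes effect when this directory is the root of its own npm install; npm ignores `overrides` declared in a workspace member or any nested package.json, so if backend/catalog is ever folded into a monorepo workspace this pin silently stops applying. The package-lock.json hunk does show npm recording the override under the root `""` entry, which suggests it is installed standalone today, but that is inferred rather than visible in this diff. Note also that `"qs": "^6.14.1"` is a range, not a pin — the lockfile's `"version": "6.14.1"` and `"integrity"` lines are what actually fix the resolved copy, so the lockfile must be committed alongside. It would be worth confirming after `npm install` that `npm ls qs` reports no remaining 6.14.0 (or older) instance, since an override only rewrites what the resolver sees and not any vendored or bundled copy.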