deps: qs@^6.14.1 by UlisesGascon · Pull Request #6972 · expressjs/express

@sergio-tao

Well done!
Is there going to be a new release (5.2.2?) with this dependency fix? 😁

@gabrieel1007

@sergio-tao
Good question!
Actually, everything about this is covered in PR #6969 — you can check the details there.

@serhalp

Hello! Is there a 4.x release planned that will include this fix soon? Thanks!

@jaenster

Could we please have a patch version for express containing this?

@jonchurch

@serhalp @jaenster
Speaking for myself, I'm not currently planning a patch release specifically for this.

A fresh npm install already resolves to secure versions, and a patch release wouldn't change your remediation steps or silence Dependabot alerts. You'd still need to update your lockfile either way.

To update: npm update qs body-parser

(The body-parser update may not be needed depending on your version, but older versions of body-parser had qs pinned so it's good to include.)

It occurs to me though that I may be too used to managing dependencies this way to understand why others want to solve it with a patch release. Why do you ask for a patch release? Is there something causing you pain here that a patch would solve? Tooling yelling at you?

@jaenster

That works if you use qs and body-parser directly. But we don't; we use NestJS express, which uses express, which uses these.

But it might be that I'm the inexperienced idiot here, so please teach me if I'm doing it wrong and can solve it without an override. Context: we use pnpm.

@krzysdz

That works if you use qs and body-parser directly. But we don't; we use NestJS express, which uses express, which uses these.

Nest v10.4.22 includes updates to express (v4) and body-parser (nestjs/nest#16178, nestjs/nest#16157). Nest v11 uses express v5.2.1, which allows body-parser updates, and the current (not yet released) version on git lists qs 6.14.1 in package-lock.json:

https://github.com/nestjs/nest/blob/defe683829e030377f10a85175eb549b6813d575/package-lock.json#L37965-L37979

Context: we use pnpm.

pnpm has pnpm update and, if I understand filters correctly, pnpm --filter "express..." update should update only express and its dependencies. If you are using Nest v10, you will also have to update it to v10.4.22 in order to allow for express updates.

@serhalp

@jonchurch I don't understand. Why was this "backported" to 4.x if you aren't releasing it? What was the purpose? 🤔

@serhalp

I might be missing something, but it isn't possible to install express v4 at the moment without 2 high CVEs, unless one uses overrides/resolutions:

❯ npm audit --omit=dev
found 0 vulnerabilities

❯ npm i express@4

added 4 packages, changed 1 package, and audited 1521 packages in 1s

❯ npm audit --omit=dev

# npm audit report

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/body-parser/node_modules/qs
node_modules/qs
  body-parser  <=1.20.3 || 2.0.0-beta.1 - 2.0.2
  Depends on vulnerable versions of qs
  node_modules/body-parser

2 high severity vulnerabilities

To address all issues, run:
  npm audit fix

I think it's actually because of the pinned body-parser.

@bjohansebas

The backport is intended to ensure that the next Express 4 release includes this patch; you should already have the patch if you update body-parser as well. This isn't applied automatically, but if you update body-parser alongside Express, you'll get it, since Express 4 now uses the ~ notation in its dependencies ("body-parser": "~1.20.3" in v4.22.1). As a result, updating your package-lock.json should pull in the patched version.

If that’s not the case, then @expressjs/express-captains, we should update the body-parser version here to point to the latest 1.x release (if we haven’t already) and cut a new release. I’ve noticed it’s been difficult for people to get the patch, and I also think something changed in how this works (@krzysdz, I believe you have some context on that).

@krzysdz

If you do a "fresh install" (no package-lock.json and no node_modules) then installing express@4 will install body-parser@1.20.4 and qs@6.14.1.

If you already had Express installed then npm i express@4 will not touch dependencies, unless necessary, because you already have dependencies installed that match the requirements. npm update qs body-parser (or just npm update) will update qs and body-parser (or all your dependencies) to the latest version that is not breaking constraints (^, ~, etc.).

@SAY-5 mentioned this pull request on Apr 15, 2026
