
Bump qs to 6.15.2 in yoga (CVE-2026-8723) #1988

Closed
rozele wants to merge 1 commit into react:main from rozele:export-D110207476


Conversation

rozele (Contributor) commented Jun 30, 2026

Summary:
Remediates GitHub security alert GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 (medium severity) flagged on facebook/yoga.

qs is a transitive dependency (via body-parser and express) pinned to 6.14.2 through the ~6.14.0 range, which does not permit the fixed 6.15.2. A plain lockfile bump is therefore insufficient, so a Yarn resolutions override is used to force qs to 6.15.2 across all dependents.

Changes:

  • Add "qs": "6.15.2" to resolutions in xplat/yoga/package.json.
  • Regenerate xplat/yoga/yarn.lock via yarn install, keeping the registry.yarnpkg.com host for open-source lockfile consistency.

Differential Revision: D110207476

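The description above states two things a reviewer would want to confirm rather than take on trust: that the `~6.14.0` range really cannot accept `6.15.2`, and that after the `resolutions` override every `qs` entry in the regenerated lockfile resolves to `6.15.2` from `registry.yarnpkg.com`. The following is an added example in JavaScript, not code from this PR, from facebook/yoga or from Yarn. It assumes the yarn.lock v1 text format; both lockfile texts and the `some-http-lib` consumer package are constructed for the example, and `integrity` lines are omitted.

```javascript
// Added example, not code from the facebook/yoga PR or from Yarn.
//  1. tildeSatisfies(): why the dependents' `~6.14.0` range cannot take 6.15.2.
//  2. auditLockfile(): scan a yarn.lock (v1 format) and report every entry for
//     a package not on the pinned version, or fetched from the wrong registry.
// Lockfile texts below are constructed; real ones also carry `integrity` lines.

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version.trim());
  if (!m) throw new Error(`not a plain semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// ~X.Y.Z permits X.Y.(>=Z) only: patch bumps, never a minor bump.
function tildeSatisfies(range, version) {
  if (!range.startsWith('~')) throw new Error(`only ~ ranges are handled: ${range}`);
  const [rMaj, rMin, rPat] = parseSemver(range.slice(1));
  const [vMaj, vMin, vPat] = parseSemver(version);
  return vMaj === rMaj && vMin === rMin && vPat >= rPat;
}

// yarn.lock v1: header lines at column 0 end with ':' and may list several
// "name@range" keys; the fields that follow are indented.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const keys = line.replace(/:\s*$/, '').split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      current = { keys, version: null, resolved: null };
      entries.push(current);
    } else if (current) {
      const m = /^\s+(version|resolved)\s+"([^"]*)"/.exec(line);
      if (m) current[m[1]] = m[2];
    }
  }
  return entries;
}

// 'qs@~6.14.0' -> 'qs'; '@scope/pkg@^1.0.0' -> '@scope/pkg'.
function packageName(key) {
  const at = key.lastIndexOf('@');
  return at > 0 ? key.slice(0, at) : key;
}

// Empty result means the override took effect for every declared range.
function auditLockfile(lockText, pkg, pinned, registryHost) {
  const problems = [];
  const entries = parseYarnLockV1(lockText)
    .filter((e) => e.keys.some((k) => packageName(k) === pkg));
  if (entries.length === 0) problems.push(`${pkg} is not in the lockfile`);
  for (const e of entries) {
    const label = e.keys.join(', ');
    if (e.version !== pinned) problems.push(`${label} resolves to ${e.version}, expected ${pinned}`);
    const host = e.resolved ? new URL(e.resolved).host : null;
    if (host !== registryHost) problems.push(`${label} fetched from ${host}, expected ${registryHost}`);
  }
  return problems;
}

// Constructed: after the resolutions override, both ranges collapse onto 6.15.2,
// and a consumer's nested `qs "~6.14.0"` line is correctly ignored by the parser.
const LOCK_AFTER_OVERRIDE = [
  '# yarn lockfile v1',
  'qs@6.15.2, qs@~6.14.0:',
  '  version "6.15.2"',
  '  resolved "https://registry.yarnpkg.com/qs/-/qs-6.15.2.tgz"',
  'some-http-lib@1.0.0:',
  '  version "1.0.0"',
  '  resolved "https://registry.yarnpkg.com/some-http-lib/-/some-http-lib-1.0.0.tgz"',
  '  dependencies:',
  '    qs "~6.14.0"',
].join('\n');

// Constructed: a plain top-level bump leaves the dependents' range on 6.14.2,
// and the new entry was fetched from a different registry host.
const LOCK_PLAIN_BUMP = [
  '# yarn lockfile v1',
  'qs@~6.14.0:',
  '  version "6.14.2"',
  '  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.2.tgz"',
  'qs@6.15.2:',
  '  version "6.15.2"',
  '  resolved "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz"',
].join('\n');

console.log('~6.14.0 accepts 6.14.2:', tildeSatisfies('~6.14.0', '6.14.2'));
console.log('~6.14.0 accepts 6.15.2:', tildeSatisfies('~6.14.0', '6.15.2'));
console.log('after override:', auditLockfile(LOCK_AFTER_OVERRIDE, 'qs', '6.15.2', 'registry.yarnpkg.com'));
console.log('plain bump:', auditLockfile(LOCK_PLAIN_BUMP, 'qs', '6.15.2', 'registry.yarnpkg.com'));
```

Run it with `node`; for a real repository, read `yarn.lock` with `fs.readFileSync` and pass the text to `auditLockfile` the same way. The host check is the part most often skipped in review: an override that pulls the fixed tarball from a different registry than the rest of the lockfile is a supply-chain change in its own right, not just a version bump.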
meta-cla (bot) added the CLA Signed label Jun 30, 2026

meta-codesync (bot) commented Jun 30, 2026

@rozele has exported this pull request. If you are a Meta employee, you can view the originating Diff in D110207476.

meta-codesync (bot) commented Jun 30, 2026

This pull request has been merged in d039679.
