qs dependency locked to vulnerable version (< 6.14.1) #7619

@abhilashknair

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

Vulnerable qs dependency (< 6.14.1)

A security vulnerability has been reported in the qs package affecting versions earlier than 6.14.1:

In code-server, the qs dependency is currently locked to version 6.4.0:

This version appears to fall within the affected range described in the advisory.

Expected behavior

Upgrade qs to version 6.14.1 or later, or otherwise mitigate the reported vulnerability.

Steps to Reproduce

Expected

Upgrade qs to version 6.14.1 or later, or otherwise mitigate the reported vulnerability.

Actual

qs dependency is currently locked to version 6.4.0:

Logs

Screenshot/Video

No response

Does this bug reproduce in native VS Code?

Yes, this is also broken in native VS Code

Does this bug reproduce in VS Code web?

Yes, this is also broken in VS Code web

Does this bug reproduce in GitHub Codespaces?

Yes, this is also broken in GitHub Codespaces

Are you accessing code-server over a secure context?

  • I am using a secure context.

Notes

No response
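
A check a maintainer could run against an npm lockfile to confirm the report, as an added example that is not part of the issue or of code-server's own code. It assumes a `package-lock.json` with a `packages` map (lockfileVersion 2 or 3); the sample lockfile and the function names are constructed for illustration. The comparison is numeric because, as plain strings, "6.4.0" sorts after "6.14.1".

```javascript
// Added example: flag qs copies older than the fixed version in an npm lockfile.
const FIXED = "6.14.1"; // first fixed version named in the issue

// Compare two x.y.z versions numerically; pre-release/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map and return every installed copy of `name`
// older than `fixed`, including copies nested under other dependencies.
function findVulnerable(lock, name = "qs", fixed = FIXED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget =
      path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && meta.version && compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not code-server's real lockfile).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/qs": { version: "6.4.0" },
    "node_modules/express/node_modules/qs": { version: "6.14.1" },
    "node_modules/body-parser/node_modules/qs": { version: "6.13.0" },
    "node_modules/qs-extra": { version: "1.0.0" }, // different package, ignored
  },
};

for (const hit of findVulnerable(sampleLock)) {
  console.log(`${hit.path} -> qs@${hit.version} (< ${FIXED})`);
}
```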

Labels: bug (Something isn't working), security (Security related), triage (This issue needs to be triaged by a maintainer)
