From 16a788647a6fdbfc7e59fc2b505046376906f597 Mon Sep 17 00:00:00 2001
From: Nikolay Samokhvalov <nik@postgres.ai>
Date: Sat, 23 May 2026 04:04:20 +0000
Subject: [PATCH] fix(ui): bump qs past CVE-2026-8723

---
 ui/package.json   | 3 ++-
 ui/pnpm-lock.yaml | 7 ++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ui/package.json b/ui/package.json
index cab55a99..6c650e74 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -57,7 +57,8 @@
       "dompurify@<3.3.2": ">=3.3.2",
       "yaml@>=1.0.0 <1.10.3": ">=1.10.3",
       "uuid@<14.0.0": ">=14.0.0 <15.0.0",
-      "marked@<18.0.2": ">=18.0.2 <19.0.0"
+      "marked@<18.0.2": ">=18.0.2 <19.0.0",
+      "qs@>=6.11.1 <6.15.2": ">=6.15.2"
     }
   }
 }
diff --git a/ui/pnpm-lock.yaml b/ui/pnpm-lock.yaml
index 8164445f..e26b8744 100644
--- a/ui/pnpm-lock.yaml
+++ b/ui/pnpm-lock.yaml
@@ -52,6 +52,7 @@ overrides:
   yaml@>=1.0.0 <1.10.3: '>=1.10.3'
   uuid@<14.0.0: '>=14.0.0 <15.0.0'
   marked@<18.0.2: '>=18.0.2 <19.0.0'
+  qs@>=6.11.1 <6.15.2: '>=6.15.2'
 
 importers:
 
@@ -790,7 +791,7 @@ packages:
       json-stringify-safe: 5.0.1
       mime-types: 2.1.35
       performance-now: 2.1.0
-      qs: 6.15.0
+      qs: 6.15.2
       safe-buffer: 5.2.1
       tough-cookie: 5.1.2
       tunnel-agent: 0.6.0
@@ -5690,8 +5691,8 @@ packages:
     engines: {node: '>=6'}
     dev: true
 
-  /qs@6.15.0:
-    resolution: {integrity: sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==}
+  /qs@6.15.2:
+    resolution: {integrity: sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==}
     engines: {node: '>=0.6'}
     dependencies:
       side-channel: 1.1.0