From 18d346c84858ab7b0b136c97c209f62738d7ab6d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 25 May 2026 07:32:03 +0000
Subject: [PATCH 1/2] chore(deps): bump crate-ci/typos in the actions group Bumps the actions group with 1 update: [crate-ci/typos](https://github.com/crate-ci/typos). Updates `crate-ci/typos` from 1.46.2 to 1.46.3 - [Release notes](https://github.com/crate-ci/typos/releases) - [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md) - [Commits](https://github.com/crate-ci/typos/compare/v1.46.2...v1.46.3) --- updated-dependencies: - dependency-name: crate-ci/typos dependency-version: 1.46.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot]
---
 .github/workflows/typos.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml
index 2fe6130..9039154 100644
--- a/.github/workflows/typos.yml
+++ b/.github/workflows/typos.yml
@@ -15,5 +15,5 @@ jobs:
 timeout-minutes: 3
 steps:
 - uses: actions/checkout@v6
- - uses: crate-ci/typos@v1.46.2
+ - uses: crate-ci/typos@v1.46.3
 continue-on-error: true # warn-only — surface findings without blocking CI
From d605f7982731ab2910ffd511f6e6527c0c3947bc Mon Sep 17 00:00:00 2001
From: Manas Srivastava
Date: Fri, 29 May 2026 10:37:29 +0530
Subject: [PATCH 2/2] chore(deps): pin qs to ^6.15.2 via npm overrides to fix GHSA-q8mj-m7cp-5q26 scan / osv-scan flagged qs@6.15.0 (transitive via body-parser/express) as vulnerable to GHSA-q8mj-m7cp-5q26 (CVSS 6.3, medium). Fixed in 6.15.2. Added a top-level npm overrides entry so the transitive resolves to a patched version without touching the express/body-parser declared ranges. Lockfile regenerated; the single node_modules/qs node now resolves to 6.15.2 (verified). Local gate green: npm ci, npm run build, npm test (248/248 pass, coverage 99.81% lines / 95.03% branches). Co-Authored-By: Claude Opus 4.7 (1M context)
---
 package-lock.json | 6 +++---
 package.json | 5 ++++-
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index c5bdb21..7704c3f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -853,9 +853,9 @@ } }, "node_modules/qs": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.0.tgz", - "integrity": "sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==", + "version": "6.15.2", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz", + "integrity": "sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw==", "license": "BSD-3-Clause", "dependencies": { "side-channel": "^1.1.0"
diff --git a/package.json b/package.json
index 4da8603..171b022 100644
--- a/package.json
+++ b/package.json
@@ -61,5 +61,8 @@
 "engines": {
 "node": ">=18"
 },
- "mcpName": "io.github.InstaNode-dev/mcp"
+ "mcpName": "io.github.InstaNode-dev/mcp",
+ "overrides": {
+ "qs": "^6.15.2"
+ }
 }
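Review bot: The `overrides` block added at the end of package.json only takes effect when this package is the root project: npm ignores `overrides` declared by an installed dependency, and package-lock.json is not part of a published tarball. If this package is installed by others (the `mcpName` field suggests it is published, which is inferred from the hunk), their dependency trees are not constrained by this entry and can keep a qs release affected by GHSA-q8mj-m7cp-5q26. Covering consumers as well means raising the direct dependency that pulls in qs to a release whose own range starts at a patched qs, once one exists, and then dropping the override. The subject line says "pin", but `"qs": "^6.15.2"` is a floor within 6.x and only the lockfile fixes the exact version; use `"qs": "6.15.2"` if an exact pin is what is intended. JSON has no comment syntax, so the reason for the override is recorded only in this commit message and is worth repeating in the changelog.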