
[Security] Fix HIGH vulnerability: CVE-2025-15284

Open orbisai0security opened this issue 1 month ago • 2 comments

Security Fix

This PR addresses a HIGH severity vulnerability detected by our security scanner.

Security Impact Assessment

| Aspect | Rating | Rationale |
|---|---|---|
| Impact | Medium | In WaveTerm, a terminal emulator app, exploitation of this qs DoS vulnerability could cause the application to crash or become unresponsive when parsing malformed array inputs, potentially disrupting user workflows and requiring an app restart; however, it does not enable data breaches, remote code execution, or system compromise, limiting damage to a temporary denial of service on the user's local machine. |
| Likelihood | Low | WaveTerm is a client-side desktop application with a limited external input surface, and qs is likely used for internal parsing of controlled data such as configuration or UI parameters; exploitation would require an attacker to deliver specific malformed inputs, which is unlikely without social engineering or unless the app processes untrusted web content, given its focus on local terminal operations. |
| Ease of Fix | Medium | Remediation involves updating the qs dependency to a patched version via npm, which may require reviewing and testing for compatibility with WaveTerm's web-based interface and terminal features; potential for breaking changes exists due to qs's role in query string handling, necessitating moderate testing effort across different platforms. |

Vulnerability Details

  • Rule ID: CVE-2025-15284
  • File: package-lock.json
  • Description: qs: Denial of Service via improper input validation in array parsing

Changes Made

This automated fix addresses the vulnerability by updating the qs dependency to a patched version in package.json and package-lock.json.

Files Modified

  • package.json
  • package-lock.json

Verification

This fix has been automatically verified through:

  • ✅ Build verification
  • ✅ Scanner re-scan
  • ✅ LLM code review

🤖 This PR was automatically generated.

orbisai0security · Jan 16 '26 01:01