
Bump JS deps to resolve all open Dependabot alerts #1648

Open

IEvangelist wants to merge 2 commits into main from dapine/fix-dependabot-alerts

Bump JS deps to resolve all open Dependabot alerts#1648
IEvangelist wants to merge 2 commits into
mainfrom
dapine/fix-dependabot-alerts

Conversation

@IEvangelist
Member

Bump JS deps to resolve all open Dependabot alerts

Summary

Closes the two open Dependabot alerts on this repo by bumping the two JavaScript lockfile-based manifests via npm overrides.

Alerts addressed

| File | Package | Vuln range | Bumped to | Severity | GHSA | Alert |
| --- | --- | --- | --- | --- | --- | --- |
| samples/polyglot-task-queue/api/package-lock.json | qs | < 6.15.2 | 6.15.2 | medium | GHSA-r2pq-mvjr-w5xj | #480 |
| samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json | webpack-dev-server | <= 5.2.3 | 5.2.4 | medium | GHSA-79cf-xcqc-c78w | #474 |

How each manifest was updated

  • samples/polyglot-task-queue/api - qs is a transitive (via express). Added an overrides block that pins qs to ^6.15.2, then regenerated package-lock.json with npm install --package-lock-only. The diff is a one-line version + integrity bump.
  • samples/aspire-with-javascript/AspireJavaScript.Angular - webpack-dev-server is a transitive (via @angular-devkit/build-angular). Added an entry to the existing overrides block ("webpack-dev-server": "^5.2.4"), then regenerated package-lock.json with npm install --package-lock-only --legacy-peer-deps (matching the existing lockfile generation; the typescript@~6.0.3 vs @angular-devkit/build-angular peer-dep mismatch is pre-existing and unrelated). Only the webpack-dev-server package + a few transitively-removed @emnapi/* peer-optional entries change.

Validation

For each updated manifest, npm install --package-lock-only --no-audit --no-fund succeeds against the configured mirror, and every vulnerable version is gone from the resolved tree:

samples/polyglot-task-queue/api/package-lock.json:
  OK  qs = 6.15.2 (expected >= 6.15.2)

samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json:
  OK  webpack-dev-server = 5.2.4 (expected >= 5.2.4)

Risk notes for reviewers

  • Both packages are dev-/runtime-only transitives - no direct dependency is changed.
  • webpack-dev-server 5.2.4 is a patch bump (5.2.3 -> 5.2.4). No public API changes.
  • qs 6.15.2 is a patch bump (6.15.1 -> 6.15.2). No public API changes.

Closes the two open Dependabot alerts on this repo by bumping the two
JavaScript lockfile-based manifests via npm `overrides`:

| File | Package | Bumped to | Severity | GHSA | Alert |
| --- | --- | --- | --- | --- | --- |
| `samples/polyglot-task-queue/api/package-lock.json` | `qs` | `6.15.2` | medium | GHSA-r2pq-mvjr-w5xj | #480 |
| `samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json` | `webpack-dev-server` | `5.2.4` | medium | GHSA-79cf-xcqc-c78w | #474 |

Both packages are transitive, so each is pinned via npm `overrides` and
the lockfile is regenerated with `npm install --package-lock-only`. No
direct dependency or top-level script is affected; the only behavioral
change is that the patched vulnerable transitives are no longer resolved.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
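The validation step in the description checks that the vulnerable version is gone from the resolved tree. The block below is an added example, not code from this PR or from the Aspire samples repo: a small Node script that walks a package-lock.json (the flat `packages` map of lockfile v2/v3, or the nested `dependencies` tree of v1) and reports every resolved copy of a governed package that sits below its patched floor. The floors (`qs` >= 6.15.2, `webpack-dev-server` >= 5.2.4) are the ones the PR states; the sample lockfile, the `FLOORS` map and the function names are constructed for the example and are assumptions, not the repo's files. It goes one step beyond the single-version check shown above: it also catches a second, nested copy of the package under another dependency, which a check of the hoisted entry alone would miss and which an `overrides` entry is meant to replace throughout the tree.

```javascript
// Added example (not from the PR or the Aspire samples): scan a package-lock.json
// for every resolved copy of a package and verify each is at or above a patched
// floor. The floors mirror the PR description; the lockfile JSON further down is
// constructed for the example, not copied from the repo.

// Minimum patched versions from the PR (GHSA-r2pq-mvjr-w5xj, GHSA-79cf-xcqc-c78w).
// Any resolved copy below its floor is flagged. (Assumed map name.)
const FLOORS = { qs: "6.15.2", "webpack-dev-server": "5.2.4" };

// Numeric dotted-version comparison. Pre-release suffixes are stripped, which is
// a deliberate simplification: "6.15.2-rc.1" compares equal to "6.15.2" here,
// whereas a real audit should treat a pre-release as below the floor.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/express/node_modules/qs" -> "qs". Scoped names keep their scope
// because only the last "node_modules/" prefix is removed.
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// Yield {path, name, version} for every resolved package. Lockfile v2/v3 carry a
// flat "packages" map; v1 only has a nested "dependencies" tree, so walk both.
function* resolvedPackages(lock) {
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "" || !meta.version) continue; // root entry or workspace link
      yield { path: p, name: nameFromPath(p), version: meta.version };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      yield { path: p, name, version: meta.version };
      yield* walk(meta.dependencies, `${p}/`);
    }
  }
  yield* walk(lock.dependencies, "");
}

// Return every copy of a governed package that sits below its floor. A transitive
// can be hoisted *and* nested under another package; each copy is checked.
function findUnpatched(lock, floors = FLOORS) {
  const out = [];
  for (const pkg of resolvedPackages(lock)) {
    const floor = floors[pkg.name];
    if (floor && compareVersions(pkg.version, floor) < 0) {
      out.push({ ...pkg, floor });
    }
  }
  return out;
}

// Convenience wrapper for the raw text of a lockfile read from disk.
function auditLockfileText(text, floors = FLOORS) {
  return findUnpatched(JSON.parse(text), floors);
}

// Constructed sample lockfile (not the repo's): qs is hoisted at the patched
// version, but a second copy nested under express is still at 6.15.1. Checking
// only "node_modules/qs" would report OK and miss it.
const SAMPLE_LOCK = {
  name: "api",
  lockfileVersion: 3,
  packages: {
    "": { name: "api", version: "1.0.0" },
    "node_modules/express": { version: "4.21.2" },
    "node_modules/qs": { version: "6.15.2" },
    "node_modules/express/node_modules/qs": { version: "6.15.1" },
    "node_modules/webpack-dev-server": { version: "5.2.4" },
  },
};

// Report in the same "OK / expected >=" style as the PR's validation output.
for (const bad of findUnpatched(SAMPLE_LOCK)) {
  console.log(`FAIL ${bad.path} = ${bad.version} (expected >= ${bad.floor})`);
}
if (findUnpatched(SAMPLE_LOCK).length === 0) {
  console.log("OK  all governed packages at or above their floor");
}
```

To run this against a real manifest, pass the file contents to `auditLockfileText(require("fs").readFileSync(path, "utf8"))`; a non-empty result is the condition that should block the merge, and the `path` field tells you which parent package still pulls in the old copy, which is what the `overrides` entry has to cover.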
Copilot AI review requested due to automatic review settings May 26, 2026 14:51
Contributor

Copilot AI left a comment


Pull request overview

This PR resolves the repo’s remaining open Dependabot alerts by pinning patched versions of two vulnerable transitive JavaScript dependencies via npm overrides, and updating the corresponding lockfiles to reflect the new resolutions.

Changes:

  • Add an npm override for qs in samples/polyglot-task-queue/api and update package-lock.json to qs@6.15.2.
  • Extend the existing npm overrides in samples/aspire-with-javascript/AspireJavaScript.Angular to force webpack-dev-server@^5.2.4 and update package-lock.json to webpack-dev-server@5.2.4 (with related lockfile pruning).

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| samples/polyglot-task-queue/api/package.json | Adds npm overrides entry to force qs to a patched version. |
| samples/polyglot-task-queue/api/package-lock.json | Updates resolved qs package entry to 6.15.2. |
| samples/aspire-with-javascript/AspireJavaScript.Angular/package.json | Adds webpack-dev-server to existing overrides to force patched version. |
| samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json | Updates resolved webpack-dev-server to 5.2.4 and removes now-unneeded optional peer entries. |
Files not reviewed (2)
  • samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json: Language not supported
  • samples/polyglot-task-queue/api/package-lock.json: Language not supported


@IEvangelist
Member Author

Drive-by validation comment - GitHub won't let me approve my own PR:

  • Windows CI passes, license/cla passes.
  • The Build & Test Samples (ubuntu-latest) failure is pre-existing on main (run 26499954285 on commit dd2df8d and earlier runs all show the same Resource 'angular' failed to start error caused by angular-installer exiting with code 1). Same regression is hitting every recent commit on main, so the failure is not introduced by this PR.
  • Diff is confined to the two lockfiles plus matching overrides entries; no behavior changes.
  • Addresses Dependabot alerts:

Ready for a maintainer review/merge once the main regression is sorted (independent of this PR).

@IEvangelist
Member Author

The Build & Test Samples (ubuntu-latest) failure is pre-existing on main and unrelated to this PR. This PR only adds webpack-dev-server to the resolutions/overrides blocks — it does not touch the dependencies involved in the failure.

I confirmed the same job has failed on the last several main runs (e.g. runs 26499583761, 26499593350, 26499954285, 26558783248, 26559928976).

Root cause appears to be an Angular ERESOLVE between the sample's typescript@~6.0.3 and @angular-devkit/build-angular@21.2.11's peer constraint typescript@">=5.9 <6.0", triggered during the dapr/aspire deploy step.

Windows + CLA checks pass. Ready for maintainer review.

@IEvangelist
Member Author

Status check (Dependabot alert sweep across all 4 Aspire repos):

This PR is the only one needed to close all open Dependabot alerts on this repo (1 alert: webpack-dev-server #474). The other alert referenced in the description (qs #480) is already closed - the diff correctly only updates webpack-dev-server and bumps qs defensively to 6.15.2 in polyglot-task-queue/api via overrides.

CI failure on Build & Test Samples (ubuntu-latest) is pre-existing, not introduced by this PR. Verified by checking the last 15 main branch CI runs - every one of them since at least 2026-05-23 fails with the exact same error:

npm error code ERESOLVE
npm error While resolving: @angular-devkit/build-angular@21.2.11
npm error Found: typescript@6.0.3
npm error peer typescript@">=5.9 <6.0" from @angular-devkit/build-angular@21.2.11

This is a peer-dep mismatch in samples/aspire-with-javascript/AspireJavaScript.Angular/package.json (typescript@~6.0.3 vs Angular CLI's TS peer range) and is independent of the security fix. Re-running CI won't help; the angular sample's TS pin needs to be bumped to ~5.9.0 or @angular-devkit/build-angular needs to be upgraded to a version with a TS 6 peer. That's a separate workstream.

I'm the author so I can't self-approve - flagging here for a reviewer to evaluate.

@IEvangelist
Member Author

Validation summary (re-checked against the live Dependabot alert feed):

| Repo alert | Severity | Manifest | Bumped to | State |
| --- | --- | --- | --- | --- |
| #474 webpack-dev-server (GHSA-79cf-xcqc-c78w) | medium | samples/aspire-with-javascript/AspireJavaScript.Angular/package-lock.json | 5.2.4 (via overrides) | covered by this PR |
| #480 qs (GHSA-r2pq-mvjr-w5xj) | medium | samples/polyglot-task-queue/api/package-lock.json | 6.15.2 (via overrides) | already auto-resolved upstream; the override keeps it from regressing |

CI on head 0eb2591:

  • Build & Test Samples (ubuntu-latest): SUCCESS
  • Build & Test Samples (windows-latest): SUCCESS
  • license/cla: SUCCESS

This is the only open Dependabot-fix PR in this repo touching JS lockfiles, so once merged the repo should be alert-free. (Cannot self-approve as the author.)
