fix: update qs to resolve CVE-2026-8723

[dannyneira]

Summary

• Updates transitive npm dependency qs from 6.15.0 to 6.15.2 in package-lock.json.
• Resolves CVE-2026-8723 / GHSA-q8mj-m7cp-5q26, a remotely triggerable DoS in qs.stringify.
• Dependency path: react-instantsearch -> instantsearch.js -> qs.

Dependabot alert

• https://github.com/warpdotdev/commands.dev/security/dependabot/99

Advisory

• GHSA-q8mj-m7cp-5q26
• https://nvd.nist.gov/vuln/detail/CVE-2026-8723

Verification

• npm ls qs --package-lock-only --all shows qs@6.15.2.
• npm audit --json no longer reports qs.
• npm run lint passes.
• NEXT_PUBLIC_ALGOLIA_APP_ID=dummy NEXT_PUBLIC_ALGOLIA_SEARCH_API_KEY=dummy ALGOLIA_SEARCH_ADMIN_KEY=dummy npx tsc lib/*.ts && NEXT_PUBLIC_ALGOLIA_APP_ID=dummy NEXT_PUBLIC_ALGOLIA_SEARCH_API_KEY=dummy ALGOLIA_SEARCH_ADMIN_KEY=dummy npx next build passes.

Note: npm run build invokes the repo's postbuild Algolia publishing script. With placeholder Algolia values it reaches the external publish step and fails DNS lookup for the dummy app id, so the underlying TypeScript and Next build commands were run directly for validation.

Conversation: https://staging.warp.dev/conversation/25d363f7-d567-4b61-84b7-5ca0bcf37fd0
Run: https://oz.staging.warp.dev/runs/019e799d-2a32-71bf-8859-6b02d8930e6d
This PR was generated with Oz.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commands-dev	Ready	Preview, Comment	May 30, 2026 4:04pm