Update dependency qs to v6 [SECURITY]#13

Open

renovate[bot] wants to merge 1 commit into

renovate/npm-qs-vulnerability

renovate Bot commented May 9, 2026 •

edited

Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
qs	`~5.2.0` → `~6.15.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

qs vulnerable to Prototype Pollution

CVE-2022-24999 / GHSA-hrpp-h998-j3pp

More information

Details

qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

ljharb/qs (qs)

`v6.15.2`

[Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
[Fix] stringify: use configured delimiter after charsetSentinel (#555)
[Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
[Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
[Fix] parse: handle nested bracket groups and add regression tests (#530)
[readme] fix grammar (#550)
[Dev Deps] update @ljharb/eslint-config
[Tests] add regression tests for keys containing percent-encoded bracket text

`v6.15.1`

[Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
[Deps] update @ljharb/eslint-config
[Dev Deps] update @ljharb/eslint-config, iconv-lite
[Tests] increase coverage

`v6.15.0`

[New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
[Fix] duplicates option should not apply to bracket notation keys (#514)

`v6.14.2`

[Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
[Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
[Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
[Fix] parse: enforce arrayLimit on comma-parsed values
[Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
[Robustness] avoid .push, use void
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace runkit CI badge with shields.io check-runs badge
[meta] fix changelog typo (arrayLength → arrayLimit)
[actions] fix rebase workflow permissions

`v6.14.1`

[Fix] ensure arrayLength applies to [] notation as well
[Fix] parse: when a custom decoder returns null for a key, ignore that key
[Refactor] parse: extract key segment splitting helper
[meta] add threat model
[actions] add workflow permissions
[Tests] stringify: increase coverage
[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

`v6.14.0`

[New] parse: add throwOnParameterLimitExceeded option (#517)
[Refactor] parse: use utils.combine more
[patch] parse: add explicit throwOnLimitExceeded default
[actions] use shared action; re-add finishers
[meta] Fix changelog formatting bug
[Deps] update side-channel
[Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
[Tests] increase coverage

`v6.13.3`

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

`v6.13.2`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.13.1`

[Fix] stringify: avoid a crash when a filter key is null
[Fix] utils.merge: functions should not be stringified into keys
[Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
[Fix] stringify: ensure a non-string filter does not crash
[Refactor] use __proto__ syntax instead of Object.create for null objects
[Refactor] misc cleanup
[Tests] utils.merge: add some coverage
[Tests] fix a test case
[actions] split out node 10-20, and 20+
[Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

`v6.13.0`

[New] parse: add strictDepth option (#511)
[Tests] use npm audit instead of aud

`v6.12.5`

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

`v6.12.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.12.3`

[Fix] parse: properly account for strictNullHandling when allowEmptyArrays
[meta] fix changelog indentation

`v6.12.2`

[Fix] parse: parse encoded square brackets (#506)
[readme] add CII best practices badge

`v6.12.1`

[Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501)
[Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502)
[Refactor] utils: use +=
[Tests] increase coverage

`v6.12.0`

[New] parse/stringify: add decodeDotInKeys/encodeDotKeys options (#488)
[New] parse: add duplicates option
[New] parse/stringify: add allowEmptyArrays option to allow [] in object values (#487)
[Refactor] parse/stringify: move allowDots config logic to its own variable
[Refactor] stringify: move option-handling code into normalizeStringifyOptions
[readme] update readme, add logos (#484)
[readme] stringify: clarify default arrayFormat behavior
[readme] fix line wrapping
[readme] remove dead badges
[Deps] update side-channel
[meta] make the dist build 50% smaller
[meta] add sideEffects flag
[meta] run build in prepack, not prepublish
[Tests] parse: remove useless tests; add coverage
[Tests] stringify: increase coverage
[Tests] use mock-property
[Tests] stringify: improve coverage
[Dev Deps] update @ljharb/eslint-config , aud, has-override-mistake, has-property-descriptors, mock-property, npmignore, object-inspect, tape
[Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak
[Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6

`v6.11.4`

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

`v6.11.3`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.11.2`

[Fix] parse: Fix parsing when the global Object prototype is frozen (#473)
[Tests] add passing test cases with empty keys (#473)

`v6.11.1`

[Fix] stringify: encode comma values more consistently (#463)
[readme] add usage of filter option for injecting custom serialization, i.e. of custom types (#447)
[meta] remove extraneous code backticks (#457)
[meta] fix changelog markdown
[actions] update checkout action
[actions] restrict action permissions
[Dev Deps] update @ljharb/eslint-config, aud, object-inspect, tape

`v6.11.0`

[New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#442)
[readme] fix version badge

`v6.10.7`

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

`v6.10.6`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.10.5`

[Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#434)

`v6.10.4`

[Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (#441)
[meta] use npmignore to autogenerate an npmignore file
[Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, object-inspect, tape

`v6.10.3`

[Fix] parse: ignore __proto__ keys (#428)
[Robustness] stringify: avoid relying on a global undefined (#427)
[actions] reuse common workflows
[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, tape

`v6.10.2`

[Fix] stringify: actually fix cyclic references (#426)
[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] add note and links for coercing primitive values (#408)
[actions] update codecov uploader
[actions] update workflows
[Tests] clean up stringify tests slightly
[Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, safe-publish-latest, tape

`v6.10.1`

[Fix] stringify: avoid exception on repeated object values (#402)

`v6.10.0`

[New] stringify: throw on cycles, instead of an infinite loop (#395, #394, #393)
[New] parse: add allowSparse option for collapsing arrays with missing indices (#312)
[meta] fix README.md (#399)
[meta] only run npm run dist in publish, not install
[Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbols, tape
[Tests] fix tests on node v0.6
[Tests] use ljharb/actions/node/install instead of ljharb/actions/node/run
[Tests] Revert "[meta] ignore eclint transitive audit warning"

`v6.9.9`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.9.8`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.9.7`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
[Robustness] stringify: avoid relying on a global undefined (#427)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] add note and links for coercing primitive values (#408)
[Tests] clean up stringify tests slightly
[meta] fix README.md (#399)
Revert "[meta] ignore eclint transitive audit warning"
[actions] backport actions from main
[Dev Deps] backport updates from main

`v6.9.6`

[Fix] restore dist dir; mistakenly removed in d4f6c32

`v6.9.5`

[Fix] stringify: do not encode parens for RFC1738
[Fix] stringify: fix arrayFormat comma with empty array/objects (#350)
[Refactor] format: remove util.assign call
[meta] add "Allow Edits" workflow; update rebase workflow
[actions] switch Automatic Rebase workflow to pull_request_target event
[Tests] stringify: add tests for #378
[Tests] migrate tests to Github Actions
[Tests] run nyc on all tests; use tape runner
[Dev Deps] update eslint, @ljharb/eslint-config, browserify, mkdirp, object-inspect, tape; add aud

`v6.9.4`

[Fix] stringify: when arrayFormat is comma, respect serializeDate (#364)
[Refactor] stringify: reduce branching (part of #350)
[Refactor] move maybeMap to utils
[Dev Deps] update browserify, tape

`v6.9.3`

[Fix] proper comma parsing of URL-encoded commas (#361)
[Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

`v6.9.2`

[Fix] parse: Fix parsing array from object with comma true (#359)
[Fix] parse: throw a TypeError instead of an Error for bad charset (#349)
[meta] ignore eclint transitive audit warning
[meta] fix indentation in package.json
[meta] add tidelift marketing copy
[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, has-symbols, tape, mkdirp, iconv-lite
[actions] add automatic rebasing / merge commit blocking

`v6.9.1`

[Fix] parse: with comma true, handle field that holds an array of arrays (#335)
[Fix] parse: with comma true, do not split non-string values (#334)
[meta] add funding field
[Dev Deps] update eslint, @ljharb/eslint-config
[Tests] use shared travis-ci config

`v6.9.0`

[New] parse/stringify: Pass extra key/value argument to decoder (#333)
[Dev Deps] update eslint, @ljharb/eslint-config, evalmd
[Tests] parse: add passing arrayFormat tests
[Tests] add posttest using npx aud to run npm audit without a lockfile
[Tests] up to node v12.10, v11.15, v10.16, v8.16
[Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray

`v6.8.5`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.8.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.8.3`

[Fix] parse: ignore __proto__ keys (#428)
[Robustness] stringify: avoid relying on a global undefined (#427)
[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Tests] clean up stringify tests slightly
[Docs] add note and links for coercing primitive values (#408)
[meta] fix README.md (#399)
[actions] backport actions from main
[Dev Deps] backport updates from main
[Refactor] stringify: reduce branching
[meta] do not publish workflow files

`v6.8.2`

[Fix] proper comma parsing of URL-encoded commas (#361)
[Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

`v6.8.1`

[Fix] parse: Fix parsing array from object with comma true (#359)
[Fix] parse: throw a TypeError instead of an Error for bad charset (#349)
[Fix] parse: with comma true, handle field that holds an array of arrays (#335)
[fix] parse: with comma true, do not split non-string values (#334)
[meta] add tidelift marketing copy
[meta] add funding field
[Dev Deps] update eslint, @ljharb/eslint-config, tape, safe-publish-latest, evalmd, has-symbols, iconv-lite, mkdirp, object-inspect
[Tests] parse: add passing arrayFormat tests
[Tests] use shared travis-ci configs
[Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray
[actions] add automatic rebasing / merge commit blocking

`v6.8.0`

[New] add depth=false to preserve the original key; [Fix] depth=0 should preserve the original key (#326)
[New] [Fix] stringify symbols and bigints
[Fix] ensure node 0.12 can stringify Symbols
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Refactor] formats: tiny bit of cleanup.
[Dev Deps] update eslint, @ljharb/eslint-config, browserify, safe-publish-latest, iconv-lite, tape
[Tests] add tests for depth=0 and depth=false behavior, both current and intuitive/intended (#326)
[Tests] use eclint instead of editorconfig-tools
[docs] readme: add security note
[meta] add github sponsorship
[meta] add FUNDING.yml
[meta] Clean up license text so it’s properly detected as BSD-3-Clause

`v6.7.5`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.7.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.7.3`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
[Robustness] stringify: avoid relying on a global undefined (#427)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] add note and links for coercing primitive values (#408)
[meta] fix README.md (#399)
[meta] do not publish workflow files
[actions] backport actions from main
[Dev Deps] backport updates from main
[Tests] use nyc for coverage
[Tests] clean up stringify tests slightly

`v6.7.2`

[Fix] proper comma parsing of URL-encoded commas (#361)
[Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

`v6.7.1`

[Fix] parse: Fix parsing array from object with comma true (#359)
[Fix] parse: with comma true, handle field that holds an array of arrays (#335)
[fix] parse: with comma true, do not split non-string values (#334)
[Fix] parse: throw a TypeError instead of an Error for bad charset (#349)
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Refactor] formats: tiny bit of cleanup.
readme: add security note
[meta] add tidelift marketing copy
[meta] add funding field
[meta] add FUNDING.yml
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[Dev Deps] update eslint, @ljharb/eslint-config, tape, safe-publish-latest, evalmd, iconv-lite, mkdirp, object-inspect, browserify
[Tests] parse: add passing arrayFormat tests
[Tests] use shared travis-ci configs
[Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray
[Tests] add tests for depth=0 and depth=false behavior, both current and intuitive/intended
[Tests] use eclint instead of editorconfig-tools
[actions] add automatic rebasing / merge commit blocking

`v6.7.0`

[New] stringify/parse: add comma as an arrayFormat option (#276, #219)
[Fix] correctly parse nested arrays (#212)
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source, also with an array source
[Robustness] stringify: cache Object.prototype.hasOwnProperty
[Refactor] utils: isBuffer: small tweak; add tests
[Refactor] use cached Array.isArray
[Refactor] parse/stringify: make a function to normalize the options
[Refactor] utils: reduce observable [[Get]]s
[Refactor] stringify/utils: cache Array.isArray
[Tests] always use String(x) over x.toString()
[Tests] fix Buffer tests to work in node < 4.5 and node < 5.10
[Tests] temporarily allow coverage to fail

`v6.6.3`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.6.2`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.6.1`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Fix] utils.merge: avoid a crash with a null target and an array source
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] correctly parse nested arrays
[Robustness] stringify: avoid relying on a global undefined (#427)
[Robustness] stringify: cache Object.prototype.hasOwnProperty
[Refactor] formats: tiny bit of cleanup.
[Refactor] utils: isBuffer: small tweak; add tests
[Refactor]: stringify/utils: cache Array.isArray
[Refactor] utils: reduce observable [[Get]]s
[Refactor] use cached Array.isArray
[Refactor] parse/stringify: make a function to normalize the options
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] do not publish workflow files
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[meta] add FUNDING.yml
[meta] Fixes typo in CHANGELOG.md
[actions] backport actions from main
[Tests] fix Buffer tests to work in node < 4.5 and node < 5.10
[Tests] always use String(x) over x.toString()
[Dev Deps] backport from main

`v6.6.0`

[New] Add support for iso-8859-1, utf8 "sentinel" and numeric entities (#268)
[New] move two-value combine to a utils function (#189)
[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
[Fix] when parseArrays is false, properly handle keys ending in [] (#260)
[Fix] stringify: do not crash in an obscure combo of interpretNumericEntities, a bad custom decoder, & iso-8859-1
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
[Refactor] parse: only need to reassign the var once
[Refactor] parse/stringify: clean up charset options checking; fix defaults
[Refactor] add missing defaults
[Refactor] parse: one less concat call
[Refactor] utils: compactQueue: make it explicitly side-effecting
[Dev Deps] update browserify, eslint, @ljharb/eslint-config, iconv-lite, safe-publish-latest, tape
[Tests] up to node v10.10, v9.11, v8.12, v6.14, v4.9; pin included builds to LTS

`v6.5.5`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.5.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.5.3`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] correctly parse nested arrays
[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[Fix] when parseArrays is false, properly handle keys ending in []
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Fix] utils.merge: avoid a crash with a null target and an array source
[Refactor] utils: reduce observable [[Get]]s
[Refactor] use cached Array.isArray
[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
[Refactor] parse: only need to reassign the var once
[Robustness] stringify: avoid relying on a global undefined (#427)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] Clean up license text so it’s properly detected as BSD-3-Clause
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] add FUNDING.yml
[actions] backport actions from main
[Tests] always use String(x) over x.toString()
[Tests] remove nonexistent tape option
[Dev Deps] backport from main

`v6.5.2`

[Fix] use safer-buffer instead of Buffer constructor
[Refactor] utils: module.exports one thing, instead of mutating exports (#230)
[Dev Deps] update browserify, eslint, iconv-lite, safer-buffer, tape, browserify

`v6.5.1`

[Fix] Fix parsing & compacting very deep objects (#224)
[Refactor] name utils functions
[Dev Deps] update eslint, @ljharb/eslint-config, tape
[Tests] up to node v8.4; use nvm install-latest-npm so newer npm doesn’t break older node
[Tests] Use precise dist for Node.js 0.6 runtime (#225)
[Tests] make 0.6 required, now that it’s passing
[Tests] on node v8.2; fix npm on node 0.6

`v6.5.0`

[New] add utils.assign
[New] pass default encoder/decoder to custom encoder/decoder functions (#206)
[New] parse/stringify: add ignoreQueryPrefix/addQueryPrefix options, respectively (#213)
[Fix] Handle stringifying empty objects with addQueryPrefix (#217)
[Fix] do not mutate options argument (#207)
[Refactor] parse: cache index to reuse in else statement (#182)
[Docs] add various badges to readme (#208)
[Dev Deps] update eslint, browserify, iconv-lite, tape
[Tests] up to node v8.1, v7.10, v6.11; npm v4.6 breaks on node < v1; npm v5+ breaks on node < v4
[Tests] add editorconfig-tools

`v6.4.3`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.4.2`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace runkit CI badge with shields.io check-runs badge
[readme] replace travis CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.4.1`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Fix] use safer-buffer instead of Buffer constructor
[Fix] utils.merge: avoid a crash with a null target and an array source
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[Fix] when parseArrays is false, properly handle keys ending in []
[Robustness] stringify: avoid relying on a global undefined (#427)
[Refactor] use cached Array.isArray
[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[meta] add FUNDING.yml
[actions] backport actions from main
[Tests] remove nonexistent tape option
[Dev Deps] backport from main

`v6.4.0`

[New] qs.stringify: add encodeValuesOnly option
[Fix] follow allowPrototypes option during merge (#201, #201)
[Fix] support keys starting with brackets (#202, #200)
[Fix] chmod a-x
[Dev Deps] update eslint
[Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds
[eslint] reduce warnings

`v6.3.5`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.3.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace travis CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.3.3`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Fix] utils.merge: avoid a crash with a null target and an array source
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[Fix] when parseArrays is false, properly handle keys ending in []
[Robustness] stringify: avoid relying on a global undefined (#427)
[Refactor] use cached Array.isArray
[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[meta] add FUNDING.yml
[actions] backport actions from main
[Tests] use safer-buffer instead of Buffer constructor
[Tests] remove nonexistent tape option
[Dev Deps] backport from main

`v6.3.2`

[Fix] follow allowPrototypes option during merge (#201, #200)
[Dev Deps] update eslint
[Fix] chmod a-x
[Fix] support keys starting with brackets (#202, #200)
[Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds

`v6.3.1`

[Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties (thanks, @snyk!)
[Dev Deps] update eslint, @ljharb/eslint-config, browserify, iconv-lite, qs-iconv, tape
[Tests] on all node minors; improve test matrix
[Docs] document stringify option allowDots (#195)
[Docs] add empty object and array values example (#195)
[Docs] Fix minor inconsistency/typo (#192)
[Docs] document stringify option sort (#191)
[Refactor] stringify: throw faster with an invalid encoder
[Refactor] remove unnecessary escapes (#184)
Remove contributing.md, since qs is no longer part of hapi (#183)

`v6.3.0`

[New] Add support for RFC 1738 (#174, #173)
[New] stringify: Add serializeDate option to customize Date serialization (#159)
[Fix] ensure utils.merge handles merging two arrays
[Refactor] only constructors should be capitalized
[Refactor] capitalized var names are for constructors only
[Refactor] avoid using a sparse array
[Robustness] formats: cache String#replace
[Dev Deps] update browserify, eslint, @ljharb/eslint-config; add safe-publish-latest
[Tests] up to node v6.8, v4.6; improve test matrix
[Tests] flesh out arrayLimit/arrayFormat tests (#107)
[Tests] skip Object.create tests when null objects are not available
[Tests] Turn on eslint for test files (#175)

`v6.2.6`

[Fix] fix regression from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.2.5`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace travis CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.2.4`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] utils.merge: avoid a crash with a null target and an array source
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[Fix] when parseArrays is false, properly handle keys ending in []
[Robustness] stringify: avoid relying on a global undefined (#427)
[Refactor] use cached Array.isArray
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[meta] add FUNDING.yml
[actions] backport actions from main
[Tests] use safer-buffer instead of Buffer constructor
[Tests] remove nonexistent tape option
[Dev Deps] backport from main

`v6.2.3`

[Fix] follow allowPrototypes option during merge (#201, #200)
[Fix] chmod a-x
[Fix] support keys starting

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 03adb40 to fce73a3 Compare

May 10, 2026 15:45


          Update dependency qs to v6 [SECURITY]

df2149b

renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from fce73a3 to df2149b Compare

June 7, 2026 20:13

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet