Update dependency qs to v6 [SECURITY]#13

Open

renovate[bot] wants to merge 1 commit into

renovate/npm-qs-vulnerability

renovate Bot commented May 9, 2026 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
qs	`~5.2.0` → `~6.5.3`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

qs vulnerable to Prototype Pollution

CVE-2022-24999 / GHSA-hrpp-h998-j3pp

More information

Details

qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

ljharb/qs (qs)

`v6.5.3`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] correctly parse nested arrays
[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[Fix] when parseArrays is false, properly handle keys ending in []
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Fix] utils.merge: avoid a crash with a null target and an array source
[Refactor] utils: reduce observable [[Get]]s
[Refactor] use cached Array.isArray
[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
[Refactor] parse: only need to reassign the var once
[Robustness] stringify: avoid relying on a global undefined (#427)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] Clean up license text so it’s properly detected as BSD-3-Clause
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] add FUNDING.yml
[actions] backport actions from main
[Tests] always use String(x) over x.toString()
[Tests] remove nonexistent tape option
[Dev Deps] backport from main

`v6.5.2`

[Fix] use safer-buffer instead of Buffer constructor
[Refactor] utils: module.exports one thing, instead of mutating exports (#230)
[Dev Deps] update browserify, eslint, iconv-lite, safer-buffer, tape, browserify

`v6.5.1`

[Fix] Fix parsing & compacting very deep objects (#224)
[Refactor] name utils functions
[Dev Deps] update eslint, @ljharb/eslint-config, tape
[Tests] up to node v8.4; use nvm install-latest-npm so newer npm doesn’t break older node
[Tests] Use precise dist for Node.js 0.6 runtime (#225)
[Tests] make 0.6 required, now that it’s passing
[Tests] on node v8.2; fix npm on node 0.6

`v6.5.0`

[New] add utils.assign
[New] pass default encoder/decoder to custom encoder/decoder functions (#206)
[New] parse/stringify: add ignoreQueryPrefix/addQueryPrefix options, respectively (#213)
[Fix] Handle stringifying empty objects with addQueryPrefix (#217)
[Fix] do not mutate options argument (#207)
[Refactor] parse: cache index to reuse in else statement (#182)
[Docs] add various badges to readme (#208)
[Dev Deps] update eslint, browserify, iconv-lite, tape
[Tests] up to node v8.1, v7.10, v6.11; npm v4.6 breaks on node < v1; npm v5+ breaks on node < v4
[Tests] add editorconfig-tools

`v6.4.3`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.4.2`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace runkit CI badge with shields.io check-runs badge
[readme] replace travis CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.4.1`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Fix] use safer-buffer instead of Buffer constructor
[Fix] utils.merge: avoid a crash with a null target and an array source
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[Fix] when parseArrays is false, properly handle keys ending in []
[Robustness] stringify: avoid relying on a global undefined (#427)
[Refactor] use cached Array.isArray
[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[meta] add FUNDING.yml
[actions] backport actions from main
[Tests] remove nonexistent tape option
[Dev Deps] backport from main

`v6.4.0`

[New] qs.stringify: add encodeValuesOnly option
[Fix] follow allowPrototypes option during merge (#201, #201)
[Fix] support keys starting with brackets (#202, #200)
[Fix] chmod a-x
[Dev Deps] update eslint
[Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds
[eslint] reduce warnings

`v6.3.5`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.3.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace travis CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.3.3`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Fix] utils.merge: avoid a crash with a null target and an array source
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[Fix] when parseArrays is false, properly handle keys ending in []
[Robustness] stringify: avoid relying on a global undefined (#427)
[Refactor] use cached Array.isArray
[Refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[meta] add FUNDING.yml
[actions] backport actions from main
[Tests] use safer-buffer instead of Buffer constructor
[Tests] remove nonexistent tape option
[Dev Deps] backport from main

`v6.3.2`

[Fix] follow allowPrototypes option during merge (#201, #200)
[Dev Deps] update eslint
[Fix] chmod a-x
[Fix] support keys starting with brackets (#202, #200)
[Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds

`v6.3.1`

[Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties (thanks, @snyk!)
[Dev Deps] update eslint, @ljharb/eslint-config, browserify, iconv-lite, qs-iconv, tape
[Tests] on all node minors; improve test matrix
[Docs] document stringify option allowDots (#195)
[Docs] add empty object and array values example (#195)
[Docs] Fix minor inconsistency/typo (#192)
[Docs] document stringify option sort (#191)
[Refactor] stringify: throw faster with an invalid encoder
[Refactor] remove unnecessary escapes (#184)
Remove contributing.md, since qs is no longer part of hapi (#183)

`v6.3.0`

[New] Add support for RFC 1738 (#174, #173)
[New] stringify: Add serializeDate option to customize Date serialization (#159)
[Fix] ensure utils.merge handles merging two arrays
[Refactor] only constructors should be capitalized
[Refactor] capitalized var names are for constructors only
[Refactor] avoid using a sparse array
[Robustness] formats: cache String#replace
[Dev Deps] update browserify, eslint, @ljharb/eslint-config; add safe-publish-latest
[Tests] up to node v6.8, v4.6; improve test matrix
[Tests] flesh out arrayLimit/arrayFormat tests (#107)
[Tests] skip Object.create tests when null objects are not available
[Tests] Turn on eslint for test files (#175)

`v6.2.6`

[Fix] fix regression from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.2.5`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace travis CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.2.4`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] utils.merge: avoid a crash with a null target and an array source
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[Fix] when parseArrays is false, properly handle keys ending in []
[Robustness] stringify: avoid relying on a global undefined (#427)
[Refactor] use cached Array.isArray
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[meta] add FUNDING.yml
[actions] backport actions from main
[Tests] use safer-buffer instead of Buffer constructor
[Tests] remove nonexistent tape option
[Dev Deps] backport from main

`v6.2.3`

[Fix] follow allowPrototypes option during merge (#201, #200)
[Fix] chmod a-x
[Fix] support keys starting with brackets (#202, #200)
[Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds

`v6.2.2`

[Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties

`v6.2.1`

[Fix] ensure key[]=x&key[]&key[]=y results in 3, not 2, values
[Refactor] Be explicit and use Object.prototype.hasOwnProperty.call
[Tests] remove parallelshell since it does not reliably report failures
[Tests] up to node v6.3, v5.12
[Dev Deps] update tape, eslint, @ljharb/eslint-config, qs-iconv

`v6.2.0`

[New] pass Buffers to the encoder/decoder directly (#161)
[New] add "encoder" and "decoder" options, for custom param encoding/decoding (#160)
[Fix] fix compacting of nested sparse arrays (#150)

`v6.1.4`

[Fix] fix regression from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.1.3`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace travis CI badge with shields.io check-runs badge

`v6.1.2`

[Fix] follow allowPrototypes option during merge (#201, #200)
[Fix] chmod a-x
[Fix] support keys starting with brackets (#202, #200)
[Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds

`v6.1.1`

[Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties

`v6.1.0`

[New] allowDots option for stringify (#151)
[Fix] "sort" option should work at a depth of 3 or more (#151)
[Fix] Restore dist directory; will be removed in v7 (#148)

`v6.0.6`

[Fix] fix regression from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.0.5`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] replace travis CI badge with shields.io check-runs badge

`v6.0.4`

[Fix] follow allowPrototypes option during merge (#201, #200)
[Fix] chmod a-x
[Fix] support keys starting with brackets (#202, #200)
[Tests] up to node v7.7, v6.10, v4.8; disable osx builds since they block linux builds

`v6.0.3`

[Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties
[Fix] Restore dist directory; will be removed in v7 (#148)

`v6.0.2`

Revert ES6 requirement and restore support for node down to v0.8.

`v6.0.1`

#127 Fix engines definition in package.json

`v6.0.0`

#124 Use ES6 and drop support for node < v4

`v5.2.1`

[Fix] ensure key[]=x&key[]&key[]=y results in 3, not 2, values

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency qs to v6 [SECURITY]

fce73a3

renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 03adb40 to fce73a3 Compare

May 10, 2026 15:45

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet