npm - qs - Versions diffs - 6.2.0 → 6.2.4 - Mend

qs 6.2.0 → 6.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/.editorconfig ADDED Viewed

@@ -0,0 +1,45 @@
+root = true
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+max_line_length = 160
+quote_type = single
+[test/*]
+max_line_length = off
+[*.md]
+indent_size = off
+max_line_length = off
+[*.json]
+max_line_length = off
+[Makefile]
+max_line_length = off
+[CHANGELOG.md]
+indent_style = space
+indent_size = 2
+[LICENSE]
+indent_size = 2
+max_line_length = off
+[coverage/**/*]
+indent_size = off
+indent_style = off
+indent = off
+max_line_length = off
+[dist/*]
+max_line_length = off
+insert_final_newline = off
+[.nycrc]
+indent_style = off

package/.eslintrc CHANGED Viewed

@@ -1,19 +1,39 @@
 {
-	"root": true,
+    "root": true,
-	"extends": "@ljharb",
+    "extends": "@ljharb",
-	"rules": {
-		"complexity": [2, 22],
-		"consistent-return": [1],
-		"id-length": [2, { "min": 1, "max": 25, "properties": "never" }],
-		"indent": [2, 4],
-		"max-params": [2, 9],
-		"max-statements": [2, 36],
-		"no-extra-parens": [1],
-		"no-continue": [1],
-		"no-magic-numbers": 0,
-		"no-restricted-syntax": [2, "BreakStatement", "DebuggerStatement", "ForInStatement", "LabeledStatement", "WithStatement"],
-		"operator-linebreak": 1
-	}
+    "ignorePatterns": [
+        "dist/",
+    ],
+    "rules": {
+        "complexity": [2, 29],
+        "consistent-return": 1,
+        "func-name-matching": 0,
+        "id-length": [2, { "min": 1, "max": 25, "properties": "never" }],
+        "indent": [2, 4],
+        "max-lines-per-function": 0,
+        "max-lines": 0,
+        "max-params": [2, 12],
+        "max-statements": [2, 45],
+        "multiline-comment-style": 0,
+        "no-continue": 1,
+        "no-magic-numbers": 0,
+        "no-param-reassign": 1,
+        "no-restricted-syntax": [2, "BreakStatement", "DebuggerStatement", "ForInStatement", "LabeledStatement", "WithStatement"],
+        "sort-keys": 0,
+    },
+    "overrides": [
+        {
+            "files": "test/**",
+            "rules": {
+                "max-lines-per-function": 0,
+                "max-statements": 0,
+                "no-extend-native": 0,
+                "function-paren-newline": 0,
+            },
+        },
+    ],
 }

package/.github/FUNDING.yml ADDED Viewed

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+github: [ljharb]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: npm/qs
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with a single custom sponsorship URL

package/.nycrc ADDED Viewed

@@ -0,0 +1,13 @@
+{
+	"all": true,
+	"check-coverage": false,
+	"reporter": ["text-summary", "text", "html", "json"],
+	"lines": 86,
+	"statements": 85.93,
+	"functions": 82.43,
+	"branches": 76.06,
+	"exclude": [
+		"coverage",
+		"dist"
+	]
+}

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,36 @@
+## **6.2.4**
+- [Fix] `parse`: ignore `__proto__` keys (#428)
+- [Fix] `utils.merge`: avoid a crash with a null target and an array source
+- [Fix] `utils.merge`: avoid a crash with a null target and a truthy non-array source
+- [Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided
+- [Fix] when `parseArrays` is false, properly handle keys ending in `[]`
+- [Robustness] `stringify`: avoid relying on a global `undefined` (#427)
+- [Refactor] use cached `Array.isArray`
+- [Docs] Clarify the need for "arrayLimit" option
+- [meta] fix README.md (#399)
+- [meta] Clean up license text so it’s properly detected as BSD-3-Clause
+- [meta] add FUNDING.yml
+- [actions] backport actions from main
+- [Tests] use `safer-buffer` instead of `Buffer` constructor
+- [Tests] remove nonexistent tape option
+- [Dev Deps] backport from main
+## **6.2.3**
+- [Fix] follow `allowPrototypes` option during merge (#201, #200)
+- [Fix] chmod a-x
+- [Fix] support keys starting with brackets (#202, #200)
+- [Tests] up to `node` `v7.7`, `v6.10`,` v4.8`; disable osx builds since they block linux builds
+## **6.2.2**
+- [Fix] ensure that `allowPrototypes: false` does not ever shadow Object.prototype properties
+## **6.2.1**
+- [Fix] ensure `key[]=x&key[]&key[]=y` results in 3, not 2, values
+- [Refactor] Be explicit and use `Object.prototype.hasOwnProperty.call`
+- [Tests] remove `parallelshell` since it does not reliably report failures
+- [Tests] up to `node` `v6.3`, `v5.12`
+- [Dev Deps] update `tape`, `eslint`, `@ljharb/eslint-config`, `qs-iconv`
 ## [**6.2.0**](https://github.com/ljharb/qs/issues?milestone=36&state=closed)
 - [New] pass Buffers to the encoder/decoder directly (#161)
 - [New] add "encoder" and "decoder" options, for custom param encoding/decoding (#160)
@@ -17,6 +50,9 @@
 ## [**6.0.0**](https://github.com/ljharb/qs/issues?milestone=31&state=closed)
 - [**#124**](https://github.com/ljharb/qs/issues/124) Use ES6 and drop support for node < v4
+## **5.2.1**
+- [Fix] ensure `key[]=x&key[]&key[]=y` results in 3, not 2, values
 ## [**5.2.0**](https://github.com/ljharb/qs/issues?milestone=30&state=closed)
 - [**#64**](https://github.com/ljharb/qs/issues/64) Add option to sort object keys in the query string

package/LICENSE.md ADDED Viewed

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+Copyright (c) 2014, Nathan LaFreniere and other [contributors](https://github.com/ljharb/qs/graphs/contributors)
+All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

package/README.md ADDED Viewed

@@ -0,0 +1,400 @@
+# qs
+A querystring parsing and stringifying library with some added security.
+[![Build Status](https://api.travis-ci.org/ljharb/qs.svg)](http://travis-ci.org/ljharb/qs)
+Lead Maintainer: [Jordan Harband](https://github.com/ljharb)
+The **qs** module was originally created and maintained by [TJ Holowaychuk](https://github.com/visionmedia/node-querystring).
+## Usage
+```javascript
+var qs = require('qs');
+var assert = require('assert');
+var obj = qs.parse('a=c');
+assert.deepEqual(obj, { a: 'c' });
+var str = qs.stringify(obj);
+assert.equal(str, 'a=c');
+```
+### Parsing Objects
+[](#preventEval)
+```javascript
+qs.parse(string, [options]);
+```
+**qs** allows you to create nested objects within your query strings, by surrounding the name of sub-keys with square brackets `[]`.
+For example, the string `'foo[bar]=baz'` converts to:
+```javascript
+assert.deepEqual(qs.parse('foo[bar]=baz'), {
+  foo: {
+    bar: 'baz'
+  }
+});
+```
+When using the `plainObjects` option the parsed value is returned as a plain object, created via `Object.create(null)` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:
+```javascript
+var plainObject = qs.parse('a[hasOwnProperty]=b', { plainObjects: true });
+assert.deepEqual(plainObject, { a: { hasOwnProperty: 'b' } });
+```
+By default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use `plainObjects` as mentioned above, or set `allowPrototypes` to `true` which will allow user input to overwrite those properties. *WARNING* It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten. Always be careful with this option.
+```javascript
+var protoObject = qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true });
+assert.deepEqual(protoObject, { a: { hasOwnProperty: 'b' } });
+```
+URI encoded strings work too:
+```javascript
+assert.deepEqual(qs.parse('a%5Bb%5D=c'), {
+  a: { b: 'c' }
+});
+```
+You can also nest your objects, like `'foo[bar][baz]=foobarbaz'`:
+```javascript
+assert.deepEqual(qs.parse('foo[bar][baz]=foobarbaz'), {
+  foo: {
+    bar: {
+      baz: 'foobarbaz'
+    }
+  }
+});
+```
+By default, when nesting objects **qs** will only parse up to 5 children deep. This means if you attempt to parse a string like
+`'a[b][c][d][e][f][g][h][i]=j'` your resulting object will be:
+```javascript
+var expected = {
+  a: {
+    b: {
+      c: {
+        d: {
+          e: {
+            f: {
+              '[g][h][i]': 'j'
+            }
+          }
+        }
+      }
+    }
+  }
+};
+var string = 'a[b][c][d][e][f][g][h][i]=j';
+assert.deepEqual(qs.parse(string), expected);
+```
+This depth can be overridden by passing a `depth` option to `qs.parse(string, [options])`:
+```javascript
+var deep = qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1 });
+assert.deepEqual(deep, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } });
+```
+The depth limit helps mitigate abuse when **qs** is used to parse user input, and it is recommended to keep it a reasonably small number.
+For similar reasons, by default **qs** will only parse up to 1000 parameters. This can be overridden by passing a `parameterLimit` option:
+```javascript
+var limited = qs.parse('a=b&c=d', { parameterLimit: 1 });
+assert.deepEqual(limited, { a: 'b' });
+```
+An optional delimiter can also be passed:
+```javascript
+var delimited = qs.parse('a=b;c=d', { delimiter: ';' });
+assert.deepEqual(delimited, { a: 'b', c: 'd' });
+```
+Delimiters can be a regular expression too:
+```javascript
+var regexed = qs.parse('a=b;c=d,e=f', { delimiter: /[;,]/ });
+assert.deepEqual(regexed, { a: 'b', c: 'd', e: 'f' });
+```
+Option `allowDots` can be used to enable dot notation:
+```javascript
+var withDots = qs.parse('a.b=c', { allowDots: true });
+assert.deepEqual(withDots, { a: { b: 'c' } });
+```
+### Parsing Arrays
+**qs** can also parse arrays using a similar `[]` notation:
+```javascript
+var withArray = qs.parse('a[]=b&a[]=c');
+assert.deepEqual(withArray, { a: ['b', 'c'] });
+```
+You may specify an index as well:
+```javascript
+var withIndexes = qs.parse('a[1]=c&a[0]=b');
+assert.deepEqual(withIndexes, { a: ['b', 'c'] });
+```
+Note that the only difference between an index in an array and a key in an object is that the value between the brackets must be a number
+to create an array. When creating arrays with specific indices, **qs** will compact a sparse array to only the existing values preserving
+their order:
+```javascript
+var noSparse = qs.parse('a[1]=b&a[15]=c');
+assert.deepEqual(noSparse, { a: ['b', 'c'] });
+```
+Note that an empty string is also a value, and will be preserved:
+```javascript
+var withEmptyString = qs.parse('a[]=&a[]=b');
+assert.deepEqual(withEmptyString, { a: ['', 'b'] });
+var withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c');
+assert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });
+```
+**qs** will also limit specifying indices in an array to a maximum index of `20`. Any array members with an index of greater than `20` will
+instead be converted to an object with the index as the key. This is needed to handle cases when someone sent, for example, `a[999999999]` and it will take significant time to iterate over this huge array.
+```javascript
+var withMaxIndex = qs.parse('a[100]=b');
+assert.deepEqual(withMaxIndex, { a: { '100': 'b' } });
+```
+This limit can be overridden by passing an `arrayLimit` option:
+```javascript
+var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });
+assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
+```
+To disable array parsing entirely, set `parseArrays` to `false`.
+```javascript
+var noParsingArrays = qs.parse('a[]=b', { parseArrays: false });
+assert.deepEqual(noParsingArrays, { a: { '0': 'b' } });
+```
+If you mix notations, **qs** will merge the two items into an object:
+```javascript
+var mixedNotation = qs.parse('a[0]=b&a[b]=c');
+assert.deepEqual(mixedNotation, { a: { '0': 'b', b: 'c' } });
+```
+You can also create arrays of objects:
+```javascript
+var arraysOfObjects = qs.parse('a[][b]=c');
+assert.deepEqual(arraysOfObjects, { a: [{ b: 'c' }] });
+```
+### Stringifying
+[](#preventEval)
+```javascript
+qs.stringify(object, [options]);
+```
+When stringifying, **qs** by default URI encodes output. Objects are stringified as you would expect:
+```javascript
+assert.equal(qs.stringify({ a: 'b' }), 'a=b');
+assert.equal(qs.stringify({ a: { b: 'c' } }), 'a%5Bb%5D=c');
+```
+This encoding can be disabled by setting the `encode` option to `false`:
+```javascript
+var unencoded = qs.stringify({ a: { b: 'c' } }, { encode: false });
+assert.equal(unencoded, 'a[b]=c');
+```
+This encoding can also be replaced by a custom encoding method set as `encoder` option:
+```javascript
+var encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str) {
+  // Passed in values `a`, `b`, `c`
+  return // Return encoded string
+}})
+```
+_(Note: the `encoder` option does not apply if `encode` is `false`)_
+Analogue to the `encoder` there is a `decoder` option for `parse` to override decoding of properties and values:
+```javascript
+var decoded = qs.parse('x=z', { decoder: function (str) {
+  // Passed in values `x`, `z`
+  return // Return decoded string
+}})
+```
+You can encode keys and values using different logic by using the type argument provided to the encoder:
+```javascript
+var encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str, defaultEncoder, charset, type) {
+    if (type === 'key') {
+        return // Encoded key
+    } else if (type === 'value') {
+        return // Encoded value
+    }
+}})
+```
+The type argument is also provided to the decoder:
+```javascript
+var decoded = qs.parse('x=z', { decoder: function (str, defaultDecoder, charset, type) {
+    if (type === 'key') {
+        return // Decoded key
+    } else if (type === 'value') {
+        return // Decoded value
+    }
+}})
+```
+Examples beyond this point will be shown as though the output is not URI encoded for clarity. Please note that the return values in these cases *will* be URI encoded during real usage.
+When arrays are stringified, by default they are given explicit indices:
+```javascript
+qs.stringify({ a: ['b', 'c', 'd'] });
+// 'a[0]=b&a[1]=c&a[2]=d'
+```
+You may override this by setting the `indices` option to `false`:
+```javascript
+qs.stringify({ a: ['b', 'c', 'd'] }, { indices: false });
+// 'a=b&a=c&a=d'
+```
+You may use the `arrayFormat` option to specify the format of the output array
+```javascript
+qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'indices' })
+// 'a[0]=b&a[1]=c'
+qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'brackets' })
+// 'a[]=b&a[]=c'
+qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'repeat' })
+// 'a=b&a=c'
+```
+Empty strings and null values will omit the value, but the equals sign (=) remains in place:
+```javascript
+assert.equal(qs.stringify({ a: '' }), 'a=');
+```
+Properties that are set to `undefined` will be omitted entirely:
+```javascript
+assert.equal(qs.stringify({ a: null, b: undefined }), 'a=');
+```
+The delimiter may be overridden with stringify as well:
+```javascript
+assert.equal(qs.stringify({ a: 'b', c: 'd' }, { delimiter: ';' }), 'a=b;c=d');
+```
+Finally, you can use the `filter` option to restrict which keys will be included in the stringified output.
+If you pass a function, it will be called for each key to obtain the replacement value. Otherwise, if you
+pass an array, it will be used to select properties and array indices for stringification:
+```javascript
+function filterFunc(prefix, value) {
+  if (prefix == 'b') {
+    // Return an `undefined` value to omit a property.
+    return;
+  }
+  if (prefix == 'e[f]') {
+    return value.getTime();
+  }
+  if (prefix == 'e[g][0]') {
+    return value * 2;
+  }
+  return value;
+}
+qs.stringify({ a: 'b', c: 'd', e: { f: new Date(123), g: [2] } }, { filter: filterFunc });
+// 'a=b&c=d&e[f]=123&e[g][0]=4'
+qs.stringify({ a: 'b', c: 'd', e: 'f' }, { filter: ['a', 'e'] });
+// 'a=b&e=f'
+qs.stringify({ a: ['b', 'c', 'd'], e: 'f' }, { filter: ['a', 0, 2] });
+// 'a[0]=b&a[2]=d'
+```
+### Handling of `null` values
+By default, `null` values are treated like empty strings:
+```javascript
+var withNull = qs.stringify({ a: null, b: '' });
+assert.equal(withNull, 'a=&b=');
+```
+Parsing does not distinguish between parameters with and without equal signs. Both are converted to empty strings.
+```javascript
+var equalsInsensitive = qs.parse('a&b=');
+assert.deepEqual(equalsInsensitive, { a: '', b: '' });
+```
+To distinguish between `null` values and empty strings use the `strictNullHandling` flag. In the result string the `null`
+values have no `=` sign:
+```javascript
+var strictNull = qs.stringify({ a: null, b: '' }, { strictNullHandling: true });
+assert.equal(strictNull, 'a&b=');
+```
+To parse values without `=` back to `null` use the `strictNullHandling` flag:
+```javascript
+var parsedStrictNull = qs.parse('a&b=', { strictNullHandling: true });
+assert.deepEqual(parsedStrictNull, { a: null, b: '' });
+```
+To completely skip rendering keys with `null` values, use the `skipNulls` flag:
+```javascript
+var nullsSkipped = qs.stringify({ a: 'b', c: null}, { skipNulls: true });
+assert.equal(nullsSkipped, 'a=b');
+```
+### Dealing with special character sets
+By default the encoding and decoding of characters is done in `utf-8`. If you
+wish to encode querystrings to a different character set (i.e.
+[Shift JIS](https://en.wikipedia.org/wiki/Shift_JIS)) you can use the
+[`qs-iconv`](https://github.com/martinheidegger/qs-iconv) library:
+```javascript
+var encoder = require('qs-iconv/encoder')('shift_jis');
+var shiftJISEncoded = qs.stringify({ a: 'こんにちは！' }, { encoder: encoder });
+assert.equal(shiftJISEncoded, 'a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I');
+```
+This also works for decoding of query strings:
+```javascript
+var decoder = require('qs-iconv/decoder')('shift_jis');
+var obj = qs.parse('a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I', { decoder: decoder });
+assert.deepEqual(obj, { a: 'こんにちは！' });
+```

package/bower.json ADDED Viewed

@@ -0,0 +1,21 @@
+{
+    "name": "qs",
+    "main": "dist/qs.js",
+    "homepage": "https://github.com/hapijs/qs",
+    "authors": [
+        "Nathan LaFreniere <quitlahok@gmail.com>"
+    ],
+    "description": "A querystring parser that supports nesting and arrays, with a depth limit",
+    "keywords": [
+        "querystring",
+        "qs"
+    ],
+    "license": "BSD-3-Clause",
+    "ignore": [
+        "**/.*",
+        "node_modules",
+        "bower_components",
+        "test",
+        "tests"
+    ]
+}

package/component.json ADDED Viewed

@@ -0,0 +1,15 @@
+{
+    "name": "qs",
+    "repository": "hapijs/qs",
+    "description": "query-string parser / stringifier with nesting support",
+    "version": "6.2.4",
+    "keywords": ["querystring", "query", "parser"],
+    "main": "lib/index.js",
+    "scripts": [
+        "lib/index.js",
+        "lib/parse.js",
+        "lib/stringify.js",
+        "lib/utils.js"
+    ],
+    "license": "BSD-3-Clause"
+}