qs 6.4.1 → 6.4.3

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+## **6.4.3**
+- [Fix] fix regressions from robustness refactor
+- [meta] add `npmignore` to autogenerate an npmignore file
+- [actions] update reusable workflows
+
+## **6.4.2**
+- [Robustness] avoid `.push`, use `void`
+- [readme] clarify `parseArrays` and `arrayLimit` documentation (#543)
+- [readme] replace runkit CI badge with shields.io check-runs badge
+- [readme] replace travis CI badge with shields.io check-runs badge
+- [actions] fix rebase workflow permissions
+
 ## **6.4.1**
 - [Fix] `parse`: ignore `__proto__` keys (#428)
 - [Fix] fix for an impossible situation: when the formatter is called with a non-string value

package/README.md

@@ -11,7 +11,7 @@
 
 A querystring parsing and stringifying library with some added security.
 
-[![Build Status](https://api.travis-ci.org/ljharb/qs.svg)](http://travis-ci.org/ljharb/qs)
+[![Build Status](https://img.shields.io/github/check-runs/ljharb/qs/main)](https://github.com/ljharb/qs/actions)
 
 Lead Maintainer: [Jordan Harband](https://github.com/ljharb)
 
@@ -177,7 +177,7 @@ var withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c');
 assert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });
 ```
 
-**qs** will also limit specifying indices in an array to a maximum index of `20`. Any array members with an index of greater than `20` will
+**qs** will also limit arrays to a maximum of `20` elements. Any array members with an index of `20` or greater will
 instead be converted to an object with the index as the key. This is needed to handle cases when someone sent, for example, `a[999999999]` and it will take significant time to iterate over this huge array.
 
 ```javascript
@@ -192,7 +192,7 @@ var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });
 assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
 ```
 
-To disable array parsing entirely, set `parseArrays` to `false`.
+To prevent array syntax (`a[]`, `a[0]`) from being parsed as arrays, set `parseArrays` to `false`.
 
 ```javascript
 var noParsingArrays = qs.parse('a[]=b', { parseArrays: false });
@@ -495,5 +495,5 @@ The maintainers of qs and thousands of other packages are working with Tidelift
 [downloads-url]: https://npm-stat.com/charts.html?package=qs
 [codecov-image]: https://codecov.io/gh/ljharb/qs/branch/main/graphs/badge.svg
 [codecov-url]: https://app.codecov.io/gh/ljharb/qs/
-[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/qs
+[actions-image]: https://img.shields.io/github/check-runs/ljharb/qs/main
 [actions-url]: https://github.com/ljharb/qs/actions

package/dist/qs.js

@@ -52,7 +52,7 @@ var defaults = {
 
 var parseValues = function parseQueryStringValues(str, options) {
     var obj = {};
-    var parts = str.split(options.delimiter, options.parameterLimit === Infinity ? undefined : options.parameterLimit);
+    var parts = str.split(options.delimiter, options.parameterLimit === Infinity ? void undefined : options.parameterLimit);
 
     for (var i = 0; i < parts.length; ++i) {
         var part = parts[i];
@@ -139,7 +139,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
             }
         }
 
-        keys.push(parent);
+        keys[keys.length] = parent;
     }
 
     // Loop through children appending to the array until we hit depth
@@ -152,13 +152,13 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
                 return;
             }
         }
-        keys.push(segment[1]);
+        keys[keys.length] = segment[1];
     }
 
     // If there's a remainder, just add whatever is left
 
     if (segment) {
-        keys.push('[' + key.slice(segment.index) + ']');
+        keys[keys.length] = '[' + key.slice(segment.index) + ']';
     }
 
     return parseObject(keys, val, options);
@@ -425,7 +425,7 @@ var has = Object.prototype.hasOwnProperty;
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
-        array.push('%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase());
+        array[array.length] = '%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase();
     }
 
     return array;
@@ -449,7 +449,7 @@ exports.merge = function (target, source, options) {
 
     if (typeof source !== 'object') {
         if (Array.isArray(target)) {
-            target.push(source);
+            target[target.length] = source;
         } else if (target && typeof target === 'object') {
             if ((options && (options.plainObjects || options.allowPrototypes)) || !has.call(Object.prototype, source)) {
                 target[source] = true;
@@ -476,7 +476,7 @@ exports.merge = function (target, source, options) {
                 if (target[i] && typeof target[i] === 'object') {
                     target[i] = exports.merge(target[i], item, options);
                 } else {
-                    target.push(item);
+                    target[target.length] = item;
                 }
             } else {
                 target[i] = item;
@@ -569,16 +569,16 @@ exports.compact = function (obj, references) {
         return refs[lookup];
     }
 
-    refs.push(obj);
+    refs[refs.length] = obj;
 
     if (Array.isArray(obj)) {
         var compacted = [];
 
         for (var i = 0; i < obj.length; ++i) {
             if (obj[i] && typeof obj[i] === 'object') {
-                compacted.push(exports.compact(obj[i], refs));
+                compacted[compacted.length] = exports.compact(obj[i], refs);
             } else if (typeof obj[i] !== 'undefined') {
-                compacted.push(obj[i]);
+                compacted[compacted.length] = obj[i];
             }
         }
 

package/lib/parse.js

@@ -18,7 +18,7 @@ var defaults = {
 
 var parseValues = function parseQueryStringValues(str, options) {
     var obj = {};
-    var parts = str.split(options.delimiter, options.parameterLimit === Infinity ? undefined : options.parameterLimit);
+    var parts = str.split(options.delimiter, options.parameterLimit === Infinity ? void undefined : options.parameterLimit);
 
     for (var i = 0; i < parts.length; ++i) {
         var part = parts[i];
@@ -105,7 +105,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
             }
         }
 
-        keys.push(parent);
+        keys[keys.length] = parent;
     }
 
     // Loop through children appending to the array until we hit depth
@@ -118,13 +118,13 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options) {
                 return;
             }
         }
-        keys.push(segment[1]);
+        keys[keys.length] = segment[1];
     }
 
     // If there's a remainder, just add whatever is left
 
     if (segment) {
-        keys.push('[' + key.slice(segment.index) + ']');
+        keys[keys.length] = '[' + key.slice(segment.index) + ']';
     }
 
     return parseObject(keys, val, options);

package/lib/utils.js

@@ -5,7 +5,7 @@ var has = Object.prototype.hasOwnProperty;
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
-        array.push('%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase());
+        array[array.length] = '%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase();
     }
 
     return array;
@@ -29,7 +29,7 @@ exports.merge = function (target, source, options) {
 
     if (typeof source !== 'object') {
         if (Array.isArray(target)) {
-            target.push(source);
+            target[target.length] = source;
         } else if (target && typeof target === 'object') {
             if ((options && (options.plainObjects || options.allowPrototypes)) || !has.call(Object.prototype, source)) {
                 target[source] = true;
@@ -56,7 +56,7 @@ exports.merge = function (target, source, options) {
                 if (target[i] && typeof target[i] === 'object') {
                     target[i] = exports.merge(target[i], item, options);
                 } else {
-                    target.push(item);
+                    target[target.length] = item;
                 }
             } else {
                 target[i] = item;
@@ -149,16 +149,16 @@ exports.compact = function (obj, references) {
         return refs[lookup];
     }
 
-    refs.push(obj);
+    refs[refs.length] = obj;
 
     if (Array.isArray(obj)) {
         var compacted = [];
 
         for (var i = 0; i < obj.length; ++i) {
             if (obj[i] && typeof obj[i] === 'object') {
-                compacted.push(exports.compact(obj[i], refs));
+                compacted[compacted.length] = exports.compact(obj[i], refs);
             } else if (typeof obj[i] !== 'undefined') {
-                compacted.push(obj[i]);
+                compacted[compacted.length] = obj[i];
             }
         }
 

package/package.json

@@ -2,7 +2,7 @@
     "name": "qs",
     "description": "A querystring parser that supports nesting and arrays, with a depth limit",
     "homepage": "https://github.com/ljharb/qs",
-    "version": "6.4.1",
+    "version": "6.4.3",
     "repository": {
         "type": "git",
         "url": "https://github.com/ljharb/qs.git"
@@ -36,10 +36,11 @@
         "qs-iconv": "^1.0.4",
         "safe-publish-latest": "^2.0.0",
         "safer-buffer": "^2.1.2",
-        "tape": "^5.4.0"
+        "tape": "^5.4.0",
+        "npmignore": "^0.3.1"
     },
     "scripts": {
-        "prepublishOnly": "safe-publish-latest && npm run dist",
+        "prepublishOnly": "safe-publish-latest && npmignore --auto --commentLines=autogenerated && npm run dist",
         "prepublish": "not-in-publish || npm run prepublishOnly",
         "pretest": "npm run --silent readme && npm run --silent lint",
         "test": "npm run --silent tests-only",
@@ -50,5 +51,13 @@
         "lint": "eslint --ext=js,mjs .",
         "dist": "mkdirp dist && browserify --standalone Qs lib/index.js > dist/qs.js"
     },
-    "license": "BSD-3-Clause"
+    "license": "BSD-3-Clause",
+    "publishConfig": {
+        "ignore": [
+            "!dist/*",
+            "bower.json",
+            "component.json",
+            ".github/workflows"
+        ]
+    }
 }

package/test/parse.js

@@ -51,6 +51,15 @@ test('parse()', function (t) {
         st.end();
     });
 
+    t.test('correctly computes the remainder when depth is exceeded', function (st) {
+        st.deepEqual(
+            qs.parse('a[b][c][d][e]=f', { depth: 2 }),
+            { a: { b: { c: { '[d][e]': 'f' } } } },
+            'the remainder is "[d][e]", not the full original key'
+        );
+        st.end();
+    });
+
     t.deepEqual(qs.parse('a=b&a=c'), { a: ['b', 'c'] }, 'parses a simple array');
 
     t.test('parses an explicit array', function (st) {

package/test/stringify.js

@@ -18,6 +18,12 @@ test('stringify()', function (t) {
         st.end();
     });
 
+    t.test('correctly encodes low-byte characters', function (st) {
+        st.equal(qs.stringify({ a: String.fromCharCode(1) }), 'a=%01', 'encodes 0x01');
+        st.equal(qs.stringify({ a: String.fromCharCode(15) }), 'a=%0F', 'encodes 0x0F');
+        st.end();
+    });
+
     t.test('stringifies a nested object', function (st) {
         st.equal(qs.stringify({ a: { b: 'c' } }), 'a%5Bb%5D=c');
         st.equal(qs.stringify({ a: { b: { c: { d: 'e' } } } }), 'a%5Bb%5D%5Bc%5D%5Bd%5D=e');

package/bower.json

@@ -1,21 +0,0 @@
-{
-    "name": "qs",
-    "main": "dist/qs.js",
-    "homepage": "https://github.com/hapijs/qs",
-    "authors": [
-        "Nathan LaFreniere <quitlahok@gmail.com>"
-    ],
-    "description": "A querystring parser that supports nesting and arrays, with a depth limit",
-    "keywords": [
-        "querystring",
-        "qs"
-    ],
-    "license": "BSD-3-Clause",
-    "ignore": [
-        "**/.*",
-        "node_modules",
-        "bower_components",
-        "test",
-        "tests"
-    ]
-}

package/component.json

@@ -1,15 +0,0 @@
-{
-    "name": "qs",
-    "repository": "hapijs/qs",
-    "description": "query-string parser / stringifier with nesting support",
-    "version": "6.4.1",
-    "keywords": ["querystring", "query", "parser"],
-    "main": "lib/index.js",
-    "scripts": [
-        "lib/index.js",
-        "lib/parse.js",
-        "lib/stringify.js",
-        "lib/utils.js"
-    ],
-    "license": "BSD-3-Clause"
-}