npm - qs - Versions diffs - 6.5.3 → 6.6.0 - Mend

qs 6.5.3 → 6.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/.editorconfig CHANGED Viewed

@@ -7,15 +7,11 @@ end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
-max_line_length = 160
-quote_type = single
+max_line_length = 140
 [test/*]
 max_line_length = off
-[LICENSE.md]
-indent_size = off
 [*.md]
 max_line_length = off
@@ -32,12 +28,3 @@ indent_size = 2
 [LICENSE]
 indent_size = 2
 max_line_length = off
-[coverage/**/*]
-indent_size = off
-indent_style = off
-indent = off
-max_line_length = off
-[.nycrc]
-indent_style = tab

package/.eslintignore ADDED Viewed

	@@ -0,0 +1 @@
1	+ dist

package/.eslintrc CHANGED Viewed

@@ -3,35 +3,19 @@
     "extends": "@ljharb",
-    "ignorePatterns": [
-        "dist/",
-    ],
     "rules": {
         "complexity": 0,
         "consistent-return": 1,
-        "func-name-matching": 0,
+		"func-name-matching": 0,
         "id-length": [2, { "min": 1, "max": 25, "properties": "never" }],
         "indent": [2, 4],
-        "max-lines-per-function": 0,
-        "max-params": [2, 12],
-        "max-statements": [2, 45],
+        "max-lines-per-function": [2, { "max": 150 }],
+        "max-params": [2, 14],
+        "max-statements": [2, 52],
         "multiline-comment-style": 0,
         "no-continue": 1,
         "no-magic-numbers": 0,
-        "no-param-reassign": 1,
         "no-restricted-syntax": [2, "BreakStatement", "DebuggerStatement", "ForInStatement", "LabeledStatement", "WithStatement"],
-    },
-    "overrides": [
-        {
-            "files": "test/**",
-            "rules": {
-                "max-lines-per-function": 0,
-                "max-statements": 0,
-                "no-extend-native": 0,
-                "function-paren-newline": 0,
-            },
-        },
-    ],
+        "operator-linebreak": [2, "before"],
+    }
 }

package/CHANGELOG.md CHANGED Viewed

@@ -1,26 +1,18 @@
-## **6.5.3**
-- [Fix] `parse`: ignore `__proto__` keys (#428)
-- [Fix]` `utils.merge`: avoid a crash with a null target and a truthy non-array source
-- [Fix] correctly parse nested arrays
+## **6.6.0**
+- [New] Add support for iso-8859-1, utf8 "sentinel" and numeric entities (#268)
+- [New] move two-value combine to a `utils` function (#189)
 - [Fix] `stringify`: fix a crash with `strictNullHandling` and a custom `filter`/`serializeDate` (#279)
+- [Fix] when `parseArrays` is false, properly handle keys ending in `[]` (#260)
+- [Fix] `stringify`: do not crash in an obscure combo of `interpretNumericEntities`, a bad custom `decoder`, & `iso-8859-1`
 - [Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided
-- [Fix] when `parseArrays` is false, properly handle keys ending in `[]`
-- [Fix] fix for an impossible situation: when the formatter is called with a non-string value
-- [Fix] `utils.merge`: avoid a crash with a null target and an array source
-- [Refactor] `utils`: reduce observable [[Get]]s
-- [Refactor] use cached `Array.isArray`
-- [Refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance (#269)
+- [refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance (#269)
 - [Refactor] `parse`: only need to reassign the var once
-- [Robustness] `stringify`: avoid relying on a global `undefined` (#427)
-- [readme] remove travis badge; add github actions/codecov badges; update URLs
-- [Docs] Clean up license text so it’s properly detected as BSD-3-Clause
-- [Docs] Clarify the need for "arrayLimit" option
-- [meta] fix README.md (#399)
-- [meta] add FUNDING.yml
-- [actions] backport actions from main
-- [Tests] always use `String(x)` over `x.toString()`
-- [Tests] remove nonexistent tape option
-- [Dev Deps] backport from main
+- [Refactor] `parse`/`stringify`: clean up `charset` options checking; fix defaults
+- [Refactor] add missing defaults
+- [Refactor] `parse`: one less `concat` call
+- [Refactor] `utils`: `compactQueue`: make it explicitly side-effecting
+- [Dev Deps] update `browserify, `eslint`, `@ljharb/eslint-config`, `iconv-lite`, `safe-publish-latest`, `tape`
+- [Tests] up to `node` `v10.10`, `v9.11`, `v8.12`, `v6.14`, `v4.9`; pin included builds to LTS
 ## **6.5.2**
 - [Fix] use `safer-buffer` instead of `Buffer` constructor

package/LICENSE ADDED Viewed

@@ -0,0 +1,28 @@
+Copyright (c) 2014 Nathan LaFreniere and other contributors.
+All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * The names of any contributors may not be used to endorse or promote
+      products derived from this software without specific prior written
+      permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS AND CONTRIBUTORS BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+                                  *   *   *
+The complete list of contributors can be found at: https://github.com/hapijs/qs/graphs/contributors

package/README.md CHANGED Viewed

@@ -1,13 +1,12 @@
 # qs <sup>[![Version Badge][2]][1]</sup>
-[![github actions][actions-image]][actions-url]
-[![coverage][codecov-image]][codecov-url]
-[![dependency status][deps-svg]][deps-url]
-[![dev dependency status][dev-deps-svg]][dev-deps-url]
+[![Build Status][3]][4]
+[![dependency status][5]][6]
+[![dev dependency status][7]][8]
 [![License][license-image]][license-url]
 [![Downloads][downloads-image]][downloads-url]
-[![npm badge][npm-badge-png]][package-url]
+[![npm badge][11]][1]
 A querystring parsing and stringifying library with some added security.
@@ -147,6 +146,62 @@ var withDots = qs.parse('a.b=c', { allowDots: true });
 assert.deepEqual(withDots, { a: { b: 'c' } });
 ```
+If you have to deal with legacy browsers or services, there's
+also support for decoding percent-encoded octets as iso-8859-1:
+```javascript
+var oldCharset = qs.parse('a=%A7', { charset: 'iso-8859-1' });
+assert.deepEqual(oldCharset, { a: '§' });
+```
+Some services add an initial `utf8=✓` value to forms so that old
+Internet Explorer versions are more likely to submit the form as
+utf-8. Additionally, the server can check the value against wrong
+encodings of the checkmark character and detect that a query string
+or `application/x-www-form-urlencoded` body was *not* sent as
+utf-8, eg. if the form had an `accept-charset` parameter or the
+containing page had a different character set.
+**qs** supports this mechanism via the `charsetSentinel` option.
+If specified, the `utf8` parameter will be omitted from the
+returned object. It will be used to switch to `iso-8859-1`/`utf-8`
+mode depending on how the checkmark is encoded.
+**Important**: When you specify both the `charset` option and the
+`charsetSentinel` option, the `charset` will be overridden when
+the request contains a `utf8` parameter from which the actual
+charset can be deduced. In that sense the `charset` will behave
+as the default charset rather than the authoritative charset.
+```javascript
+var detectedAsUtf8 = qs.parse('utf8=%E2%9C%93&a=%C3%B8', {
+    charset: 'iso-8859-1',
+    charsetSentinel: true
+});
+assert.deepEqual(detectedAsUtf8, { a: 'ø' });
+// Browsers encode the checkmark as &#10003; when submitting as iso-8859-1:
+var detectedAsIso8859_1 = qs.parse('utf8=%26%2310003%3B&a=%F8', {
+    charset: 'utf-8',
+    charsetSentinel: true
+});
+assert.deepEqual(detectedAsIso8859_1, { a: 'ø' });
+```
+If you want to decode the `&#...;` syntax to the actual character,
+you can specify the `interpretNumericEntities` option as well:
+```javascript
+var detectedAsIso8859_1 = qs.parse('a=%26%239786%3B', {
+    charset: 'iso-8859-1',
+    interpretNumericEntities: true
+});
+assert.deepEqual(detectedAsIso8859_1, { a: '☺' });
+```
+It also works when the charset has been detected in `charsetSentinel`
+mode.
 ### Parsing Arrays
 **qs** can also parse arrays using a similar `[]` notation:
@@ -183,7 +238,7 @@ assert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });
 ```
 **qs** will also limit specifying indices in an array to a maximum index of `20`. Any array members with an index of greater than `20` will
-instead be converted to an object with the index as the key. This is needed to handle cases when someone sent, for example, `a[999999999]` and it will take significant time to iterate over this huge array.
+instead be converted to an object with the index as the key:
 ```javascript
 var withMaxIndex = qs.parse('a[100]=b');
@@ -268,30 +323,6 @@ var decoded = qs.parse('x=z', { decoder: function (str) {
 }})
 ```
-You can encode keys and values using different logic by using the type argument provided to the encoder:
-```javascript
-var encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str, defaultEncoder, charset, type) {
-    if (type === 'key') {
-        return // Encoded key
-    } else if (type === 'value') {
-        return // Encoded value
-    }
-}})
-```
-The type argument is also provided to the decoder:
-```javascript
-var decoded = qs.parse('x=z', { decoder: function (str, defaultDecoder, charset, type) {
-    if (type === 'key') {
-        return // Decoded key
-    } else if (type === 'value') {
-        return // Decoded value
-    }
-}})
-```
 Examples beyond this point will be shown as though the output is not URI encoded for clarity. Please note that the return values in these cases *will* be URI encoded during real usage.
 When arrays are stringified, by default they are given explicit indices:
@@ -451,10 +482,40 @@ var nullsSkipped = qs.stringify({ a: 'b', c: null}, { skipNulls: true });
 assert.equal(nullsSkipped, 'a=b');
 ```
+If you're communicating with legacy systems, you can switch to `iso-8859-1`
+using the `charset` option:
+```javascript
+var iso = qs.stringify({ æ: 'æ' }, { charset: 'iso-8859-1' });
+assert.equal(iso, '%E6=%E6');
+```
+Characters that don't exist in `iso-8859-1` will be converted to numeric
+entities, similar to what browsers do:
+```javascript
+var numeric = qs.stringify({ a: '☺' }, { charset: 'iso-8859-1' });
+assert.equal(numeric, 'a=%26%239786%3B');
+```
+You can use the `charsetSentinel` option to announce the character by
+including an `utf8=✓` parameter with the proper encoding if the checkmark,
+similar to what Ruby on Rails and others do when submitting forms.
+```javascript
+var sentinel = qs.stringify({ a: '☺' }, { charsetSentinel: true });
+assert.equal(sentinel, 'utf8=%E2%9C%93&a=%E2%98%BA');
+var isoSentinel = qs.stringify({ a: 'æ' }, { charsetSentinel: true, charset: 'iso-8859-1' });
+assert.equal(isoSentinel, 'utf8=%26%2310003%3B&a=%E6');
+```
 ### Dealing with special character sets
-By default the encoding and decoding of characters is done in `utf-8`. If you
-wish to encode querystrings to a different character set (i.e.
+By default the encoding and decoding of characters is done in `utf-8`,
+and `iso-8859-1` support is also built in via the `charset` parameter.
+If you wish to encode querystrings to a different character set (i.e.
 [Shift JIS](https://en.wikipedia.org/wiki/Shift_JIS)) you can use the
 [`qs-iconv`](https://github.com/martinheidegger/qs-iconv) library:
@@ -483,28 +544,18 @@ assert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC3986' }), 'a=b%20c');
 assert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC1738' }), 'a=b+c');
 ```
-## Security
-Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.
-## qs for enterprise
-Available as part of the Tidelift Subscription
-The maintainers of qs and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more.](https://tidelift.com/subscription/pkg/npm-qs?utm_source=npm-qs&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
-[package-url]: https://npmjs.org/package/qs
-[npm-version-svg]: https://versionbadg.es/ljharb/qs.svg
-[deps-svg]: https://david-dm.org/ljharb/qs.svg
-[deps-url]: https://david-dm.org/ljharb/qs
-[dev-deps-svg]: https://david-dm.org/ljharb/qs/dev-status.svg
-[dev-deps-url]: https://david-dm.org/ljharb/qs#info=devDependencies
-[npm-badge-png]: https://nodei.co/npm/qs.png?downloads=true&stars=true
-[license-image]: https://img.shields.io/npm/l/qs.svg
+[1]: https://npmjs.org/package/qs
+[2]: http://versionbadg.es/ljharb/qs.svg
+[3]: https://api.travis-ci.org/ljharb/qs.svg
+[4]: https://travis-ci.org/ljharb/qs
+[5]: https://david-dm.org/ljharb/qs.svg
+[6]: https://david-dm.org/ljharb/qs
+[7]: https://david-dm.org/ljharb/qs/dev-status.svg
+[8]: https://david-dm.org/ljharb/qs?type=dev
+[9]: https://ci.testling.com/ljharb/qs.png
+[10]: https://ci.testling.com/ljharb/qs
+[11]: https://nodei.co/npm/qs.png?downloads=true&stars=true
+[license-image]: http://img.shields.io/npm/l/qs.svg
 [license-url]: LICENSE
-[downloads-image]: https://img.shields.io/npm/dm/qs.svg
-[downloads-url]: https://npm-stat.com/charts.html?package=qs
-[codecov-image]: https://codecov.io/gh/ljharb/qs/branch/main/graphs/badge.svg
-[codecov-url]: https://app.codecov.io/gh/ljharb/qs/
-[actions-image]: https://img.shields.io/endpoint?url=https://github-actions-badge-u3jn4tfpocch.runkit.sh/ljharb/qs
-[actions-url]: https://github.com/ljharb/qs/actions
+[downloads-image]: http://img.shields.io/npm/dm/qs.svg
+[downloads-url]: http://npm-stat.com/charts.html?package=qs