qs 6.6.0 → 6.6.2

package/.claude/backport-record.md

@@ -0,0 +1,79 @@
+# Backport Record
+
+Commits to backport from main (v6.14.1..v6.14.2, excluding version bump):
+
+| # | SHA | Description |
+|---|-----|-------------|
+| 1 | 6744d30 | [Robustness] avoid `.push`, use `void` |
+| 2 | 6bdfaf5 | [readme] replace runkit/travis CI badge with shields.io check-runs badge |
+| 3 | 2a35775 | [meta] fix changelog typo |
+| 4 | 1b9a8b4 | [actions] fix rebase workflow permissions |
+| 5 | fbc5206 | [Fix] `parse`: fix error message |
+| 6 | f6a7abf | [Fix] `parse`: enforce arrayLimit on comma-parsed values |
+| 7 | febb644 | [Fix] `parse`: throw on arrayLimit exceeded with indexed notation |
+| 8 | cfc108f | [Fix] arrayLimit means max count, not max index |
+| 9 | 6addf8c | [Fix] `parse`: mark overflow objects for indexed notation |
+| 10 | 5c308e5 | [readme] clarify parseArrays and arrayLimit documentation |
+| 11 | 294db90 | [readme] document addQueryPrefix does not add ? to empty output |
+
+## Results
+
+| Version | Base Tag | Base SHA | Result HEAD | Applied | Skipped |
+|---------|----------|----------|-------------|---------|---------|
+| 6.14 | v6.14.2 | bdcf0c7 | bdcf0c7 | all | — |
+| 6.13 | v6.13.1 | f1ee037 | 625fa19 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.12 | v6.12.3 | f90cc35 | 8a1b294 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.11 | v6.11.2 | 410bdd3 | 3a5f714 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.10 | v6.10.5 | 95bc018 | 8189da8 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.9 | v6.9.7 | 4cd0032 | 6a7a3bf | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.8 | v6.8.3 | 0db5538 | 76d53e9 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.7 | v6.7.3 | 834389a | 2991d8b | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.6 | v6.6.1 | 4cc653c | 7093153 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.5 | v6.5.3 | 298bfa5 | 40b77c3 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.4 | v6.4.1 | 486aa46 | d9ffe2b | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.3 | v6.3.3 | ff235b4 | b4824cb | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.2 | v6.2.4 | 90d9f2b | db7b937 | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.1 | v6.1.2 | 68ca039 | 3245e1f | 1,2,10 | 3,4,5,6,7,8,9,11 |
+| 6.0 | v6.0.4 | 10233c9 | b779be4 | 1,2,10 | 3,4,5,6,7,8,9,11 |
+
+## Legend for Applied/Skipped columns
+
+1=Robustness, 2=readme badge, 3=changelog typo, 4=actions permissions,
+5=error msg fix, 6=comma arrayLimit, 7=indexed throw, 8=count semantics,
+9=mark overflow, 10=parseArrays/arrayLimit docs, 11=addQueryPrefix docs
+
+## Notes
+
+- #2 (badge): v6.4+ had runkit badge replaced; v6.0-v6.3 had Travis badge replaced
+- #4 (actions): v6.2-v6.10 had permissions block ADDED (not modified); v6.0-v6.1 have no rebase.yml
+
+## Skip Reasons
+
+| Commit | Reason for skip |
+|--------|----------------|
+| 3 (2a35775) | v6.14.1-specific changelog — not applicable to other versions |
+| 5 (fbc5206) | Requires `throwOnLimitExceeded` option (v6.14.0+) |
+| 6 (f6a7abf) | Requires overflow system (`combine(a,b,arrayLimit,plainObjects)`) from v6.14.1 |
+| 7 (febb644) | Requires `throwOnLimitExceeded` option (v6.14.0+) |
+| 8 (cfc108f) | Requires overflow system from v6.14.1 |
+| 9 (6addf8c) | Requires overflow system from v6.14.1 |
+| 11 (294db90) | v6.4 and below lack `addQueryPrefix` in README |
+
+## Release Tags
+
+| Tag | SHA | Changelog Entries |
+|-----|-----|-------------------|
+| v6.13.2 | d8a8ab3 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.12.4 | a67173e | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.11.3 | 6302f35 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.10.6 | 1aa4bd9 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.9.8 | 479d4b1 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.8.4 | 0f2b1e2 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.7.4 | d38e43a | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.6.2 | 5e1c72c | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.5.4 | c190488 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.4.2 | 9b50144 | Robustness, readme #543, readme badge (runkit+travis), actions |
+| v6.3.4 | aa3f9f4 | Robustness, readme #543, readme badge (travis), actions |
+| v6.2.5 | d68f354 | Robustness, readme #543, readme badge (travis), actions |
+| v6.1.3 | cb45ba1 | Robustness, readme #543, readme badge (travis) |
+| v6.0.5 | a73f299 | Robustness, readme #543, readme badge (travis) |

package/.claude/ghsa-2856-comment.md

@@ -0,0 +1,7 @@
+# GHSA-2856-wc6q-8xwc — Comment to post
+
+This is not a vulnerability. The described behavior only modifies properties on the **result object** returned by `qs.parse()` — it does not modify `Object.prototype` or any shared state. Setting `toString` or `hasOwnProperty` on a specific result object is not prototype pollution; it's the expected outcome of parsing a key with that name.
+
+The `allowPrototypes` option exists precisely to control whether keys that shadow `Object.prototype` properties are allowed on result objects. When `depth <= 0` and brackets are present, the prototype check is applied to the bracketed form of the key rather than the stripped form — this is a minor inconsistency in the check, but the result is equivalent to what would happen with `allowPrototypes: true`, which is an explicitly supported configuration.
+
+Closing as not applicable.

package/.claude/ghsa-6rw7-update.md

@@ -0,0 +1,53 @@
+# GHSA-6rw7-vpxm-498p — Edits to make
+
+## Severity
+Change: High → Low
+
+## CVSS 3.1
+Old: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (7.5 High)
+New: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L` (3.7 Low)
+
+Changes:
+- AC: L → H (requires non-default parameterLimit config for real impact)
+- A: H → L (bounded memory increase, not a crash/full DoS under defaults)
+
+## Description — replace with:
+
+### Summary
+
+The `arrayLimit` option in qs did not enforce limits for bracket notation (`a[]=1&a[]=2`), only for indexed notation (`a[0]=1`). This is a consistency bug; `arrayLimit` should apply uniformly across all array notations.
+
+**Note:** The default `parameterLimit` of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than `parameterLimit` regardless of `arrayLimit`, because each `a[]=value` consumes one parameter slot. The severity has been reduced accordingly.
+
+### Details
+
+The `arrayLimit` option only checked limits for indexed notation (`a[0]=1&a[1]=2`) but did not enforce it for bracket notation (`a[]=1&a[]=2`).
+
+**Vulnerable code** (`lib/parse.js:159-162`):
+```javascript
+if (root === '[]' && options.parseArrays) {
+    obj = utils.combine([], leaf);  // No arrayLimit check
+}
+```
+
+**Working code** (`lib/parse.js:175`):
+```javascript
+else if (index <= options.arrayLimit) {  // Limit checked here
+    obj = [];
+    obj[index] = leaf;
+}
+```
+
+### PoC
+
+```javascript
+const qs = require('qs');
+const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
+console.log(result.a.length);  // Output: 6 (should be max 5)
+```
+
+**Note on parameterLimit interaction:** The original advisory's "DoS demonstration" claimed a length of 10,000, but `parameterLimit` (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
+
+### Impact
+
+Consistency bug in `arrayLimit` enforcement. With default `parameterLimit`, the practical DoS risk is negligible since `parameterLimit` already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when `parameterLimit` is explicitly set to a very high value.

package/.claude/ghsa-w7fw-comment.md

@@ -0,0 +1,10 @@
+# GHSA-w7fw-mjwx-w883 — Comment to post
+
+This is a valid report — thank you. The comma-split code path in `parseArrayValue` returned the split array immediately, bypassing the `arrayLimit` check. Unlike the bracket notation case (GHSA-6rw7-vpxm-498p), this genuinely bypasses `parameterLimit` as well, since a single parameter like `a=x,x,x,...` produces an arbitrarily large array from one `&`-delimited parameter.
+
+A fix has been implemented: after the comma split and decode step, if the resulting array exceeds `arrayLimit`, it is converted to an object (consistent with other `arrayLimit` exceedances), and `throwOnLimitExceeded` is respected.
+
+A few corrections to the advisory:
+- **Severity should be Medium, not High**: This requires the non-default `comma: true` option to be explicitly enabled. HTTP server request size limits also bound the practical impact.
+- **Vulnerable version range**: Should be `<= 6.14.1` (not `< 6.14.1`), since 6.14.1 is also affected.
+- **Patched version**: Will be set once the fix is released.

package/.claude/settings.local.json

@@ -0,0 +1,36 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm run lint:*)",
+      "Bash(npm test:*)",
+      "Bash(npm run tests-only:*)",
+      "Bash(npm show:*)",
+      "Bash(git log:*)",
+      "Bash(git tag:*)",
+      "Bash(npm view:*)",
+      "Bash(git fetch:*)",
+      "Bash(git cat-file:*)",
+      "Bash(git show:*)",
+      "Bash(git rev-parse:*)",
+      "Bash(git rev-list:*)",
+      "Bash(gh api:*)",
+      "Bash(node /tmp/qs-vuln-test.js:*)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git show 3086902 --stat)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git diff HEAD -- lib/parse.js lib/utils.js)",
+      "Bash(open:*)",
+      "WebSearch",
+      "WebFetch(domain:www.first.org)",
+      "WebFetch(domain:nvd.nist.gov)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git diff origin/main...HEAD)",
+      "Bash(for ver in v6.13.1 v6.12.3 v6.11.2 v6.10.5 v6.9.7 v6.8.3 v6.7.3 v6.6.1 v6.5.3 v6.4.1 v6.3.3 v6.2.4 v6.1.2 v6.0.4)",
+      "Bash(do echo '=== $ver ===')",
+      "Bash(done)",
+      "Bash(git checkout:*)",
+      "Bash(cd /Users/ljharb/git/ljharb/qs.git git add README.md git commit --no-verify --no-gpg-sign -m \"[readme] replace travis CI badge with shields.io check-runs badge\")",
+      "Bash(npm run dist:*)",
+      "Bash(for tag in v6.13.2 v6.12.4 v6.11.3 v6.10.6 v6.9.8 v6.8.4 v6.7.4 v6.6.2 v6.5.4 v6.4.2 v6.3.4 v6.2.5 v6.1.3 v6.0.5)",
+      "Bash(gh run view:*)"
+    ]
+  }
+}

package/.editorconfig

@@ -7,11 +7,15 @@ end_of_line = lf
 charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
-max_line_length = 140
+max_line_length = 160
+quote_type = single
 
 [test/*]
 max_line_length = off
 
+[LICENSE.md]
+indent_size = off
+
 [*.md]
 max_line_length = off
 
@@ -28,3 +32,12 @@ indent_size = 2
 [LICENSE]
 indent_size = 2
 max_line_length = off
+
+[coverage/**/*]
+indent_size = off
+indent_style = off
+indent = off
+max_line_length = off
+
+[.nycrc]
+indent_style = tab

package/.eslintrc

@@ -3,10 +3,14 @@
 
     "extends": "@ljharb",
 
+    "ignorePatterns": [
+        "dist/",
+    ],
+
     "rules": {
         "complexity": 0,
         "consistent-return": 1,
-		"func-name-matching": 0,
+        "func-name-matching": 0,
         "id-length": [2, { "min": 1, "max": 25, "properties": "never" }],
         "indent": [2, 4],
         "max-lines-per-function": [2, { "max": 150 }],
@@ -15,7 +19,20 @@
         "multiline-comment-style": 0,
         "no-continue": 1,
         "no-magic-numbers": 0,
+        "no-param-reassign": 1,
         "no-restricted-syntax": [2, "BreakStatement", "DebuggerStatement", "ForInStatement", "LabeledStatement", "WithStatement"],
         "operator-linebreak": [2, "before"],
-    }
+    },
+
+    "overrides": [
+        {
+            "files": "test/**",
+            "rules": {
+                "max-lines-per-function": 0,
+                "max-statements": 0,
+                "no-extend-native": 0,
+                "function-paren-newline": 0,
+            },
+        },
+    ],
 }

package/.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: [ljharb]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: npm/qs
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: # Replace with a single custom sponsorship URL

package/.nycrc

@@ -0,0 +1,13 @@
+{
+	"all": true,
+	"check-coverage": false,
+	"reporter": ["text-summary", "text", "html", "json"],
+	"lines": 86,
+	"statements": 85.93,
+	"functions": 82.43,
+	"branches": 76.06,
+	"exclude": [
+		"coverage",
+		"dist"
+	]
+}

package/CHANGELOG.md

@@ -1,3 +1,36 @@
+## **6.6.2**
+- [Robustness] avoid `.push`, use `void`
+- [readme] clarify `parseArrays` and `arrayLimit` documentation (#543)
+- [readme] document that `addQueryPrefix` does not add `?` to empty output (#418)
+- [readme] replace runkit CI badge with shields.io check-runs badge
+- [actions] fix rebase workflow permissions
+
+## **6.6.1**
+- [Fix] `parse`: ignore `__proto__` keys (#428)
+- [Fix] fix for an impossible situation: when the formatter is called with a non-string value
+- [Fix] `utils.merge`: avoid a crash with a null target and an array source
+- [Fix] `utils.merge`: avoid a crash with a null target and a truthy non-array source
+- [Fix] correctly parse nested arrays
+- [Robustness] `stringify`: avoid relying on a global `undefined` (#427)
+- [Robustness] `stringify`: cache `Object.prototype.hasOwnProperty`
+- [Refactor] `formats`: tiny bit of cleanup.
+- [Refactor] `utils`: `isBuffer`: small tweak; add tests
+- [Refactor]: `stringify`/`utils`: cache `Array.isArray`
+- [Refactor] `utils`: reduce observable [[Get]]s
+- [Refactor] use cached `Array.isArray`
+- [Refactor] `parse`/`stringify`: make a function to normalize the options
+- [readme] remove travis badge; add github actions/codecov badges; update URLs
+- [Docs] Clarify the need for "arrayLimit" option
+- [meta] fix README.md (#399)
+- [meta] do not publish workflow files
+- [meta] Clean up license text so it’s properly detected as BSD-3-Clause
+- [meta] add FUNDING.yml
+- [meta] Fixes typo in CHANGELOG.md
+- [actions] backport actions from main
+- [Tests] fix Buffer tests to work in node < 4.5 and node < 5.10
+- [Tests] always use `String(x)` over `x.toString()`
+- [Dev Deps] backport from main
+
 ## **6.6.0**
 - [New] Add support for iso-8859-1, utf8 "sentinel" and numeric entities (#268)
 - [New] move two-value combine to a `utils` function (#189)
@@ -11,7 +44,7 @@
 - [Refactor] add missing defaults
 - [Refactor] `parse`: one less `concat` call
 - [Refactor] `utils`: `compactQueue`: make it explicitly side-effecting
-- [Dev Deps] update `browserify, `eslint`, `@ljharb/eslint-config`, `iconv-lite`, `safe-publish-latest`, `tape`
+- [Dev Deps] update `browserify`, `eslint`, `@ljharb/eslint-config`, `iconv-lite`, `safe-publish-latest`, `tape`
 - [Tests] up to `node` `v10.10`, `v9.11`, `v8.12`, `v6.14`, `v4.9`; pin included builds to LTS
 
 ## **6.5.2**

package/LICENSE.md

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2014, Nathan LaFreniere and other [contributors](https://github.com/ljharb/qs/graphs/contributors)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

package/README.md

@@ -1,12 +1,13 @@
 # qs <sup>[![Version Badge][2]][1]</sup>
 
-[![Build Status][3]][4]
-[![dependency status][5]][6]
-[![dev dependency status][7]][8]
+[![github actions][actions-image]][actions-url]
+[![coverage][codecov-image]][codecov-url]
+[![dependency status][deps-svg]][deps-url]
+[![dev dependency status][dev-deps-svg]][dev-deps-url]
 [![License][license-image]][license-url]
 [![Downloads][downloads-image]][downloads-url]
 
-[![npm badge][11]][1]
+[![npm badge][npm-badge-png]][package-url]
 
 A querystring parsing and stringifying library with some added security.
 
@@ -237,8 +238,8 @@ var withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c');
 assert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });
 ```
 
-**qs** will also limit specifying indices in an array to a maximum index of `20`. Any array members with an index of greater than `20` will
-instead be converted to an object with the index as the key:
+**qs** will also limit arrays to a maximum of `20` elements. Any array members with an index of `20` or greater will
+instead be converted to an object with the index as the key. This is needed to handle cases when someone sent, for example, `a[999999999]` and it will take significant time to iterate over this huge array.
 
 ```javascript
 var withMaxIndex = qs.parse('a[100]=b');
@@ -252,7 +253,7 @@ var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });
 assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
 ```
 
-To disable array parsing entirely, set `parseArrays` to `false`.
+To prevent array syntax (`a[]`, `a[0]`) from being parsed as arrays, set `parseArrays` to `false`.
 
 ```javascript
 var noParsingArrays = qs.parse('a[]=b', { parseArrays: false });
@@ -323,6 +324,30 @@ var decoded = qs.parse('x=z', { decoder: function (str) {
 }})
 ```
 
+You can encode keys and values using different logic by using the type argument provided to the encoder:
+
+```javascript
+var encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str, defaultEncoder, charset, type) {
+    if (type === 'key') {
+        return // Encoded key
+    } else if (type === 'value') {
+        return // Encoded value
+    }
+}})
+```
+
+The type argument is also provided to the decoder:
+
+```javascript
+var decoded = qs.parse('x=z', { decoder: function (str, defaultDecoder, charset, type) {
+    if (type === 'key') {
+        return // Decoded key
+    } else if (type === 'value') {
+        return // Decoded value
+    }
+}})
+```
+
 Examples beyond this point will be shown as though the output is not URI encoded for clarity. Please note that the return values in these cases *will* be URI encoded during real usage.
 
 When arrays are stringified, by default they are given explicit indices:
@@ -392,6 +417,12 @@ The query string may optionally be prepended with a question mark:
 assert.equal(qs.stringify({ a: 'b', c: 'd' }, { addQueryPrefix: true }), '?a=b&c=d');
 ```
 
+Note that when the output is an empty string, the prefix will not be added:
+
+```javascript
+assert.equal(qs.stringify({}, { addQueryPrefix: true }), '');
+```
+
 The delimiter may be overridden with stringify as well:
 
 ```javascript
@@ -544,18 +575,28 @@ assert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC3986' }), 'a=b%20c');
 assert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC1738' }), 'a=b+c');
 ```
 
-[1]: https://npmjs.org/package/qs
-[2]: http://versionbadg.es/ljharb/qs.svg
-[3]: https://api.travis-ci.org/ljharb/qs.svg
-[4]: https://travis-ci.org/ljharb/qs
-[5]: https://david-dm.org/ljharb/qs.svg
-[6]: https://david-dm.org/ljharb/qs
-[7]: https://david-dm.org/ljharb/qs/dev-status.svg
-[8]: https://david-dm.org/ljharb/qs?type=dev
-[9]: https://ci.testling.com/ljharb/qs.png
-[10]: https://ci.testling.com/ljharb/qs
-[11]: https://nodei.co/npm/qs.png?downloads=true&stars=true
-[license-image]: http://img.shields.io/npm/l/qs.svg
+## Security
+
+Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.
+
+## qs for enterprise
+
+Available as part of the Tidelift Subscription
+
+The maintainers of qs and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more.](https://tidelift.com/subscription/pkg/npm-qs?utm_source=npm-qs&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
+
+[package-url]: https://npmjs.org/package/qs
+[npm-version-svg]: https://versionbadg.es/ljharb/qs.svg
+[deps-svg]: https://david-dm.org/ljharb/qs.svg
+[deps-url]: https://david-dm.org/ljharb/qs
+[dev-deps-svg]: https://david-dm.org/ljharb/qs/dev-status.svg
+[dev-deps-url]: https://david-dm.org/ljharb/qs#info=devDependencies
+[npm-badge-png]: https://nodei.co/npm/qs.png?downloads=true&stars=true
+[license-image]: https://img.shields.io/npm/l/qs.svg
 [license-url]: LICENSE
-[downloads-image]: http://img.shields.io/npm/dm/qs.svg
-[downloads-url]: http://npm-stat.com/charts.html?package=qs
+[downloads-image]: https://img.shields.io/npm/dm/qs.svg
+[downloads-url]: https://npm-stat.com/charts.html?package=qs
+[codecov-image]: https://codecov.io/gh/ljharb/qs/branch/main/graphs/badge.svg
+[codecov-url]: https://app.codecov.io/gh/ljharb/qs/
+[actions-image]: https://img.shields.io/github/check-runs/ljharb/qs/main
+[actions-url]: https://github.com/ljharb/qs/actions