npm - qs - Versions diffs - 6.7.4 → 6.7.5 - Mend

qs 6.7.4 → 6.7.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/CHANGELOG.md +5 -0
package/dist/qs.js +2 -2
package/lib/parse.js +1 -1
package/lib/utils.js +1 -1
package/package.json +13 -4
package/test/parse.js +9 -0
package/test/stringify.js +6 -0
package/.claude/backport-record.md +0 -79
package/.claude/ghsa-2856-comment.md +0 -7
package/.claude/ghsa-6rw7-update.md +0 -53
package/.claude/ghsa-w7fw-comment.md +0 -10
package/.claude/settings.local.json +0 -36

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,8 @@
+## **6.7.5**
+- [Fix] fix regressions from robustness refactor
+- [meta] add `npmignore` to autogenerate an npmignore file
+- [actions] update reusable workflows
 ## **6.7.4**
 - [Robustness] avoid `.push`, use `void`
 - [readme] clarify `parseArrays` and `arrayLimit` documentation (#543)

package/dist/qs.js CHANGED Viewed

@@ -247,7 +247,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesPars
     // If there's a remainder, just add whatever is left
     if (segment) {
-        keys[keys.length] = '[' + key.slice(segment.index + ']');
+        keys[keys.length] = '[' + key.slice(segment.index) + ']';
     }
     return parseObject(keys, val, options, valuesParsed);
@@ -600,7 +600,7 @@ var isArray = Array.isArray;
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
-        array[array.length] = '%' + ((i < 16 ? '0' : '' + i.toString(16)).toUpperCase());
+        array[array.length] = '%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase();
     }
     return array;

package/lib/parse.js CHANGED Viewed

@@ -205,7 +205,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesPars
     // If there's a remainder, just add whatever is left
     if (segment) {
-        keys[keys.length] = '[' + key.slice(segment.index + ']');
+        keys[keys.length] = '[' + key.slice(segment.index) + ']';
     }
     return parseObject(keys, val, options, valuesParsed);

package/lib/utils.js CHANGED Viewed

@@ -6,7 +6,7 @@ var isArray = Array.isArray;
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
-        array[array.length] = '%' + ((i < 16 ? '0' : '' + i.toString(16)).toUpperCase());
+        array[array.length] = '%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase();
     }
     return array;

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
     "name": "qs",
     "description": "A querystring parser that supports nesting and arrays, with a depth limit",
     "homepage": "https://github.com/ljharb/qs",
-    "version": "6.7.4",
+    "version": "6.7.5",
     "repository": {
         "type": "git",
         "url": "https://github.com/ljharb/qs.git"
@@ -45,10 +45,11 @@
         "qs-iconv": "^1.0.4",
         "safe-publish-latest": "^2.0.0",
         "safer-buffer": "^2.1.2",
-        "tape": "^5.4.0"
+        "tape": "^5.4.0",
+        "npmignore": "^0.3.1"
     },
     "scripts": {
-        "prepublishOnly": "safe-publish-latest && npm run dist",
+        "prepublishOnly": "safe-publish-latest && npmignore --auto --commentLines=autogenerated && npm run dist",
         "prepublish": "not-in-publish || npm run prepublishOnly",
         "pretest": "npm run --silent readme && npm run --silent lint",
         "test": "npm run --silent tests-only",
@@ -59,5 +60,13 @@
         "lint": "eslint lib/*.js test/*.js",
         "dist": "mkdirp dist && browserify --standalone Qs lib/index.js > dist/qs.js"
     },
-    "license": "BSD-3-Clause"
+    "license": "BSD-3-Clause",
+    "publishConfig": {
+        "ignore": [
+            "!dist/*",
+            "bower.json",
+            "component.json",
+            ".github/workflows"
+        ]
+    }
 }

package/test/parse.js CHANGED Viewed

@@ -84,6 +84,15 @@ test('parse()', function (t) {
         st.end();
     });
+    t.test('correctly computes the remainder when depth is exceeded', function (st) {
+        st.deepEqual(
+            qs.parse('a[b][c][d][e]=f', { depth: 2 }),
+            { a: { b: { c: { '[d][e]': 'f' } } } },
+            'the remainder is "[d][e]", not the full original key'
+        );
+        st.end();
+    });
     t.test('current behavior with depth = 0', function (st) {
         st.deepEqual(qs.parse('a[0]=b&a[1]=c', { depth: 0 }), { a: { '[0]': 'b', '[1]': 'c' } });
         st.deepEqual(qs.parse('a[0][0]=b&a[0][1]=c&a[1]=d&e=2', { depth: 0 }), { a: { '[0][0]': 'b', '[0][1]': 'c', '[1]': 'd' }, e: '2' });

package/test/stringify.js CHANGED Viewed

@@ -19,6 +19,12 @@ test('stringify()', function (t) {
         st.end();
     });
+    t.test('correctly encodes low-byte characters', function (st) {
+        st.equal(qs.stringify({ a: String.fromCharCode(1) }), 'a=%01', 'encodes 0x01');
+        st.equal(qs.stringify({ a: String.fromCharCode(15) }), 'a=%0F', 'encodes 0x0F');
+        st.end();
+    });
     t.test('stringifies falsy values', function (st) {
         st.equal(qs.stringify(undefined), '');
         st.equal(qs.stringify(null), '');

package/.claude/backport-record.md DELETED Viewed

@@ -1,79 +0,0 @@
-# Backport Record
-Commits to backport from main (v6.14.1..v6.14.2, excluding version bump):
-| # | SHA | Description |
-|---|-----|-------------|
-| 1 | 6744d30 | [Robustness] avoid `.push`, use `void` |
-| 2 | 6bdfaf5 | [readme] replace runkit/travis CI badge with shields.io check-runs badge |
-| 3 | 2a35775 | [meta] fix changelog typo |
-| 4 | 1b9a8b4 | [actions] fix rebase workflow permissions |
-| 5 | fbc5206 | [Fix] `parse`: fix error message |
-| 6 | f6a7abf | [Fix] `parse`: enforce arrayLimit on comma-parsed values |
-| 7 | febb644 | [Fix] `parse`: throw on arrayLimit exceeded with indexed notation |
-| 8 | cfc108f | [Fix] arrayLimit means max count, not max index |
-| 9 | 6addf8c | [Fix] `parse`: mark overflow objects for indexed notation |
-| 10 | 5c308e5 | [readme] clarify parseArrays and arrayLimit documentation |
-| 11 | 294db90 | [readme] document addQueryPrefix does not add ? to empty output |
-## Results
-| Version | Base Tag | Base SHA | Result HEAD | Applied | Skipped |
-|---------|----------|----------|-------------|---------|---------|
-| 6.14 | v6.14.2 | bdcf0c7 | bdcf0c7 | all | — |
-| 6.13 | v6.13.1 | f1ee037 | 625fa19 | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.12 | v6.12.3 | f90cc35 | 8a1b294 | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.11 | v6.11.2 | 410bdd3 | 3a5f714 | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.10 | v6.10.5 | 95bc018 | 8189da8 | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.9 | v6.9.7 | 4cd0032 | 6a7a3bf | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.8 | v6.8.3 | 0db5538 | 76d53e9 | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.7 | v6.7.3 | 834389a | 2991d8b | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.6 | v6.6.1 | 4cc653c | 7093153 | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.5 | v6.5.3 | 298bfa5 | 40b77c3 | 1,2,4,10,11 | 3,5,6,7,8,9 |
-| 6.4 | v6.4.1 | 486aa46 | d9ffe2b | 1,2,4,10 | 3,5,6,7,8,9,11 |
-| 6.3 | v6.3.3 | ff235b4 | b4824cb | 1,2,4,10 | 3,5,6,7,8,9,11 |
-| 6.2 | v6.2.4 | 90d9f2b | db7b937 | 1,2,4,10 | 3,5,6,7,8,9,11 |
-| 6.1 | v6.1.2 | 68ca039 | 3245e1f | 1,2,10 | 3,4,5,6,7,8,9,11 |
-| 6.0 | v6.0.4 | 10233c9 | b779be4 | 1,2,10 | 3,4,5,6,7,8,9,11 |
-## Legend for Applied/Skipped columns
-1=Robustness, 2=readme badge, 3=changelog typo, 4=actions permissions,
-5=error msg fix, 6=comma arrayLimit, 7=indexed throw, 8=count semantics,
-9=mark overflow, 10=parseArrays/arrayLimit docs, 11=addQueryPrefix docs
-## Notes
-- #2 (badge): v6.4+ had runkit badge replaced; v6.0-v6.3 had Travis badge replaced
-- #4 (actions): v6.2-v6.10 had permissions block ADDED (not modified); v6.0-v6.1 have no rebase.yml
-## Skip Reasons
-| Commit | Reason for skip |
-|--------|----------------|
-| 3 (2a35775) | v6.14.1-specific changelog — not applicable to other versions |
-| 5 (fbc5206) | Requires `throwOnLimitExceeded` option (v6.14.0+) |
-| 6 (f6a7abf) | Requires overflow system (`combine(a,b,arrayLimit,plainObjects)`) from v6.14.1 |
-| 7 (febb644) | Requires `throwOnLimitExceeded` option (v6.14.0+) |
-| 8 (cfc108f) | Requires overflow system from v6.14.1 |
-| 9 (6addf8c) | Requires overflow system from v6.14.1 |
-| 11 (294db90) | v6.4 and below lack `addQueryPrefix` in README |
-## Release Tags
-| Tag | SHA | Changelog Entries |
-|-----|-----|-------------------|
-| v6.13.2 | d8a8ab3 | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.12.4 | a67173e | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.11.3 | 6302f35 | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.10.6 | 1aa4bd9 | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.9.8 | 479d4b1 | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.8.4 | 0f2b1e2 | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.7.4 | d38e43a | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.6.2 | 5e1c72c | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.5.4 | c190488 | Robustness, readme #543, readme #418, readme badge, actions |
-| v6.4.2 | 9b50144 | Robustness, readme #543, readme badge (runkit+travis), actions |
-| v6.3.4 | aa3f9f4 | Robustness, readme #543, readme badge (travis), actions |
-| v6.2.5 | d68f354 | Robustness, readme #543, readme badge (travis), actions |
-| v6.1.3 | cb45ba1 | Robustness, readme #543, readme badge (travis) |
-| v6.0.5 | a73f299 | Robustness, readme #543, readme badge (travis) |

package/.claude/ghsa-2856-comment.md DELETED Viewed

@@ -1,7 +0,0 @@
-# GHSA-2856-wc6q-8xwc — Comment to post
-This is not a vulnerability. The described behavior only modifies properties on the **result object** returned by `qs.parse()` — it does not modify `Object.prototype` or any shared state. Setting `toString` or `hasOwnProperty` on a specific result object is not prototype pollution; it's the expected outcome of parsing a key with that name.
-The `allowPrototypes` option exists precisely to control whether keys that shadow `Object.prototype` properties are allowed on result objects. When `depth <= 0` and brackets are present, the prototype check is applied to the bracketed form of the key rather than the stripped form — this is a minor inconsistency in the check, but the result is equivalent to what would happen with `allowPrototypes: true`, which is an explicitly supported configuration.
-Closing as not applicable.

package/.claude/ghsa-6rw7-update.md DELETED Viewed

@@ -1,53 +0,0 @@
-# GHSA-6rw7-vpxm-498p — Edits to make
-## Severity
-Change: High → Low
-## CVSS 3.1
-Old: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (7.5 High)
-New: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L` (3.7 Low)
-Changes:
-- AC: L → H (requires non-default parameterLimit config for real impact)
-- A: H → L (bounded memory increase, not a crash/full DoS under defaults)
-## Description — replace with:
-### Summary
-The `arrayLimit` option in qs did not enforce limits for bracket notation (`a[]=1&a[]=2`), only for indexed notation (`a[0]=1`). This is a consistency bug; `arrayLimit` should apply uniformly across all array notations.
-**Note:** The default `parameterLimit` of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than `parameterLimit` regardless of `arrayLimit`, because each `a[]=value` consumes one parameter slot. The severity has been reduced accordingly.
-### Details
-The `arrayLimit` option only checked limits for indexed notation (`a[0]=1&a[1]=2`) but did not enforce it for bracket notation (`a[]=1&a[]=2`).
-**Vulnerable code** (`lib/parse.js:159-162`):
-```javascript
-if (root === '[]' && options.parseArrays) {
-    obj = utils.combine([], leaf);  // No arrayLimit check
-}
-```
-**Working code** (`lib/parse.js:175`):
-```javascript
-else if (index <= options.arrayLimit) {  // Limit checked here
-    obj = [];
-    obj[index] = leaf;
-}
-```
-### PoC
-```javascript
-const qs = require('qs');
-const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
-console.log(result.a.length);  // Output: 6 (should be max 5)
-```
-**Note on parameterLimit interaction:** The original advisory's "DoS demonstration" claimed a length of 10,000, but `parameterLimit` (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
-### Impact
-Consistency bug in `arrayLimit` enforcement. With default `parameterLimit`, the practical DoS risk is negligible since `parameterLimit` already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when `parameterLimit` is explicitly set to a very high value.

package/.claude/ghsa-w7fw-comment.md DELETED Viewed

@@ -1,10 +0,0 @@
-# GHSA-w7fw-mjwx-w883 — Comment to post
-This is a valid report — thank you. The comma-split code path in `parseArrayValue` returned the split array immediately, bypassing the `arrayLimit` check. Unlike the bracket notation case (GHSA-6rw7-vpxm-498p), this genuinely bypasses `parameterLimit` as well, since a single parameter like `a=x,x,x,...` produces an arbitrarily large array from one `&`-delimited parameter.
-A fix has been implemented: after the comma split and decode step, if the resulting array exceeds `arrayLimit`, it is converted to an object (consistent with other `arrayLimit` exceedances), and `throwOnLimitExceeded` is respected.
-A few corrections to the advisory:
-- **Severity should be Medium, not High**: This requires the non-default `comma: true` option to be explicitly enabled. HTTP server request size limits also bound the practical impact.
-- **Vulnerable version range**: Should be `<= 6.14.1` (not `< 6.14.1`), since 6.14.1 is also affected.
-- **Patched version**: Will be set once the fix is released.

package/.claude/settings.local.json DELETED Viewed

@@ -1,36 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(npm run lint:*)",
-      "Bash(npm test:*)",
-      "Bash(npm run tests-only:*)",
-      "Bash(npm show:*)",
-      "Bash(git log:*)",
-      "Bash(git tag:*)",
-      "Bash(npm view:*)",
-      "Bash(git fetch:*)",
-      "Bash(git cat-file:*)",
-      "Bash(git show:*)",
-      "Bash(git rev-parse:*)",
-      "Bash(git rev-list:*)",
-      "Bash(gh api:*)",
-      "Bash(node /tmp/qs-vuln-test.js:*)",
-      "Bash(git -C /Users/ljharb/git/ljharb/qs.git show 3086902 --stat)",
-      "Bash(git -C /Users/ljharb/git/ljharb/qs.git diff HEAD -- lib/parse.js lib/utils.js)",
-      "Bash(open:*)",
-      "WebSearch",
-      "WebFetch(domain:www.first.org)",
-      "WebFetch(domain:nvd.nist.gov)",
-      "WebFetch(domain:raw.githubusercontent.com)",
-      "Bash(git -C /Users/ljharb/git/ljharb/qs.git diff origin/main...HEAD)",
-      "Bash(for ver in v6.13.1 v6.12.3 v6.11.2 v6.10.5 v6.9.7 v6.8.3 v6.7.3 v6.6.1 v6.5.3 v6.4.1 v6.3.3 v6.2.4 v6.1.2 v6.0.4)",
-      "Bash(do echo '=== $ver ===')",
-      "Bash(done)",
-      "Bash(git checkout:*)",
-      "Bash(cd /Users/ljharb/git/ljharb/qs.git git add README.md git commit --no-verify --no-gpg-sign -m \"[readme] replace travis CI badge with shields.io check-runs badge\")",
-      "Bash(npm run dist:*)",
-      "Bash(for tag in v6.13.2 v6.12.4 v6.11.3 v6.10.6 v6.9.8 v6.8.4 v6.7.4 v6.6.2 v6.5.4 v6.4.2 v6.3.4 v6.2.5 v6.1.3 v6.0.5)",
-      "Bash(gh run view:*)"
-    ]
-  }
-}