npm - qs - Versions diffs - 6.9.6 → 6.10.0 - Mend

qs 6.9.6 → 6.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/lib/parse.js CHANGED Viewed

@@ -8,6 +8,7 @@ var isArray = Array.isArray;
 var defaults = {
     allowDots: false,
     allowPrototypes: false,
+    allowSparse: false,
     arrayLimit: 20,
     charset: 'utf-8',
     charsetSentinel: false,
@@ -217,6 +218,7 @@ var normalizeParseOptions = function normalizeParseOptions(opts) {
     return {
         allowDots: typeof opts.allowDots === 'undefined' ? defaults.allowDots : !!opts.allowDots,
         allowPrototypes: typeof opts.allowPrototypes === 'boolean' ? opts.allowPrototypes : defaults.allowPrototypes,
+        allowSparse: typeof opts.allowSparse === 'boolean' ? opts.allowSparse : defaults.allowSparse,
         arrayLimit: typeof opts.arrayLimit === 'number' ? opts.arrayLimit : defaults.arrayLimit,
         charset: charset,
         charsetSentinel: typeof opts.charsetSentinel === 'boolean' ? opts.charsetSentinel : defaults.charsetSentinel,
@@ -253,5 +255,9 @@ module.exports = function (str, opts) {
         obj = utils.merge(obj, newObj, options);
     }
+    if (options.allowSparse === true) {
+        return obj;
+    }
     return utils.compact(obj);
 };

package/lib/stringify.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict';
+var getSideChannel = require('side-channel');
 var utils = require('./utils');
 var formats = require('./formats');
 var has = Object.prototype.hasOwnProperty;
@@ -68,9 +69,15 @@ var stringify = function stringify(
     format,
     formatter,
     encodeValuesOnly,
-    charset
+    charset,
+    sideChannel
 ) {
     var obj = object;
+    if (sideChannel.has(object)) {
+        throw new RangeError('Cyclic object value');
+    }
     if (typeof filter === 'function') {
         obj = filter(prefix, obj);
     } else if (obj instanceof Date) {
@@ -129,6 +136,7 @@ var stringify = function stringify(
             ? typeof generateArrayPrefix === 'function' ? generateArrayPrefix(prefix, key) : prefix
             : prefix + (allowDots ? '.' + key : '[' + key + ']');
+        sideChannel.set(object, true);
         pushToArray(values, stringify(
             value,
             keyPrefix,
@@ -143,7 +151,8 @@ var stringify = function stringify(
             format,
             formatter,
             encodeValuesOnly,
-            charset
+            charset,
+            sideChannel
         ));
     }
@@ -237,6 +246,7 @@ module.exports = function (object, opts) {
         objKeys.sort(options.sort);
     }
+    var sideChannel = getSideChannel();
     for (var i = 0; i < objKeys.length; ++i) {
         var key = objKeys[i];
@@ -257,7 +267,8 @@ module.exports = function (object, opts) {
             options.format,
             options.formatter,
             options.encodeValuesOnly,
-            options.charset
+            options.charset,
+            sideChannel
         ));
     }

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
     "name": "qs",
     "description": "A querystring parser that supports nesting and arrays, with a depth limit",
     "homepage": "https://github.com/ljharb/qs",
-    "version": "6.9.6",
+    "version": "6.10.0",
     "repository": {
         "type": "git",
         "url": "https://github.com/ljharb/qs.git"
@@ -29,33 +29,36 @@
     "engines": {
         "node": ">=0.6"
     },
-    "dependencies": {},
+    "dependencies": {
+        "side-channel": "^1.0.4"
+    },
     "devDependencies": {
-        "@ljharb/eslint-config": "^17.3.0",
-        "aud": "^1.1.3",
+        "@ljharb/eslint-config": "^17.5.1",
+        "aud": "^1.1.4",
         "browserify": "^16.5.2",
         "eclint": "^2.8.1",
-        "eslint": "^7.17.0",
+        "eslint": "^7.22.0",
         "evalmd": "^0.0.19",
         "for-each": "^0.3.3",
-        "has-symbols": "^1.0.1",
+        "has-symbols": "^1.0.2",
         "iconv-lite": "^0.5.1",
+        "in-publish": "^2.0.1",
         "mkdirp": "^0.5.5",
         "nyc": "^10.3.2",
         "object-inspect": "^1.9.0",
         "qs-iconv": "^1.0.4",
         "safe-publish-latest": "^1.1.4",
         "safer-buffer": "^2.1.2",
-        "tape": "^5.1.1"
+        "tape": "^5.2.2"
     },
     "scripts": {
-        "prepublish": "safe-publish-latest && npm run dist",
+        "prepublish": "safe-publish-latest && (not-in-publish || npm run dist)",
         "pretest": "npm run --silent readme && npm run --silent lint",
         "test": "npm run tests-only",
         "tests-only": "nyc tape 'test/**/*.js'",
         "posttest": "aud --production",
         "readme": "evalmd README.md",
-        "postlint": "eclint check * lib/* test/*",
+        "postlint": "eclint check * lib/* test/* !dist/*",
         "lint": "eslint lib/*.js test/*.js",
         "dist": "mkdirp dist && browserify --standalone Qs lib/index.js > dist/qs.js"
     },

package/test/parse.js CHANGED Viewed

@@ -269,6 +269,15 @@ test('parse()', function (t) {
         st.end();
     });
+    t.test('parses sparse arrays', function (st) {
+        /* eslint no-sparse-arrays: 0 */
+        st.deepEqual(qs.parse('a[4]=1&a[1]=2', { allowSparse: true }), { a: [, '2', , , '1'] });
+        st.deepEqual(qs.parse('a[1][b][2][c]=1', { allowSparse: true }), { a: [, { b: [, , { c: '1' }] }] });
+        st.deepEqual(qs.parse('a[1][2][3][c]=1', { allowSparse: true }), { a: [, [, , [, , , { c: '1' }]]] });
+        st.deepEqual(qs.parse('a[1][2][3][c][1]=1', { allowSparse: true }), { a: [, [, , [, , , { c: [, '1'] }]]] });
+        st.end();
+    });
     t.test('parses semi-parsed strings', function (st) {
         st.deepEqual(qs.parse({ 'a[b]': 'c' }), { a: { b: 'c' } });
         st.deepEqual(qs.parse({ 'a[b]': 'c', 'a[d]': 'e' }), { a: { b: 'c', d: 'e' } });

package/test/stringify.js CHANGED Viewed

@@ -433,7 +433,7 @@ test('stringify()', function (t) {
         st.end();
     });
-    t.test('doesn\'t blow up when Buffer global is missing', function (st) {
+    t.test('does not blow up when Buffer global is missing', function (st) {
         var tempBuffer = global.Buffer;
         delete global.Buffer;
         var result = qs.stringify({ a: 'b', c: 'd' });
@@ -442,6 +442,29 @@ test('stringify()', function (t) {
         st.end();
     });
+    t.test('does not crash when parsing circular references', function (st) {
+        var a = {};
+        a.b = a;
+        st['throws'](
+            function () { qs.stringify({ 'foo[bar]': 'baz', 'foo[baz]': a }); },
+            RangeError,
+            'cyclic values throw'
+        );
+        var circular = {
+            a: 'value'
+        };
+        circular.a = circular;
+        st['throws'](
+            function () { qs.stringify(circular); },
+            RangeError,
+            'cyclic values throw'
+        );
+        st.end();
+    });
     t.test('selects properties when filter=array', function (st) {
         st.equal(qs.stringify({ a: 'b' }, { filter: ['a'] }), 'a=b');
         st.equal(qs.stringify({ a: 1 }, { filter: [] }), '');
@@ -789,5 +812,15 @@ test('stringify()', function (t) {
         st.end();
     });
+    t.test('stringifies sparse arrays', function (st) {
+        /* eslint no-sparse-arrays: 0 */
+        st.equal(qs.stringify({ a: [, '2', , , '1'] }, { encodeValuesOnly: true }), 'a[1]=2&a[4]=1');
+        st.equal(qs.stringify({ a: [, { b: [, , { c: '1' }] }] }, { encodeValuesOnly: true }), 'a[1][b][2][c]=1');
+        st.equal(qs.stringify({ a: [, [, , [, , , { c: '1' }]]] }, { encodeValuesOnly: true }), 'a[1][2][3][c]=1');
+        st.equal(qs.stringify({ a: [, [, , [, , , { c: [, '1'] }]]] }, { encodeValuesOnly: true }), 'a[1][2][3][c][1]=1');
+        st.end();
+    });
     t.end();
 });