qs 6.9.6 → 6.9.8

package/.claude/backport-record.md

@@ -0,0 +1,79 @@
+# Backport Record
+
+Commits to backport from main (v6.14.1..v6.14.2, excluding version bump):
+
+| # | SHA | Description |
+|---|-----|-------------|
+| 1 | 6744d30 | [Robustness] avoid `.push`, use `void` |
+| 2 | 6bdfaf5 | [readme] replace runkit/travis CI badge with shields.io check-runs badge |
+| 3 | 2a35775 | [meta] fix changelog typo |
+| 4 | 1b9a8b4 | [actions] fix rebase workflow permissions |
+| 5 | fbc5206 | [Fix] `parse`: fix error message |
+| 6 | f6a7abf | [Fix] `parse`: enforce arrayLimit on comma-parsed values |
+| 7 | febb644 | [Fix] `parse`: throw on arrayLimit exceeded with indexed notation |
+| 8 | cfc108f | [Fix] arrayLimit means max count, not max index |
+| 9 | 6addf8c | [Fix] `parse`: mark overflow objects for indexed notation |
+| 10 | 5c308e5 | [readme] clarify parseArrays and arrayLimit documentation |
+| 11 | 294db90 | [readme] document addQueryPrefix does not add ? to empty output |
+
+## Results
+
+| Version | Base Tag | Base SHA | Result HEAD | Applied | Skipped |
+|---------|----------|----------|-------------|---------|---------|
+| 6.14 | v6.14.2 | bdcf0c7 | bdcf0c7 | all | — |
+| 6.13 | v6.13.1 | f1ee037 | 625fa19 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.12 | v6.12.3 | f90cc35 | 8a1b294 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.11 | v6.11.2 | 410bdd3 | 3a5f714 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.10 | v6.10.5 | 95bc018 | 8189da8 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.9 | v6.9.7 | 4cd0032 | 6a7a3bf | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.8 | v6.8.3 | 0db5538 | 76d53e9 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.7 | v6.7.3 | 834389a | 2991d8b | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.6 | v6.6.1 | 4cc653c | 7093153 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.5 | v6.5.3 | 298bfa5 | 40b77c3 | 1,2,4,10,11 | 3,5,6,7,8,9 |
+| 6.4 | v6.4.1 | 486aa46 | d9ffe2b | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.3 | v6.3.3 | ff235b4 | b4824cb | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.2 | v6.2.4 | 90d9f2b | db7b937 | 1,2,4,10 | 3,5,6,7,8,9,11 |
+| 6.1 | v6.1.2 | 68ca039 | 3245e1f | 1,2,10 | 3,4,5,6,7,8,9,11 |
+| 6.0 | v6.0.4 | 10233c9 | b779be4 | 1,2,10 | 3,4,5,6,7,8,9,11 |
+
+## Legend for Applied/Skipped columns
+
+1=Robustness, 2=readme badge, 3=changelog typo, 4=actions permissions,
+5=error msg fix, 6=comma arrayLimit, 7=indexed throw, 8=count semantics,
+9=mark overflow, 10=parseArrays/arrayLimit docs, 11=addQueryPrefix docs
+
+## Notes
+
+- #2 (badge): v6.4+ had runkit badge replaced; v6.0-v6.3 had Travis badge replaced
+- #4 (actions): v6.2-v6.10 had permissions block ADDED (not modified); v6.0-v6.1 have no rebase.yml
+
+## Skip Reasons
+
+| Commit | Reason for skip |
+|--------|----------------|
+| 3 (2a35775) | v6.14.1-specific changelog — not applicable to other versions |
+| 5 (fbc5206) | Requires `throwOnLimitExceeded` option (v6.14.0+) |
+| 6 (f6a7abf) | Requires overflow system (`combine(a,b,arrayLimit,plainObjects)`) from v6.14.1 |
+| 7 (febb644) | Requires `throwOnLimitExceeded` option (v6.14.0+) |
+| 8 (cfc108f) | Requires overflow system from v6.14.1 |
+| 9 (6addf8c) | Requires overflow system from v6.14.1 |
+| 11 (294db90) | v6.4 and below lack `addQueryPrefix` in README |
+
+## Release Tags
+
+| Tag | SHA | Changelog Entries |
+|-----|-----|-------------------|
+| v6.13.2 | d8a8ab3 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.12.4 | a67173e | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.11.3 | 6302f35 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.10.6 | 1aa4bd9 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.9.8 | 479d4b1 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.8.4 | 0f2b1e2 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.7.4 | d38e43a | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.6.2 | 5e1c72c | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.5.4 | c190488 | Robustness, readme #543, readme #418, readme badge, actions |
+| v6.4.2 | 9b50144 | Robustness, readme #543, readme badge (runkit+travis), actions |
+| v6.3.4 | aa3f9f4 | Robustness, readme #543, readme badge (travis), actions |
+| v6.2.5 | d68f354 | Robustness, readme #543, readme badge (travis), actions |
+| v6.1.3 | cb45ba1 | Robustness, readme #543, readme badge (travis) |
+| v6.0.5 | a73f299 | Robustness, readme #543, readme badge (travis) |

package/.claude/ghsa-2856-comment.md

@@ -0,0 +1,7 @@
+# GHSA-2856-wc6q-8xwc — Comment to post
+
+This is not a vulnerability. The described behavior only modifies properties on the **result object** returned by `qs.parse()` — it does not modify `Object.prototype` or any shared state. Setting `toString` or `hasOwnProperty` on a specific result object is not prototype pollution; it's the expected outcome of parsing a key with that name.
+
+The `allowPrototypes` option exists precisely to control whether keys that shadow `Object.prototype` properties are allowed on result objects. When `depth <= 0` and brackets are present, the prototype check is applied to the bracketed form of the key rather than the stripped form — this is a minor inconsistency in the check, but the result is equivalent to what would happen with `allowPrototypes: true`, which is an explicitly supported configuration.
+
+Closing as not applicable.

package/.claude/ghsa-6rw7-update.md

@@ -0,0 +1,53 @@
+# GHSA-6rw7-vpxm-498p — Edits to make
+
+## Severity
+Change: High → Low
+
+## CVSS 3.1
+Old: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` (7.5 High)
+New: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L` (3.7 Low)
+
+Changes:
+- AC: L → H (requires non-default parameterLimit config for real impact)
+- A: H → L (bounded memory increase, not a crash/full DoS under defaults)
+
+## Description — replace with:
+
+### Summary
+
+The `arrayLimit` option in qs did not enforce limits for bracket notation (`a[]=1&a[]=2`), only for indexed notation (`a[0]=1`). This is a consistency bug; `arrayLimit` should apply uniformly across all array notations.
+
+**Note:** The default `parameterLimit` of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than `parameterLimit` regardless of `arrayLimit`, because each `a[]=value` consumes one parameter slot. The severity has been reduced accordingly.
+
+### Details
+
+The `arrayLimit` option only checked limits for indexed notation (`a[0]=1&a[1]=2`) but did not enforce it for bracket notation (`a[]=1&a[]=2`).
+
+**Vulnerable code** (`lib/parse.js:159-162`):
+```javascript
+if (root === '[]' && options.parseArrays) {
+    obj = utils.combine([], leaf);  // No arrayLimit check
+}
+```
+
+**Working code** (`lib/parse.js:175`):
+```javascript
+else if (index <= options.arrayLimit) {  // Limit checked here
+    obj = [];
+    obj[index] = leaf;
+}
+```
+
+### PoC
+
+```javascript
+const qs = require('qs');
+const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
+console.log(result.a.length);  // Output: 6 (should be max 5)
+```
+
+**Note on parameterLimit interaction:** The original advisory's "DoS demonstration" claimed a length of 10,000, but `parameterLimit` (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.
+
+### Impact
+
+Consistency bug in `arrayLimit` enforcement. With default `parameterLimit`, the practical DoS risk is negligible since `parameterLimit` already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when `parameterLimit` is explicitly set to a very high value.

package/.claude/ghsa-w7fw-comment.md

@@ -0,0 +1,10 @@
+# GHSA-w7fw-mjwx-w883 — Comment to post
+
+This is a valid report — thank you. The comma-split code path in `parseArrayValue` returned the split array immediately, bypassing the `arrayLimit` check. Unlike the bracket notation case (GHSA-6rw7-vpxm-498p), this genuinely bypasses `parameterLimit` as well, since a single parameter like `a=x,x,x,...` produces an arbitrarily large array from one `&`-delimited parameter.
+
+A fix has been implemented: after the comma split and decode step, if the resulting array exceeds `arrayLimit`, it is converted to an object (consistent with other `arrayLimit` exceedances), and `throwOnLimitExceeded` is respected.
+
+A few corrections to the advisory:
+- **Severity should be Medium, not High**: This requires the non-default `comma: true` option to be explicitly enabled. HTTP server request size limits also bound the practical impact.
+- **Vulnerable version range**: Should be `<= 6.14.1` (not `< 6.14.1`), since 6.14.1 is also affected.
+- **Patched version**: Will be set once the fix is released.

package/.claude/settings.local.json

@@ -0,0 +1,36 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm run lint:*)",
+      "Bash(npm test:*)",
+      "Bash(npm run tests-only:*)",
+      "Bash(npm show:*)",
+      "Bash(git log:*)",
+      "Bash(git tag:*)",
+      "Bash(npm view:*)",
+      "Bash(git fetch:*)",
+      "Bash(git cat-file:*)",
+      "Bash(git show:*)",
+      "Bash(git rev-parse:*)",
+      "Bash(git rev-list:*)",
+      "Bash(gh api:*)",
+      "Bash(node /tmp/qs-vuln-test.js:*)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git show 3086902 --stat)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git diff HEAD -- lib/parse.js lib/utils.js)",
+      "Bash(open:*)",
+      "WebSearch",
+      "WebFetch(domain:www.first.org)",
+      "WebFetch(domain:nvd.nist.gov)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "Bash(git -C /Users/ljharb/git/ljharb/qs.git diff origin/main...HEAD)",
+      "Bash(for ver in v6.13.1 v6.12.3 v6.11.2 v6.10.5 v6.9.7 v6.8.3 v6.7.3 v6.6.1 v6.5.3 v6.4.1 v6.3.3 v6.2.4 v6.1.2 v6.0.4)",
+      "Bash(do echo '=== $ver ===')",
+      "Bash(done)",
+      "Bash(git checkout:*)",
+      "Bash(cd /Users/ljharb/git/ljharb/qs.git git add README.md git commit --no-verify --no-gpg-sign -m \"[readme] replace travis CI badge with shields.io check-runs badge\")",
+      "Bash(npm run dist:*)",
+      "Bash(for tag in v6.13.2 v6.12.4 v6.11.3 v6.10.6 v6.9.8 v6.8.4 v6.7.4 v6.6.2 v6.5.4 v6.4.2 v6.3.4 v6.2.5 v6.1.3 v6.0.5)",
+      "Bash(gh run view:*)"
+    ]
+  }
+}

package/.editorconfig

@@ -8,6 +8,7 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 max_line_length = 160
+quote_type = single
 
 [test/*]
 max_line_length = off

package/.eslintrc

@@ -3,20 +3,23 @@
 
     "extends": "@ljharb",
 
+    "ignorePatterns": [
+        "dist/",
+    ],
+
     "rules": {
         "complexity": 0,
         "consistent-return": 1,
-		"func-name-matching": 0,
+        "func-name-matching": 0,
         "id-length": [2, { "min": 1, "max": 25, "properties": "never" }],
         "indent": [2, 4],
         "max-lines-per-function": [2, { "max": 150 }],
-        "max-params": [2, 14],
+        "max-params": [2, 15],
         "max-statements": [2, 52],
         "multiline-comment-style": 0,
         "no-continue": 1,
         "no-magic-numbers": 0,
         "no-restricted-syntax": [2, "BreakStatement", "DebuggerStatement", "ForInStatement", "LabeledStatement", "WithStatement"],
-        "operator-linebreak": [2, "before"],
     },
 
     "overrides": [

package/CHANGELOG.md

@@ -1,3 +1,22 @@
+## **6.9.8**
+- [Robustness] avoid `.push`, use `void`
+- [readme] clarify `parseArrays` and `arrayLimit` documentation (#543)
+- [readme] document that `addQueryPrefix` does not add `?` to empty output (#418)
+- [readme] replace runkit CI badge with shields.io check-runs badge
+- [actions] fix rebase workflow permissions
+
+## **6.9.7**
+- [Fix] `parse`: ignore `__proto__` keys (#428)
+- [Fix] `stringify`: avoid encoding arrayformat comma when `encodeValuesOnly = true` (#424)
+- [Robustness] `stringify`: avoid relying on a global `undefined` (#427)
+- [readme] remove travis badge; add github actions/codecov badges; update URLs
+- [Docs] add note and links for coercing primitive values (#408)
+- [Tests] clean up stringify tests slightly
+- [meta] fix README.md (#399)
+- Revert "[meta] ignore eclint transitive audit warning"
+- [actions] backport actions from main
+- [Dev Deps] backport updates from main
+
 ## **6.9.6**
 - [Fix] restore `dist` dir; mistakenly removed in d4f6c32
 

package/README.md

@@ -1,12 +1,13 @@
 # qs <sup>[![Version Badge][2]][1]</sup>
 
-[![Build Status][3]][4]
-[![dependency status][5]][6]
-[![dev dependency status][7]][8]
+[![github actions][actions-image]][actions-url]
+[![coverage][codecov-image]][codecov-url]
+[![dependency status][deps-svg]][deps-url]
+[![dev dependency status][dev-deps-svg]][dev-deps-url]
 [![License][license-image]][license-url]
 [![Downloads][downloads-image]][downloads-url]
 
-[![npm badge][11]][1]
+[![npm badge][npm-badge-png]][package-url]
 
 A querystring parsing and stringifying library with some added security.
 
@@ -237,7 +238,7 @@ var withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c');
 assert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });
 ```
 
-**qs** will also limit specifying indices in an array to a maximum index of `20`. Any array members with an index of greater than `20` will
+**qs** will also limit arrays to a maximum of `20` elements. Any array members with an index of `20` or greater will
 instead be converted to an object with the index as the key. This is needed to handle cases when someone sent, for example, `a[999999999]` and it will take significant time to iterate over this huge array.
 
 ```javascript
@@ -252,7 +253,7 @@ var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });
 assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
 ```
 
-To disable array parsing entirely, set `parseArrays` to `false`.
+To prevent array syntax (`a[]`, `a[0]`) from being parsed as arrays, set `parseArrays` to `false`.
 
 ```javascript
 var noParsingArrays = qs.parse('a[]=b', { parseArrays: false });
@@ -280,6 +281,17 @@ assert.deepEqual(arraysOfObjects, { a: ['b', 'c'] })
 ```
 (_this cannot convert nested objects, such as `a={b:1},{c:d}`_)
 
+### Parsing primitive/scalar values (numbers, booleans, null, etc)
+
+By default, all values are parsed as strings. This behavior will not change and is explained in [issue #91](https://github.com/ljharb/qs/issues/91).
+
+```javascript
+var primitiveValues = qs.parse('a=15&b=true&c=null');
+assert.deepEqual(primitiveValues, { a: '15', b: 'true', c: 'null' });
+```
+
+If you wish to auto-convert values which look like numbers, booleans, and other values into their primitive counterparts, you can use the [query-types Express JS middleware](https://github.com/xpepermint/query-types) which will auto-convert all request query parameters.
+
 ### Stringifying
 
 [](#preventEval)
@@ -345,7 +357,7 @@ var encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str, defaultE
 The type argument is also provided to the decoder:
 
 ```javascript
-var decoded = qs.parse('x=z', { decoder: function (str, defaultEncoder, charset, type) {
+var decoded = qs.parse('x=z', { decoder: function (str, defaultDecoder, charset, type) {
     if (type === 'key') {
         return // Decoded key
     } else if (type === 'value') {
@@ -425,6 +437,12 @@ The query string may optionally be prepended with a question mark:
 assert.equal(qs.stringify({ a: 'b', c: 'd' }, { addQueryPrefix: true }), '?a=b&c=d');
 ```
 
+Note that when the output is an empty string, the prefix will not be added:
+
+```javascript
+assert.equal(qs.stringify({}, { addQueryPrefix: true }), '');
+```
+
 The delimiter may be overridden with stringify as well:
 
 ```javascript
@@ -587,18 +605,18 @@ Available as part of the Tidelift Subscription
 
 The maintainers of qs and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more.](https://tidelift.com/subscription/pkg/npm-qs?utm_source=npm-qs&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)
 
-[1]: https://npmjs.org/package/qs
-[2]: http://versionbadg.es/ljharb/qs.svg
-[3]: https://api.travis-ci.org/ljharb/qs.svg
-[4]: https://travis-ci.org/ljharb/qs
-[5]: https://david-dm.org/ljharb/qs.svg
-[6]: https://david-dm.org/ljharb/qs
-[7]: https://david-dm.org/ljharb/qs/dev-status.svg
-[8]: https://david-dm.org/ljharb/qs?type=dev
-[9]: https://ci.testling.com/ljharb/qs.png
-[10]: https://ci.testling.com/ljharb/qs
-[11]: https://nodei.co/npm/qs.png?downloads=true&stars=true
-[license-image]: http://img.shields.io/npm/l/qs.svg
+[package-url]: https://npmjs.org/package/qs
+[npm-version-svg]: https://versionbadg.es/ljharb/qs.svg
+[deps-svg]: https://david-dm.org/ljharb/qs.svg
+[deps-url]: https://david-dm.org/ljharb/qs
+[dev-deps-svg]: https://david-dm.org/ljharb/qs/dev-status.svg
+[dev-deps-url]: https://david-dm.org/ljharb/qs#info=devDependencies
+[npm-badge-png]: https://nodei.co/npm/qs.png?downloads=true&stars=true
+[license-image]: https://img.shields.io/npm/l/qs.svg
 [license-url]: LICENSE
-[downloads-image]: http://img.shields.io/npm/dm/qs.svg
-[downloads-url]: http://npm-stat.com/charts.html?package=qs
+[downloads-image]: https://img.shields.io/npm/dm/qs.svg
+[downloads-url]: https://npm-stat.com/charts.html?package=qs
+[codecov-image]: https://codecov.io/gh/ljharb/qs/branch/main/graphs/badge.svg
+[codecov-url]: https://app.codecov.io/gh/ljharb/qs/
+[actions-image]: https://img.shields.io/github/check-runs/ljharb/qs/main
+[actions-url]: https://github.com/ljharb/qs/actions

package/dist/qs.js

@@ -89,7 +89,7 @@ var charsetSentinel = 'utf8=%E2%9C%93'; // encodeURIComponent('✓')
 var parseValues = function parseQueryStringValues(str, options) {
     var obj = {};
     var cleanStr = options.ignoreQueryPrefix ? str.replace(/^\?/, '') : str;
-    var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit;
+    var limit = options.parameterLimit === Infinity ? void undefined : options.parameterLimit;
     var parts = cleanStr.split(options.delimiter, limit);
     var skipIndex = -1; // Keep track of where the utf8 sentinel was found
     var i;
@@ -174,7 +174,7 @@ var parseObject = function (chain, val, options, valuesParsed) {
             ) {
                 obj = [];
                 obj[index] = leaf;
-            } else {
+            } else if (cleanRoot !== '__proto__') {
                 obj[cleanRoot] = leaf;
             }
         }
@@ -214,7 +214,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesPars
             }
         }
 
-        keys.push(parent);
+        keys[keys.length] = parent;
     }
 
     // Loop through children appending to the array until we hit depth
@@ -227,13 +227,13 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesPars
                 return;
             }
         }
-        keys.push(segment[1]);
+        keys[keys.length] = segment[1];
     }
 
     // If there's a remainder, just add whatever is left
 
     if (segment) {
-        keys.push('[' + key.slice(segment.index) + ']');
+        keys[keys.length] = '[' + key.slice(segment.index + ']');
     }
 
     return parseObject(keys, val, options, valuesParsed);
@@ -316,6 +316,7 @@ var arrayPrefixGenerators = {
 };
 
 var isArray = Array.isArray;
+var split = String.prototype.split;
 var push = Array.prototype.push;
 var pushToArray = function (arr, valueOrArray) {
     push.apply(arr, isArray(valueOrArray) ? valueOrArray : [valueOrArray]);
@@ -393,6 +394,14 @@ var stringify = function stringify(
     if (isNonNullishPrimitive(obj) || utils.isBuffer(obj)) {
         if (encoder) {
             var keyValue = encodeValuesOnly ? prefix : encoder(prefix, defaults.encoder, charset, 'key', format);
+            if (generateArrayPrefix === 'comma' && encodeValuesOnly) {
+                var valuesArray = split.call(String(obj), ',');
+                var valuesJoined = '';
+                for (var i = 0; i < valuesArray.length; ++i) {
+                    valuesJoined += (i === 0 ? '' : ',') + formatter(encoder(valuesArray[i], defaults.encoder, charset, 'value', format));
+                }
+                return [formatter(keyValue) + '=' + valuesJoined];
+            }
             return [formatter(keyValue) + '=' + formatter(encoder(obj, defaults.encoder, charset, 'value', format))];
         }
         return [formatter(prefix) + '=' + formatter(String(obj))];
@@ -407,7 +416,7 @@ var stringify = function stringify(
     var objKeys;
     if (generateArrayPrefix === 'comma' && isArray(obj)) {
         // we need to join elements in
-        objKeys = [{ value: obj.length > 0 ? obj.join(',') || null : undefined }];
+        objKeys = [{ value: obj.length > 0 ? obj.join(',') || null : void undefined }];
     } else if (isArray(filter)) {
         objKeys = filter;
     } else {
@@ -415,9 +424,9 @@ var stringify = function stringify(
         objKeys = sort ? keys.sort(sort) : keys;
     }
 
-    for (var i = 0; i < objKeys.length; ++i) {
-        var key = objKeys[i];
-        var value = typeof key === 'object' && key.value !== undefined ? key.value : obj[key];
+    for (var j = 0; j < objKeys.length; ++j) {
+        var key = objKeys[j];
+        var value = typeof key === 'object' && typeof key.value !== 'undefined' ? key.value : obj[key];
 
         if (skipNulls && value === null) {
             continue;
@@ -453,7 +462,7 @@ var normalizeStringifyOptions = function normalizeStringifyOptions(opts) {
         return defaults;
     }
 
-    if (opts.encoder !== null && opts.encoder !== undefined && typeof opts.encoder !== 'function') {
+    if (opts.encoder !== null && typeof opts.encoder !== 'undefined' && typeof opts.encoder !== 'function') {
         throw new TypeError('Encoder has to be a function.');
     }
 
@@ -586,7 +595,7 @@ var isArray = Array.isArray;
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
-        array.push('%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase());
+        array[array.length] = '%' + ((i < 16 ? '0' : '' + i.toString(16)).toUpperCase());
     }
 
     return array;
@@ -602,7 +611,7 @@ var compactQueue = function compactQueue(queue) {
 
             for (var j = 0; j < obj.length; ++j) {
                 if (typeof obj[j] !== 'undefined') {
-                    compacted.push(obj[j]);
+                    compacted[compacted.length] = obj[j];
                 }
             }
 
@@ -630,7 +639,7 @@ var merge = function merge(target, source, options) {
 
     if (typeof source !== 'object') {
         if (isArray(target)) {
-            target.push(source);
+            target[target.length] = source;
         } else if (target && typeof target === 'object') {
             if ((options && (options.plainObjects || options.allowPrototypes)) || !has.call(Object.prototype, source)) {
                 target[source] = true;
@@ -658,7 +667,7 @@ var merge = function merge(target, source, options) {
                 if (targetItem && typeof targetItem === 'object' && item && typeof item === 'object') {
                     target[i] = merge(targetItem, item, options);
                 } else {
-                    target.push(item);
+                    target[target.length] = item;
                 }
             } else {
                 target[i] = item;
@@ -755,6 +764,7 @@ var encode = function encode(str, defaultEncoder, charset, kind, format) {
 
         i += 1;
         c = 0x10000 + (((c & 0x3FF) << 10) | (string.charCodeAt(i) & 0x3FF));
+        /* eslint operator-linebreak: [2, "before"] */
         out += hexTable[0xF0 | (c >> 18)]
             + hexTable[0x80 | ((c >> 12) & 0x3F)]
             + hexTable[0x80 | ((c >> 6) & 0x3F)]
@@ -777,8 +787,8 @@ var compact = function compact(value) {
             var key = keys[j];
             var val = obj[key];
             if (typeof val === 'object' && val !== null && refs.indexOf(val) === -1) {
-                queue.push({ obj: obj, prop: key });
-                refs.push(val);
+                queue[queue.length] = { obj: obj, prop: key };
+                refs[refs.length] = val;
             }
         }
     }
@@ -808,7 +818,7 @@ var maybeMap = function maybeMap(val, fn) {
     if (isArray(val)) {
         var mapped = [];
         for (var i = 0; i < val.length; i += 1) {
-            mapped.push(fn(val[i]));
+            mapped[mapped.length] = fn(val[i]);
         }
         return mapped;
     }

package/lib/parse.js

@@ -50,7 +50,7 @@ var charsetSentinel = 'utf8=%E2%9C%93'; // encodeURIComponent('✓')
 var parseValues = function parseQueryStringValues(str, options) {
     var obj = {};
     var cleanStr = options.ignoreQueryPrefix ? str.replace(/^\?/, '') : str;
-    var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit;
+    var limit = options.parameterLimit === Infinity ? void undefined : options.parameterLimit;
     var parts = cleanStr.split(options.delimiter, limit);
     var skipIndex = -1; // Keep track of where the utf8 sentinel was found
     var i;
@@ -135,7 +135,7 @@ var parseObject = function (chain, val, options, valuesParsed) {
             ) {
                 obj = [];
                 obj[index] = leaf;
-            } else {
+            } else if (cleanRoot !== '__proto__') {
                 obj[cleanRoot] = leaf;
             }
         }
@@ -175,7 +175,7 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesPars
             }
         }
 
-        keys.push(parent);
+        keys[keys.length] = parent;
     }
 
     // Loop through children appending to the array until we hit depth
@@ -188,13 +188,13 @@ var parseKeys = function parseQueryStringKeys(givenKey, val, options, valuesPars
                 return;
             }
         }
-        keys.push(segment[1]);
+        keys[keys.length] = segment[1];
     }
 
     // If there's a remainder, just add whatever is left
 
     if (segment) {
-        keys.push('[' + key.slice(segment.index) + ']');
+        keys[keys.length] = '[' + key.slice(segment.index + ']');
     }
 
     return parseObject(keys, val, options, valuesParsed);

package/lib/stringify.js

@@ -18,6 +18,7 @@ var arrayPrefixGenerators = {
 };
 
 var isArray = Array.isArray;
+var split = String.prototype.split;
 var push = Array.prototype.push;
 var pushToArray = function (arr, valueOrArray) {
     push.apply(arr, isArray(valueOrArray) ? valueOrArray : [valueOrArray]);
@@ -95,6 +96,14 @@ var stringify = function stringify(
     if (isNonNullishPrimitive(obj) || utils.isBuffer(obj)) {
         if (encoder) {
             var keyValue = encodeValuesOnly ? prefix : encoder(prefix, defaults.encoder, charset, 'key', format);
+            if (generateArrayPrefix === 'comma' && encodeValuesOnly) {
+                var valuesArray = split.call(String(obj), ',');
+                var valuesJoined = '';
+                for (var i = 0; i < valuesArray.length; ++i) {
+                    valuesJoined += (i === 0 ? '' : ',') + formatter(encoder(valuesArray[i], defaults.encoder, charset, 'value', format));
+                }
+                return [formatter(keyValue) + '=' + valuesJoined];
+            }
             return [formatter(keyValue) + '=' + formatter(encoder(obj, defaults.encoder, charset, 'value', format))];
         }
         return [formatter(prefix) + '=' + formatter(String(obj))];
@@ -109,7 +118,7 @@ var stringify = function stringify(
     var objKeys;
     if (generateArrayPrefix === 'comma' && isArray(obj)) {
         // we need to join elements in
-        objKeys = [{ value: obj.length > 0 ? obj.join(',') || null : undefined }];
+        objKeys = [{ value: obj.length > 0 ? obj.join(',') || null : void undefined }];
     } else if (isArray(filter)) {
         objKeys = filter;
     } else {
@@ -117,9 +126,9 @@ var stringify = function stringify(
         objKeys = sort ? keys.sort(sort) : keys;
     }
 
-    for (var i = 0; i < objKeys.length; ++i) {
-        var key = objKeys[i];
-        var value = typeof key === 'object' && key.value !== undefined ? key.value : obj[key];
+    for (var j = 0; j < objKeys.length; ++j) {
+        var key = objKeys[j];
+        var value = typeof key === 'object' && typeof key.value !== 'undefined' ? key.value : obj[key];
 
         if (skipNulls && value === null) {
             continue;
@@ -155,7 +164,7 @@ var normalizeStringifyOptions = function normalizeStringifyOptions(opts) {
         return defaults;
     }
 
-    if (opts.encoder !== null && opts.encoder !== undefined && typeof opts.encoder !== 'function') {
+    if (opts.encoder !== null && typeof opts.encoder !== 'undefined' && typeof opts.encoder !== 'function') {
         throw new TypeError('Encoder has to be a function.');
     }
 

package/lib/utils.js

@@ -8,7 +8,7 @@ var isArray = Array.isArray;
 var hexTable = (function () {
     var array = [];
     for (var i = 0; i < 256; ++i) {
-        array.push('%' + ((i < 16 ? '0' : '') + i.toString(16)).toUpperCase());
+        array[array.length] = '%' + ((i < 16 ? '0' : '' + i.toString(16)).toUpperCase());
     }
 
     return array;
@@ -24,7 +24,7 @@ var compactQueue = function compactQueue(queue) {
 
             for (var j = 0; j < obj.length; ++j) {
                 if (typeof obj[j] !== 'undefined') {
-                    compacted.push(obj[j]);
+                    compacted[compacted.length] = obj[j];
                 }
             }
 
@@ -52,7 +52,7 @@ var merge = function merge(target, source, options) {
 
     if (typeof source !== 'object') {
         if (isArray(target)) {
-            target.push(source);
+            target[target.length] = source;
         } else if (target && typeof target === 'object') {
             if ((options && (options.plainObjects || options.allowPrototypes)) || !has.call(Object.prototype, source)) {
                 target[source] = true;
@@ -80,7 +80,7 @@ var merge = function merge(target, source, options) {
                 if (targetItem && typeof targetItem === 'object' && item && typeof item === 'object') {
                     target[i] = merge(targetItem, item, options);
                 } else {
-                    target.push(item);
+                    target[target.length] = item;
                 }
             } else {
                 target[i] = item;
@@ -177,6 +177,7 @@ var encode = function encode(str, defaultEncoder, charset, kind, format) {
 
         i += 1;
         c = 0x10000 + (((c & 0x3FF) << 10) | (string.charCodeAt(i) & 0x3FF));
+        /* eslint operator-linebreak: [2, "before"] */
         out += hexTable[0xF0 | (c >> 18)]
             + hexTable[0x80 | ((c >> 12) & 0x3F)]
             + hexTable[0x80 | ((c >> 6) & 0x3F)]
@@ -199,8 +200,8 @@ var compact = function compact(value) {
             var key = keys[j];
             var val = obj[key];
             if (typeof val === 'object' && val !== null && refs.indexOf(val) === -1) {
-                queue.push({ obj: obj, prop: key });
-                refs.push(val);
+                queue[queue.length] = { obj: obj, prop: key };
+                refs[refs.length] = val;
             }
         }
     }
@@ -230,7 +231,7 @@ var maybeMap = function maybeMap(val, fn) {
     if (isArray(val)) {
         var mapped = [];
         for (var i = 0; i < val.length; i += 1) {
-            mapped.push(fn(val[i]));
+            mapped[mapped.length] = fn(val[i]);
         }
         return mapped;
     }

package/package.json

@@ -2,7 +2,7 @@
     "name": "qs",
     "description": "A querystring parser that supports nesting and arrays, with a depth limit",
     "homepage": "https://github.com/ljharb/qs",
-    "version": "6.9.6",
+    "version": "6.9.8",
     "repository": {
         "type": "git",
         "url": "https://github.com/ljharb/qs.git"
@@ -29,34 +29,35 @@
     "engines": {
         "node": ">=0.6"
     },
-    "dependencies": {},
     "devDependencies": {
-        "@ljharb/eslint-config": "^17.3.0",
-        "aud": "^1.1.3",
+        "@ljharb/eslint-config": "^20.1.0",
+        "aud": "^1.1.5",
         "browserify": "^16.5.2",
         "eclint": "^2.8.1",
-        "eslint": "^7.17.0",
+        "eslint": "^8.6.0",
         "evalmd": "^0.0.19",
         "for-each": "^0.3.3",
-        "has-symbols": "^1.0.1",
+        "has-symbols": "^1.0.2",
         "iconv-lite": "^0.5.1",
+        "in-publish": "^2.0.1",
         "mkdirp": "^0.5.5",
         "nyc": "^10.3.2",
-        "object-inspect": "^1.9.0",
+        "object-inspect": "^1.12.0",
         "qs-iconv": "^1.0.4",
-        "safe-publish-latest": "^1.1.4",
+        "safe-publish-latest": "^2.0.0",
         "safer-buffer": "^2.1.2",
-        "tape": "^5.1.1"
+        "tape": "^5.4.0"
     },
     "scripts": {
-        "prepublish": "safe-publish-latest && npm run dist",
+        "prepublishOnly": "safe-publish-latest && npm run dist",
+        "prepublish": "not-in-publish || npm run prepublishOnly",
         "pretest": "npm run --silent readme && npm run --silent lint",
         "test": "npm run tests-only",
         "tests-only": "nyc tape 'test/**/*.js'",
         "posttest": "aud --production",
         "readme": "evalmd README.md",
-        "postlint": "eclint check * lib/* test/*",
-        "lint": "eslint lib/*.js test/*.js",
+        "postlint": "eclint check * lib/* test/* !dist/*",
+        "lint": "eslint .",
         "dist": "mkdirp dist && browserify --standalone Qs lib/index.js > dist/qs.js"
     },
     "license": "BSD-3-Clause",

package/test/parse.js

@@ -620,6 +620,66 @@ test('parse()', function (t) {
         st.end();
     });
 
+    t.test('dunder proto is ignored', function (st) {
+        var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
+        var result = qs.parse(payload, { allowPrototypes: true });
+
+        st.deepEqual(
+            result,
+            {
+                categories: {
+                    length: '42'
+                }
+            },
+            'silent [[Prototype]] payload'
+        );
+
+        var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
+
+        st.deepEqual(
+            plainResult,
+            {
+                __proto__: null,
+                categories: {
+                    __proto__: null,
+                    length: '42'
+                }
+            },
+            'silent [[Prototype]] payload: plain objects'
+        );
+
+        var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
+
+        st.notOk(Array.isArray(query.categories), 'is not an array');
+        st.notOk(query.categories instanceof Array, 'is not instanceof an array');
+        st.deepEqual(query.categories, { some: { json: 'toInject' } });
+        st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
+
+        st.deepEqual(
+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
+            {
+                foo: {
+                    bar: 'stuffs'
+                }
+            },
+            'hidden values'
+        );
+
+        st.deepEqual(
+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
+            {
+                __proto__: null,
+                foo: {
+                    __proto__: null,
+                    bar: 'stuffs'
+                }
+            },
+            'hidden values: plain objects'
+        );
+
+        st.end();
+    });
+
     t.test('can return null objects', { skip: !Object.create }, function (st) {
         var expected = Object.create(null);
         expected.a = Object.create(null);

package/test/stringify.js

@@ -132,10 +132,10 @@ test('stringify()', function (t) {
     });
 
     t.test('stringifies a nested array value', function (st) {
-        st.equal(qs.stringify({ a: { b: ['c', 'd'] } }, { arrayFormat: 'indices' }), 'a%5Bb%5D%5B0%5D=c&a%5Bb%5D%5B1%5D=d');
-        st.equal(qs.stringify({ a: { b: ['c', 'd'] } }, { arrayFormat: 'brackets' }), 'a%5Bb%5D%5B%5D=c&a%5Bb%5D%5B%5D=d');
-        st.equal(qs.stringify({ a: { b: ['c', 'd'] } }, { arrayFormat: 'comma' }), 'a%5Bb%5D=c%2Cd'); // a[b]=c,d
-        st.equal(qs.stringify({ a: { b: ['c', 'd'] } }), 'a%5Bb%5D%5B0%5D=c&a%5Bb%5D%5B1%5D=d');
+        st.equal(qs.stringify({ a: { b: ['c', 'd'] } }, { encodeValuesOnly: true, arrayFormat: 'indices' }), 'a[b][0]=c&a[b][1]=d');
+        st.equal(qs.stringify({ a: { b: ['c', 'd'] } }, { encodeValuesOnly: true, arrayFormat: 'brackets' }), 'a[b][]=c&a[b][]=d');
+        st.equal(qs.stringify({ a: { b: ['c', 'd'] } }, { encodeValuesOnly: true, arrayFormat: 'comma' }), 'a[b]=c,d');
+        st.equal(qs.stringify({ a: { b: ['c', 'd'] } }, { encodeValuesOnly: true }), 'a[b][0]=c&a[b][1]=d');
         st.end();
     });
 
@@ -143,7 +143,7 @@ test('stringify()', function (t) {
         st.equal(
             qs.stringify(
                 { a: { b: ['c', 'd'] } },
-                { allowDots: true, encode: false, arrayFormat: 'indices' }
+                { allowDots: true, encodeValuesOnly: true, arrayFormat: 'indices' }
             ),
             'a.b[0]=c&a.b[1]=d',
             'indices: stringifies with dots + indices'
@@ -151,7 +151,7 @@ test('stringify()', function (t) {
         st.equal(
             qs.stringify(
                 { a: { b: ['c', 'd'] } },
-                { allowDots: true, encode: false, arrayFormat: 'brackets' }
+                { allowDots: true, encodeValuesOnly: true, arrayFormat: 'brackets' }
             ),
             'a.b[]=c&a.b[]=d',
             'brackets: stringifies with dots + brackets'
@@ -159,7 +159,7 @@ test('stringify()', function (t) {
         st.equal(
             qs.stringify(
                 { a: { b: ['c', 'd'] } },
-                { allowDots: true, encode: false, arrayFormat: 'comma' }
+                { allowDots: true, encodeValuesOnly: true, arrayFormat: 'comma' }
             ),
             'a.b=c,d',
             'comma: stringifies with dots + comma'
@@ -167,7 +167,7 @@ test('stringify()', function (t) {
         st.equal(
             qs.stringify(
                 { a: { b: ['c', 'd'] } },
-                { allowDots: true, encode: false }
+                { allowDots: true, encodeValuesOnly: true }
             ),
             'a.b[0]=c&a.b[1]=d',
             'default: stringifies with dots + indices'
@@ -215,17 +215,23 @@ test('stringify()', function (t) {
 
     t.test('stringifies an array with mixed objects and primitives', function (st) {
         st.equal(
-            qs.stringify({ a: [{ b: 1 }, 2, 3] }, { encode: false, arrayFormat: 'indices' }),
+            qs.stringify({ a: [{ b: 1 }, 2, 3] }, { encodeValuesOnly: true, arrayFormat: 'indices' }),
             'a[0][b]=1&a[1]=2&a[2]=3',
             'indices => indices'
         );
         st.equal(
-            qs.stringify({ a: [{ b: 1 }, 2, 3] }, { encode: false, arrayFormat: 'brackets' }),
+            qs.stringify({ a: [{ b: 1 }, 2, 3] }, { encodeValuesOnly: true, arrayFormat: 'brackets' }),
             'a[][b]=1&a[]=2&a[]=3',
             'brackets => brackets'
         );
         st.equal(
-            qs.stringify({ a: [{ b: 1 }, 2, 3] }, { encode: false }),
+            qs.stringify({ a: [{ b: 1 }, 2, 3] }, { encodeValuesOnly: true, arrayFormat: 'comma' }),
+            '???',
+            'brackets => brackets',
+            { skip: 'TODO: figure out what this should do' }
+        );
+        st.equal(
+            qs.stringify({ a: [{ b: 1 }, 2, 3] }, { encodeValuesOnly: true }),
             'a[0][b]=1&a[1]=2&a[2]=3',
             'default => indices'
         );
@@ -784,7 +790,12 @@ test('stringify()', function (t) {
         st.equal(qs.stringify(withArray, { encode: false }), 'a[b][0][c]=d&a[b][0][e]=f', 'array, no arrayFormat');
         st.equal(qs.stringify(withArray, { encode: false, arrayFormat: 'bracket' }), 'a[b][0][c]=d&a[b][0][e]=f', 'array, bracket');
         st.equal(qs.stringify(withArray, { encode: false, arrayFormat: 'indices' }), 'a[b][0][c]=d&a[b][0][e]=f', 'array, indices');
-        st.equal(qs.stringify(obj, { encode: false, arrayFormat: 'comma' }), '???', 'array, comma (pending issue #378)', { skip: true });
+        st.equal(
+            qs.stringify(withArray, { encode: false, arrayFormat: 'comma' }),
+            '???',
+            'array, comma',
+            { skip: 'TODO: figure out what this should do' }
+        );
 
         st.end();
     });

package/.eslintignore

@@ -1,2 +0,0 @@
-dist/
-coverage/