Skip to content

chore(deps): update dependency qs to v6.7.3 [security]#96

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-qs-vulnerability
Open

chore(deps): update dependency qs to v6.7.3 [security]#96
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-qs-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 28, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
qs 6.7.06.7.3 age confidence

qs vulnerable to Prototype Pollution

CVE-2022-24999 / GHSA-hrpp-h998-j3pp

More information

Details

qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

ljharb/qs (qs)

v6.7.3

Compare Source

  • [Fix] parse: ignore __proto__ keys (#​428)
  • [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#​424)
  • [Robustness] stringify: avoid relying on a global undefined (#​427)
  • [readme] remove travis badge; add github actions/codecov badges; update URLs
  • [Docs] add note and links for coercing primitive values (#​408)
  • [meta] fix README.md (#​399)
  • [meta] do not publish workflow files
  • [actions] backport actions from main
  • [Dev Deps] backport updates from main
  • [Tests] use nyc for coverage
  • [Tests] clean up stringify tests slightly

v6.7.2

Compare Source

  • [Fix] proper comma parsing of URL-encoded commas (#​361)
  • [Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#​336)

v6.7.1

Compare Source

  • [Fix] parse: Fix parsing array from object with comma true (#​359)
  • [Fix] parse: with comma true, handle field that holds an array of arrays (#​335)
  • [fix] parse: with comma true, do not split non-string values (#​334)
  • [Fix] parse: throw a TypeError instead of an Error for bad charset (#​349)
  • [Fix] fix for an impossible situation: when the formatter is called with a non-string value
  • [Refactor] formats: tiny bit of cleanup.
  • readme: add security note
  • [meta] add tidelift marketing copy
  • [meta] add funding field
  • [meta] add FUNDING.yml
  • [meta] Clean up license text so it’s properly detected as BSD-3-Clause
  • [Dev Deps] update eslint, @ljharb/eslint-config, tape, safe-publish-latest, evalmd, iconv-lite, mkdirp, object-inspect, browserify
  • [Tests] parse: add passing arrayFormat tests
  • [Tests] use shared travis-ci configs
  • [Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray
  • [Tests] add tests for depth=0 and depth=false behavior, both current and intuitive/intended
  • [Tests] use eclint instead of editorconfig-tools
  • [actions] add automatic rebasing / merge commit blocking

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 193c20d to 2f319d2 Compare October 15, 2023 17:05
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 2f319d2 to 7190cc8 Compare October 23, 2023 17:57
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 7190cc8 to a58bf91 Compare January 15, 2024 10:05
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from a58bf91 to eac8eff Compare February 4, 2024 09:34
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from eac8eff to 4df3610 Compare February 25, 2024 11:18
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 4df3610 to 3e9393f Compare March 12, 2024 12:44
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 3e9393f to a4cc519 Compare April 14, 2024 08:34
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from a4cc519 to 0ce4633 Compare July 21, 2024 14:32
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 0ce4633 to 933b40b Compare August 6, 2024 06:50
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 933b40b to 45b365c Compare December 2, 2024 10:24
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 45b365c to 3276ef6 Compare January 23, 2025 21:12
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 3276ef6 to 3d87d52 Compare February 9, 2025 14:13
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 3d87d52 to 23f74db Compare March 3, 2025 12:20
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 23f74db to 31c8ac4 Compare March 11, 2025 11:43
@renovate renovate Bot changed the title fix(deps): update dependency qs to v6.7.3 [security] chore(deps): update dependency qs to v6.7.3 [security] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 31c8ac4 to 13be348 Compare December 31, 2025 17:47
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from dd75a89 to 30e28a0 Compare February 17, 2026 16:05
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 30e28a0 to 23ff122 Compare April 8, 2026 18:08
@renovate renovate Bot changed the title chore(deps): update dependency qs to v6.7.3 [security] chore(deps): update dependency qs to v6.7.3 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-qs-vulnerability branch April 27, 2026 17:29
@renovate renovate Bot changed the title chore(deps): update dependency qs to v6.7.3 [security] - autoclosed chore(deps): update dependency qs to v6.7.3 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-qs-vulnerability branch from 23ff122 to 52ca78f Compare April 27, 2026 23:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants