chore(deps): update dependency qs to v6.14.1 (master)

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
qs	dependencies	minor	6.9.4 → 6.14.1

This PR resolves the vulnerabilities described in Issue #829

---

Version 6.9.4

Risk Change	Critical	High	Medium	Low
N/A	0	1	0	2

Version 6.14.1

Risk Change	Critical	High	Medium	Low
-100%	0 (--)	0 (-1 )	0 (--)	0 (-2 )

Mend ensures you have the greatest risk reduction ("Recommended Fix"-highlighted in green) by removing as many vulnerabilities as possible. Click to see how we calculate risk reduction.

---

Release Notes

ljharb/qs (qs)

v6.14.1

Compare Source

• [Fix] ensure arrayLimit applies to [] notation as well
• [Fix] parse: when a custom decoder returns null for a key, ignore that key
• [Refactor] parse: extract key segment splitting helper
• [meta] add threat model
• [actions] add workflow permissions
• [Tests] stringify: increase coverage
• [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

v6.14.0

Compare Source

• [New] parse: add throwOnParameterLimitExceeded option (#​517)
• [Refactor] parse: use utils.combine more
• [patch] parse: add explicit throwOnLimitExceeded default
• [actions] use shared action; re-add finishers
• [meta] Fix changelog formatting bug
• [Deps] update side-channel
• [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
• [Tests] increase coverage

v6.13.3

Compare Source

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

v6.13.2

Compare Source

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#​543)
• [readme] document that addQueryPrefix does not add ? to empty output (#​418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

v6.13.1

Compare Source

• [Fix] stringify: avoid a crash when a filter key is null
• [Fix] utils.merge: functions should not be stringified into keys
• [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
• [Fix] stringify: ensure a non-string filter does not crash
• [Refactor] use __proto__ syntax instead of Object.create for null objects
• [Refactor] misc cleanup
• [Tests] utils.merge: add some coverage
• [Tests] fix a test case
• [actions] split out node 10-20, and 20+
• [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

v6.13.0

Compare Source

• [New] parse: add strictDepth option (#​511)
• [Tests] use npm audit instead of aud

v6.12.5

Compare Source

• [Fix] fix regressions from robustness refactor
• [actions] update reusable workflows

v6.12.4

Compare Source

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#​543)
• [readme] document that addQueryPrefix does not add ? to empty output (#​418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

v6.12.3

Compare Source

• [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
• [meta] fix changelog indentation

v6.12.2

Compare Source

• [Fix] parse: parse encoded square brackets (#​506)
• [readme] add CII best practices badge

v6.12.1

Compare Source

• [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#​501)
• [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#​502)
• [Refactor] utils: use +=
• [Tests] increase coverage

v6.12.0

Compare Source

• [New] parse/stringify: add decodeDotInKeys/encodeDotKeys options (#​488)
• [New] parse: add duplicates option
• [New] parse/stringify: add allowEmptyArrays option to allow [] in object values (#​487)
• [Refactor] parse/stringify: move allowDots config logic to its own variable
• [Refactor] stringify: move option-handling code into normalizeStringifyOptions
• [readme] update readme, add logos (#​484)
• [readme] stringify: clarify default arrayFormat behavior
• [readme] fix line wrapping
• [readme] remove dead badges
• [Deps] update side-channel
• [meta] make the dist build 50% smaller
• [meta] add sideEffects flag
• [meta] run build in prepack, not prepublish
• [Tests] parse: remove useless tests; add coverage
• [Tests] stringify: increase coverage
• [Tests] use mock-property
• [Tests] stringify: improve coverage
• [Dev Deps] update @ljharb/eslint-config , aud, has-override-mistake, has-property-descriptors, mock-property, npmignore, object-inspect, tape
• [Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak
• [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6

v6.11.4

Compare Source

• [Fix] fix regressions from robustness refactor
• [actions] update reusable workflows

v6.11.3

Compare Source

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#​543)
• [readme] document that addQueryPrefix does not add ? to empty output (#​418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

v6.11.2

Compare Source

• [Fix] parse: Fix parsing when the global Object prototype is frozen (#​473)
• [Tests] add passing test cases with empty keys (#​473)

v6.11.1

Compare Source

• [Fix] stringify: encode comma values more consistently (#​463)
• [readme] add usage of filter option for injecting custom serialization, i.e. of custom types (#​447)
• [meta] remove extraneous code backticks (#​457)
• [meta] fix changelog markdown
• [actions] update checkout action
• [actions] restrict action permissions
• [Dev Deps] update @ljharb/eslint-config, aud, object-inspect, tape

v6.11.0

Compare Source

• [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#​442)
• [readme] fix version badge

v6.10.7

Compare Source

• [Fix] fix regressions from robustness refactor
• [actions] update reusable workflows

v6.10.6

Compare Source

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#​543)
• [readme] document that addQueryPrefix does not add ? to empty output (#​418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

v6.10.5

Compare Source

• [Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#​434)

v6.10.4

Compare Source

• [Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (#​441)
• [meta] use npmignore to autogenerate an npmignore file
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, object-inspect, tape

v6.10.3

Compare Source

• [Fix] parse: ignore __proto__ keys (#​428)
• [Robustness] stringify: avoid relying on a global undefined (#​427)
• [actions] reuse common workflows
• [Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, tape

v6.10.2

Compare Source

• [Fix] stringify: actually fix cyclic references (#​426)
• [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#​424)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] add note and links for coercing primitive values (#​408)
• [actions] update codecov uploader
• [actions] update workflows
• [Tests] clean up stringify tests slightly
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, safe-publish-latest, tape

v6.10.1

Compare Source

• [Fix] stringify: avoid exception on repeated object values (#​402)

v6.10.0

Compare Source

• [New] stringify: throw on cycles, instead of an infinite loop (#​395, #​394, #​393)
• [New] parse: add allowSparse option for collapsing arrays with missing indices (#​312)
• [meta] fix README.md (#​399)
• [meta] only run npm run dist in publish, not install
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbols, tape
• [Tests] fix tests on node v0.6
• [Tests] use ljharb/actions/node/install instead of ljharb/actions/node/run
• [Tests] Revert "[meta] ignore eclint transitive audit warning"

v6.9.9

Compare Source

• [Fix] fix regressions from robustness refactor
• [meta] add npmignore to autogenerate an npmignore file
• [actions] update reusable workflows

v6.9.8

Compare Source

• [Robustness] avoid .push, use void
• [readme] clarify parseArrays and arrayLimit documentation (#​543)
• [readme] document that addQueryPrefix does not add ? to empty output (#​418)
• [readme] replace runkit CI badge with shields.io check-runs badge
• [actions] fix rebase workflow permissions

v6.9.7

Compare Source

• [Fix] parse: ignore __proto__ keys (#​428)
• [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#​424)
• [Robustness] stringify: avoid relying on a global undefined (#​427)
• [readme] remove travis badge; add github actions/codecov badges; update URLs
• [Docs] add note and links for coercing primitive values (#​408)
• [Tests] clean up stringify tests slightly
• [meta] fix README.md (#​399)
• Revert "[meta] ignore eclint transitive audit warning"
• [actions] backport actions from main
• [Dev Deps] backport updates from main

v6.9.6

Compare Source

• [Fix] restore dist dir; mistakenly removed in d4f6c32

v6.9.5

Compare Source

• [Fix] stringify: do not encode parens for RFC1738
• [Fix] stringify: fix arrayFormat comma with empty array/objects (#​350)
• [Refactor] format: remove util.assign call
• [meta] add "Allow Edits" workflow; update rebase workflow
• [actions] switch Automatic Rebase workflow to pull_request_target event
• [Tests] stringify: add tests for #​378
• [Tests] migrate tests to Github Actions
• [Tests] run nyc on all tests; use tape runner
• [Dev Deps] update eslint, @ljharb/eslint-config, browserify, mkdirp, object-inspect, tape; add aud

---

• If you want to rebase/retry this PR, check this box