
Bump qs and express#3

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-c8afcbbcd8

Conversation


@dependabot dependabot bot commented on behalf of github Jan 1, 2026

Bumps qs to 6.14.1 and updates ancestor dependency express. These dependencies need to be updated together.

Updates qs from 6.5.1 to 6.14.1

Changelog

Sourced from qs's changelog.

6.14.1

  • [Fix] ensure arrayLength applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.1

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup
  • [Tests] utils.merge: add some coverage
  • [Tests] fix a test case
  • [actions] split out node 10-20, and 20+
  • [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

6.13.0

  • [New] parse: add strictDepth option (#511)
  • [Tests] use npm audit instead of aud

6.12.3

  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays
  • [meta] fix changelog indentation

6.12.2

  • [Fix] parse: parse encoded square brackets (#506)
  • [readme] add CII best practices badge

6.12.1

  • [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501)
  • [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502)
  • [Refactor] utils: use +=
  • [Tests] increase coverage

6.12.0

... (truncated)

Commits
  • 3fa11a5 v6.14.1
  • a626704 [Dev Deps] update npmignore
  • 3086902 [Fix] ensure arrayLength applies to [] notation as well
  • fc7930e [Dev Deps] update eslint, @ljharb/eslint-config
  • 0b06aac [Dev Deps] update @ljharb/eslint-config
  • 64951f6 [Refactor] parse: extract key segment splitting helper
  • e1bd259 [Dev Deps] update @ljharb/eslint-config
  • f4b3d39 [eslint] add eslint 9 optional peer dep
  • 6e94d95 [Dev Deps] update eslint, @ljharb/eslint-config, npmignore
  • 973dc3c [actions] add workflow permissions
  • Additional commits viewable in compare view

Updates express from 4.16.3 to 4.22.1

Release notes

Sourced from express's releases.

v4.22.1

What's Changed

[!IMPORTANT]
The prior release (4.22.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@4.22.0...v4.22.1

4.22.0

Important: Security

What's Changed

Full Changelog: expressjs/express@4.21.2...4.22.0

4.21.2

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

... (truncated)

Changelog

Sourced from express's changelog.

4.22.1 / 2025-12-01

4.22.0 / 2025-12-01

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [qs](https://github.com/ljharb/qs) to 6.14.1 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `qs` from 6.5.1 to 6.14.1
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.5.1...v6.14.1)

Updates `express` from 4.16.3 to 4.22.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.1/History.md)
- [Commits](expressjs/express@4.16.3...v4.22.1)

---
updated-dependencies:
- dependency-name: qs
  dependency-version: 6.14.1
  dependency-type: indirect
- dependency-name: express
  dependency-version: 4.22.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 1, 2026

fossabot bot commented Jan 1, 2026

✓ Safe to upgrade

I recommend merging this upgrade because it includes critical security fixes for prototype pollution vulnerabilities in both qs and express packages without introducing breaking changes that affect this codebase. The application uses express.urlencoded with extended: false, meaning it doesn't rely on the qs parser where breaking changes occurred. No deprecated patterns (res.redirect('back'), res.clearCookie with maxAge, non-integer res.status values) were found in the codebase. This upgrade patches multiple High severity security vulnerabilities including CVE-2024-51999 and CVE-2024-47764.

What we checked

  • Application uses express.urlencoded({ extended: false }), which means it doesn't use the qs parser. Breaking changes in qs (depth limits, cycle detection) don't affect this application since extended: false uses the querystring library instead [1]
  • Express upgraded to 4.22.1 - staying within v4.x branch, so Express 5 breaking changes don't apply [2]
  • qs upgraded to 6.14.1 with critical security fixes for prototype pollution (proto keys) and safer-buffer usage [3]
  • res.status usage with numeric expression (err.status || 500) is compatible - no string or non-integer values used [4]
  • No req.query usage found in user routes - application doesn't parse or modify query parameters [5]
  • No res.redirect or res.clearCookie usage in routes - deprecated patterns not present in codebase [6]

Dependency Usage

Express serves as the core web framework for this Node.js RESTful application, powering the main application setup with middleware (logging, cookie parsing, error handling), route definitions for the home page, and database-backed API endpoints for user data retrieval. The qs package is installed as a transitive dependency of Express but has no direct usage in the application code, indicating it's used internally by Express for query string parsing. The architecture follows a standard Express pattern with centralized configuration in app.js, modular routing, and a server bootstrap script that launches the application on a configurable port.

  • Application uses express.urlencoded({ extended: false }), which means it doesn't use the qs parser. Breaking changes in qs (depth limits, cycle detection) don't affect this application since extended: false uses the querystring library instead
    app.use(express.urlencoded({ extended: false }));
  • res.status usage with numeric expression (err.status || 500) is compatible - no string or non-integer values used
    res.status(err.status || 500);
Less Important Usages (1)

These usages were analyzed but no breaking changes were detected:

express

Changes

The qs package upgrade addresses 21 critical security vulnerabilities, including prototype pollution protections (__proto__ key filtering) and safer buffer handling, alongside 8 breaking changes where cycles now throw errors during stringify operations and the "internals" pattern has been removed. Key functional improvements include fixes for array parsing edge cases, comma-delimited value handling, and charset encoding issues across 138 bug fixes.

  • [Refactor] remove “internals” pattern. (a296cb4) (v6.14.1, changelog)
  • [New] stringify: throw on cycles, instead of an infinite loop (63766c2) (v6.14.1, changelog)
  • Added extra key/value argument to decoder function for type differentiation (#333) (v6.9.0, package source)
  • [Fix] use safer-buffer instead of Buffer constructor (73b3732) (v6.14.1, changelog)
  • [Fix] parse: ignore __proto__ keys (8b4cc14) (v6.14.1, changelog)
  • [Fix] parse: ignore __proto__ keys (#428) (e799ba5) (v6.14.1, changelog)
  • [actions] restrict action permissions (e45d713) (v6.14.1, changelog)
  • [Fix] use String(foo) instead of foo + ‘’ to correctly cast to a string. (5cc3728) (v6.14.1, changelog)
  • v6.0.2 (47dfbd6) (v6.14.1, changelog)
  • [Fix] ensure that allowPrototypes: false does not ever shadow Object.prototype properties. (ca844c5) (v6.14.1, changelog)
  • [Fix] Restore dist directory; will be removed in v7. (938f24e) (v6.14.1, changelog)
  • Test cases for sort parameter fix. Old implementation was not sorting keys at 3 or more depth. (4479449) (v6.14.1, changelog)
  • [Fix] ensure key[]=x&key[]&key[]=y results in 3, not 2, values. (5ac31b4) (v6.14.1, changelog)
  • [Robustness] formats: cache String#replace (387afd7) (v6.14.1, changelog)
  • remove unnecessary escapes (according to npm test results) (eb9fbe4) (v6.14.1, changelog)
  • [Refactor] stringify: throw faster with an invalid encoder (b041eb9) (v6.14.1, changelog)
  • [Fix] when parseArrays is false, properly handle keys ending in [] (2b94ea7) (v6.14.1, changelog)
  • [Tests] remove nonexistent tape option (e570db9) (v6.14.1, changelog)
  • [Refactor] parse/stringify: clean up charset options checking; fix defaults (380568b) (v6.14.1, changelog)
  • [Fix] stringify: do not crash when the following criteria are met: (ac6d4ce) (v6.14.1, changelog)
  • [Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided (0da164d) (v6.14.1, changelog)
  • [Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (98126ef) (v6.14.1, changelog)
  • v6.0.3 (be1c421) (v6.14.1, changelog)
  • [Fix] follow allowPrototypes option during merge (ec9e736) (v6.14.1, changelog)
  • [eslint] reduce warnings (c43969f) (v6.14.1, changelog)
  • [Fix] support keys starting with brackets. (12152db) (v6.14.1, changelog)
  • [Fix] correctly parse nested arrays (fde5bb7) (v6.14.1, changelog)
  • [Fix] utils.merge: avoid a crash with a null target and a truthy non-array source (d856d80) (v6.14.1, changelog)
  • [Fix] fix for an impossible situation: when the formatter is called with a non-string value (8dbad28) (v6.14.1, changelog)
  • [Robustness] stringify: cache Object.prototype.hasOwnProperty (41c42b8) (v6.14.1, changelog)
  • [New] [Fix] stringify symbols and bigints (2ebaf87) (v6.14.1, changelog)
  • [Fix] parse: throw a TypeError instead of an Error for bad charset (fe6384c) (v6.14.1, changelog)
  • [Fix] parse: Fix parsing array from object with comma true (eecd28d) (v6.14.1, changelog)
  • [Fix] parses comma delimited array while having percent-encoded comma treated as normal text (cd9a3cd) (v6.14.1, changelog)
  • [Fix] proper comma parsing of URL-encoded commas (bf0ea91) (v6.14.1, changelog)
  • [Fix] stringify: when arrayFormat is comma, respect serializeDate (daf3e6a) (v6.14.1, changelog)
  • [Fix] ensure node 0.12 can stringify Symbols (3b40167) (v6.14.1, changelog)
  • [Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray (b635b60) (v6.14.1, changelog)
  • [fix] parse: with comma true, do not split non-string values (#334) (99a8181) (v6.14.1, changelog)
  • [Fix] parse: with comma true, handle field that holds an array of arrays (#335) (77c2846) (v6.14.1, changelog)
  • [Fix] stringify: fix arrayFormat comma with empty array/objects (deada94) (v6.14.1, changelog)
  • [Fix] stringify: do not encode parens for RFC1738 (4e7a5a3) (v6.14.1, changelog)
  • [Fix] restore dist dir; mistakenly removed in d4f6c32 (47d0b83) (v6.14.1, changelog)
  • [Tests] fix tests on node v0.6 (586f029) (v6.14.1, changelog)
  • [Fix] stringify: avoid exception on repeated object values (e77ca2c) (v6.14.1, changelog)
  • [Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424) (4a17709) (v6.14.1, changelog)
  • [Fix] stringify: actually fix cyclic references (9aee773) (v6.14.1, changelog)
  • [Robustness] stringify: avoid relying on a global undefined (0a1d3e8) (v6.14.1, changelog)
  • [Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (4e44019) (v6.14.1, changelog)
  • [Fix] stringify: encode comma values more consistently (4c4b23d) (v6.14.1, changelog)
  • [Fix] parse: Fix parsing when the global Object prototype is frozen (7895b94) (v6.14.1, changelog)
  • [Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak (5f0449f) (v6.14.1, changelog)
  • [Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (7e18298) (v6.14.1, changelog)
  • [Fix]: parse: parse encoded square brackets (81835ff) (v6.14.1, changelog)
  • [Fix] parse: properly account for strictNullHandling when allowEmptyArrays (1bf9f7a) (v6.14.1, changelog)
  • [Fix] stringify: ensure a non-string filter does not crash (99fd543) (v6.14.1, changelog)
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset (ca55d0f) (v6.14.1, changelog)
  • [Fix] utils.merge: functions should not be stringified into keys (aa1f0a8) (v6.14.1, changelog)
  • [Fix] stringify: avoid a crash when a filter key is null (96f4d93) (v6.14.1, changelog)
  • [patch] parse: add explicit throwOnLimitExceeded default (b189ed4) (v6.14.1, changelog)
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key (6135284) (v6.14.1, changelog)
  • [Fix] ensure arrayLength applies to [] notation as well (3086902) (v6.14.1, changelog)
  • [Fix] Restore list directory; will be removed in v7. (c8857a0) (v6.14.1, changelog)
  • allowDots option for stringify. Tests also updated. (468c9df) (v6.14.1, changelog)
  • Added encoder option with ShiftJIS test code (79c2c7e) (v6.14.1, changelog)
  • Added decoder option analogue to encoder option. (f91a1e5) (v6.14.1, changelog)
  • Slight structure changes in the code to allow custom encoding of Buffers (50c785c) (v6.14.1, changelog)
  • Add support for RFC 1738 (3dc76ca) (v6.14.1, changelog)
  • Merge pull request #268 from papandreou/feature/iso8859-1 (286c4bd) (v6.14.1, changelog)
  • [New] qs.stringify: add encodeValuesOnly option (556ee0a) (v6.14.1, changelog)
  • [New] parse: add allowSparse option for collapsing arrays with missing indices (b04febd) (v6.14.1, changelog)
  • [actions] add automatic rebasing / merge commit blocking (76e4570) (v6.14.1, changelog)
  • [New] add depth=false to preserve the original key; [Fix] depth=0 should preserve the original key (649f05f) (v6.14.1, changelog)
  • [New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (c313472) (v6.14.1, changelog)
  • logo: add half banner (edc19a2) (v6.14.1, changelog)
  • [New] parse/stringify: add allowEmptyArrays option to allow [] in object values (f22b2bc) (v6.14.1, changelog)
  • [New] parse: add duplicates option (981ce09) (v6.14.1, changelog)
  • [New] parse/stringify: add decodeDotInKeys/encodeDotKeys options (30004b2) (v6.14.1, changelog)
  • [Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (6d7df02) (v6.14.1, changelog)
  • [New] parse: add strictDepth option (8d56df2) (v6.14.1, changelog)
  • [New] parse: add throwOnParameterLimitExceeded option (ef0b96f) (v6.14.1, changelog)
  • [actions] re-add finishers (51fdc98) (v6.14.1, changelog)
  • [actions] add workflow permissions (973dc3c) (v6.14.1, changelog)
  • [Tests] convert tests to tape so they no longer require ES6 features. (ce56459) (v6.14.1, changelog)
  • [Tests] use my standard travis.yml file. (7872213) (v6.14.1, changelog)
  • Revert "Delete CHANGELOG.md" and update URLs. (4c78294) (v6.14.1, changelog)
  • Remove compiled files from the git repo. (ece0655) (v6.14.1, changelog)
  • Add npm run dist to prepublish. (f1a50c0) (v6.14.1, changelog)
  • [Refactor] remove unnecessary internal object lookup. (4503717) (v6.14.1, changelog)
  • [Refactor] Use module.exports instead of exports. (d6412f7) (v6.14.1, changelog)
  • [Refactor] clean up whitespace. (bc0c1cb) (v6.14.1, changelog)
  • [Refactor] Don’t reassign function parameters. (3efbba4) (v6.14.1, changelog)
  • [Tests] add npm run lint (807c310) (v6.14.1, changelog)
  • [Docs] Add evalmd, fix broken examples in README, and ensure all examples have assertions. (d89b173) (v6.14.1, changelog)
  • Array stringification tests with dots notation on for objects. (d680e23) (v6.14.1, changelog)
  • Bumped complexity, max-params, max-statements settings by one. (92cfd0e) (v6.14.1, changelog)
  • Merge pull request #151 from snow01/master (b191b37) (v6.14.1, changelog)
  • v6.1.0 (5bd7954) (v6.14.1, changelog)
  • [Tests] adding a stringify test for a nested array of mixed objects and primitives. (0f8650b) (v6.14.1, changelog)
  • Remove tests/ directory and ESLint files from .npmignore (f320d69) (v6.14.1, changelog)


References (6)

[1]: Application uses express.urlencoded({ extended: false }), which means it doesn't use the qs parser. Breaking changes in qs (depth limits, cycle detection) don't affect this application since extended: false uses the querystring library instead

app.use(express.urlencoded({ extended: false }));

[2]: Express upgraded to 4.22.1 - staying within v4.x branch, so Express 5 breaking changes don't apply

"version": "4.22.1",

[3]: qs upgraded to 6.14.1 with critical security fixes for prototype pollution (proto keys) and safer-buffer usage

"version": "6.14.1",

[4]: res.status usage with numeric expression (err.status || 500) is compatible - no string or non-integer values used

res.status(err.status || 500);

[5]: No req.query usage found in user routes - application doesn't parse or modify query parameters

var express = require('express');

[6]: No res.redirect or res.clearCookie usage in routes - deprecated patterns not present in codebase

var express = require('express');


fossabot analyzed this PR using static analysis and dependency research. View this analysis on the web
