
@lukaselmer
Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.

Copilot AI review requested due to automatic review settings October 29, 2025 22:33
Copilot AI left a comment

Pull Request Overview

This PR removes the built-in 'extended' query parser option from Express and moves the qs package from dependencies to devDependencies. Users must now provide a custom parser function to replicate the previous 'extended' behavior.

Key changes:

  • Removed qs as a production dependency and added it as a devDependency
  • Replaced the 'extended' query parser option with a helpful error message directing users to use a custom parser function
  • Updated tests to use qs.parse directly instead of the deprecated 'extended' string option

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

  • package.json: Moved qs from dependencies to devDependencies
  • lib/utils.js: Removed qs import, removed parseExtendedQueryString function, and replaced 'extended' case with an error throw
  • test/req.query.js: Added qs import, updated tests to use qs.parse directly, and added test for new error behavior
  • History.md: Documented the breaking change with migration instructions

case 'extended':
fn = parseExtendedQueryString;
break;
throw new TypeError("query parser 'extended' is no longer supported; use: `app.set('query parser', str => qs.parse(str, { allowPrototypes: true }))` to replicate the old behavior");
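Review bot: the replacement message tells users to call `qs.parse`, but this same PR moves qs from dependencies to devDependencies, so an application that copies the suggested `app.set('query parser', str => qs.parse(str, { allowPrototypes: true }))` line will fail with a module-not-found error unless it adds qs to its own dependencies. Suggest stating that in the message (and in the History.md migration note), for example: "install qs in your application, then use: `app.set('query parser', str => qs.parse(str, { allowPrototypes: true }))`".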
Copilot AI Oct 29, 2025

The error message suggests using { allowPrototypes: true } but this option is a security risk. The old parseExtendedQueryString function used this option, but users migrating should be warned about the security implications or given a safer default option.

Suggested change
throw new TypeError("query parser 'extended' is no longer supported; use: `app.set('query parser', str => qs.parse(str, { allowPrototypes: true }))` to replicate the old behavior");
throw new TypeError("query parser 'extended' is no longer supported. To replicate the old behavior, you may use: `app.set('query parser', str => qs.parse(str, { allowPrototypes: true }))`, but WARNING: enabling `{ allowPrototypes: true }` is a security risk and can lead to prototype pollution vulnerabilities. Do not use this option in production unless you fully understand the risks. The default behavior is safer and recommended.");
Author

ljharb/qs#321 => allowPrototypes: true is not a security issue

@lukaselmer lukaselmer force-pushed the remove-direct-qs-dependency branch from ea7e54e to 54e7050 Compare October 29, 2025 22:39