The qs package, a widely used querystring parser for Node.js and the browser, provides robust support for nesting and arrays within query strings, all while adhering to a configurable depth limit. Examining versions 1.2.2 and 2.0.0 reveals subtle yet important distinctions for developers to consider. While both versions share a similar core functionality, description, lack of runtime dependencies, and testing framework (lab), the key difference lies in the version number itself and the subsequent implications.
The jump from version 1.2.2 to 2.0.0 suggests a potentially significant update, possibly including breaking changes or major feature additions. Developers should carefully review the changelog when migrating to version 2.0.0 to ensure compatibility with existing code. Although specific changes aren't detailed in the provided data, semantic versioning dictates that a major version bump (1.x.x to 2.x.x) signals potential backward-incompatible updates.
Both versions benefit from being authored by Nathan LaFreniere, indicating consistent maintainership and a single point of contact. The package's availability on GitHub (https://github.com/hapijs/qs.git) allows developers to inspect the source code, contribute improvements, and report issues. The tarball URLs provide direct access to the package files on the npm registry, enabling reproducible builds and offline installation. Furthermore, developers can deduce that version 2.0.0 was released roughly 11 days after version 1.2.2.
All the vulnerabilities related to version 2.0.0 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.