qs is a widely used npm package for parsing and stringifying URL query strings, with support for nested objects and arrays. Comparing versions 3.0.0 and 3.1.0 shows a small incremental update. Both versions share the same core functionality: parsing query strings into JavaScript objects and converting objects back into query strings, including nested keys and arrays, which makes them suitable for applications that deal with complex URL structures. The listed dependencies and development dependencies are identical, indicating the same testing setup and browser-compatibility approach across the two releases: both use lab for testing, code for assertions, and browserify for browser builds. Both releases are licensed under BSD-3-Clause and are hosted on GitHub under the hapijs organization.
The difference between qs 3.0.0 and 3.1.0 lies in the refinements and likely bug fixes introduced in 3.1.0, which was released five days after 3.0.0. The specific changes are not described in this metadata, but the short turnaround suggests minor enhancements or fixes for issues found in the initial 3.0.0 release. Developers on 3.0.0 should upgrade to 3.1.0 to pick up these improvements. Given the shared codebase and testing infrastructure, the transition should cause minimal disruption while potentially resolving edge cases in query-string parsing.
All vulnerabilities affecting version 3.1.0 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because the built-in protection can be bypassed. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.