qs is a popular npm package used for parsing and stringifying URL query strings. Both versions 6.1.0 and 6.1.1 share the same core functionality: providing a robust querystring parser that supports nested objects and arrays within the URL, all while respecting a configurable depth limit to prevent potential denial-of-service issues. They are both licensed under the BSD-3-Clause license and maintained in the same GitHub repository. The listed dependencies and devDependencies are identical, including tools like tape for testing, eslint for code linting, browserify for bundling, and @ljharb/eslint-config for consistent code style.
The crucial difference lies in the release date and potentially very minor bug fixes or internal improvements. Version 6.1.0 was released on February 4th, 2016, while version 6.1.1 came out approximately a year later, on February 16th, 2017. While the changelogs for these minor versions should be consulted for definitive answers, it's highly likely that 6.1.1 addresses edge cases or subtle issues discovered after the initial 6.1.0 release. For developers choosing between the two, the recommendation is almost always to use the latest available version (6.1.1 in this case), as it likely contains improvements. However, given that this update is over 7 years old, it is highly recommended to check for newer versions, as there might be better options available.
All vulnerabilities related to version 6.1.1 of the package
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.