Qs is a popular npm package for parsing and stringifying URL query strings, with support for nested objects and arrays and control over the nesting depth. This page compares version 6.10.0 with version 6.9.7. Note that 6.9.7 is not the release that preceded 6.10.0: it is a later patch release on the older 6.9.x line. Most notably, 6.10.0 introduces a new runtime dependency, side-channel, while 6.9.7 pins newer devDependencies; for example, eslint is ^8.6.0 in 6.9.7 versus ^7.22.0 in 6.10.0.
The package size (unpackedSize) also differs: 169869 bytes for 6.9.7 versus 203463 bytes for 6.10.0, so the higher version number is the larger install. The release dates run counter to the version numbers: 6.10.0 was published on March 18, 2021, while 6.9.7 was published on January 11, 2022, making 6.9.7 the more recent release.
Both versions share the same core functionality, license (BSD-3-Clause), repository, and funding information, and the newer devDependencies in 6.9.7 affect only the development tooling, not what is installed by consumers of the package. The security-relevant difference is the advisory listed below: 6.10.0 is affected by the prototype pollution issue, while 6.9.7 carries the backported fix. For production use, prefer 6.9.7 or 6.10.3 and later; pick 6.10.0 only if another dependency pins it, and test in your own environment to confirm compatibility.
Vulnerabilities affecting version 6.10.0 of the package
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4. Of the two versions compared on this page, 6.10.0 is affected and 6.9.7 is fixed; an application on 6.10.0 should move to 6.10.3 or later (or to a fixed backport line) rather than rely on input filtering alone.
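As an added example (not code from the qs project or from the advisory), the block below shows two defence-in-depth measures a practitioner can put in front of, or in place of, a vulnerable query-string parser: a request-side guard that rejects any parameter whose key, after percent-decoding, contains a prototype-related segment in qs-style bracket or dot notation (so `a[__proto__]`, `a%5B__proto__%5D` and `a.__proto__` are all caught), and a minimal nested parser that builds its result from null-prototype objects so a `__proto__` segment can only ever become an ordinary own property. The function names, the `allowDots` parameter and the sample payload are this example's own assumptions; the payload string is the one quoted in the advisory, embedded here as constructed input.

```javascript
// Added example, not code from the qs project. Guard against prototype-
// pollution keys in qs-style query strings, plus a null-prototype parser.
// All function names and options below are this example's own.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Percent-decode one key or value; null signals malformed encoding.
function decodeComponent(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (err) {
    return null;
  }
}

// Split a raw key such as "a[b][c]" into ["a", "b", "c"]. With allowDots the
// dotted form "a.b.c" is rewritten to bracket form first (this rewrite is the
// example's own, modelled on the allowDots option qs documents). Returns null
// when the key cannot be decoded.
function keySegments(rawKey, allowDots = false) {
  let key = decodeComponent(rawKey);
  if (key === null) return null;
  if (allowDots) key = key.replace(/\.([^.[]+)/g, '[$1]');
  const m = /^([^[\]]*)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return [key]; // unbalanced brackets: keep the whole key literal
  const segments = [m[1]];
  const bracket = /\[([^[\]]*)\]/g;
  let part;
  while ((part = bracket.exec(m[2])) !== null) segments.push(part[1]);
  return segments;
}

// Return the first raw parameter name that contains a forbidden segment (or
// that cannot be decoded at all), otherwise null. Dots are always treated as
// separators here, regardless of how the downstream parser is configured,
// which is the conservative choice for a guard placed in front of it.
function findPrototypeKey(queryString) {
  const body = queryString.startsWith('?') ? queryString.slice(1) : queryString;
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const segments = keySegments(rawKey, true);
    if (segments === null || segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      return rawKey;
    }
  }
  return null;
}

// Minimal nested parser: every container is created with Object.create(null),
// so a "__proto__" segment becomes an ordinary own property instead of the
// inherited accessor on Object.prototype. Arrays, depth limits and the other
// qs options are deliberately left out; a scalar already stored at a path
// that later needs to nest is replaced by a fresh container.
function parseSafe(queryString) {
  const root = Object.create(null);
  const body = queryString.startsWith('?') ? queryString.slice(1) : queryString;
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    const segments = keySegments(rawKey);
    const value = decodeComponent(rawValue);
    if (segments === null || value === null) continue; // drop undecodable pairs
    let node = root;
    for (let i = 0; i < segments.length - 1; i += 1) {
      const seg = segments[i];
      if (typeof node[seg] !== 'object' || node[seg] === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[segments[segments.length - 1]] = value;
  }
  return root;
}

// Constructed input: the payload quoted in the advisory above.
const ADVISORY_PAYLOAD = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';
```

A guard such as `findPrototypeKey` belongs at the edge (a middleware that returns 400 before the framework's query parser runs); it is a mitigation, not a substitute for upgrading qs, because it only recognises the encodings it decodes. `parseSafe` illustrates the structural fix: when containers have no prototype chain, nothing an attacker writes can reach `Object.prototype`.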