qs is a popular npm package for parsing and stringifying URL query strings, used wherever web applications carry nested data structures in URLs. Comparing versions 6.10.2 and 6.10.1 reveals only small differences. Both versions share the same core functionality, description, license (BSD-3-Clause) and repository URL, and both depend on the side-channel package; the release is a maintenance release rather than a feature release. The changes are confined to the development dependencies, i.e. the tooling the maintainers use to lint and test the package: version 6.10.2 upgrades eslint from 7.22.0 to 8.4.0, @ljharb/eslint-config from 17.5.1 to 20.0.0, tape from 5.2.2 to 5.3.2, object-inspect from 1.9.0 to 1.11.0, aud from 1.1.4 to 1.1.5 and safe-publish-latest from 1.1.4 to 2.0.0. These updates bring newer linting rules and test tooling to the maintainers' workflow, but devDependencies are not installed by consumers of qs and do not change the code that is shipped to them. The dist object shows the unpacked size growing from 204351 to 212118 bytes; since devDependencies are not part of the published tarball, that growth reflects changes to the package's own published files, which this comparison does not itemize. For developers integrating qs, the practical point is that 6.10.2 and 6.10.1 behave the same at runtime, and, as the advisory listed below shows, neither is the fixed release for the prototype-pollution issue: the version to target is 6.10.3 or later.
All vulnerabilities affecting version 6.10.2 of the package
qs vulnerable to Prototype Pollution (CVE-2022-24999)
qs before 6.10.3 allows attackers to cause a Node process hang because a __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000 (the brackets may also arrive percent-encoded as %5B and %5D, so any request-level filter has to decode before matching). The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3 and 6.2.4. Both 6.10.1 and 6.10.2 fall inside the affected range; qs is usually pulled in transitively (Express's default "extended" query parser, for example, depends on it), so check the installed version with npm ls qs or npm audit rather than only the direct dependencies.
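The following is an added example and is not qs's own code or part of the advisory. It shows, in a deliberately small bracket-notation parser, the two guards that the payload above exercises: key segments named __proto__, constructor or prototype are dropped, and user-supplied keys can never resize or index into an array beyond a small cap, so a[length]=100000000 ends up as an ordinary string property on a null-prototype object instead of an array length. It also includes a version check built from the fixed versions the advisory lists. The names parseQuerySafe, qsVersionIsAffected, MAX_ARRAY_INDEX and FORBIDDEN_SEGMENTS are assumptions for this example (qs's real option is arrayLimit, default 20); the sample inputs are constructed.

```javascript
'use strict';

// Constructed sample input: the payload quoted in the advisory.
const ADVISORY_PAYLOAD = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';

// Key segments that must never be used to walk or create objects.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
// Largest numeric index that creates a real array slot. Larger indices and
// non-numeric keys such as 'length' never reach an array. (Assumed name;
// qs's own equivalent is the arrayLimit option, default 20.)
const MAX_ARRAY_INDEX = 20;

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// 'a[b][c]' -> ['a', 'b', 'c'];  'a' -> ['a'];  'a[]' -> ['a', '']
function splitKey(key) {
  const m = /^([^\[\]]*)((?:\[[^\[\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const segs = [m[1]];
  const re = /\[([^\[\]]*)\]/g;
  let s;
  while ((s = re.exec(m[2])) !== null) segs.push(s[1]);
  return segs;
}

function isArrayIndex(seg) {
  return seg === '' || (/^\d+$/.test(seg) && Number(seg) <= MAX_ARRAY_INDEX);
}

function setLeaf(container, seg, value) {
  if (Array.isArray(container)) {
    if (seg === '') container.push(value);
    else if (isArrayIndex(seg)) container[Number(seg)] = value;
    // Anything else ('length', a huge index) is dropped: it must not resize
    // the array or touch its prototype-backed properties.
    return;
  }
  container[seg] = value;
}

function getChild(container, seg) {
  if (Array.isArray(container)) {
    return seg !== '' && isArrayIndex(seg) ? container[Number(seg)] : undefined;
  }
  return container[seg];
}

function parseQuerySafe(query) {
  const out = Object.create(null); // no Object.prototype to pollute
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    // Decode before splitting so a%5B__proto__%5D is caught like a[__proto__].
    const segs = splitKey(safeDecode(eq === -1 ? pair : pair.slice(0, eq)));
    const val = eq === -1 ? '' : safeDecode(pair.slice(eq + 1));
    // Guard 1: a prototype-related segment anywhere in the key drops the pair.
    if (segs.some((s) => FORBIDDEN_SEGMENTS.has(s))) continue;
    let cur = out;
    for (let i = 0; i < segs.length - 1; i++) {
      let child = getChild(cur, segs[i]);
      if (child === null || typeof child !== 'object') {
        // Guard 2: create an array only when the next segment is a small index.
        child = isArrayIndex(segs[i + 1]) ? [] : Object.create(null);
        setLeaf(cur, segs[i], child);
      }
      cur = child;
    }
    setLeaf(cur, segs[segs.length - 1], val);
  }
  return out;
}

// Fixed patch level per 6.x minor line, from the advisory: 6.10.3 plus the
// backports. Minor lines with no entry (6.0, 6.1) and every major below 6
// are treated as affected, matching "qs before 6.10.3".
const FIXED_PATCH_BY_MINOR = { 10: 3, 9: 7, 8: 3, 7: 3, 6: 1, 5: 3, 4: 1, 3: 3, 2: 4 };

function qsVersionIsAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error('not a semver string: ' + version);
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major > 6) return false;
  if (major < 6) return true;
  if (minor > 10) return false;
  const fixed = FIXED_PATCH_BY_MINOR[minor];
  if (fixed === undefined) return true;
  return patch < fixed;
}

console.log(JSON.stringify(parseQuerySafe(ADVISORY_PAYLOAD)));
console.log('6.10.2 affected:', qsVersionIsAffected('6.10.2'));
```

The parser is a model of the defence, not a drop-in replacement for qs; in an application the equivalent controls are upgrading to a fixed version and keeping allowPrototypes at its default of false. The version check is useful in a CI script that walks npm ls --json output, since the vulnerable copy is usually a transitive dependency.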