Qs is a popular npm package for parsing and stringifying URL query strings with support for nested objects and arrays. Comparing versions 6.4.0 and 6.3.3 reveals significant shifts in the development environment and tooling, though core functionality remains consistent. Most notably, version 6.3.3, released much later, has a vastly updated suite of development dependencies: newer versions of testing frameworks like tape, linting tools like eslint, and build tools like browserify. The inclusion of nyc for code coverage and aud for auditing dependencies for vulnerabilities suggests a stronger focus on code quality and security in the later version. The package size is also slightly larger in the newer version.
Importantly, qs itself matured; while the core purpose—parsing complex query strings—remained, these dependency updates imply better testing, security, and maintainability. For developers, this means greater confidence in the library's stability and robustness. If you need a well-tested solution, the newer version is the better choice. If your goal is instead to use the more widely used version despite its known vulnerabilities, 6.4.0 may still be of interest. Both versions keep the same BSD-3-Clause license, repository location, and description regarding nesting and array support, which shows that the package's goal has stayed consistent across all its versions.
All vulnerabilities affecting version 6.4.0 of the package
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
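As an added example (not code from the qs project or from this page), a defensive pre-check in JavaScript that a request middleware or log pipeline can run over a raw query string before it reaches a nested-key parser: it flags bracket segments that name prototype-chain properties and an oversized numeric length, the two ingredients of the payload quoted above. The key splitting is a simplified approximation of qs's own parser, and the 10000 limit is an assumed policy value.

```javascript
// Added example, not from the qs project: conservative pre-filter for
// raw query strings. It reports findings rather than parsing, so a
// middleware can reject or log the request before qs sees it.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_LENGTH_VALUE = 10000; // assumed policy limit, not a qs option

// Query string quoted on the page, reused here as the sample input.
const PAGE_SAMPLE = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';

// Percent-decode one component; keep it raw if the encoding is malformed.
function decode(part) {
  try { return decodeURIComponent(part.replace(/\+/g, ' ')); } catch (e) { return part; }
}

// Split "a[__proto__][x]" into ["a", "__proto__", "x"]. Simplified
// relative to qs's own key parser; unbalanced brackets stay one segment.
function keySegments(rawKey) {
  const m = rawKey.match(/^([^[\]]*)((?:\[[^[\]]*\])*)$/);
  if (!m) return [rawKey];
  const segs = m[1] === '' ? [] : [m[1]];
  for (const b of m[2].matchAll(/\[([^[\]]*)\]/g)) segs.push(b[1]);
  return segs;
}

// Returns an array of {key, reason}; an empty array means nothing was flagged.
function inspectQuery(query) {
  const findings = [];
  for (const pair of query.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decode(eq === -1 ? pair : pair.slice(0, eq));
    const rawVal = eq === -1 ? '' : decode(pair.slice(eq + 1));
    const segs = keySegments(rawKey);
    for (const s of segs) {
      if (FORBIDDEN_KEYS.has(s)) findings.push({ key: rawKey, reason: 'prototype-key:' + s });
    }
    const last = segs[segs.length - 1];
    if (last === 'length' && /^\d+$/.test(rawVal) && Number(rawVal) > MAX_LENGTH_VALUE) {
      findings.push({ key: rawKey, reason: 'oversized-length:' + rawVal });
    }
  }
  return findings;
}

console.log(inspectQuery(PAGE_SAMPLE));
```

A non-empty result is a signal to reject the request with a 400 or to alert, whichever the deployment's policy prefers; the parser itself should still be upgraded to a fixed release.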