qs is a popular npm package for parsing and stringifying URL query strings, with support for nesting and arrays limited by a configurable depth. Version 6.5.1, released on September 9, 2017, is a patch release following version 6.5.0, which was released on June 28, 2017. Both versions share the same core functionality and description; the differences lie in their development dependencies, which points to changes in the development and testing environment rather than in the library itself.
Specifically, version 6.5.1 upgrades eslint from 3.19.0 to 4.6.1 and @ljharb/eslint-config from 11.0.0 to 12.2.1, along with a minor tape upgrade from 4.7.0 to 4.8.0, suggesting fixes driven by updated linting rules and a newer test framework. For developers, this means version 6.5.1 likely carries improved code quality and somewhat more robust testing than 6.5.0. The update introduces no new features, so it remains backward compatible. Choosing the later version (6.5.1) is recommended for the most up-to-date improvements in code quality and testing practices. The BSD-3-Clause license permits free use and modification, suiting a wide range of project needs.
All vulnerabilities affecting version 6.5.1 of the package
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an `__proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4. Version 6.5.1 therefore falls inside the affected range: on the 6.5.x line the fix arrives in 6.5.3, so any deployment still on 6.5.1 should upgrade to 6.5.3 or later.
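Because the fix was backported to several minor lines rather than shipped only in 6.10.3, checking "is my qs affected?" needs more than a single threshold comparison. The following is an added example, not code from the advisory or the qs project; it encodes the fixed versions listed above and decides whether an installed qs version still falls in the affected range. The `isVulnerableQs` and `parseVersion` names are assumptions of this example.

```javascript
// Added example: determine whether a qs version carries the prototype
// pollution / process-hang fix, using the fix and backport versions named
// in the advisory above. Versions with no backport on their minor line
// (e.g. 6.1.x or anything below 6.2) are treated as affected.
const FIXED_VERSIONS = [
  '6.10.3', // first release on the main line with the fix
  '6.9.7', '6.8.3', '6.7.3', '6.6.1', '6.5.3', '6.4.1', '6.3.3', '6.2.4', // backports
];

// Parse "major.minor.patch" (ignoring any prerelease/build suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` predates the fix on its own minor line.
function isVulnerableQs(version) {
  const [major, minor] = parseVersion(version);
  // 6.10.3 and everything after it (including later majors) includes the fix.
  if (compareVersions(version, '6.10.3') >= 0) return false;
  // Otherwise look for a backported fix on the same major.minor line.
  const backport = FIXED_VERSIONS.find((f) => {
    const [fm, fn] = parseVersion(f);
    return fm === major && fn === minor;
  });
  if (!backport) return true; // no backport exists for this line
  return compareVersions(version, backport) < 0;
}

// Report which of a set of observed versions (e.g. from `npm ls qs`) are affected.
function affectedVersions(versions) {
  return versions.filter(isVulnerableQs);
}

module.exports = { parseVersion, compareVersions, isVulnerableQs, affectedVersions };
```

Feed `affectedVersions` the qs versions found in a lockfile or `npm ls qs` output to get the subset that still needs an upgrade.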