qs is a popular npm package used for parsing and stringifying URL query strings, with support for nested objects and arrays and configurable depth limits. Comparing version 6.7.2 with its predecessor, 6.7.1, reveals subtle but relevant differences for developers. Both versions share identical core functionality, dependencies, and development dependencies for testing, linting, and code coverage, and they use the same license, repository, and funding URL. The key difference lies in the dist object, specifically the unpackedSize: version 6.7.2 has an unpacked size of 153474 bytes, slightly larger than the 151905 bytes of version 6.7.1, indicating minor code adjustments or additions. The release date also differs slightly, while both versions keep the same file count of 20, which has only a slight effect on performance. For developers, this means that upgrading from 6.7.1 to 6.7.2 is unlikely to introduce breaking changes to its parsing and stringifying behaviour, but they should be aware of the minor increase in bundle size. The package remains a solid choice for handling complex query strings in Node.js and browser environments thanks to its battle-tested status and comprehensive feature set.
All the vulnerabilities related to the version 6.7.2 of the package
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
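As an added defence-in-depth check (example code written for this page, not part of the qs project), the function below inspects the raw bracket-notation keys of a query string before it reaches the parser and reports any key whose segments name __proto__, constructor or prototype, so a request carrying the advisory's payload can be rejected or logged; the function names and the sample inputs are constructed here, and the real remediation remains upgrading to a fixed release (6.7.3 for the 6.7.x line).

```javascript
// Segments that must never appear as a key path element in parsed query input.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a raw key such as "a[__proto__][x]" into ["a", "__proto__", "x"].
// Assumption: keys use the bracket convention qs parses by default
// (dot notation via allowDots is not handled here).
function keySegments(rawKey) {
  let key;
  try {
    key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
  } catch (e) {
    key = rawKey; // malformed percent-encoding: inspect the key as-is
  }
  const segments = [];
  const head = key.match(/^[^\[]*/)[0];
  if (head) segments.push(head);
  const bracket = /\[([^\]]*)\]/g;
  let m;
  while ((m = bracket.exec(key)) !== null) segments.push(m[1]);
  return segments;
}

// Returns the raw keys that carry a forbidden segment (empty array when clean).
function findPrototypePollutingKeys(queryString) {
  const offending = [];
  for (const pair of queryString.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const rawKey = pair.split('=')[0];
    if (keySegments(rawKey).some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      offending.push(rawKey);
    }
  }
  return offending;
}

// Constructed samples: the advisory's payload, a percent-encoded variant, a benign query.
const samples = [
  'a[__proto__]=b&a[__proto__]&a[length]=100000000',
  'a%5B__proto__%5D=b',
  '?a[b]=c&d=e',
];
for (const q of samples) {
  const bad = findPrototypePollutingKeys(q);
  console.log(bad.length ? `REJECT ${q} (keys: ${bad.join(', ')})` : `ok ${q}`);
}
```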