Qs is a popular npm package used for parsing and stringifying URL query strings, offering robust support for nested objects and arrays with configurable depth limits. Comparing versions 6.9.3 and 6.9.4, the primary difference lies in updated development dependencies. Specifically, version 6.9.3 relies on tape version ^5.0.0-next.5, while 6.9.4 upgrades this to ^5.0.0. Version 6.9.4 also updates browserify from version 16.5.0 to 16.5.1. The unpacked size of 6.9.4 is slightly larger (160179 bytes) than that of 6.9.3 (160076 bytes), suggesting minor internal changes or dependency updates. Both versions maintain the same core functionality, license (BSD-3-Clause), repository, funding information, and maintainer. Neither lists any runtime dependencies, highlighting the package's lightweight nature. Upgrading from 6.9.3 to 6.9.4 provides the benefit of using a stable release of tape and the latest fixes and improvements in browserify. Developers heavily invested in tape for testing, or those leveraging browserify for bundling, might find the update worthwhile. If neither of these tools is central to your workflow, the functional impact of upgrading may be minimal, but staying on the latest dependencies generally provides better security and stability in the long run, as well as the most recent bug fixes and performance improvements in the underlying dev dependencies.
All vulnerabilities affecting version 6.9.4 of the package
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.