qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
Release Notes
ljharb/qs (qs)
### [`v6.5.3`](https://redirect.github.com/ljharb/qs/blob/HEAD/CHANGELOG.md#653)
[Compare Source](https://redirect.github.com/ljharb/qs/compare/v6.5.2...v6.5.3)
- \[Fix] `parse`: ignore `__proto__` keys ([#428](https://redirect.github.com/ljharb/qs/issues/428))
- \[Fix] `utils.merge`: avoid a crash with a null target and a truthy non-array source
- \[Fix] correctly parse nested arrays
- \[Fix] `stringify`: fix a crash with `strictNullHandling` and a custom `filter`/`serializeDate` ([#279](https://redirect.github.com/ljharb/qs/issues/279))
- \[Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided
- \[Fix] when `parseArrays` is false, properly handle keys ending in `[]`
- \[Fix] fix for an impossible situation: when the formatter is called with a non-string value
- \[Fix] `utils.merge`: avoid a crash with a null target and an array source
- \[Refactor] `utils`: reduce observable \[\[Get]]s
- \[Refactor] use cached `Array.isArray`
- \[Refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance ([#269](https://redirect.github.com/ljharb/qs/issues/269))
- \[Refactor] `parse`: only need to reassign the var once
- \[Robustness] `stringify`: avoid relying on a global `undefined` ([#427](https://redirect.github.com/ljharb/qs/issues/427))
- \[readme] remove travis badge; add github actions/codecov badges; update URLs
- \[Docs] Clean up license text so itβs properly detected as BSD-3-Clause
- \[Docs] Clarify the need for "arrayLimit" option
- \[meta] fix README.md ([#399](https://redirect.github.com/ljharb/qs/issues/399))
- \[meta] add FUNDING.yml
- \[actions] backport actions from main
- \[Tests] always use `String(x)` over `x.toString()`
- \[Tests] remove nonexistent tape option
- \[Dev Deps] backport from main
Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
6.5.2->6.5.3GitHub Vulnerability Alerts
CVE-2022-24999
qs before 6.10.3 allows attackers to cause a Node process hang because an
__ proto__key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such asa[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.Release Notes
ljharb/qs (qs)
### [`v6.5.3`](https://redirect.github.com/ljharb/qs/blob/HEAD/CHANGELOG.md#653) [Compare Source](https://redirect.github.com/ljharb/qs/compare/v6.5.2...v6.5.3) - \[Fix] `parse`: ignore `__proto__` keys ([#428](https://redirect.github.com/ljharb/qs/issues/428)) - \[Fix] `utils.merge`: avoid a crash with a null target and a truthy non-array source - \[Fix] correctly parse nested arrays - \[Fix] `stringify`: fix a crash with `strictNullHandling` and a custom `filter`/`serializeDate` ([#279](https://redirect.github.com/ljharb/qs/issues/279)) - \[Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided - \[Fix] when `parseArrays` is false, properly handle keys ending in `[]` - \[Fix] fix for an impossible situation: when the formatter is called with a non-string value - \[Fix] `utils.merge`: avoid a crash with a null target and an array source - \[Refactor] `utils`: reduce observable \[\[Get]]s - \[Refactor] use cached `Array.isArray` - \[Refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance ([#269](https://redirect.github.com/ljharb/qs/issues/269)) - \[Refactor] `parse`: only need to reassign the var once - \[Robustness] `stringify`: avoid relying on a global `undefined` ([#427](https://redirect.github.com/ljharb/qs/issues/427)) - \[readme] remove travis badge; add github actions/codecov badges; update URLs - \[Docs] Clean up license text so itβs properly detected as BSD-3-Clause - \[Docs] Clarify the need for "arrayLimit" option - \[meta] fix README.md ([#399](https://redirect.github.com/ljharb/qs/issues/399)) - \[meta] add FUNDING.yml - \[actions] backport actions from main - \[Tests] always use `String(x)` over `x.toString()` - \[Tests] remove nonexistent tape option - \[Dev Deps] backport from mainConfiguration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.