qs before 6.10.3 allows attackers to cause a Node process hang because an __ proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
Release Notes
ljharb/qs (qs)
### [`v6.5.3`](https://togithub.com/ljharb/qs/blob/HEAD/CHANGELOG.md#653)
[Compare Source](https://togithub.com/ljharb/qs/compare/v6.5.2...v6.5.3)
- \[Fix] `parse`: ignore `__proto__` keys ([#428](https://togithub.com/ljharb/qs/issues/428))
- \[Fix] `utils.merge`: avoid a crash with a null target and a truthy non-array source
- \[Fix] correctly parse nested arrays
- \[Fix] `stringify`: fix a crash with `strictNullHandling` and a custom `filter`/`serializeDate` ([#279](https://togithub.com/ljharb/qs/issues/279))
- \[Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided
- \[Fix] when `parseArrays` is false, properly handle keys ending in `[]`
- \[Fix] fix for an impossible situation: when the formatter is called with a non-string value
- \[Fix] `utils.merge`: avoid a crash with a null target and an array source
- \[Refactor] `utils`: reduce observable \[\[Get]]s
- \[Refactor] use cached `Array.isArray`
- \[Refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance ([#269](https://togithub.com/ljharb/qs/issues/269))
- \[Refactor] `parse`: only need to reassign the var once
- \[Robustness] `stringify`: avoid relying on a global `undefined` ([#427](https://togithub.com/ljharb/qs/issues/427))
- \[readme] remove travis badge; add github actions/codecov badges; update URLs
- \[Docs] Clean up license text so it’s properly detected as BSD-3-Clause
- \[Docs] Clarify the need for "arrayLimit" option
- \[meta] fix README.md ([#399](https://togithub.com/ljharb/qs/issues/399))
- \[meta] add FUNDING.yml
- \[actions] backport actions from main
- \[Tests] always use `String(x)` over `x.toString()`
- \[Tests] remove nonexistent tape option
- \[Dev Deps] backport from main
### [`v6.5.2`](https://togithub.com/ljharb/qs/blob/HEAD/CHANGELOG.md#652)
[Compare Source](https://togithub.com/ljharb/qs/compare/v6.5.1...v6.5.2)
- \[Fix] use `safer-buffer` instead of `Buffer` constructor
- \[Refactor] utils: `module.exports` one thing, instead of mutating `exports` ([#230](https://togithub.com/ljharb/qs/issues/230))
- \[Dev Deps] update `browserify`, `eslint`, `iconv-lite`, `safer-buffer`, `tape`, `browserify`
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
6.5.1->6.5.3GitHub Vulnerability Alerts
CVE-2022-24999
qs before 6.10.3 allows attackers to cause a Node process hang because an
__ proto__key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such asa[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.Release Notes
ljharb/qs (qs)
### [`v6.5.3`](https://togithub.com/ljharb/qs/blob/HEAD/CHANGELOG.md#653) [Compare Source](https://togithub.com/ljharb/qs/compare/v6.5.2...v6.5.3) - \[Fix] `parse`: ignore `__proto__` keys ([#428](https://togithub.com/ljharb/qs/issues/428)) - \[Fix] `utils.merge`: avoid a crash with a null target and a truthy non-array source - \[Fix] correctly parse nested arrays - \[Fix] `stringify`: fix a crash with `strictNullHandling` and a custom `filter`/`serializeDate` ([#279](https://togithub.com/ljharb/qs/issues/279)) - \[Fix] `utils`: `merge`: fix crash when `source` is a truthy primitive & no options are provided - \[Fix] when `parseArrays` is false, properly handle keys ending in `[]` - \[Fix] fix for an impossible situation: when the formatter is called with a non-string value - \[Fix] `utils.merge`: avoid a crash with a null target and an array source - \[Refactor] `utils`: reduce observable \[\[Get]]s - \[Refactor] use cached `Array.isArray` - \[Refactor] `stringify`: Avoid arr = arr.concat(...), push to the existing instance ([#269](https://togithub.com/ljharb/qs/issues/269)) - \[Refactor] `parse`: only need to reassign the var once - \[Robustness] `stringify`: avoid relying on a global `undefined` ([#427](https://togithub.com/ljharb/qs/issues/427)) - \[readme] remove travis badge; add github actions/codecov badges; update URLs - \[Docs] Clean up license text so it’s properly detected as BSD-3-Clause - \[Docs] Clarify the need for "arrayLimit" option - \[meta] fix README.md ([#399](https://togithub.com/ljharb/qs/issues/399)) - \[meta] add FUNDING.yml - \[actions] backport actions from main - \[Tests] always use `String(x)` over `x.toString()` - \[Tests] remove nonexistent tape option - \[Dev Deps] backport from main ### [`v6.5.2`](https://togithub.com/ljharb/qs/blob/HEAD/CHANGELOG.md#652) [Compare Source](https://togithub.com/ljharb/qs/compare/v6.5.1...v6.5.2) - \[Fix] use `safer-buffer` instead of `Buffer` constructor - \[Refactor] utils: `module.exports` one thing, instead of mutating `exports` ([#230](https://togithub.com/ljharb/qs/issues/230)) - \[Dev Deps] update `browserify`, `eslint`, `iconv-lite`, `safer-buffer`, `tape`, `browserify`Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.