chore(deps): update dependency qs to v6.14.1 [security]#11641

Open

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/npm-qs-vulnerability

Contributor

renovate bot commented Dec 31, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
qs	`6.5.3` → `6.14.1`

GitHub Vulnerability Alerts

CVE-2025-15284

Summary

The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.

Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.

Details

The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}

Working code (lib/parse.js:175):

else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)

Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.

Impact

Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.

Release Notes

ljharb/qs (qs)

`v6.14.1`

[Fix] ensure arrayLength applies to [] notation as well
[Fix] parse: when a custom decoder returns null for a key, ignore that key
[Refactor] parse: extract key segment splitting helper
[meta] add threat model
[actions] add workflow permissions
[Tests] stringify: increase coverage
[Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

`v6.14.0`

[New] parse: add throwOnParameterLimitExceeded option (#517)
[Refactor] parse: use utils.combine more
[patch] parse: add explicit throwOnLimitExceeded default
[actions] use shared action; re-add finishers
[meta] Fix changelog formatting bug
[Deps] update side-channel
[Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
[Tests] increase coverage

`v6.13.3`

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

`v6.13.2`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.13.1`

[Fix] stringify: avoid a crash when a filter key is null
[Fix] utils.merge: functions should not be stringified into keys
[Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
[Fix] stringify: ensure a non-string filter does not crash
[Refactor] use __proto__ syntax instead of Object.create for null objects
[Refactor] misc cleanup
[Tests] utils.merge: add some coverage
[Tests] fix a test case
[actions] split out node 10-20, and 20+
[Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape

`v6.13.0`

[New] parse: add strictDepth option (#511)
[Tests] use npm audit instead of aud

`v6.12.5`

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

`v6.12.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.12.3`

[Fix] parse: properly account for strictNullHandling when allowEmptyArrays
[meta] fix changelog indentation

`v6.12.2`

[Fix] parse: parse encoded square brackets (#506)
[readme] add CII best practices badge

`v6.12.1`

[Fix] parse: Disable decodeDotInKeys by default to restore previous behavior (#501)
[Performance] utils: Optimize performance under large data volumes, reduce memory usage, and speed up processing (#502)
[Refactor] utils: use +=
[Tests] increase coverage

`v6.12.0`

[New] parse/stringify: add decodeDotInKeys/encodeDotKeys options (#488)
[New] parse: add duplicates option
[New] parse/stringify: add allowEmptyArrays option to allow [] in object values (#487)
[Refactor] parse/stringify: move allowDots config logic to its own variable
[Refactor] stringify: move option-handling code into normalizeStringifyOptions
[readme] update readme, add logos (#484)
[readme] stringify: clarify default arrayFormat behavior
[readme] fix line wrapping
[readme] remove dead badges
[Deps] update side-channel
[meta] make the dist build 50% smaller
[meta] add sideEffects flag
[meta] run build in prepack, not prepublish
[Tests] parse: remove useless tests; add coverage
[Tests] stringify: increase coverage
[Tests] use mock-property
[Tests] stringify: improve coverage
[Dev Deps] update @ljharb/eslint-config , aud, has-override-mistake, has-property-descriptors, mock-property, npmignore, object-inspect, tape
[Dev Deps] pin glob, since v10.3.8+ requires a broken jackspeak
[Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6

`v6.11.4`

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

`v6.11.3`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.11.2`

[Fix] parse: Fix parsing when the global Object prototype is frozen (#473)
[Tests] add passing test cases with empty keys (#473)

`v6.11.1`

[Fix] stringify: encode comma values more consistently (#463)
[readme] add usage of filter option for injecting custom serialization, i.e. of custom types (#447)
[meta] remove extraneous code backticks (#457)
[meta] fix changelog markdown
[actions] update checkout action
[actions] restrict action permissions
[Dev Deps] update @ljharb/eslint-config, aud, object-inspect, tape

`v6.11.0`

[New] [Fix] stringify: revert 0e903c0; add commaRoundTrip option (#442)
[readme] fix version badge

`v6.10.7`

[Fix] fix regressions from robustness refactor
[actions] update reusable workflows

`v6.10.6`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.10.5`

[Fix] stringify: with arrayFormat: comma, properly include an explicit [] on a single-item array (#434)

`v6.10.4`

[Fix] stringify: with arrayFormat: comma, include an explicit [] on a single-item array (#441)
[meta] use npmignore to autogenerate an npmignore file
[Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbol, object-inspect, tape

`v6.10.3`

[Fix] parse: ignore __proto__ keys (#428)
[Robustness] stringify: avoid relying on a global undefined (#427)
[actions] reuse common workflows
[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, tape

`v6.10.2`

[Fix] stringify: actually fix cyclic references (#426)
[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] add note and links for coercing primitive values (#408)
[actions] update codecov uploader
[actions] update workflows
[Tests] clean up stringify tests slightly
[Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, safe-publish-latest, tape

`v6.10.1`

[Fix] stringify: avoid exception on repeated object values (#402)

`v6.10.0`

[New] stringify: throw on cycles, instead of an infinite loop (#395, #394, #393)
[New] parse: add allowSparse option for collapsing arrays with missing indices (#312)
[meta] fix README.md (#399)
[meta] only run npm run dist in publish, not install
[Dev Deps] update eslint, @ljharb/eslint-config, aud, has-symbols, tape
[Tests] fix tests on node v0.6
[Tests] use ljharb/actions/node/install instead of ljharb/actions/node/run
[Tests] Revert "[meta] ignore eclint transitive audit warning"

`v6.9.9`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.9.8`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.9.7`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
[Robustness] stringify: avoid relying on a global undefined (#427)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] add note and links for coercing primitive values (#408)
[Tests] clean up stringify tests slightly
[meta] fix README.md (#399)
Revert "[meta] ignore eclint transitive audit warning"
[actions] backport actions from main
[Dev Deps] backport updates from main

`v6.9.6`

[Fix] restore dist dir; mistakenly removed in d4f6c32

`v6.9.5`

[Fix] stringify: do not encode parens for RFC1738
[Fix] stringify: fix arrayFormat comma with empty array/objects (#350)
[Refactor] format: remove util.assign call
[meta] add "Allow Edits" workflow; update rebase workflow
[actions] switch Automatic Rebase workflow to pull_request_target event
[Tests] stringify: add tests for #378
[Tests] migrate tests to Github Actions
[Tests] run nyc on all tests; use tape runner
[Dev Deps] update eslint, @ljharb/eslint-config, browserify, mkdirp, object-inspect, tape; add aud

`v6.9.4`

[Fix] stringify: when arrayFormat is comma, respect serializeDate (#364)
[Refactor] stringify: reduce branching (part of #350)
[Refactor] move maybeMap to utils
[Dev Deps] update browserify, tape

`v6.9.3`

[Fix] proper comma parsing of URL-encoded commas (#361)
[Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

`v6.9.2`

[Fix] parse: Fix parsing array from object with comma true (#359)
[Fix] parse: throw a TypeError instead of an Error for bad charset (#349)
[meta] ignore eclint transitive audit warning
[meta] fix indentation in package.json
[meta] add tidelift marketing copy
[Dev Deps] update eslint, @ljharb/eslint-config, object-inspect, has-symbols, tape, mkdirp, iconv-lite
[actions] add automatic rebasing / merge commit blocking

`v6.9.1`

[Fix] parse: with comma true, handle field that holds an array of arrays (#335)
[Fix] parse: with comma true, do not split non-string values (#334)
[meta] add funding field
[Dev Deps] update eslint, @ljharb/eslint-config
[Tests] use shared travis-ci config

`v6.9.0`

[New] parse/stringify: Pass extra key/value argument to decoder (#333)
[Dev Deps] update eslint, @ljharb/eslint-config, evalmd
[Tests] parse: add passing arrayFormat tests
[Tests] add posttest using npx aud to run npm audit without a lockfile
[Tests] up to node v12.10, v11.15, v10.16, v8.16
[Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray

`v6.8.5`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.8.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.8.3`

[Fix] parse: ignore __proto__ keys (#428)
[Robustness] stringify: avoid relying on a global undefined (#427)
[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Tests] clean up stringify tests slightly
[Docs] add note and links for coercing primitive values (#408)
[meta] fix README.md (#399)
[actions] backport actions from main
[Dev Deps] backport updates from main
[Refactor] stringify: reduce branching
[meta] do not publish workflow files

`v6.8.2`

[Fix] proper comma parsing of URL-encoded commas (#361)
[Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

`v6.8.1`

[Fix] parse: Fix parsing array from object with comma true (#359)
[Fix] parse: throw a TypeError instead of an Error for bad charset (#349)
[Fix] parse: with comma true, handle field that holds an array of arrays (#335)
[fix] parse: with comma true, do not split non-string values (#334)
[meta] add tidelift marketing copy
[meta] add funding field
[Dev Deps] update eslint, @ljharb/eslint-config, tape, safe-publish-latest, evalmd, has-symbols, iconv-lite, mkdirp, object-inspect
[Tests] parse: add passing arrayFormat tests
[Tests] use shared travis-ci configs
[Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray
[actions] add automatic rebasing / merge commit blocking

`v6.8.0`

[New] add depth=false to preserve the original key; [Fix] depth=0 should preserve the original key (#326)
[New] [Fix] stringify symbols and bigints
[Fix] ensure node 0.12 can stringify Symbols
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Refactor] formats: tiny bit of cleanup.
[Dev Deps] update eslint, @ljharb/eslint-config, browserify, safe-publish-latest, iconv-lite, tape
[Tests] add tests for depth=0 and depth=false behavior, both current and intuitive/intended (#326)
[Tests] use eclint instead of editorconfig-tools
[docs] readme: add security note
[meta] add github sponsorship
[meta] add FUNDING.yml
[meta] Clean up license text so it’s properly detected as BSD-3-Clause

`v6.7.5`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.7.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.7.3`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] stringify: avoid encoding arrayformat comma when encodeValuesOnly = true (#424)
[Robustness] stringify: avoid relying on a global undefined (#427)
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] add note and links for coercing primitive values (#408)
[meta] fix README.md (#399)
[meta] do not publish workflow files
[actions] backport actions from main
[Dev Deps] backport updates from main
[Tests] use nyc for coverage
[Tests] clean up stringify tests slightly

`v6.7.2`

[Fix] proper comma parsing of URL-encoded commas (#361)
[Fix] parses comma delimited array while having percent-encoded comma treated as normal text (#336)

`v6.7.1`

[Fix] parse: Fix parsing array from object with comma true (#359)
[Fix] parse: with comma true, handle field that holds an array of arrays (#335)
[fix] parse: with comma true, do not split non-string values (#334)
[Fix] parse: throw a TypeError instead of an Error for bad charset (#349)
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Refactor] formats: tiny bit of cleanup.
readme: add security note
[meta] add tidelift marketing copy
[meta] add funding field
[meta] add FUNDING.yml
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[Dev Deps] update eslint, @ljharb/eslint-config, tape, safe-publish-latest, evalmd, iconv-lite, mkdirp, object-inspect, browserify
[Tests] parse: add passing arrayFormat tests
[Tests] use shared travis-ci configs
[Tests] Buffer.from in node v5.0-v5.9 and v4.0-v4.4 requires a TypedArray
[Tests] add tests for depth=0 and depth=false behavior, both current and intuitive/intended
[Tests] use eclint instead of editorconfig-tools
[actions] add automatic rebasing / merge commit blocking

`v6.7.0`

[New] stringify/parse: add comma as an arrayFormat option (#276, #219)
[Fix] correctly parse nested arrays (#212)
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source, also with an array source
[Robustness] stringify: cache Object.prototype.hasOwnProperty
[Refactor] utils: isBuffer: small tweak; add tests
[Refactor] use cached Array.isArray
[Refactor] parse/stringify: make a function to normalize the options
[Refactor] utils: reduce observable [[Get]]s
[Refactor] stringify/utils: cache Array.isArray
[Tests] always use String(x) over x.toString()
[Tests] fix Buffer tests to work in node < 4.5 and node < 5.10
[Tests] temporarily allow coverage to fail

`v6.6.3`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.6.2`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

`v6.6.1`

[Fix] parse: ignore __proto__ keys (#428)
[Fix] fix for an impossible situation: when the formatter is called with a non-string value
[Fix] utils.merge: avoid a crash with a null target and an array source
[Fix] utils.merge: avoid a crash with a null target and a truthy non-array source
[Fix] correctly parse nested arrays
[Robustness] stringify: avoid relying on a global undefined (#427)
[Robustness] stringify: cache Object.prototype.hasOwnProperty
[Refactor] formats: tiny bit of cleanup.
[Refactor] utils: isBuffer: small tweak; add tests
[Refactor]: stringify/utils: cache Array.isArray
[Refactor] utils: reduce observable [[Get]]s
[Refactor] use cached Array.isArray
[Refactor] parse/stringify: make a function to normalize the options
[readme] remove travis badge; add github actions/codecov badges; update URLs
[Docs] Clarify the need for "arrayLimit" option
[meta] fix README.md (#399)
[meta] do not publish workflow files
[meta] Clean up license text so it’s properly detected as BSD-3-Clause
[meta] add FUNDING.yml
[meta] Fixes typo in CHANGELOG.md
[actions] backport actions from main
[Tests] fix Buffer tests to work in node < 4.5 and node < 5.10
[Tests] always use String(x) over x.toString()
[Dev Deps] backport from main

`v6.6.0`

[New] Add support for iso-8859-1, utf8 "sentinel" and numeric entities (#268)
[New] move two-value combine to a utils function (#189)
[Fix] stringify: fix a crash with strictNullHandling and a custom filter/serializeDate (#279)
[Fix] when parseArrays is false, properly handle keys ending in [] (#260)
[Fix] stringify: do not crash in an obscure combo of interpretNumericEntities, a bad custom decoder, & iso-8859-1
[Fix] utils: merge: fix crash when source is a truthy primitive & no options are provided
[refactor] stringify: Avoid arr = arr.concat(...), push to the existing instance (#269)
[Refactor] parse: only need to reassign the var once
[Refactor] parse/stringify: clean up charset options checking; fix defaults
[Refactor] add missing defaults
[Refactor] parse: one less concat call
[Refactor] utils: compactQueue: make it explicitly side-effecting
[Dev Deps] update browserify, eslint, @ljharb/eslint-config, iconv-lite, safe-publish-latest, tape
[Tests] up to node v10.10, v9.11, v8.12, v6.14, v4.9; pin included builds to LTS

`v6.5.5`

[Fix] fix regressions from robustness refactor
[meta] add npmignore to autogenerate an npmignore file
[actions] update reusable workflows

`v6.5.4`

[Robustness] avoid .push, use void
[readme] clarify parseArrays and arrayLimit documentation (#543)
[readme] document that addQueryPrefix does not add ? to empty output (#418)
[readme] replace runkit CI badge with shields.io check-runs badge
[actions] fix rebase workflow permissions

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot changed the title ~~Update dependency qs to v6.14.1 [SECURITY]~~ Update dependency qs to v6.14.1 [SECURITY] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-qs-vulnerability branch

January 1, 2026 22:05

renovate bot changed the title ~~Update dependency qs to v6.14.1 [SECURITY] - autoclosed~~ chore(deps): update dependency qs to v6.14.1 [security]

renovate bot reopened this

renovate bot force-pushed the renovate/npm-qs-vulnerability branch 3 times, most recently from 2b55bb6 to 4cc9f67 Compare

January 8, 2026 18:04

renovate bot changed the title ~~chore(deps): update dependency qs to v6.14.1 [security]~~ Update dependency qs to v6.14.1 [SECURITY]

renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 4cc9f67 to 7fa235f Compare

January 19, 2026 20:11

renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 7fa235f to 8ebc1c5 Compare

February 2, 2026 14:42

renovate bot changed the title ~~Update dependency qs to v6.14.1 [SECURITY]~~ chore(deps): update dependency qs to v6.14.1 [security]

renovate bot force-pushed the renovate/npm-qs-vulnerability branch 2 times, most recently from 62bbf2a to 9e21668 Compare

February 12, 2026 10:41

renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 9e21668 to 430ef63 Compare

February 17, 2026 16:14

renovate bot changed the title ~~chore(deps): update dependency qs to v6.14.1 [security]~~ Update dependency qs to v6.14.1 [SECURITY]

renovate bot changed the title ~~Update dependency qs to v6.14.1 [SECURITY]~~ chore(deps): update dependency qs to v6.14.1 [security]

renovate bot changed the title ~~chore(deps): update dependency qs to v6.14.1 [security]~~ Update dependency qs to v6.14.1 [SECURITY]

renovate bot force-pushed the renovate/npm-qs-vulnerability branch from 430ef63 to a84859b Compare

March 5, 2026 16:12

renovate bot changed the title ~~Update dependency qs to v6.14.1 [SECURITY]~~ chore(deps): update dependency qs to v6.14.1 [security]

renovate bot changed the title ~~chore(deps): update dependency qs to v6.14.1 [security]~~ Update dependency qs to v6.14.1 [SECURITY]


          Update dependency qs to v6.14.1 [SECURITY]

6a5e736

renovate bot force-pushed the renovate/npm-qs-vulnerability branch from a84859b to 6a5e736 Compare

March 13, 2026 15:44

renovate bot changed the title ~~Update dependency qs to v6.14.1 [SECURITY]~~ chore(deps): update dependency qs to v6.14.1 [security]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet