Skip to content

chore(deps): bump qs, express and body-parser#1526

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-62d2111253
Open

chore(deps): bump qs, express and body-parser#1526
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-62d2111253

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps qs to 6.15.3 and updates ancestor dependencies qs, express and body-parser. These dependencies need to be updated together.

Updates qs from 6.14.1 to 6.15.3

Changelog

Sourced from qs's changelog.

6.15.3

  • [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via combine/merge
  • [Fix] utils: respect encoding of surrogate pairs across chunks (#559)
  • [Robustness] parse: throw the arrayLimit error before splitting oversized comma values
  • [Robustness] utils.merge / utils.assign: avoid invoking __proto__ setter when copying own properties
  • [Robustness] utils: enforce arrayLimit consistently across merge's array paths
  • [Perf] utils: make compact O(n) via a side-channel visited-set instead of Array.indexOf
  • [Deps] update side-channel
  • [Dev Deps] update eslint, mock-property, tape
  • [Tests] parse: characterize current lenient handling of unbalanced bracket keys (#558)

6.15.2

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLengtharrayLimit)
  • [actions] fix rebase workflow permissions
Commits
  • 18d085e v6.15.3
  • c38af42 [Deps] update side-channel
  • adce539 [Dev Deps] update eslint, mock-property, tape
  • 74a0f6a [Robustness] utils: enforce arrayLimit consistently across merge's arra...
  • f4938f5 [Tests] parse: characterize current lenient handling of unbalanced bracket ...
  • 5d5f723 [Perf] utils: make compact O(n) via a side-channel visited-set instead of...
  • 52afe00 [Robustness] parse: throw the arrayLimit error before splitting oversized...
  • 963e538 [Fix] parse: enforce throwOnLimitExceeded for cumulative array growth via...
  • 59da434 [Fix] utils: respect encoding of surrogate pairs across chunks
  • 9532969 [Robustness] utils.merge / utils.assign: avoid invoking __proto__ sette...
  • Additional commits viewable in compare view

Updates express from 4.22.1 to 4.22.2

Release notes

Sourced from express's releases.

v4.22.2

What's Changed

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

New Contributors

Full Changelog: expressjs/express@v4.22.1...v4.22.2

Changelog

Sourced from express's changelog.

4.22.2 / 2026-05-011

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5
Commits

Updates body-parser from 1.20.4 to 1.20.6

Release notes

Sourced from body-parser's releases.

1.20.6

Important: Security

What's Changed

Full Changelog: expressjs/body-parser@1.20.5...1.20.6

v1.20.5

What's Changed

The reason for this release is a fix to the extended urlencoded parser returning objects instead of arrays for large array inputs (> 100) on qs@6.14.2+. (expressjs/body-parser#716)

New Contributors

Special thanks to triager @​krzysdz for keeping this on our radar and effectively triaging the specific issue!

Full Changelog: expressjs/body-parser@1.20.4...1.20.5

Changelog

Sourced from body-parser's changelog.

1.20.6 / 2026-07-09

  • Security fix for GHSA-v422-hmwv-36x6
  • fix: improve limit option validation (#698)
    • Invalid limit values (e.g. unparseable strings or NaN) now throw instead of being silently ignored, which previously disabled size limit enforcement
    • null and undefined fall back to the default 100kb limit

1.20.5 / 2026-04-24

  • refactor(json): simplify strict mode error string construction
  • fix: extended urlencoded parsing of arrays with >100 elements (#716)
  • deps: qs@~6.15.1
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 22, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 22, 2026
@danielpeintner

Copy link
Copy Markdown
Member

@dependabot rebase

@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-62d2111253 branch from 6e05856 to 420aacd Compare July 15, 2026 12:02

@danielpeintner danielpeintner left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI is green after rebase

Bumps [qs](https://github.com/ljharb/qs) to 6.15.3 and updates ancestor dependencies [qs](https://github.com/ljharb/qs), [express](https://github.com/expressjs/express) and [body-parser](https://github.com/expressjs/body-parser). These dependencies need to be updated together.


Updates `qs` from 6.14.1 to 6.15.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.14.1...v6.15.3)

Updates `express` from 4.22.1 to 4.22.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/v4.22.2/History.md)
- [Commits](expressjs/express@v4.22.1...v4.22.2)

Updates `body-parser` from 1.20.4 to 1.20.6
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.20.4...1.20.6)

---
updated-dependencies:
- dependency-name: body-parser
  dependency-version: 1.20.5
  dependency-type: direct:development
- dependency-name: express
  dependency-version: 4.22.2
  dependency-type: direct:development
- dependency-name: qs
  dependency-version: 6.15.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-62d2111253 branch from 420aacd to 6f6cb32 Compare July 16, 2026 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant