Gathering detailed insights and metrics for qs
Gathering detailed insights and metrics for qs
Gathering detailed insights and metrics for qs
Gathering detailed insights and metrics for qs
A querystring parser with nesting support
npm install qs
Typescript
Module System
Min. Node Version
Node Version
NPM Version
96.2
Supply Chain
100
Quality
84.6
Maintenance
100
Vulnerability
100
License
JavaScript (100%)
Total Downloads
18,459,118,369
Last Day
3,315,495
Last Week
73,377,986
Last Month
315,982,801
Last Year
3,788,294,977
8,600 Stars
816 Commits
732 Forks
67 Watching
10 Branches
64 Contributors
Minified
Minified + Gzipped
Latest Version
6.13.1
Package Id
qs@6.13.1
Unpacked Size
249.73 kB
Size
54.43 kB
File Count
18
NPM Version
10.9.0
Node Version
23.2.0
Publised On
17 Nov 2024
Cumulative downloads
Total Downloads
Last day
-7.6%
3,315,495
Compared to previous day
Last week
-3.3%
73,377,986
Compared to previous week
Last month
-7.9%
315,982,801
Compared to previous month
Last year
5.2%
3,788,294,977
Compared to previous year
1
31
A querystring parsing and stringifying library with some added security.
Lead Maintainer: Jordan Harband
The qs module was originally created and maintained by TJ Holowaychuk.
1var qs = require('qs'); 2var assert = require('assert'); 3 4var obj = qs.parse('a=c'); 5assert.deepEqual(obj, { a: 'c' }); 6 7var str = qs.stringify(obj); 8assert.equal(str, 'a=c');
1qs.parse(string, [options]);
qs allows you to create nested objects within your query strings, by surrounding the name of sub-keys with square brackets []
.
For example, the string 'foo[bar]=baz'
converts to:
1assert.deepEqual(qs.parse('foo[bar]=baz'), { 2 foo: { 3 bar: 'baz' 4 } 5});
When using the plainObjects
option the parsed value is returned as a null object, created via { __proto__: null }
and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:
1var nullObject = qs.parse('a[hasOwnProperty]=b', { plainObjects: true }); 2assert.deepEqual(nullObject, { a: { hasOwnProperty: 'b' } });
By default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use plainObjects
as mentioned above, or set allowPrototypes
to true
which will allow user input to overwrite those properties.
WARNING It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten.
Always be careful with this option.
1var protoObject = qs.parse('a[hasOwnProperty]=b', { allowPrototypes: true }); 2assert.deepEqual(protoObject, { a: { hasOwnProperty: 'b' } });
URI encoded strings work too:
1assert.deepEqual(qs.parse('a%5Bb%5D=c'), { 2 a: { b: 'c' } 3});
You can also nest your objects, like 'foo[bar][baz]=foobarbaz'
:
1assert.deepEqual(qs.parse('foo[bar][baz]=foobarbaz'), { 2 foo: { 3 bar: { 4 baz: 'foobarbaz' 5 } 6 } 7});
By default, when nesting objects qs will only parse up to 5 children deep.
This means if you attempt to parse a string like 'a[b][c][d][e][f][g][h][i]=j'
your resulting object will be:
1var expected = { 2 a: { 3 b: { 4 c: { 5 d: { 6 e: { 7 f: { 8 '[g][h][i]': 'j' 9 } 10 } 11 } 12 } 13 } 14 } 15}; 16var string = 'a[b][c][d][e][f][g][h][i]=j'; 17assert.deepEqual(qs.parse(string), expected);
This depth can be overridden by passing a depth
option to qs.parse(string, [options])
:
1var deep = qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1 }); 2assert.deepEqual(deep, { a: { b: { '[c][d][e][f][g][h][i]': 'j' } } });
You can configure qs to throw an error when parsing nested input beyond this depth using the strictDepth
option (defaulted to false):
1try { 2 qs.parse('a[b][c][d][e][f][g][h][i]=j', { depth: 1, strictDepth: true }); 3} catch (err) { 4 assert(err instanceof RangeError); 5 assert.strictEqual(err.message, 'Input depth exceeded depth option of 1 and strictDepth is true'); 6}
The depth limit helps mitigate abuse when qs is used to parse user input, and it is recommended to keep it a reasonably small number. The strictDepth option adds a layer of protection by throwing an error when the limit is exceeded, allowing you to catch and handle such cases.
For similar reasons, by default qs will only parse up to 1000 parameters. This can be overridden by passing a parameterLimit
option:
1var limited = qs.parse('a=b&c=d', { parameterLimit: 1 }); 2assert.deepEqual(limited, { a: 'b' });
To bypass the leading question mark, use ignoreQueryPrefix
:
1var prefixed = qs.parse('?a=b&c=d', { ignoreQueryPrefix: true }); 2assert.deepEqual(prefixed, { a: 'b', c: 'd' });
An optional delimiter can also be passed:
1var delimited = qs.parse('a=b;c=d', { delimiter: ';' }); 2assert.deepEqual(delimited, { a: 'b', c: 'd' });
Delimiters can be a regular expression too:
1var regexed = qs.parse('a=b;c=d,e=f', { delimiter: /[;,]/ }); 2assert.deepEqual(regexed, { a: 'b', c: 'd', e: 'f' });
Option allowDots
can be used to enable dot notation:
1var withDots = qs.parse('a.b=c', { allowDots: true }); 2assert.deepEqual(withDots, { a: { b: 'c' } });
Option decodeDotInKeys
can be used to decode dots in keys
Note: it implies allowDots
, so parse
will error if you set decodeDotInKeys
to true
, and allowDots
to false
.
1var withDots = qs.parse('name%252Eobj.first=John&name%252Eobj.last=Doe', { decodeDotInKeys: true }); 2assert.deepEqual(withDots, { 'name.obj': { first: 'John', last: 'Doe' }});
Option allowEmptyArrays
can be used to allowing empty array values in object
1var withEmptyArrays = qs.parse('foo[]&bar=baz', { allowEmptyArrays: true }); 2assert.deepEqual(withEmptyArrays, { foo: [], bar: 'baz' });
Option duplicates
can be used to change the behavior when duplicate keys are encountered
1assert.deepEqual(qs.parse('foo=bar&foo=baz'), { foo: ['bar', 'baz'] }); 2assert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'combine' }), { foo: ['bar', 'baz'] }); 3assert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'first' }), { foo: 'bar' }); 4assert.deepEqual(qs.parse('foo=bar&foo=baz', { duplicates: 'last' }), { foo: 'baz' });
If you have to deal with legacy browsers or services, there's also support for decoding percent-encoded octets as iso-8859-1:
1var oldCharset = qs.parse('a=%A7', { charset: 'iso-8859-1' }); 2assert.deepEqual(oldCharset, { a: '§' });
Some services add an initial utf8=✓
value to forms so that old Internet Explorer versions are more likely to submit the form as utf-8.
Additionally, the server can check the value against wrong encodings of the checkmark character and detect that a query string or application/x-www-form-urlencoded
body was not sent as utf-8, eg. if the form had an accept-charset
parameter or the containing page had a different character set.
qs supports this mechanism via the charsetSentinel
option.
If specified, the utf8
parameter will be omitted from the returned object.
It will be used to switch to iso-8859-1
/utf-8
mode depending on how the checkmark is encoded.
Important: When you specify both the charset
option and the charsetSentinel
option, the charset
will be overridden when the request contains a utf8
parameter from which the actual charset can be deduced.
In that sense the charset
will behave as the default charset rather than the authoritative charset.
1var detectedAsUtf8 = qs.parse('utf8=%E2%9C%93&a=%C3%B8', { 2 charset: 'iso-8859-1', 3 charsetSentinel: true 4}); 5assert.deepEqual(detectedAsUtf8, { a: 'ø' }); 6 7// Browsers encode the checkmark as ✓ when submitting as iso-8859-1: 8var detectedAsIso8859_1 = qs.parse('utf8=%26%2310003%3B&a=%F8', { 9 charset: 'utf-8', 10 charsetSentinel: true 11}); 12assert.deepEqual(detectedAsIso8859_1, { a: 'ø' });
If you want to decode the &#...;
syntax to the actual character, you can specify the interpretNumericEntities
option as well:
1var detectedAsIso8859_1 = qs.parse('a=%26%239786%3B', { 2 charset: 'iso-8859-1', 3 interpretNumericEntities: true 4}); 5assert.deepEqual(detectedAsIso8859_1, { a: '☺' });
It also works when the charset has been detected in charsetSentinel
mode.
qs can also parse arrays using a similar []
notation:
1var withArray = qs.parse('a[]=b&a[]=c'); 2assert.deepEqual(withArray, { a: ['b', 'c'] });
You may specify an index as well:
1var withIndexes = qs.parse('a[1]=c&a[0]=b'); 2assert.deepEqual(withIndexes, { a: ['b', 'c'] });
Note that the only difference between an index in an array and a key in an object is that the value between the brackets must be a number to create an array. When creating arrays with specific indices, qs will compact a sparse array to only the existing values preserving their order:
1var noSparse = qs.parse('a[1]=b&a[15]=c'); 2assert.deepEqual(noSparse, { a: ['b', 'c'] });
You may also use allowSparse
option to parse sparse arrays:
1var sparseArray = qs.parse('a[1]=2&a[3]=5', { allowSparse: true }); 2assert.deepEqual(sparseArray, { a: [, '2', , '5'] });
Note that an empty string is also a value, and will be preserved:
1var withEmptyString = qs.parse('a[]=&a[]=b'); 2assert.deepEqual(withEmptyString, { a: ['', 'b'] }); 3 4var withIndexedEmptyString = qs.parse('a[0]=b&a[1]=&a[2]=c'); 5assert.deepEqual(withIndexedEmptyString, { a: ['b', '', 'c'] });
qs will also limit specifying indices in an array to a maximum index of 20
.
Any array members with an index of greater than 20
will instead be converted to an object with the index as the key.
This is needed to handle cases when someone sent, for example, a[999999999]
and it will take significant time to iterate over this huge array.
1var withMaxIndex = qs.parse('a[100]=b'); 2assert.deepEqual(withMaxIndex, { a: { '100': 'b' } });
This limit can be overridden by passing an arrayLimit
option:
1var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 }); 2assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
To disable array parsing entirely, set parseArrays
to false
.
1var noParsingArrays = qs.parse('a[]=b', { parseArrays: false }); 2assert.deepEqual(noParsingArrays, { a: { '0': 'b' } });
If you mix notations, qs will merge the two items into an object:
1var mixedNotation = qs.parse('a[0]=b&a[b]=c'); 2assert.deepEqual(mixedNotation, { a: { '0': 'b', b: 'c' } });
You can also create arrays of objects:
1var arraysOfObjects = qs.parse('a[][b]=c'); 2assert.deepEqual(arraysOfObjects, { a: [{ b: 'c' }] });
Some people use comma to join array, qs can parse it:
1var arraysOfObjects = qs.parse('a=b,c', { comma: true }) 2assert.deepEqual(arraysOfObjects, { a: ['b', 'c'] })
(this cannot convert nested objects, such as a={b:1},{c:d}
)
By default, all values are parsed as strings. This behavior will not change and is explained in issue #91.
1var primitiveValues = qs.parse('a=15&b=true&c=null'); 2assert.deepEqual(primitiveValues, { a: '15', b: 'true', c: 'null' });
If you wish to auto-convert values which look like numbers, booleans, and other values into their primitive counterparts, you can use the query-types Express JS middleware which will auto-convert all request query parameters.
1qs.stringify(object, [options]);
When stringifying, qs by default URI encodes output. Objects are stringified as you would expect:
1assert.equal(qs.stringify({ a: 'b' }), 'a=b'); 2assert.equal(qs.stringify({ a: { b: 'c' } }), 'a%5Bb%5D=c');
This encoding can be disabled by setting the encode
option to false
:
1var unencoded = qs.stringify({ a: { b: 'c' } }, { encode: false }); 2assert.equal(unencoded, 'a[b]=c');
Encoding can be disabled for keys by setting the encodeValuesOnly
option to true
:
1var encodedValues = qs.stringify( 2 { a: 'b', c: ['d', 'e=f'], f: [['g'], ['h']] }, 3 { encodeValuesOnly: true } 4); 5assert.equal(encodedValues,'a=b&c[0]=d&c[1]=e%3Df&f[0][0]=g&f[1][0]=h');
This encoding can also be replaced by a custom encoding method set as encoder
option:
1var encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str) { 2 // Passed in values `a`, `b`, `c` 3 return // Return encoded string 4}})
(Note: the encoder
option does not apply if encode
is false
)
Analogue to the encoder
there is a decoder
option for parse
to override decoding of properties and values:
1var decoded = qs.parse('x=z', { decoder: function (str) { 2 // Passed in values `x`, `z` 3 return // Return decoded string 4}})
You can encode keys and values using different logic by using the type argument provided to the encoder:
1var encoded = qs.stringify({ a: { b: 'c' } }, { encoder: function (str, defaultEncoder, charset, type) { 2 if (type === 'key') { 3 return // Encoded key 4 } else if (type === 'value') { 5 return // Encoded value 6 } 7}})
The type argument is also provided to the decoder:
1var decoded = qs.parse('x=z', { decoder: function (str, defaultDecoder, charset, type) { 2 if (type === 'key') { 3 return // Decoded key 4 } else if (type === 'value') { 5 return // Decoded value 6 } 7}})
Examples beyond this point will be shown as though the output is not URI encoded for clarity. Please note that the return values in these cases will be URI encoded during real usage.
When arrays are stringified, they follow the arrayFormat
option, which defaults to indices
:
1qs.stringify({ a: ['b', 'c', 'd'] }); 2// 'a[0]=b&a[1]=c&a[2]=d'
You may override this by setting the indices
option to false
, or to be more explicit, the arrayFormat
option to repeat
:
1qs.stringify({ a: ['b', 'c', 'd'] }, { indices: false }); 2// 'a=b&a=c&a=d'
You may use the arrayFormat
option to specify the format of the output array:
1qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'indices' }) 2// 'a[0]=b&a[1]=c' 3qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'brackets' }) 4// 'a[]=b&a[]=c' 5qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'repeat' }) 6// 'a=b&a=c' 7qs.stringify({ a: ['b', 'c'] }, { arrayFormat: 'comma' }) 8// 'a=b,c'
Note: when using arrayFormat
set to 'comma'
, you can also pass the commaRoundTrip
option set to true
or false
, to append []
on single-item arrays, so that they can round trip through a parse.
When objects are stringified, by default they use bracket notation:
1qs.stringify({ a: { b: { c: 'd', e: 'f' } } }); 2// 'a[b][c]=d&a[b][e]=f'
You may override this to use dot notation by setting the allowDots
option to true
:
1qs.stringify({ a: { b: { c: 'd', e: 'f' } } }, { allowDots: true }); 2// 'a.b.c=d&a.b.e=f'
You may encode the dot notation in the keys of object with option encodeDotInKeys
by setting it to true
:
Note: it implies allowDots
, so stringify
will error if you set decodeDotInKeys
to true
, and allowDots
to false
.
Caveat: when encodeValuesOnly
is true
as well as encodeDotInKeys
, only dots in keys and nothing else will be encoded.
1qs.stringify({ "name.obj": { "first": "John", "last": "Doe" } }, { allowDots: true, encodeDotInKeys: true }) 2// 'name%252Eobj.first=John&name%252Eobj.last=Doe'
You may allow empty array values by setting the allowEmptyArrays
option to true
:
1qs.stringify({ foo: [], bar: 'baz' }, { allowEmptyArrays: true }); 2// 'foo[]&bar=baz'
Empty strings and null values will omit the value, but the equals sign (=) remains in place:
1assert.equal(qs.stringify({ a: '' }), 'a=');
Key with no values (such as an empty object or array) will return nothing:
1assert.equal(qs.stringify({ a: [] }), ''); 2assert.equal(qs.stringify({ a: {} }), ''); 3assert.equal(qs.stringify({ a: [{}] }), ''); 4assert.equal(qs.stringify({ a: { b: []} }), ''); 5assert.equal(qs.stringify({ a: { b: {}} }), '');
Properties that are set to undefined
will be omitted entirely:
1assert.equal(qs.stringify({ a: null, b: undefined }), 'a=');
The query string may optionally be prepended with a question mark:
1assert.equal(qs.stringify({ a: 'b', c: 'd' }, { addQueryPrefix: true }), '?a=b&c=d');
The delimiter may be overridden with stringify as well:
1assert.equal(qs.stringify({ a: 'b', c: 'd' }, { delimiter: ';' }), 'a=b;c=d');
If you only want to override the serialization of Date
objects, you can provide a serializeDate
option:
1var date = new Date(7); 2assert.equal(qs.stringify({ a: date }), 'a=1970-01-01T00:00:00.007Z'.replace(/:/g, '%3A')); 3assert.equal( 4 qs.stringify({ a: date }, { serializeDate: function (d) { return d.getTime(); } }), 5 'a=7' 6);
You may use the sort
option to affect the order of parameter keys:
1function alphabeticalSort(a, b) { 2 return a.localeCompare(b); 3} 4assert.equal(qs.stringify({ a: 'c', z: 'y', b : 'f' }, { sort: alphabeticalSort }), 'a=c&b=f&z=y');
Finally, you can use the filter
option to restrict which keys will be included in the stringified output.
If you pass a function, it will be called for each key to obtain the replacement value.
Otherwise, if you pass an array, it will be used to select properties and array indices for stringification:
1function filterFunc(prefix, value) { 2 if (prefix == 'b') { 3 // Return an `undefined` value to omit a property. 4 return; 5 } 6 if (prefix == 'e[f]') { 7 return value.getTime(); 8 } 9 if (prefix == 'e[g][0]') { 10 return value * 2; 11 } 12 return value; 13} 14qs.stringify({ a: 'b', c: 'd', e: { f: new Date(123), g: [2] } }, { filter: filterFunc }); 15// 'a=b&c=d&e[f]=123&e[g][0]=4' 16qs.stringify({ a: 'b', c: 'd', e: 'f' }, { filter: ['a', 'e'] }); 17// 'a=b&e=f' 18qs.stringify({ a: ['b', 'c', 'd'], e: 'f' }, { filter: ['a', 0, 2] }); 19// 'a[0]=b&a[2]=d'
You could also use filter
to inject custom serialization for user defined types.
Consider you're working with some api that expects query strings of the format for ranges:
https://domain.com/endpoint?range=30...70
For which you model as:
1class Range { 2 constructor(from, to) { 3 this.from = from; 4 this.to = to; 5 } 6}
You could inject a custom serializer to handle values of this type:
1qs.stringify( 2 { 3 range: new Range(30, 70), 4 }, 5 { 6 filter: (prefix, value) => { 7 if (value instanceof Range) { 8 return `${value.from}...${value.to}`; 9 } 10 // serialize the usual way 11 return value; 12 }, 13 } 14); 15// range=30...70
null
valuesBy default, null
values are treated like empty strings:
1var withNull = qs.stringify({ a: null, b: '' }); 2assert.equal(withNull, 'a=&b=');
Parsing does not distinguish between parameters with and without equal signs. Both are converted to empty strings.
1var equalsInsensitive = qs.parse('a&b='); 2assert.deepEqual(equalsInsensitive, { a: '', b: '' });
To distinguish between null
values and empty strings use the strictNullHandling
flag. In the result string the null
values have no =
sign:
1var strictNull = qs.stringify({ a: null, b: '' }, { strictNullHandling: true }); 2assert.equal(strictNull, 'a&b=');
To parse values without =
back to null
use the strictNullHandling
flag:
1var parsedStrictNull = qs.parse('a&b=', { strictNullHandling: true }); 2assert.deepEqual(parsedStrictNull, { a: null, b: '' });
To completely skip rendering keys with null
values, use the skipNulls
flag:
1var nullsSkipped = qs.stringify({ a: 'b', c: null}, { skipNulls: true }); 2assert.equal(nullsSkipped, 'a=b');
If you're communicating with legacy systems, you can switch to iso-8859-1
using the charset
option:
1var iso = qs.stringify({ æ: 'æ' }, { charset: 'iso-8859-1' }); 2assert.equal(iso, '%E6=%E6');
Characters that don't exist in iso-8859-1
will be converted to numeric entities, similar to what browsers do:
1var numeric = qs.stringify({ a: '☺' }, { charset: 'iso-8859-1' }); 2assert.equal(numeric, 'a=%26%239786%3B');
You can use the charsetSentinel
option to announce the character by including an utf8=✓
parameter with the proper encoding if the checkmark, similar to what Ruby on Rails and others do when submitting forms.
1var sentinel = qs.stringify({ a: '☺' }, { charsetSentinel: true }); 2assert.equal(sentinel, 'utf8=%E2%9C%93&a=%E2%98%BA'); 3 4var isoSentinel = qs.stringify({ a: 'æ' }, { charsetSentinel: true, charset: 'iso-8859-1' }); 5assert.equal(isoSentinel, 'utf8=%26%2310003%3B&a=%E6');
By default the encoding and decoding of characters is done in utf-8
, and iso-8859-1
support is also built in via the charset
parameter.
If you wish to encode querystrings to a different character set (i.e.
Shift JIS) you can use the
qs-iconv
library:
1var encoder = require('qs-iconv/encoder')('shift_jis'); 2var shiftJISEncoded = qs.stringify({ a: 'こんにちは!' }, { encoder: encoder }); 3assert.equal(shiftJISEncoded, 'a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I');
This also works for decoding of query strings:
1var decoder = require('qs-iconv/decoder')('shift_jis'); 2var obj = qs.parse('a=%82%B1%82%F1%82%C9%82%BF%82%CD%81I', { decoder: decoder }); 3assert.deepEqual(obj, { a: 'こんにちは!' });
RFC3986 used as default option and encodes ' ' to %20 which is backward compatible. In the same time, output can be stringified as per RFC1738 with ' ' equal to '+'.
assert.equal(qs.stringify({ a: 'b c' }), 'a=b%20c');
assert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC3986' }), 'a=b%20c');
assert.equal(qs.stringify({ a: 'b c' }, { format : 'RFC1738' }), 'a=b+c');
Please email @ljharb or see https://tidelift.com/security if you have a potential security vulnerability to report.
Available as part of the Tidelift Subscription
The maintainers of qs and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. Learn more.
qs logo by NUMI:
Stable Version
16
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
< 6.2.4
Patched Versions
6.2.4
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
>= 6.3.0, < 6.3.3
Patched Versions
6.3.3
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
>= 6.4.0, < 6.4.1
Patched Versions
6.4.1
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
>= 6.5.0, < 6.5.3
Patched Versions
6.5.3
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
>= 6.6.0, < 6.6.1
Patched Versions
6.6.1
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
>= 6.7.0, < 6.7.3
Patched Versions
6.7.3
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
>= 6.8.0, < 6.8.3
Patched Versions
6.8.3
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
>= 6.9.0, < 6.9.7
Patched Versions
6.9.7
7.5/10
Summary
qs vulnerable to Prototype Pollution
Affected Versions
>= 6.10.0, < 6.10.3
Patched Versions
6.10.3
7.5/10
Summary
Prototype Pollution Protection Bypass in qs
Affected Versions
>= 6.3.0, < 6.3.2
Patched Versions
6.3.2
7.5/10
Summary
Prototype Pollution Protection Bypass in qs
Affected Versions
>= 6.2.0, < 6.2.3
Patched Versions
6.2.3
7.5/10
Summary
Prototype Pollution Protection Bypass in qs
Affected Versions
>= 6.1.0, < 6.1.2
Patched Versions
6.1.2
7.5/10
Summary
Prototype Pollution Protection Bypass in qs
Affected Versions
< 6.0.4
Patched Versions
6.0.4
0/10
Summary
High severity vulnerability that affects qs
Affected Versions
< 1.0.0
Patched Versions
1.0.0
0/10
Summary
Denial-of-Service Extended Event Loop Blocking in qs
Affected Versions
< 1.0.0
Patched Versions
1.0.0
0/10
Summary
Denial-of-Service Memory Exhaustion in qs
Affected Versions
< 1.0.0
Patched Versions
1.0.0
Reason
10 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
Reason
security policy file detected
Details
Reason
badge detected: Passing
Reason
Found 4/30 approved changesets -- score normalized to 1
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Reason
project is not fuzzed
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Score
Last Scanned on 2024-12-16
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More