
Releases: edwardsmit/node-qs-serialization

v1.1.0 — compat shim release

20 May 09:04
ed6dcfe


First compat shim release. deparam now delegates parsing to qs (currently 6.15.2), while param keeps the original jQuery-traditional stringify implementation. All 58 conformance cases stay green. There is no API change since 1.0.0: the optional maxDepth parameter was already present.

What changed

  • lib/deparam.js rewritten as a qs.parse wrapper with three local protections layered on top:
    • safeDecoder: ISO-8859 fallback via unescape() when decodeURIComponent rejects malformed UTF-8. Preserves accents from legacy Latin-1 query strings (e.g. on the way to Elasticsearch).
    • preFilter: per-parameter rejection of __proto__ / constructor / prototype key segments and of paths exceeding maxDepth (default 5).
    • coerceWalk: post-parse type coercion (true/false/null/undefined strings, numerics) — opt-out via deparam(qs, false).
  • lib/param.js unchanged from 1.0.0 — pure ES5, zero deps, no attack surface.

Dependency change

  • qs ^6.15.2 added as a runtime dependency (was zero deps in 1.0.0).
  • Future qs CVE patches flow in automatically via Dependabot lockfile bumps in downstream projects — no republish of this library needed for routine patches.

CI changes

  • New job: Conformance against qs@latest. Installs the newest published qs without saving it to package.json or the lockfile and reruns the conformance suite, as an early warning for any future qs release that would break the shim.

Install

```
npm install node-qs-serialization@1.1.0
```

Verified

  • All 58 conformance cases green on Node 18/20/22/24
  • Smoke test green on Node 0.10 through 16 via Docker
  • Full saas-sitesearch integration suite (757 mocha tests, 90% coverage gates) green with 1.1.0 swapped in as a transparent drop-in for 0.0.2

v1.0.0 — Phase 0 baseline

20 May 06:54
e37a791


First maintained release since 2014. The existing code with the minimum patches needed to be CVE-clean on the original install target (Node 0.10+).

Security

  • Reject deparam parameter keys equal to __proto__, constructor, or prototype (same shape as qs CVE-2017-1000048 / CVE-2022-24999).
  • New maxDepth parameter on deparam (default 5) caps nesting depth; parameters exceeding it are silently dropped.
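The key-path rejection described here, and the preFilter / safeDecoder layers in the v1.1.0 notes above, as an added stand-alone example (not the library's code, and independent of qs): each key is decoded first, split into bracket segments, and the parameter is dropped when any segment is __proto__, constructor or prototype, or when it nests more than maxDepth levels; decoding falls back to unescape() for Latin-1 escapes. The names safeDecoder, splitKeyPath and preFilter, the sample query string, and counting depth as the number of bracket segments (the notes do not define it) are assumptions.

```javascript
// Added example, not the library's code. Assumed names: safeDecoder,
// splitKeyPath, preFilter. Depth = number of bracket segments (assumption).
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Decode one query component; on malformed UTF-8 fall back to unescape(),
// which reads the percent-escapes as ISO-8859-1 (so %E9 becomes 'é').
function safeDecoder(str) {
  const s = str.replace(/\+/g, ' ');
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return unescape(s);
  }
}

// 'user[name]' -> ['user', 'name'];  'tag[]' -> ['tag', ''];  'x' -> ['x']
function splitKeyPath(key) {
  const m = /^([^\[]*)((?:\[[^\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const segs = [m[1]];
  const re = /\[([^\]]*)\]/g;
  let r;
  while ((r = re.exec(m[2])) !== null) segs.push(r[1]);
  return segs;
}

// Keep only pairs whose DECODED key path has no blocked segment and no more
// than maxDepth bracket levels; decoding first also catches %5F%5Fproto%5F%5F.
function preFilter(query, maxDepth) {
  if (maxDepth === undefined) maxDepth = 5;
  const kept = [];
  const dropped = [];
  query.replace(/^\?/, '').split('&').forEach(function (pair) {
    if (!pair) return;
    const eq = pair.indexOf('=');
    const key = safeDecoder(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : safeDecoder(pair.slice(eq + 1));
    const segs = splitKeyPath(key);
    const blocked = segs.some(function (s) { return BLOCKED.has(s); });
    if (blocked || segs.length - 1 > maxDepth) dropped.push(key);
    else kept.push([key, value]);
  });
  return { kept: kept, dropped: dropped };
}
// Constructed sample: a nested key, a Latin-1 value, a prototype-pollution
// attempt, an over-deep key (6 levels) and an array key.
const SAMPLE = 'user[name]=caf%E9&__proto__[polluted]=1&a[b][c][d][e][f][g]=1&tag[]=x';
const RESULT = preFilter(SAMPLE);
console.log(RESULT.kept, RESULT.dropped);
```

The surviving pairs can then be re-joined and handed to the real parser; the library's coerceWalk step is not shown here.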

Tooling

  • Consolidated LICENSE with full attribution to jQuery and jquery-bbq.
  • Added SECURITY.md, files allowlist, engines: ">=0.10".
  • CI matrix: full mocha on Node 18/20/22/24 via setup-node, Docker smoke on Node 0.10/0.12/4/6/8/10/12/14/16. Zero runtime CVEs.

Tests

  • Reference Conformance Spec (`test/conformance.spec.js`, 58 cases) pins the wire-format and security contract for all future modernization phases and any replacement library.

Install

```
npm install node-qs-serialization@1.0.0
```

Breaking change: callers passing prototype-polluting keys or relying on >5-deep nested parameters via `deparam` will see those values silently dropped. Both behaviors are pinned by the conformance spec.